Nginx Reverse Proxy

I am trying to set up Grafana with an Nginx Reverse Proxy for SSL Termination.
Grafana: v6.2.5

I have attached some relevant configs for this:

grafana.ini

[server]
domain = grafana.example.com

nginx.conf

[...]
listen 443 ssl;
server_name grafana.example.com;
[...]

location / {
  proxy_pass http://127.0.0.1:3000;
}

Every other config in grafana.ini is left to the default.

I can access the login page fine if I connect directly to Port 3000. However, attempting to access via the domain name brings up the error regarding reverse proxy configuration issues.

I can access the API with the domain name:

$ curl https://admin:admin@grafana.example.com/api/org
{"id":1,"name":"Main Org.","address":{"address1":"","address2":"","city":"","zipCode":"","state":"","country":""}}

I have also attempted to change the root_url and it did not work. Port 3000 worked but using the Domain brings me to the same error page for /login.

Initially, this was set up in a Docker Compose with Nginx running on the host, but I moved Grafana out of it to try to make it easier to debug.

The server it is on is also hosting a Prometheus in Docker with reverse proxy.

Hi Arvent,
According to the documentation, in Nginx you should have the following configuration:

[...]
listen 443 ssl;
server_name grafana.example.com;
[...]

location / {
  proxy_pass http://127.0.0.1:3000/;
}

After some additional testing, I discovered that certain calls are being blocked by my Nginx’s Security Headers/Settings.

I discovered these errors in my Browser Console when loading the login page:

EvalError: call to eval() blocked by CSP core.js:4
Content Security Policy: The page’s settings blocked the loading of a resource at eval (“default-src”). angular.js:1286
Content Security Policy: The page’s settings blocked the loading of a resource at eval (“default-src”). core.js:4

I use the following security headers by default in my Nginx installations:

# security headers
add_header X-Frame-Options "SAMEORIGIN" always;
add_header X-XSS-Protection "1; mode=block" always;
add_header X-Content-Type-Options "nosniff" always;
add_header Referrer-Policy "no-referrer-when-downgrade" always;
add_header Content-Security-Policy "default-src 'self' http: https: data: blob: 'unsafe-inline'" always;
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;

# . files
location ~ /\.(?!well-known) {
  deny all;
}

After commenting out the Content-Security-Policy Header, Grafana works as expected on a Reverse Proxy.

It seems that the frontend may be performing some unsafe eval calls?

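As an added example that is not part of this thread: a small Python model of the CSP decision behind those console errors (no script-src, so default-src governs scripts, and eval() needs 'unsafe-eval'), run against the header quoted above and against an assumed replacement that adds an explicit script-src instead of dropping the policy altogether.

```python
from typing import Dict, List, Optional

# Fetch-style directives that inherit default-src when they are not set
# explicitly; this is the fallback the browser console message names.
FALLBACK_TO_DEFAULT = {"script-src", "style-src", "img-src", "connect-src",
                       "font-src", "media-src", "object-src", "frame-src"}


def parse_csp(header: str) -> Dict[str, List[str]]:
    """Split a Content-Security-Policy header value into {directive: sources}.
    Per the spec, a directive repeated in one policy keeps its first value."""
    policy: Dict[str, List[str]] = {}
    for clause in header.split(";"):
        tokens = clause.split()
        if tokens and tokens[0].lower() not in policy:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def governing_directive(header: str, directive: str = "script-src") -> Optional[str]:
    """Name the directive that actually restricts `directive`, or None if
    neither it nor default-src is present (i.e. no restriction at all)."""
    policy = parse_csp(header)
    if directive in policy:
        return directive
    if directive in FALLBACK_TO_DEFAULT and "default-src" in policy:
        return "default-src"
    return None


def eval_allowed(header: str) -> bool:
    """True when eval()/new Function() may run: scripts are either
    unrestricted or the governing source list carries 'unsafe-eval'."""
    governing = governing_directive(header)
    if governing is None:
        return True
    return "'unsafe-eval'" in parse_csp(header)[governing]


# The header from the thread: no script-src, so default-src governs eval and
# lacks 'unsafe-eval'. Note that 'self' http: https: already permits scripts
# from any origin, so this header's main effect on Grafana is blocking eval().
THREAD_CSP = "default-src 'self' http: https: data: blob: 'unsafe-inline'"

# Assumed replacement (not from the thread): keep the header but add an
# explicit script-src that permits eval for Grafana 6's AngularJS frontend.
RELAXED_CSP = THREAD_CSP + "; script-src 'self' 'unsafe-inline' 'unsafe-eval'"

if __name__ == "__main__":
    for name, csp in (("thread", THREAD_CSP), ("relaxed", RELAXED_CSP)):
        print(f"{name}: governed by {governing_directive(csp)}, eval allowed = {eval_allowed(csp)}")
```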