Origin not allowed between docker image on Azure Container App and Azure Application Gateway

  • What Grafana version and what operating system are you using?
    11.0.0

  • What are you trying to achieve?
    I have a Grafana docker image configured and deployed on Azure Container Apps. The image with its configuration works perfectly locally, but when deploying to Azure, I receive ‘origin not allowed’ errors when trying to view dashboards (and probably other Grafana features).

  • How are you trying to achieve it?
    I am using the Grafana docker image and using provisioning (yaml) files to configure everything.
    There is a DNS in front of the Azure Container app which we configured to be the Host. In the UI I can see this is correctly being set as the Host. The Host set on Application Gateway is the same.

  • What happened?
    The dashboard API calls are being blocked by the errors

  • What did you expect to happen?
    Seeing dashboards without issues

  • Can you copy/paste the configuration(s) that you are having problems with?
    I configured everything in the grafana.ini file as follows:

.env file

  base_url: 'https://dev-monitor.datalake.sante.service.ec.europa.eu'
  domain: 'dev-monitor.datalake.sante.service.ec.europa.eu'

grafana.ini file

[security]
disable_initial_admin_creation = true
csrf_trusted_origins = "https://dev-monitor.datalake.sante.service.ec.europa.eu"
csrf_additional_headers = X-FORWARDED-HOST
[auth.basic]
enabled = false
disable_login_form = true
[auth.generic_oauth]
enabled = true
; auto_login = true
name = EU Login
allow_sign_up = true
client_id = $__env{auth_generic_oauth_clientid}
client_secret = $__env{auth_generic_oauth_clientsecret}
scopes = openid profile
auth_url = https://ecas.acceptance.ec.europa.eu/cas/oauth2/authorize
token_url = $__env{auth_generic_oauth_tokenurl}
api_url = $__env{auth_generic_oauth_apiurl}
use_pkce = true
use_refresh_token = false
email_attribute_path = email
role_attribute_path = contains(roles[*], 'developer_portal_private_admin') && 'Admin' || contains(roles[*], 'monitor_admin') && 'Admin' || contains(roles[*], 'monitor_viewer') && 'Viewer'
allow_assign_grafana_admin = false
org_attribute_path = organisation
role_attribute_strict = true
; [smtp]
; enabled = true
; host = $__env{smtp_host}
; user = $__env{smtp_user}
; password = $__env{smtp_password}
; from_address = $__env{smtp_user}
; from_name = DG Sante
[server]
root_url = $__env{base_url}
domain = $__env{domain}
serve_from_sub_path = true
[live]
allowed_origins = "https://dev-monitor.datalake.sante.service.ec.europa.eu"

  • Did you receive any errors in the Grafana UI or in related logs? If so, please tell us exactly what they were.
    I see this in the grafana UI:
origin not allowed
Object
status:403
statusText:"Forbidden"
data:Object
message:"origin not allowed\n"
error:"Forbidden"
response:"origin not allowed\n"
config:Object
url:"api/ds/query?ds_type=grafana-azure-monitor-datasource&requestId=Q101-A"
method:"POST"
data:Object
requestId:"Q101-A"
hideFromInspector:false
headers:Object
retry:0
traceId:undefined
message:"origin not allowed\n"

Make sure that the infrastructure in front of Grafana doesn’t modify the Host request header (or set it properly to dev-monitor.datalake.sante.service.ec.europa.eu there).
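
A simplified model of the check behind the reply above, as an added example that is not part of the original thread and is not Grafana's source code. It assumes the server compares the host in the browser's `Origin` header with the `Host` header it received and with the value of any header named in `csrf_additional_headers`; `backendHost` is a constructed name standing in for whatever host a proxy might substitute.

```go
package main

import (
	"fmt"
	"net"
	"net/url"
	"strings"
)

// publicHost is from the post; backendHost is a constructed stand-in (assumption).
const (
	publicHost  = "dev-monitor.datalake.sante.service.ec.europa.eu"
	backendHost = "backend.internal.example"
)

// hostOnly lowercases a host value and drops any port.
func hostOnly(h string) string {
	if host, _, err := net.SplitHostPort(h); err == nil {
		h = host
	}
	return strings.ToLower(h)
}

// checkOrigin is a simplified model (an assumption, not Grafana's source code):
// the Origin's host must equal the Host header the backend received, or the value
// of one of the extra headers it is configured to consult (forwardedHosts).
func checkOrigin(origin, host string, forwardedHosts ...string) error {
	if origin == "" {
		return nil // no Origin header, nothing to compare
	}
	u, err := url.Parse(origin)
	if err != nil || u.Host == "" {
		return fmt.Errorf("unparsable Origin %q", origin)
	}
	for _, h := range append([]string{host}, forwardedHosts...) {
		if h != "" && hostOnly(h) == hostOnly(u.Host) {
			return nil
		}
	}
	return fmt.Errorf("origin not allowed: Origin host %q, Host %q, forwarded %q",
		hostOnly(u.Host), host, forwardedHosts)
}

func main() {
	origin := "https://" + publicHost // what the browser sends
	fmt.Println("Host preserved by proxy:     ", checkOrigin(origin, publicHost))
	fmt.Println("Host rewritten to backend:   ", checkOrigin(origin, backendHost))
	fmt.Println("Rewritten + X-Forwarded-Host:", checkOrigin(origin, backendHost, publicHost))
}
```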

How do I make sure the Host header is not modified? I have no custom code running, just the Grafana image on Azure Container Apps.
Thanks for your help!

I don’t know. Try to ask your Azure support/read Azure doc/… This is the Grafana forum, so you can expect Grafana knowledge here, but not Azure knowledge.