Origin not allowed messages after upgrade to 8.3.6

zerog · February 9, 2022, 11:38pm

Grafana: Enterprise Edition without token, Version 8.3.6
InfluxDB: 1.8.10
OS: Debian 10

Dear all,
after upgrading my instance from version 8.3.4 I’m having problems with getting data from InfluxDB and navigating through Grafana. Whenever I try to change organization for instance, the following warning pops up: “Origin not allowed”. Here are some things I tried/observed:

Upgrade InfluxDB to the latest version
When I stop Influx the warning message is gone and I can navigate again. So I guess this is somehow related to Influx.
Tried upgrading Grafana on another device (Raspberry) without problems (InfluxDB 1.8.10, Grafana Community Edition) → Might only affect Enterprise Edition.

I’ve also tried to identify something odd in the logs, but I don’t see any errors. Please tell me if you need some more information.

Thanks!

Chris

jangaraj · February 10, 2022, 8:02am

In the case of Apache Server, you need to add ProxyPreserveHost on in your proxy configuration. In case of NGINX, you can need to add proxy_set_header Host $http_host; in your configuration.

It is broken for IPv6 access: https://github.com/grafana/grafana/issues/45115

zerog · February 11, 2022, 1:31pm

Thank you for your fast reply! That did the trick.

For future reference this was also discussed here.

grounzero · February 11, 2022, 3:32pm

I’m having the same messages with 8.3.6 using IIS URLRewrite as a proxy.

grounzero · February 11, 2022, 3:42pm

Fixed by running this in a console

%windir%\system32\inetsrv\appcmd.exe set config -section:system.webServer/proxy -preserveHostHeader:true /commit:apphost

cretin · February 12, 2022, 9:22pm

I’m encountering the same error, but I’m not using any reverse proxies. Does that mean that I have to use a reverse proxy if I want grafana to be able to connect to prometheus?

jangaraj · February 12, 2022, 10:32pm

No, it means that this piece of code is detecting problem:

			host := strings.Split(r.Host, ":")[0]
			origin, err := url.Parse(r.Header.Get("Origin"))
			if err != nil || (origin.String() != "" && origin.Hostname() != host) {
				http.Error(w, "origin not allowed", http.StatusForbidden)
				return
			}

what is your Host and Origin for your request? How is deployed your Grafana (you may think that you are not using proxy, but proxy can used by used infrastructure under the hood - e.g. Cloudfoundry, K8, …)?

cretin · February 13, 2022, 7:53am

While writing the response, I’ve just realiased that you’re referring to the proxy grafana is behind, not prometheus. I thought it was the other way around. I’ve just added the Host header and it’s worked. Thank you

jordipalet · February 14, 2022, 1:24pm

Same problem here.

It seems related to the use of IPv6 from the browser. If I disable IPv6 in the browser, it just works …

No proxies here and no changes from previous version, we just updated it, so it seems a bug.

jangaraj · February 14, 2022, 3:42pm

See my first post here. There is a link for IPv6 issue - current CSRF test implementation doesn’t support that.

cpiggott · February 17, 2022, 4:23pm

Oh boy. I’m not sure what to do about this. I’m using nginx, and I already have proxy_set_header Host $http_host set in the configuration. I’m not quite sure where to go next.

angryrockkillers · February 17, 2022, 5:29pm

same issue here. let me post my settings file. maybe someone can tell me more.
ps: i am not running docker.

# this is required to proxy Grafana Live WebSocket connections.
map $http_upgrade $connection_upgrade {
  default upgrade;
  '' close;
}

server {
  listen 80;
  server_name grafana.************;
  root /usr/share/nginx/html;
  index index.html index.htm;

  location / {
    proxy_pass http://localhost:2000/;
  }

  # Proxy Grafana Live WebSocket connections.
  location /api/live {
    rewrite  ^/(.*)  /$1 break;
    proxy_http_version 1.1;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection $connection_upgrade;
    proxy_set_header Host $http_host;
    proxy_pass http://localhost:2000/;
  }
}

jangaraj · February 17, 2022, 8:09pm

See Run Grafana behind a reverse proxy | Grafana Labs

angryrockkillers · February 18, 2022, 6:13pm

thx that fixed it all.

gotenk · March 5, 2022, 8:18am

Hi, adding the line “proxy_set_header Host $http_host;” did not change anything for me. Do you have any other suggestions?

lukelu · April 26, 2022, 8:10am

I found a way workaround for myself and you can try this:
in your Nginx configuration file using the real domain name replace the $http_host

# proxy_set_header Host $http_host;
proxy_set_header Host example.com;

It worked for me, hope it can help you also.

bism2020 · June 20, 2022, 11:40am

I am encountering the same error “origin not allowed” while trying add any datasource. I am not using any proxy. Is there any way to fix this error without using proxy ?

michaelmartinez1 · November 17, 2022, 12:37am

My case: upgrading from 7.4.3 to 8.5.15. Users browsers get to Grafana via oauth-proxy running in kubernetes. Using tcpdump to look at the HTTP headers arriving at the Grafana host, we see “Host:” and “Origin:” which are different values, therefore triggering the “Origin not allowed” which is given by the snippet of code someone posted above.

The fix: set “pass_host_header = true” in the oauth-proxy config. Doing this now the “Host” and “Origin” headers match, and things work correctly.

dilipssn · December 15, 2022, 7:30am

Hi Team,

The grafana (grafana-7.5.11-2.el8.rpm) package we have updated it to the below-mentioned version with dependency.

grafana-pcp-3.2.0-2.el8.x86_64.rpm
grafana-7.5.15-3.el8.x86_64.rpm

We are using “Graphite” as DB to connect with Grafana. It worked until we use old version (grafana-7.5.11-2.el8.rpm) and post to the update, the databse connection not worked.

During graphite connection, I get the error “origin not allowed”. also Attached here.

Could you please help us on fixing this issue…