Origin not allowed messages after upgrade to 8.3.6

Grafana: Enterprise Edition without token, Version 8.3.6
InfluxDB: 1.8.10
OS: Debian 10

Dear all,
after upgrading my instance from version 8.3.4 I’m having problems with getting data from InfluxDB and navigating through Grafana. Whenever I try to change organization for instance, the following warning pops up: “Origin not allowed”. Here are some things I tried/observed:

  • Upgrade InfluxDB to the latest version
  • When I stop Influx the warning message is gone and I can navigate again. So I guess this is somehow related to Influx.
  • Tried upgrading Grafana on another device (Raspberry) without problems (InfluxDB 1.8.10, Grafana Community Edition) → Might only affect Enterprise Edition.

I’ve also tried to identify something odd in the logs, but I don’t see any errors. Please tell me if you need some more information.

Thanks!

Chris

5 Likes

In the case of Apache Server, you need to add ProxyPreserveHost on in your proxy configuration. In case of NGINX, you can need to add proxy_set_header Host $http_host; in your configuration.

It is broken for IPv6 access: New CSRF check broken with raw IPv6 Host · Issue #45115 · grafana/grafana · GitHub

7 Likes

Thank you for your fast reply! That did the trick.

For future reference this was also discussed here.

I’m having the same messages with 8.3.6 using IIS URLRewrite as a proxy.

Fixed by running this in a console

%windir%\system32\inetsrv\appcmd.exe set config -section:system.webServer/proxy -preserveHostHeader:true /commit:apphost
1 Like

I’m encountering the same error, but I’m not using any reverse proxies. Does that mean that I have to use a reverse proxy if I want grafana to be able to connect to prometheus?

No, it means that this piece of code is detecting problem:

			host := strings.Split(r.Host, ":")[0]
			origin, err := url.Parse(r.Header.Get("Origin"))
			if err != nil || (origin.String() != "" && origin.Hostname() != host) {
				http.Error(w, "origin not allowed", http.StatusForbidden)
				return
			}

what is your Host and Origin for your request? How is deployed your Grafana (you may think that you are not using proxy, but proxy can used by used infrastructure under the hood - e.g. Cloudfoundry, K8, …)?

1 Like

While writing the response, I’ve just realiased that you’re referring to the proxy grafana is behind, not prometheus. I thought it was the other way around. I’ve just added the Host header and it’s worked. Thank you :slight_smile:

Same problem here.

It seems related to the use of IPv6 from the browser. If I disable IPv6 in the browser, it just works …

No proxies here and no changes from previous version, we just updated it, so it seems a bug.

See my first post here. There is a link for IPv6 issue - current CSRF test implementation doesn’t support that.

Oh boy. I’m not sure what to do about this. I’m using nginx, and I already have proxy_set_header Host $http_host set in the configuration. I’m not quite sure where to go next.

2 Likes

same issue here. let me post my settings file. maybe someone can tell me more.
ps: i am not running docker.

# this is required to proxy Grafana Live WebSocket connections.
map $http_upgrade $connection_upgrade {
  default upgrade;
  '' close;
}

server {
  listen 80;
  server_name grafana.************;
  root /usr/share/nginx/html;
  index index.html index.htm;

  location / {
    proxy_pass http://localhost:2000/;
  }

  # Proxy Grafana Live WebSocket connections.
  location /api/live {
    rewrite  ^/(.*)  /$1 break;
    proxy_http_version 1.1;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection $connection_upgrade;
    proxy_set_header Host $http_host;
    proxy_pass http://localhost:2000/;
  }
}

See Run Grafana behind a reverse proxy | Grafana Labs

thx that fixed it all.

Hi, adding the line “proxy_set_header Host $http_host;” did not change anything for me. Do you have any other suggestions?

I found a way workaround for myself and you can try this:
in your Nginx configuration file using the real domain name replace the $http_host

# proxy_set_header Host $http_host;
proxy_set_header Host example.com;

It worked for me, hope it can help you also.

I am encountering the same error “origin not allowed” while trying add any datasource. I am not using any proxy. Is there any way to fix this error without using proxy ?

My case: upgrading from 7.4.3 to 8.5.15. Users browsers get to Grafana via oauth-proxy running in kubernetes. Using tcpdump to look at the HTTP headers arriving at the Grafana host, we see “Host:” and “Origin:” which are different values, therefore triggering the “Origin not allowed” which is given by the snippet of code someone posted above.

The fix: set “pass_host_header = true” in the oauth-proxy config. Doing this now the “Host” and “Origin” headers match, and things work correctly.

Hi Team,

The grafana (grafana-7.5.11-2.el8.rpm) package we have updated it to the below-mentioned version with dependency.

grafana-pcp-3.2.0-2.el8.x86_64.rpm
grafana-7.5.15-3.el8.x86_64.rpm

We are using “Graphite” as DB to connect with Grafana. It worked until we use old version (grafana-7.5.11-2.el8.rpm) and post to the update, the databse connection not worked.

During graphite connection, I get the error “origin not allowed”. also Attached here.

Could you please help us on fixing this issue…