Question about forcing HTTPS traffic with Grafana

Hello,

I’m not sure if this is the right place to ask and not sure if anybody would know this, but when you specify protocol = https in grafana.ini, how does that actually work and force HTTPS traffic? Does grafana create some type of Apache config file from there?

I’m just curious on how this actually works.

Thanks!

1 Like

If you configure Grafana to use HTTPS it will only respond to HTTPS requests. If you want to be able to listen on both HTTP & HTTPS and redirect HTTP requests to use HTTPS then you need to use a reverse proxy setup. http://docs.grafana.org/installation/behind_proxy/

1 Like

Right, but my question was more towards the actual inner workings of how Grafana will force HTTPS traffic. Like stated in the initial post, I specify protocol = https and Grafana will magically start forcing HTTPS traffic without touching any web server config files? I’d just like to know how this works.

There is no magic, if you specify protocol=https then Grafana will expect clients to communicate with it using the HTTPS protocol (on port 3000). Any client trying to use http is going to encounter an SSL/TLS error.

An HTTPS redirect is achieved by having a server listen for HTTP on one port (80 by convention) and answer all requests with a Redirect header directing the user to submit the request to another port (443 by convention) via HTTPS.

Since Grafana will only ever listen on a single port, the concept of an HTTPS redirect does not apply.

1 Like

To clarify, this is handled at the Grafana service level rather than with any web server configs?

Thanks a ton!

Grafana does not do any HTTP-to-HTTPS redirect, it accepts either HTTP or HTTPS requests based on your config setting.

If you want to have an HTTP-to-HTTPS redirect you need to use a reverse proxy like the Nginx setup I linked above in front of Grafana.

Is there a place I can go to learn how to do that? I’m kinda new to this. Or do you have a few steps for me to learn?

Thanks

The link already given http://docs.grafana.org/installation/behind_proxy/
contains instructions.

Antony.

I added the certificate and the server only returns “Client sent an HTTP request to an HTTPS server.” errors.
Everything works if I add an s to the http of the proxy_pass http://127.0.0.1:3000.
Everything also works if I replace the http with the $scheme variable to keep the protocol used by the client.

    # Grafana
    rewrite ^/$ $scheme://$http_host/graph/;
    rewrite ^/graph$ /graph/;
    location /graph {
      proxy_cookie_path / "/;";
      proxy_pass http://127.0.0.1:3000; # <== Works with an `s` here, or with `$scheme` instead of `http`
      rewrite ^/graph/(.*) /$1 break;
      proxy_read_timeout 600;
    }

The problem is that this configuration (it’s a Percona PMM server) is outside the configuration volumes.