Redirect loop on /grafana/login

Hello,

I installed grafana 8.5.3 behind a proxy reverse and in a subdirectory, it works well.
But when I run https://www.domain.com/grafana, I’m redirected to https://www.domain.com/grafana/login for ever. (stopped after 50 loops).

Here the log :

...
logger=context traceID=00000000000000000000000000000000 userId=0 orgId=0 uname= t=2022-05-20T17:15:31.13+0200 lvl=info msg="Request Completed" method=GET path=//login status=302 remote_addr=127.0.0.1 time_ms=0 d
uration=574.839µs size=61 referer= traceID=00000000000000000000000000000000
logger=context traceID=00000000000000000000000000000000 userId=0 orgId=0 uname= t=2022-05-20T17:15:31.15+0200 lvl=info msg="Request Completed" method=GET path=//login status=302 remote_addr=127.0.0.1 time_ms=0 d
uration=435.698µs size=61 referer= traceID=00000000000000000000000000000000
...

Here the configuration:

pp_mode = production

[paths]
data = /var/lib/grafana

logs = /var/log/grafana

[server]
protocol = https

http_addr = 127.0.0.1

http_port = 3000

domain = www.domain.com

# Redirect to correct domain if host header does not match domain
# Prevents DNS rebinding attacks
;enforce_domain = false

root_url = https://www.domain.com/grafana

serve_from_sub_path = true

router_logging = false

enable_gzip = true

# https certs & key file
cert_file = /etc/letsencrypt/live/domain.com/fullchain.pem
cert_key  = /etc/letsencrypt/live/domain.com/privkey.pem

nginx config :

    location /grafana {
        proxy_set_header Host $http_host;
        proxy_pass https://127.0.0.1:3000/;
    }

    # Proxy Grafana Live WebSocket connections.
    location /grafana/api/live {
    	rewrite  ^/(.*)  /$1 break;
	    proxy_http_version 1.1;
	    proxy_set_header Upgrade $http_upgrade;
	    proxy_set_header Connection $connection_upgrade;
	    proxy_set_header Host $http_host;
	    proxy_pass https://127.0.0.1:3000/;
    }

And a test with curl :

curl -IL https://www.domain.com/grafana

HTTP/2 302 
server: nginx
date: Fri, 20 May 2022 15:28:47 GMT
content-type: text/html; charset=utf-8
cache-control: no-cache
expires: -1
location: /grafana/login
pragma: no-cache
set-cookie: redirect_to=%2Fgrafana%2F; Path=/grafana; HttpOnly; Secure
x-content-type-options: nosniff
x-frame-options: deny
x-xss-protection: 1; mode=block

HTTP/2 302 
server: nginx
date: Fri, 20 May 2022 15:28:47 GMT
content-type: text/html; charset=utf-8
cache-control: no-cache
expires: -1
location: /grafana/login
pragma: no-cache
set-cookie: redirect_to=%2Fgrafana%2F%2Flogin; Path=/grafana; HttpOnly; Secure
x-content-type-options: nosniff
x-frame-options: deny
x-xss-protection: 1; mode=block

...

Thanks for your help!

try using this for root url
root_url = %(protocol)s://%(domain)s:%(http_port)s/grafana/

see this config as a reference:

My guess: proxy pass needs also used path, so:

proxy_pass https://127.0.0.1:3000/grafana/;
proxy_pass https://127.0.0.1:3000/;

replace with

proxy_pass https://127.0.0.1:3000;

Last slash makes Grafana mad.

Do not blindly guess. %(protocol)s is not a magic spell, it’s just a template. It does not matter if the string is a constant string or a template to be rendered to a string

Same problem here. Is there a solution? What do the cookies do?

Note that the behavior of serve_from_sub_path = true in grafana.ini seems to have changed in 10.x.

I’d previously had a working setup with 9.something, Apache 2.4.x, a ProxyPass reverse proxy setup, and serve_from_sub_path = true. After upgrading to 10.x, I needed to comment this out (reverting it to its default of false) in order to stop the endless redirect loop. Nothing else about the Apache configuration was changed, or needed to be changed.

I don’t claim to understand what this setting does, except that #70110 on GitHub mentions it (specifically this comment), and altering my config back to the default allowed me to reach our Grafana site again.

1 Like

Thanks! I just upgraded from 8.6 to 12.x and this was the solution!!