So I read: The Reverse Proxy Documentation
And although I followed what it says there I had a hard time getting reverse proxy to work. Basically because I missed a ‘/’ in the Apache configuration.
The situation at hand:
- Internet facing server/router reachable by https://grafana.myserver.com
(correct certificates available on that server). Apache installed reverse proxy rules in use
- A local server running Grafana on the same LAN reachable by http://mini-server.my.lan:3000
<VirtualHost *:443> ServerName grafana.myserver.com DocumentRoot /var/www/virtual/grafana.myserver.com/html ErrorLog /var/www/virtual/grafana.myserver.com/logs/grafana.myserver.com_error_log CustomLog /var/www/virtual/grafana.myserver.com/logs/grafana.myserver.com_access_log combined SSLEngine on SSLCertificateFile /etc/letsencrypt/live/grafana.myserver.com/cert.pem SSLCertificateKeyFile /etc/letsencrypt/live/grafana.myserver.com/privkey.pem SSLCertificateChainFile /etc/letsencrypt/live/grafana.myserver.com/chain.pem # No weak export crypto allowed SSLHonorCipherOrder on SSLProtocol all -SSLv2 -SSLv3 -TLSv1 SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!3DES:!aNULL:!MD5 SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown downgrade-1.0 force-response-1.0 #Starts here ReWriteEngine on ProxyPass "/" "http://mini-server.my.lan:3000/" ProxyPassReverse "/" "http://mini-server.my.lan:3000/" #Ends here </VirtualHost>
My grafana.conf :
# The public facing domain name used to access grafana from a browser domain = grafana.myserver.com # Redirect to correct domain if host header does not match domain # Prevents DNS rebinding attacks ;enforce_domain = false # The full public facing url you use in browser, used for redirects and emails # If you use reverse proxy and sub path specify full url (with sub path) root_url = https://%(domain)s/
Of course it would have been better to use Nginx or HAProxy but my server is already running Apache, so I wanted to use that. Maybe others can benefit from this too.