Running Grafana behind a reverse proxy when TLS termination occurs at the load-balancer

Evening. I have Grafana running on a Kubernetes cluster behind a reverse-proxy. TLS termination occurs at the load balancer level, so no certs are set locally. The root_url is left as default and all is currently working fine using the standard login portal.

We now want to incorporate Azure AD via OAuth to allow users to use their MS email to log in. This requires a redirect URL that must use https. After setting up AD I see that authentication occurs successfully but the redirect URI generated in the response by Grafana uses the root_url which is - and obviously not reachable from the internet.

If I change root_url to our actual domain (which uses https) then the Grafana container backs off and refuses to start because no cert file and key are set locally.

How is it best to configure Grafana to run behind a reverse proxy with TLS termination?

You need to provide a reproducible example - you have many unknown variables, e.g. the Docker image used, Grafana version, error message, …

Configuring Grafana behind a reverse proxy with TLS termination is a common setup. To achieve this, follow these steps:

  1. Ensure that the latest reverse proxy handles TLS termination correctly and has a valid SSL certificate for your domain.
  2. In Grafana, set the root_url to your actual domain (e.g., so that the redirect URL for Azure AD OAuth is correct.
  3. To handle HTTPS within the Grafana container, you can use environment variables to specify the path to your SSL certificate and key files. For example:

  4. Make sure the SSL certificate and key files are accessible within the Grafana container.
  5. Restart the Grafana service to apply the new configuration.

This setup should allow you to use Azure AD OAuth with Grafana behind a reverse proxy that handles TLS termination. Ensure proper permissions and file paths are set for the SSL certificate and key files.
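
For reference, a `grafana.ini` sketch for the scenario in the question, where TLS ends at the load balancer and the pod itself serves plain HTTP. This is an added example, not taken from any post in this thread. The hostname `grafana.example.com` and the `<TENANT_ID>`, `<CLIENT_ID>` and `<CLIENT_SECRET>` values are placeholders. Grafana reads `cert_file` and `cert_key` only when `protocol = https`, so the external URL and the listener protocol are set independently.

```ini
# Added example (placeholders throughout); adjust to your deployment.
# In Kubernetes the same keys can be supplied as environment variables,
# e.g. GF_SERVER_ROOT_URL, GF_SERVER_PROTOCOL, GF_SECURITY_COOKIE_SECURE.

[server]
# What the Grafana process itself listens on inside the pod.
# The load balancer terminates TLS, so this stays plain HTTP and
# no cert_file / cert_key is needed in the container.
protocol = http
http_port = 3000

# The externally visible address. Grafana builds OAuth redirect URIs
# from this value, so it must be the public https URL.
domain = grafana.example.com
root_url = https://grafana.example.com/

# For comparison: protocol = https would make Grafana terminate TLS
# itself and require the two settings below to exist in the container.
;protocol = https
;cert_file = /path/to/cert.pem
;cert_key = /path/to/key.pem

[security]
# Browsers reach Grafana over HTTPS, so session cookies should carry
# the Secure flag even though the pod listens on HTTP.
cookie_secure = true

[auth.azuread]
enabled = true
name = Azure AD
client_id = <CLIENT_ID>
client_secret = <CLIENT_SECRET>
scopes = openid email profile
auth_url = https://login.microsoftonline.com/<TENANT_ID>/oauth2/v2.0/authorize
token_url = https://login.microsoftonline.com/<TENANT_ID>/oauth2/v2.0/token
# Register this redirect URI in the Azure app registration:
#   https://grafana.example.com/login/azuread
```

With this layout the hop between load balancer and pod is unencrypted, so it should stay on a trusted network segment or be protected separately.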