Securing grafana locally

Truly just a few quick questions… with a lot of words…

I have a small grafana server running locally on my host PC with prometheus, ohmgraphite and windows exporter. I’m trying REALLY hard to understand the innerworkings of how to go about securing this now (if it’s even necessary?). The ports associated with each exporter or service (I set everything up to run as a windows service) do not send outbound packets or data, right? Only to grafana, which also sends nothing outbound? So realistically, “securing” grafana on a somewhat decently secured soho network with no VM’s and everything ran locally should only consist of setting up rules within the firewall to idk like make those ports only communicate with grafana and nothing else, setting up IP filtering, etc?

I ask because not only do I not know THAT much about server security, or network security in general, but I honestly can’t seem to find ANYYYYYYYYYYYYYYYYYYYYYYYYYYYYTHING about how ANYONEEEEEEE in my shoes secured their instance of grafana because it seems everyone runs this all on VM’s and large corporate networks. I understand my device is connected to the internet, but locally what else should be done to further secure this?

Also, does the data source proxy even pertain to anything within a localhost environment? With virtually no easy to read rules elaborating on it’s true purpose other than how to vaguely set it up and what it briefly does, it’s hard to understand if that’s a “general security practice” that’s viewed as a no-brainer to all of those with a configured grafana instance or something that should be done in a corporate environment with all of their devices ran through.

If prometheus is my only data source with windows exporter and ohmgraphite alongside and everthing is being scraped and sent for grafana to snatch and view, should I really only be worried about jamming some firewall down it’s tube?

Appreciate all the help and sorry for the long winded post, I’m just actually stunned that I can’t seem to find anything related to this.


Hi @grindfatherrr,

Welcome to the :grafana: community support forums !!

So, the best way (while using the Grafana OSS version locally) to secure it is to:

1- Use Firewall for ports (can use Windows own Firewall service or any other 3rd party ones)

2- Use SSL to sure the Grafana page on the web server.

3- Run the webserver behind a proxy server (very common nowadays e.g. Nginx).

4- Disable anonymous users (if you do not want to share any data)

5- Create user roles (or better teams or Org) if you want to give access to others

6- Create strong passwords.

8- Backup your Grafana Database regularly (can create e.g. script for it)

This is I think a good starting point to secure it on a basic level. Of course, there are more advanced ways to secure it but I do not know them that well :slight_smile:

In case, if security is extremely important for you then can recommend using Grafana Cloud (but it is not free).

I hope this helps.

Thank you so much for this response! :slight_smile:


Have you in the past secured a server?
And is this your first time working with grafana and the other grafana stacks?

Hi! Looking further into this and taking a look at nginx, I am not running this on docker (just locally) and nginx appears to require docker… Can I just manually create an SSL token and edit the grafana ini? Would I then have to manually forward grafana traffic from 80 to 443 for https? I just find it annoying I need all of these external programs for authentication and security when I have like 4 small things locally lmao.

I think I’m just over my head trying to understand all of this O:

1 Like

Hi! This would be my first for both grafana and configuring some security!

On the topics of proxy servers, do I need to bounce stuff out to docker for stuff like nginx? I’m truly having issues understanding what needs to be done to configure certain things. There’s not a ton of documentation and what is available makes it seem like all of this should be deployed on massive networks lmao. I just have it all running as windows services and trying to parse all of the linux CLI forums to find virtually no windows questions is quite disheartening.

I think I’m just lost at this point.

Yeah keep it simple. You are trying to absorb all these stacks when you just want to learn grafana .

Crawl before you walk.

One stack at a time.