WebSocket connection fails (Apache2 reverse proxy, sub-path)

Grafana Configuration
1

System setup

Debian 11 bullseye
Grafana 11.1.0
Apache 2.4.59

I am using Apache as a reverse proxy for Grafana. It is served from a sub-path.

Problem

I keep getting a WebSocket connection failure in the Browser console.

The Grafana logs look like this:

Jul 03 11:21:48 ... grafana[6215]: logger=context userId=... level=info msg="Request Completed" method=GET path=/api/live/ws status=400 remote_addr=... referer= handler=/api/live/ws status_source=server

The Apache logs look like this:

127.0.0.1:443 192.168.52.2 - ... [03/Jul/2024:11:24:55 +0200] "GET /grafana/api/live/ws HTTP/1.1" 400 416 "-" "<user agent info>"

Config

I know that the reverse proxy needs to be configured properly to pass along the WebSockets connection, but I can’t get it to work.

Here what I attempted in my Apache configuration:

<IfModule mod_ssl.c>
<VirtualHost *:443>
        SSLCertificateFile ....pem
        SSLCertificateKeyFile ....key

        Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"

        SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
        SSLHonorCipherOrder on
        SSLCipherSuite          ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS
        SSLHonorCipherOrder     on
        SSLCompression          off
        SSLOptions +StrictRequire
        SSLProxyEngine on
        SSLProxyCheckPeerCN off

        <Proxy https://localhost:3000>
                AuthType Basic
                AuthName "..."
                AuthBasicProvider ldap
                AuthLDAPUrl ldaps://...
                AuthGroupFile "/etc/.htaccess.groups"
                Require group GRAFANA
                RewriteEngine On
                RewriteRule .* - [E=PROXY_USER:%{LA-U:REMOTE_USER},NS]
                RequestHeader set X-WEBAUTH-USER "%{PROXY_USER}e"
        </Proxy>

        # This is my attempt to handle the WebSockets requests:
        RewriteEngine On
        RewriteCond %{HTTP:Connection} upgrade [NC]
        RewriteCond %{HTTP:Upgrade}    websocket [NC]
        RewriteRule /grafana/(.*)      ws://localhost:3000/grafana/$1 [P,L]

        ProxyPass /grafana https://localhost:3000/grafana
        ProxyPassReverse /grafana https://localhost:3000/grafana

        <Location /grafana>
                RequestHeader unset Authorization
        </Location>
</VirtualHost>
</IfModule>

The grafana.ini should be configured properly. Here is the server section:

[server]
protocol = https
http_addr = 127.0.0.1
http_port = 3000
domain = ...
root_url = %(protocol)s://%(domain)s:%(http_port)s/grafana/
serve_from_sub_path = true
cert_file = ....pem
cert_key = ....key

Please let me know, if I should provide any other information.

2

I’ve got the same problem. Seemingly happens since a grafana update via package manager some weeks ago