grafana switch from http to https
W

3

17

I have a Grafana instance running successfully on my server. It runs on http without a problem. Now I want to switch from http to https. My grafana.ini is shown below:

#################################### Server ####################################
[server]
# Protocol (http or https)
protocol = https

# The ip address to bind to, empty will bind to all interfaces
http_addr = 0.0.0.0

# The http port  to use
http_port = 3000

# The public facing domain name used to access grafana from a browser
;domain = localhost

# Redirect to correct domain if host header does not match domain
# Prevents DNS rebinding attacks
;enforce_domain = false

# The full public facing url
;root_url = %(protocol)s://%(domain)s:%(http_port)s/

# Log web requests
;router_logging = false

# the path relative working path
;static_root_path = public

# enable gzip
;enable_gzip = false

# https certs & key file
cert_file = /usr/local/ssl/crt/certificate.cer
cert_key = /usr/local/ssl/private/private_key.key
Welker answered 10/10, 2016 at 11:2 Comment(5)
Have you checked the grafana log output? - Gaudy
@Gaudy sadly the log shows nothing. - Welker
As in, it's completely empty? I don't see any issue with your config, as long as the paths to the cert files are valid and the user grafana-server runs as can read them it should work. - Gaudy
@Gaudy no, they are not empty, but there is nothing which would relate to my problem. Hm, OK, I will check that. - Welker
@BitcoinMurderousManiac yes, I got it working. Sorry that I forgot to mark the question as solved -> fixed that. - Welker
B
13

The above configuration may have a problem: after changing the grafana.ini file the "grafana-server" service will not start again.

Here's how I solved my problem:

  1. Change grafana.ini as mentioned above.
  2. Copy the certificate files (pem, crt and key) to /etc/grafana.
  3. Change the file permissions of the certificate files to 644 (go+r) and the owner to root:root.

After that the grafana service will work properly in HTTPS mode.

Barraza answered 19/9, 2017 at 19:38 Comment(4)
If you update the cert, don't forget to restart the grafana server. - Grindstone
You literally saved my life :D I had the same error with the certificates. Another thing to mention: remember to uncomment the lines in the grafana.ini file. Uncomment = remove the ; at the beginning of the lines. Took me half an hour to figure that one out... - Dysphagia
By the way, restart the Grafana server with sudo service grafana-server restart, as Hernán Eche already said. - Dysphagia
Caution! This is a very dangerous solution. Unfortunately, there doesn't seem to be a viable way to secure Grafana out of the box, and I cannot secure different URLs with different certificates, both of which are very sad. I will revert my SSL settings and try this one: community.grafana.com/t/grafana-https-configuration/524/13 (so I can have Apache handle SSL). - Jessie
J
2

So, as I mentioned in a comment above, I tried it with Apache2 and a proxy as given here in the Grafana community and it worked for me, although I had to fiddle a bit to finally get it working. I'll cover that here.

The basic idea is to keep your keys/certificates safely in their /etc/ssl/... directories while the Grafana instance is configured with plain old HTTP on port 3000 with only local access. Apache then provides a proxy that can be properly configured for SSL/TLS and handles communication between Grafana's server and clients.

Take the following steps, which differ from OS to OS, so I only provide a generic phrase and no specific commands or file paths.

  1. Install Apache2
  2. Enable modules ssl, headers, proxy, proxy_http, rewrite
  3. Create a configuration file for Grafana with the following content (I only include the necessary bits, feel free to follow the above link for more on automatic redirection from HTTP and such):
<IfModule mod_ssl.c>
  <VirtualHost *:443>
    # change the following fields according to your setup
    ServerName grafana.domain.tld
    ServerAdmin [email protected]

    SSLCertificateFile /etc/ssl/certs/certificate.cer
    SSLCertificateKeyFile /etc/ssl/private/private_key.key
    SSLEngine on

    ProxyPreserveHost on
    ProxyPass / http://127.0.0.1:3000/
    ProxyPassReverse / http://127.0.0.1:3000/
  </VirtualHost>
</IfModule>
  4. Enable the site you just created a config file for.
  5. Restart or reload Apache.

Hope this helps. Stay safe... and secure ;)

Jessie answered 26/7, 2022 at 13:54 Comment(0)
P
1

I suggest giving the certificate and key files the same permissions as the other files under /etc/grafana: chgrp grafana ; chmod 640

Pennipennie answered 28/12, 2020 at 20:28 Comment(0)
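
The permission settings discussed in the answers above (644 with root:root versus chgrp grafana and chmod 640) can be compared with a small audit function that reports whether the service account can read the key and whether other local users can too. This is an added example, not part of any answer on this page; it assumes Linux with GNU stat and a service user and group both named grafana, and the function name check_key_mode is hypothetical.

```shell
#!/bin/sh
# Added example: audit a TLS private key that grafana-server must read.
# Assumptions: Linux with GNU stat; the service user and group are both
# named "grafana" (override with arguments 2 and 3).

# check_key_mode FILE [SVC_USER] [SVC_GROUP]
# Prints one finding per line; returns 0 only if the service account can
# read the key and "other" has no access to it.
check_key_mode() {
    key=$1
    svc_user=${2:-grafana}
    svc_group=${3:-grafana}
    rc=0

    if [ ! -f "$key" ]; then
        echo "FAIL: $key does not exist"
        return 2
    fi

    mode=$(stat -c '%a' "$key")      # octal mode, e.g. 640
    owner=$(stat -c '%U' "$key")
    group=$(stat -c '%G' "$key")

    # The leading 0 makes the shell read the mode as an octal number.
    u_bits=$(( (0$mode >> 6) & 7 ))
    g_bits=$(( (0$mode >> 3) & 7 ))
    o_bits=$(( 0$mode & 7 ))

    # A private key must not be accessible to "other" (644 fails here).
    if [ "$o_bits" -ne 0 ]; then
        echo "FAIL: mode $mode lets any local user access the private key"
        rc=1
    fi

    # The service needs read access as owner or as group; without it
    # grafana-server cannot load the key.
    if [ "$owner" = "$svc_user" ] && [ $(( u_bits & 4 )) -ne 0 ]; then
        echo "OK: readable by owner $owner"
    elif [ "$group" = "$svc_group" ] && [ $(( g_bits & 4 )) -ne 0 ]; then
        echo "OK: readable by group $group"
    else
        echo "FAIL: $svc_user cannot read $key (owner $owner, group $group, mode $mode)"
        rc=1
    fi
    return $rc
}

# Run as a script: ./check_key_mode.sh /etc/grafana/private_key.key
if [ "$#" -gt 0 ]; then check_key_mode "$@"; fi
```

A key at mode 644 is reported as readable by the service but fails the "other" check, while 640 with the service group passes both.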
