Hi,
I am trying to configure auth proxy on a server which is behind a reverse proxy (nginx) for the TV panel only. Users will need to log in to see the whole of Grafana.
Does anyone know how to configure it? I guess it should work with two domains like http://tv.example.com/ and https://example.com/.
If anybody has a hint I will be grateful.
I also saw these pages: https://grafana.com/docs/grafana/latest/auth/auth-proxy/
https://docs.nginx.com/nginx/admin-guide/security-controls/configuring-http-basic-authentication/
How can I keep auth proxy and regular login both enabled?
My configs:
nginx/sites-enabled/default
    server {
        if ($host = foo.com) {
            return 301 https://$host$request_uri;
        } # managed by Certbot
    }
    server {
        listen 80;
        server_name tv.foo.com;
        location / {
            auth_basic "username";
            auth_basic_user_file /etc/nginx/.htpasswd;
            proxy_pass http://grafana.staged-by-discourse.com/;
            proxy_set_header X-WEBAUTH-USER $remote_user;
            proxy_set_header Authorization "";
            #proxy_redirect http://grafana.staged-by-discourse.com http://tv.foo.com;
        }
    }
    server {
        listen 443 ssl http2;
        server_name foo.com;
        root /usr/share/nginx/html;
        index index.html index.htm;
        ssl_protocols TLSv1.3;
        ssl_ciphers HIGH:!aNULL:!MD5;
        ssl_prefer_server_ciphers on;
        ssl_session_cache shared:SSL:10m;
        ssl_certificate /etc/letsencrypt/live/foo.com/fullchain.pem; # managed by Certbot
        ssl_certificate_key /etc/letsencrypt/live/foo.com/privkey.pem; # managed by Certbot
        location / {
            rewrite /(.*) /$1 break;
            proxy_pass http://grafana.staged-by-discourse.com/;
            proxy_redirect off;
            proxy_set_header Host $host;
        }
    }
grafana.ini
#################################### Auth Proxy ##########################
[auth.proxy]
enabled = true
header_name = X-WEBAUTH-USER
header_property = username
auto_sign_up = true
sync_ttl = 60
;whitelist = 192.168.1.1, 192.168.2.1
;headers = Email:X-User-Email, Name:X-User-Name
;enable_login_token = false
I would be grateful for any idea.
Thank you
I finally did it.
It works without a token at the moment, but I’m using https and adding an IP whitelist, so I don’t think it matters.
Note that certification of both domains is a standard procedure with certbot. Do not change any name or variable in grafana.ini, just remove the comments you see here.
I use two domains. One is for regular users who log in, the other is for TV panels to gain access to one dashboard. I restrict access using the user’s viewer role. The user is on a team that sees only one dashboard. The user in Grafana has the same name and password as the user in the .htpasswd file I created using apache2. The authentication proxy server automatically logs in to the TV using the login data from the file.
grafana.ini
#################################### Basic Auth ##########################
[auth.basic]
enabled = true
#################################### Auth Proxy ##########################
[auth.proxy]
enabled = true
header_name = X-WEBAUTH-USER
header_property = username
auto_sign_up = true
sync_ttl = 60
;whitelist = 192.168.1.1, 192.168.2.1
;headers = Email:X-User-Email, Name:X-User-Name
# Read the auth proxy docs for details on what the setting below enables
;enable_login_token = false
nginx /etc/nginx/sites-enabled/default
    server {
        listen 80;
        server_name userforlogin.foo.com;
        return 301 https://$server_name$request_uri;
    }
    server {
        listen 80;
        server_name tv.userforlogin.foo.com;
        return 301 https://$server_name$request_uri;
    }
    server {
        listen 443 ssl http2;
        server_name userforlogin.foo.com;
        root /usr/share/nginx/html;
        index index.html index.htm;
        ssl_protocols TLSv1.2 TLSv1.3;
        ssl_ciphers HIGH:!aNULL:!MD5;
        ssl_prefer_server_ciphers on;
        ssl_session_cache shared:SSL:10m;
        ssl_certificate /etc/letsencrypt/live/userforlogin.foo.com/fullchain.pem; # managed by Certbot
        ssl_certificate_key /etc/letsencrypt/live/userforlogin.foo.com/privkey.pem; # managed by Certbot
        location / {
            rewrite /(.*) /$1 break;
            proxy_pass http://grafana.staged-by-discourse.com/;
            proxy_redirect off;
            proxy_set_header Host $host;
        }
    }
    server {
        listen 443 ssl http2;
        server_name tv.userforlogin.foo.com;
        root /usr/share/nginx/html;
        index index.html index.htm;
        ssl_protocols TLSv1.2 TLSv1.3;
        ssl_ciphers HIGH:!aNULL:!MD5;
        ssl_prefer_server_ciphers on;
        ssl_session_cache shared:SSL:10m;
        ssl_certificate /etc/letsencrypt/live/tv.userforlogin.foo.com/fullchain.pem; # managed by Certbot
        ssl_certificate_key /etc/letsencrypt/live/tv.userforlogin.foo.com/privkey.pem; # managed by Certbot
        location / {
            proxy_pass http://grafana.staged-by-discourse.com/;
            proxy_buffering off;
            # Host is a bare host name; a trailing slash is not valid here
            proxy_set_header Host tv.userforlogin.foo.com;
            add_header X-uri UsernameOfYourUser;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;
            auth_basic off;
            proxy_set_header Authorization "";
            auth_basic_user_file /etc/nginx/.htpasswd;
            # fixed identity for the TV vhost; overrides any header the client sent
            proxy_set_header X-WEBAUTH-USER "UsernameOfYourUser";
        }
    }
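A check worth running on this layout, added here as example code (not from the thread, nginx or Grafana): with auth.proxy enabled, Grafana accepts X-WEBAUTH-USER from whatever reaches it, so every vhost that proxies to Grafana should set or clear that header, and the whitelist should name the proxy. The script lints both points against constructed copies of the two snippets above, trimmed to the relevant lines; it assumes only the directive and key names used in the thread.

```python
# Added example: lints an nginx site file and grafana.ini for the auth-proxy
# pitfalls. Configs below are constructed from the thread's snippets (trimmed).
import configparser
import re
NGINX_CONF = """server {
    server_name userforlogin.foo.com;
    location / {
        proxy_pass http://grafana.staged-by-discourse.com/;
    }
}
server {
    server_name tv.userforlogin.foo.com;
    location / {
        proxy_pass http://grafana.staged-by-discourse.com/;
        proxy_set_header X-WEBAUTH-USER "UsernameOfYourUser";
    }
}"""
GRAFANA_INI = """[auth.proxy]
enabled = true
header_name = X-WEBAUTH-USER
;whitelist = 192.168.1.1, 192.168.2.1
"""

def lint_nginx(conf, header="X-WEBAUTH-USER"):
    """server_names whose proxy_pass location never sets the auth-proxy
    header; nginx forwards client headers unless proxy_set_header overrides."""
    findings, name, in_loc = [], None, False
    pat = re.compile(r"proxy_set_header\s+" + re.escape(header) + r"\s", re.I)
    for line in conf.splitlines():
        line = line.split("#", 1)[0].strip()  # drop trailing comments
        if m := re.match(r"server_name\s+(\S+);", line):
            name = m.group(1)
        elif line.startswith("location "):
            in_loc, proxies, sets = True, False, False
        elif in_loc and line.startswith("proxy_pass "):
            proxies = True
        elif in_loc and pat.match(line):
            sets = True
        elif in_loc and line == "}":  # end of the location block
            in_loc = False
            if proxies and not sets:
                findings.append(name)
    return findings

def lint_grafana(ini):
    """True when [auth.proxy] is enabled with no whitelist (';' = comment)."""
    cp = configparser.ConfigParser()
    cp.read_string(ini)
    sec = cp["auth.proxy"]
    return sec.getboolean("enabled", fallback=False) and not sec.get("whitelist")
```

On the thread's configs this reports the login vhost as forwarding the header untouched and the auth.proxy section as having no whitelist; setting `proxy_set_header X-WEBAUTH-USER "";` on the login vhost and uncommenting `whitelist` with the proxy's address clears both findings.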