How to set up Grafana HTTPS for secure web traffic

Hi everyone! I’m struggling to configure Grafana to work via https. I have certificates generated by Let’s Encrypt, and grafana.ini configured like this:

[server]
# Protocol (http or https)
protocol = https

# The ip address to bind to, empty will bind to all interfaces
;http_addr =

# The http port  to use
http_port = 3000

# The public facing domain name used to access grafana from a browser
domain = localhost

# Redirect to correct domain if host header does not match domain
# Prevents DNS rebinding attacks
enforce_domain = false

# The full public facing url you use in browser, used for redirects and emails
# If you use reverse proxy and sub path specify full url (with sub path)
root_url = http://grafana.staged-by-discourse.com

# Log web requests
router_logging = false

# the path relative working path
static_root_path = public

# enable gzip
enable_gzip = false

# https certs & key file
cert_file = /etc/letsencrypt/live/mysite/fullchain.pem
cert_key = /etc/letsencrypt/live/mysite/privkey.pem

My openHAB is running on port 443, so the question is: is it possible to run both Grafana and openHAB on HTTPS?

2 Likes

you can run https on any port

root_url = http://grafana.staged-by-discourse.com

This should be the URL you want to use in the browser, so https://my_certified_domain:3000 (if you want to use port 3000 for https).

This config leads to an error: grafana-server fails to start.

  [server]
    # Protocol (http or https)
    protocol = https

    # The ip address to bind to, empty will bind to all interfaces
    ;http_addr =

    # The http port  to use
    #http_port = 3000

    # The public facing domain name used to access grafana from a browser
    #domain = localhost

    # Redirect to correct domain if host header does not match domain
    # Prevents DNS rebinding attacks
    #enforce_domain = false

    # The full public facing url you use in browser, used for redirects and emails
    # If you use reverse proxy and sub path specify full url (with sub path)
    root_url = https://localhost:3000

    # Log web requests
    #router_logging = false

    # the path relative working path
    #static_root_path = public

    # enable gzip
    #enable_gzip = false

    # https certs & key file
    cert_file = /etc/letsencrypt/live/mysite/fullchain.pem
    cert_key = /etc/letsencrypt/live/mysite/privkey.pem

Is there someone who has done this kind of thing?

UPD: in the Grafana log file I found

t=2017-04-13T14:48:42+0000 lvl=info msg="Initializing HTTP Server" logger=http.server address=0.0.0.0:3000 protocol=https subUrl=
t=2017-04-13T14:48:42+0000 lvl=eror msg="Fail to start server" logger=server error="open /etc/letsencrypt/live/mysite/fullchain.pem: permission denied"
t=2017-04-13T14:48:42+0000 lvl=info msg="Shutdown started" logger=server code=1 reason="Startup failed"

and that is weird, because

root@server:~# stat /etc/letsencrypt/live/mysite/fullchain.pem
  File: ‘/etc/letsencrypt/live/mysite/fullchain.pem’ -> ‘../../archive/mysite/fullchain1.pem’
  Size: 48              Blocks: 0          IO Block: 4096   symbolic link
Device: b302h/45826d    Inode: 517147      Links: 1
Access: (0777/lrwxrwxrwx)  Uid: (    0/    root)   Gid: (    0/    root)
Access: 2017-04-10 11:38:32.720709836 +0000
Modify: 2017-04-10 11:38:32.720709836 +0000
Change: 2017-04-10 11:38:32.720709836 +0000
 Birth: -

Seems there is a permission problem.

The problem was solved by placing the certificate key file in the Grafana folder /etc/grafana/.

1 Like

Can someone help me with configuring HTTPS for Grafana? I am running Grafana as a Windows service on my local host.

How do I solve this permission error? Please help.

Placing the cert file in /etc/grafana is not a solution.

The solution that worked for me is to copy the cert and private key to some other location (like /opt or something) and set the same path in grafana.ini.
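The copies above work until the next Let's Encrypt renewal, after which Grafana keeps serving the old files; the error itself comes from Grafana's unprivileged service user not being allowed into /etc/letsencrypt/archive, where the live/ symlinks point. As an added example (not from this thread), here is a certbot deploy hook in POSIX sh that redoes the copy after every renewal with permissions Grafana's own user can read; it assumes Grafana runs as user/group grafana and uses /etc/grafana/certs as a placeholder destination.

```shell
#!/bin/sh
# Added example, not from the thread: a certbot deploy hook that copies the
# renewed Let's Encrypt files to a directory the Grafana service user can read.
# The symlinks in /etc/letsencrypt/live point into /etc/letsencrypt/archive,
# which Grafana's unprivileged user cannot enter (the "permission denied" above).
# A manual copy works once but goes stale at the next renewal; this hook
# redoes it every time. Assumes Grafana runs as user/group "grafana" (the
# package default); /etc/grafana/certs is a placeholder destination.
set -eu

# install_grafana_cert <lineage_dir> <dest_dir> [group]
# Copies fullchain.pem and privkey.pem (resolving the live/ symlinks) with the
# chain world-readable and the key readable only by root and <group>.
install_grafana_cert() {
    lineage=$1
    dest=$2
    group=${3:-grafana}
    mkdir -p "$dest"
    chmod 0750 "$dest"
    # install(1) reads through the symlink and sets the mode explicitly,
    # so the result does not depend on the current umask
    install -m 0644 "$lineage/fullchain.pem" "$dest/fullchain.pem"
    install -m 0640 "$lineage/privkey.pem" "$dest/privkey.pem"
    # chown only when running as root (as certbot does); an unprivileged
    # run keeps the caller's ownership so the function can be tried safely
    if [ "$(id -u)" -eq 0 ]; then
        chown "root:$group" "$dest" "$dest/fullchain.pem" "$dest/privkey.pem"
    fi
    # never leave a world-readable private key behind
    if [ -n "$(find "$dest/privkey.pem" -perm -004)" ]; then
        echo "refusing: $dest/privkey.pem is world-readable" >&2
        return 1
    fi
    return 0
}

# Install as /etc/letsencrypt/renewal-hooks/deploy/grafana.sh (executable).
# certbot runs it after each renewal with RENEWED_LINEAGE set to
# /etc/letsencrypt/live/<name>; Grafana reads the new files on restart.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    install_grafana_cert "$RENEWED_LINEAGE" /etc/grafana/certs grafana
    systemctl restart grafana-server
fi
```

After the first run, point cert_file at /etc/grafana/certs/fullchain.pem and cert_key at /etc/grafana/certs/privkey.pem in grafana.ini.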

Do you need help? It sounds like you have already figured this out?

Thanks for reply.

But I have solved the issue.

Thanks again.

Hi @torkel ,

My Grafana works perfectly with HTTPS; the only thing is, when I try to check this using an online tool it shows

“The certificate is not trusted in all web browsers. You may need to install an Intermediate/chain certificate to link it to a trusted root certificate.”

I have verified the same certificate by placing a test site with the same binding in IIS, and then it does not show any chain issue. But I don’t know why it is showing for the Grafana site. Are there any configs we need to do for CA and intermediate certs in the Grafana config? All these certificates are installed in the server’s cert repository.

Thanks.

Hi,

I resolved it by pointing the cert path to the certificate bundle.pem file.

Thanks.
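The chain warning above comes from a cert_file that holds only the leaf certificate: a browser that has not cached the intermediate cannot link it to a root, while a server whose store already has the intermediate installed (as with the IIS test) shows no problem. As an added example (not from this thread), this POSIX sh function checks a PEM bundle offline the way a fresh client would, using only the intermediates inside the file plus a root you name; it assumes the openssl CLI is installed and that the first certificate in the file is the leaf, which is the order certbot writes fullchain.pem.

```shell
#!/bin/sh
# Added example, not from the thread: does a PEM bundle (Grafana's cert_file,
# Apache's SSLCertificateFile) carry a COMPLETE chain, i.e. the leaf plus the
# intermediates needed to reach a trusted root? A browser that has no cached
# intermediate fails when the file holds only the leaf, which is the
# "install an Intermediate/chain certificate" warning. Needs the openssl CLI.
set -eu
# check_chain <bundle.pem> <trusted-root.pem>
# Returns 0 when the leaf verifies against the root using only the
# intermediates shipped inside the bundle, 1 otherwise.
check_chain() {
    bundle=$1
    root=$2
    work=$(mktemp -d)
    # Split the bundle: cert-1.pem is the leaf, cert-2.pem onwards intermediates.
    awk -v dir="$work" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = dir "/cert-" n ".pem" }
        out { print > out }' "$bundle"
    count=0
    for f in "$work"/cert-*.pem; do
        if [ -e "$f" ]; then count=$((count + 1)); fi
    done
    if [ "$count" -eq 0 ]; then
        rm -rf "$work"; echo "no certificate found in $bundle" >&2; return 1
    fi
    # Collect the intermediates (if any) into one file for -untrusted.
    i=2; : > "$work/intermediates.pem"
    while [ "$i" -le "$count" ]; do
        cat "$work/cert-$i.pem" >> "$work/intermediates.pem"; i=$((i + 1))
    done
    # openssl rejects an empty -untrusted file, so pass it only when the
    # bundle holds more than the leaf.
    if [ "$count" -ge 2 ]; then
        set -- -CAfile "$root" -untrusted "$work/intermediates.pem"
    else
        set -- -CAfile "$root"
    fi
    if openssl verify "$@" "$work/cert-1.pem" >/dev/null 2>&1; then
        status=0
    else
        status=1
    fi
    rm -rf "$work"
    return "$status"
}
```

On Debian-based systems the root store /etc/ssl/certs/ca-certificates.crt (root CAs only, no intermediates) is a suitable second argument, e.g. check_chain /etc/letsencrypt/live/mysite/fullchain.pem /etc/ssl/certs/ca-certificates.crt.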

How do I create a .pem file?

Hi,

You can manage SSL (https) with Apache without modifying anything in your Grafana installation.

This is very useful if you want Grafana to be accessible from the Internet without using a port number.

My Grafana server is accessible with this kind of URL: https://grafana.domain.tld, but it is still using port 3000 internally on the server.

The only thing you have to do is to use this Apache vhost and replace “grafana.domain.tld” with your subdomain or domain (if Grafana is directly accessible with domain.tld).

<VirtualHost *:80>
    ServerName grafana.domain.tld
    ServerAdmin me@mydomain.tld
    RewriteEngine On
    RewriteRule ^(.*)$ https://%{HTTP_HOST}$1 [redirect=301]
</VirtualHost>

<IfModule mod_ssl.c>
    <VirtualHost *:443>
        ServerName grafana.domain.tld
        ServerAdmin me@mydomain.tld

        # Use HTTP Strict Transport Security to force client to use secure connections only.
        Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
        # Referer logging is used to allow websites and web servers to identify where people are visiting them from, for promotional or statistical purposes.
        Header always set Referrer-Policy "no-referrer"

        SSLCertificateFile /etc/letsencrypt/live/grafana.domain.tld/fullchain.pem
        SSLCertificateKeyFile /etc/letsencrypt/live/grafana.domain.tld/privkey.pem

        SSLEngine on
        SSLProtocol all -TLSv1 -TLSv1.1 -SSLv2 -SSLv3
        SSLHonorCipherOrder on
        SSLCompression off
        SSLOptions +StrictRequire
        SSLCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256

        ProxyPreserveHost On
        ProxyPass / http://127.0.0.1:3000/
        ProxyPassReverse / http://127.0.0.1:3000/
    </VirtualHost>
</IfModule>

Here is how this Virtual Host works:

  • If someone tries to access http://grafana.domain.tld, the user will be redirected to https://grafana.domain.tld. This could be improved by rewrite rules to cover any http requested URL…

  • If someone types https://grafana.domain.tld, Apache will deal with the Let’s Encrypt certificate (so your Grafana access is secure) but internally Apache will still call http://127.0.0.1:3000.

That’s clean, secure and you can use this for a lot of other software than Grafana.

Enjoy :slight_smile:

4 Likes

You can still improve your TLS security:

  • disable insecure TLS versions (-TLSv1 -TLSv1.1) unless you have to support them
  • disable SSL session tickets (SSLSessionTickets off) to ensure Perfect Forward Secrecy

It is also good to mention that your cipher list supports only modern clients. Some older clients won’t be able to connect; the oldest compatible clients are Firefox 27, Chrome 30, IE 11 on Windows 7, Edge, Opera 17, Safari 9, Android 5.0, and Java 8.

A good reference for secure TLS configuration is ssl-config.mozilla.org.

1 Like

In my case this caused a browser error “SSL_ERROR_RX_UNEXPECTED_NEW_SESSION_TICKET”.

Anyway, I get A+ with this test: SSL Server Test (Powered by Qualys SSL Labs)

Yup this worked for me … Thanks !!

1 Like

When I have the *.conf file ready, where do I execute the include within the httpd.conf file?
Thanks

Hi,

What is your OS and version?
What is your web server and version?
How do you want to access Grafana? grafana.domain.tld?

CentOS 7
Apache 2.4.41 (cPanel)
I would like to access Grafana using subdomain.domain.report without using port number 3000.
It is currently running on port number 3000.

Sorry, I’m not familiar with CentOS because I work with Debian; anyway there is a good doc here: How To Install the Apache Web Server on CentOS 7 | DigitalOcean

That’s a good thing. The trick is not to modify Grafana ports but to create an Apache vhost that says “if someone asks for https://subdomain.domain.report from the Internet then I will handle the SSL (https) and redirect the request internally to http://127.0.0.1:3000/”.

This part of the vhost file does the trick:

ProxyPass / http://127.0.0.1:3000/
ProxyPassReverse / http://127.0.0.1:3000/

You have to create the vhost file

sudo vi /etc/httpd/sites-available/subdomain.domain.report.conf

Now that you have created the virtual host files, you will enable them so that Apache knows to serve them to visitors. To do this, create a symbolic link for each virtual host in the sites-enabled directory:

sudo ln -s /etc/httpd/sites-available/subdomain.domain.report.conf /etc/httpd/sites-enabled/subdomain.domain.report.conf

Then you can restart Apache

sudo systemctl restart httpd

I hope this will help

1 Like