Redirect loop on /grafana/login

Hello,

I installed grafana 8.5.3 behind a proxy reverse and in a subdirectory, it works well.
But when I run https://www.domain.com/grafana, I’m redirected to https://www.domain.com/grafana/login for ever. (stopped after 50 loops).

Here the log :

...
logger=context traceID=00000000000000000000000000000000 userId=0 orgId=0 uname= t=2022-05-20T17:15:31.13+0200 lvl=info msg="Request Completed" method=GET path=//login status=302 remote_addr=127.0.0.1 time_ms=0 d
uration=574.839µs size=61 referer= traceID=00000000000000000000000000000000
logger=context traceID=00000000000000000000000000000000 userId=0 orgId=0 uname= t=2022-05-20T17:15:31.15+0200 lvl=info msg="Request Completed" method=GET path=//login status=302 remote_addr=127.0.0.1 time_ms=0 d
uration=435.698µs size=61 referer= traceID=00000000000000000000000000000000
...

Here the configuration:

pp_mode = production

[paths]
data = /var/lib/grafana

logs = /var/log/grafana

[server]
protocol = https

http_addr = 127.0.0.1

http_port = 3000

domain = www.domain.com

# Redirect to correct domain if host header does not match domain
# Prevents DNS rebinding attacks
;enforce_domain = false

root_url = https://www.domain.com/grafana

serve_from_sub_path = true

router_logging = false

enable_gzip = true

# https certs & key file
cert_file = /etc/letsencrypt/live/domain.com/fullchain.pem
cert_key  = /etc/letsencrypt/live/domain.com/privkey.pem

nginx config :

    location /grafana {
        proxy_set_header Host $http_host;
        proxy_pass https://127.0.0.1:3000/;
    }

    # Proxy Grafana Live WebSocket connections.
    location /grafana/api/live {
    	rewrite  ^/(.*)  /$1 break;
	    proxy_http_version 1.1;
	    proxy_set_header Upgrade $http_upgrade;
	    proxy_set_header Connection $connection_upgrade;
	    proxy_set_header Host $http_host;
	    proxy_pass https://127.0.0.1:3000/;
    }

And a test with curl :

curl -IL https://www.domain.com/grafana

HTTP/2 302 
server: nginx
date: Fri, 20 May 2022 15:28:47 GMT
content-type: text/html; charset=utf-8
cache-control: no-cache
expires: -1
location: /grafana/login
pragma: no-cache
set-cookie: redirect_to=%2Fgrafana%2F; Path=/grafana; HttpOnly; Secure
x-content-type-options: nosniff
x-frame-options: deny
x-xss-protection: 1; mode=block

HTTP/2 302 
server: nginx
date: Fri, 20 May 2022 15:28:47 GMT
content-type: text/html; charset=utf-8
cache-control: no-cache
expires: -1
location: /grafana/login
pragma: no-cache
set-cookie: redirect_to=%2Fgrafana%2F%2Flogin; Path=/grafana; HttpOnly; Secure
x-content-type-options: nosniff
x-frame-options: deny
x-xss-protection: 1; mode=block

...

Thanks for your help!

try using this for root url
root_url = %(protocol)s://%(domain)s:%(http_port)s/grafana/

see this config as a reference:

My guess: proxy pass needs also used path, so:

proxy_pass https://127.0.0.1:3000/grafana/;
proxy_pass https://127.0.0.1:3000/;

replace with

proxy_pass https://127.0.0.1:3000;

Last slash makes Grafana mad.

Do not blindly guess. %(protocol)s is not a magic spell, it’s just a template. It does not matter if the string is a constant string or a template to be rendered to a string