server.protocol is http with TLS terminated at AWS NLB but Azure OAuth2 needs it to be https

In my setup, the Grafana UI is accessed via an internal AWS NLB on which TLS connections are terminated, and the TLS certificate for this purpose lives in AWS Certificate Manager. Connections through to Grafana in the backend are made on a plain TCP connection. So until now I've had server.protocol set to http. However, now that I want to configure Azure AD OAuth2 authentication, server.protocol needs to be set to https because it's used to form the Grafana root_url, which in turn is used to formulate the SSO redirect URL. When I do set server.protocol to https the container doesn't start because it's expecting a cert_file and cert_key to be specified. I can't export the TLS cert from AWS ACM and I don't have an external cert to apply to Grafana. Can I specify the SSO redirect URL somehow so I can apply https to it without changing the Grafana root_url configuration? What I could really do with is an auth.azuread.redirect_url configuration option.

  • What Grafana version and what operating system are you using?
    v9.3.1 on ubuntu

  • What are you trying to achieve?
    Grafana SSO via Azure OAuth2

  • How are you trying to achieve it?
    Configuring Azure AD and Grafana config using Grafana’s instructions

  • What happened?
    Microsoft sign in error: The redirect URI ‘http://grafana.dev.XXXX.com:3000/login/azuread’ specified in the request does not match the redirect URIs configured for the application

  • What did you expect to happen?
    I expected this to happen given that server.protocol is http in the Grafana config. But changing it to https results in a container startup error: error: cert_file cannot be empty when using HTTPS. I don't have a TLS certificate to apply for this config, though, since the certificate is locked in AWS ACM and TLS for my Grafana UI is terminated at an AWS NLB.

  • Can you copy/paste the configuration(s) that you are having problems with?
    | [server] key | value |
    |---|---|
    | cdn_url | |
    | cert_file | |
    | cert_key | |
    | domain | grafana.dev.XXXX.com |
    | enable_gzip | false |
    | enforce_domain | false |
    | http_addr | 0.0.0.0 |
    | http_port | 3000 |
    | protocol | http |
    | read_timeout | 0 |
    | root_url | %(protocol)s://%(domain)s:%(http_port)s/ |
    | router_logging | false |
    | serve_from_sub_path | false |
    | socket | /tmp/grafana.sock |
    | socket_gid | -1 |
    | socket_mode | 0660 |
    | static_root_path | public |

The root_url is used for the redirect url.

  • Did you receive any errors in the Grafana UI or in related logs? If so, please tell us exactly what they were.

When I set server.protocol to https I get the following error from the Grafana container:

logger=server t=2023-06-20T14:30:38.521136554Z level=error msg="Server shutdown" error="*api.HTTPServer run error: cert_file cannot be empty when using HTTPS"
*api.HTTPServer run error: cert_file cannot be empty when using HTTPS

There is a tiny note in Configure generic OAuth2 authentication | Grafana documentation which should also be in the AD auth doc:

You may have to set the root_url option of [server] for the callback URL to be correct. For example in case you are serving Grafana behind a proxy.

So configure root_url properly.

Thanks for the tip. I set root_url to https://%(domain)s/ via the GF_SERVER_ROOT_URL environment variable and SSO is working now. I’d considered modifying root_url to fit my purposes but assumed that it was probably being used in other places in the code, so tailoring it for my SSO purposes would break something somewhere else. But so far so good!
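To make the fix above concrete, here is an added Python example (not code from this thread or from Grafana) that approximates how Grafana derives root_url from the [server] section: %(key)s interpolation via configparser, the GF_SERVER_ROOT_URL environment override applied before interpolation, and the /login/azuread callback path appended. The redirect check at the end is my own pre-flight helper; the XXXX domain is the poster's redaction kept as a placeholder.

```python
import configparser
from urllib.parse import urlparse

# Constructed [server] fragment reproducing the one posted above (XXXX is the
# poster's own redaction, kept as a placeholder).
GRAFANA_INI = """
[server]
protocol = http
domain = grafana.dev.XXXX.com
http_port = 3000
root_url = %(protocol)s://%(domain)s:%(http_port)s/
"""

CALLBACK_PATH = "login/azuread"  # path Grafana appends to root_url for Azure AD


def resolve_root_url(ini_text, env=None):
    """root_url after the GF_SERVER_ROOT_URL override and %(key)s interpolation."""
    cfg = configparser.ConfigParser(interpolation=configparser.BasicInterpolation())
    cfg.read_string(ini_text)
    # The env override replaces the raw value before interpolation, which is why
    # "https://%(domain)s/" in the variable still expands to the real domain.
    if env and "GF_SERVER_ROOT_URL" in env:
        cfg["server"]["root_url"] = env["GF_SERVER_ROOT_URL"]
    root_url = cfg["server"]["root_url"]
    return root_url if root_url.endswith("/") else root_url + "/"


def redirect_uri(ini_text, env=None):
    """The redirect_uri Grafana sends to Azure AD; it must match the app registration."""
    return resolve_root_url(ini_text, env) + CALLBACK_PATH


def check_redirect(redirect, registered, tls_at_lb):
    """Findings to fix before enabling SSO: wrong scheme and unregistered URI."""
    findings = []
    if tls_at_lb and urlparse(redirect).scheme != "https":
        findings.append("redirect is plain http although clients use TLS at the load "
                        "balancer; set root_url to https://... rather than Grafana TLS")
    if redirect not in registered:
        findings.append(f"{redirect} is not among the app's registered redirect URIs")
    return findings


if __name__ == "__main__":
    registered = {"https://grafana.dev.XXXX.com/login/azuread"}
    for env in ({}, {"GF_SERVER_ROOT_URL": "https://%(domain)s/"}):
        uri = redirect_uri(GRAFANA_INI, env)
        print(uri, check_redirect(uri, registered, tls_at_lb=True) or "OK")
```

Running it prints the original http://...:3000/login/azuread URI with two findings, then the overridden https URI with none, which is the mismatch Microsoft reported and the configuration that resolved it.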