Getting graphs to display in myopenhab.org (cloud connector) for private IPs

Hi All,

When creating UIs in Habpanel that reference private URLs, they don’t render. I assume this is because myopenhab.org cannot route to those private IPs.

Does anyone know the work around to getting this working for grafana graphs?

Does one need to set up NGINX, a certificate, a domain etc. to get this working, and then allow inbound HTTPS access for that?

Thanks

  • Expose your Grafana to the internet and use the public address (with authentication of course) (which is basically what you describe)

  • Have Grafana render the charts as an image (doesn’t work so well on RPis). See Grafana Image Charts for about the most efficient way to do it that I could manage


Thanks Rich for the second point, that seems the way forward. CPU isn’t an issue, but opening access using authentication is a pita! Thank you

Hi @rlkoshak, decided on just using nginx and exposing the grafana box but locking it down via source IP on the firewall.

Question. I can get the graphs - they work. But when you visit the domain name, it brings up the login screen to grafana. Is there a way to prevent that whilst still getting the ability to render the graphs?

Here is my nginx configuration. I can’t seem to stop it.

# Backend pool for Grafana. The single member is a private LAN address; the
# server blocks reach it with "proxy_pass http://grafana", so the hop from
# nginx to Grafana is plain HTTP and TLS ends at this proxy.
upstream grafana {
        server 192.168.1.3:3000;
}

# Port 80 exists only to move clients over to the HTTPS site.
server {
        listen 80;
        listen [::]:80;
        server_name domain.name;

        # Keep the nginx version out of the Server header and error pages.
        server_tokens off;

        # Permanent redirect that keeps the requested path and query string.
        return 301 https://domain.name$request_uri;
}


server {

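        # HTTP/2 was enabled on the IPv6 listener only; it is now set on both
        # so IPv4 and IPv6 clients negotiate the same protocols.
        listen 443 ssl http2;
        listen [::]:443 ssl http2;

        server_name domain.name;
        server_tokens off;      # no nginx version in headers or error pages

        # Per-site logs. With the proxy reachable from outside, the access log
        # is the record of who requested what, so keep it and rotate it.
        access_log      /var/log/nginx/domain.name/access.log;
        error_log       /var/log/nginx/domain.name/error.log;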

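        #### SSL Config
        ssl_certificate         /etc/letsencrypt/live/domain.name/fullchain.pem;
        ssl_certificate_key     /etc/letsencrypt/live/domain.name/privkey.pem;
        ssl_dhparam             /etc/ssl/certs/dhparam.pem;     # parameters for the DHE suites below
        ssl_session_timeout     1d;
        ssl_session_cache       shared:SSL:20m;
        ssl_session_tickets     off;

        # TLS 1.0 and 1.1 are deprecated (RFC 8996), so only 1.2 and 1.3 are
        # offered. TLSv1.3 needs an nginx built against OpenSSL 1.1.1 or newer;
        # if "nginx -t" rejects the value, fall back to TLSv1.2 alone.
        ssl_protocols           TLSv1.2 TLSv1.3;
        ssl_prefer_server_ciphers       on;
        ssl_ecdh_curve          secp384r1;

        # Forward-secret AEAD suites only: no 3DES, no CBC-mode, no static-RSA
        # key exchange and no DSS. This list applies to TLS 1.2; TLS 1.3 suites
        # are not selected by ssl_ciphers.
        ssl_ciphers             'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384';

        ssl_stapling            on;
        # NOTE(review): ssl_stapling_verify validates the OCSP response against
        # the chain given in ssl_trusted_certificate, which is not set in this
        # block - confirm it is configured elsewhere or add it.
        ssl_stapling_verify     on;

        # Resolver nginx uses for its own lookups (e.g. the OCSP responder).
        # These are public resolvers, so those lookups leave the LAN.
        resolver                        8.8.8.8 8.8.4.4 valid=300s;
        resolver_timeout                5s;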

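        # Security response headers. "always" makes nginx attach them to error
        # responses (4xx/5xx) too; without it they are only sent on success and
        # redirect codes. A location that declares its own add_header stops
        # inheriting all of these.

        # HSTS: includeSubDomains and preload commit every subdomain of
        # domain.name to HTTPS for a year - confirm that is intended before
        # submitting the domain to a preload list.
        add_header                      Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
        # DENY forbids showing any page from this host inside a frame. Images
        # loaded through an <img> tag are not affected; an iframe embed of a
        # Grafana panel would be blocked.
        add_header                      X-Frame-Options DENY always;
        add_header                      X-Content-Type-Options nosniff always;
        # Legacy header, ignored by current browsers; kept for older ones.
        add_header                      X-XSS-Protection "1; mode=block" always;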

        #### Compression - optional; mainly helps clients on slow external links.
        # NOTE(review): compressing TLS responses that mix secrets with
        # attacker-influenced content is the precondition for BREACH-style
        # attacks; application/json is in the list below - confirm that is
        # acceptable for what Grafana returns. Level 9 is also the most
        # CPU-expensive setting.
        gzip                    on;
        gzip_vary               on;
        gzip_proxied            any;
        gzip_disable            "msie6";
        gzip_http_version       1.1;
        gzip_comp_level         9;
        gzip_min_length         256;
        gzip_buffers            16 8k;
        gzip_types
                text/plain
                text/css
                text/xml
                text/javascript
                application/json
                application/javascript
                application/x-javascript
                application/xml
                application/xml+rss
                application/vnd.ms-fontobject
                application/x-font-ttf
                font/opentype
                image/svg+xml
                image/x-icon;

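      # Catch-all: every path not claimed by a longer prefix location is
      # proxied to Grafana, which includes the login page and the full UI.
      # nginx prefers the longest matching prefix, so a narrower location
      # (for example one for rendered images) takes precedence over this one.
      # If only those images should be reachable from outside, this block can
      # answer with "return 404;" instead of proxying.
      location / {

         proxy_pass                     http://grafana; # Defined on the upstream section

         # WebSocket upgrades only work when nginx speaks HTTP/1.1 to the
         # upstream; the default is HTTP/1.0.
         proxy_http_version             1.1;
         proxy_set_header               Upgrade $http_upgrade;
         # NOTE(review): this sends "Connection: upgrade" on every request;
         # the usual pattern is a map on $http_upgrade in the http context.
         proxy_set_header               Connection "upgrade";

         # $host is nginx's normalised host name; $http_host forwarded the
         # client-supplied Host header to Grafana unchanged.
         proxy_set_header               Host $host;
         proxy_set_header               X-Real-IP        $remote_addr;
         proxy_set_header               X-Forwarded-For  $proxy_add_x_forwarded_for;
         proxy_set_header               X-Forwarded-SSL on;
         proxy_set_header               X-Forwarded-Proto https;

         # Rewrite http:// redirects coming back from Grafana to https://.
         proxy_redirect                 default;
         proxy_redirect                 http://$host/ https://$host/;
         # NOTE(review): "hostname" looks like a placeholder - confirm.
         proxy_redirect                 http://hostname/ https://$host/;

         # 20-minute timeouts towards the upstream. The fastcgi_* timeouts
         # that were here have no effect on a proxy_pass location and are
         # dropped.
         proxy_send_timeout 1200s;
         proxy_read_timeout 1200s;

      }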


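# Maps /grafana/render/... on the public name to /render/... on the Grafana
# upstream. Who may fetch a rendered panel is still decided by Grafana's own
# authentication; nginx adds no access control here beyond the method limit
# below. NOTE(review): rendering is reported in this thread as heavy on small
# hardware - consider rate limiting this path.
location /grafana/render/ {
    proxy_pass  http://grafana/render/;

    # Image fetches are GET (HEAD is implied); refuse other methods here.
    limit_except GET {
        deny all;
    }

    # The Upgrade/Connection headers were removed: they are only needed for
    # WebSocket traffic, which this image path is not expected to carry.
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;
}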