Hi All,
When creating UIs in HABPanel and referencing URLs, private ones, they don't render. I assume because myopenhab.org cannot route to those private IPs.
Does anyone know the workaround to getting this working for Grafana graphs?
Does one need to set up NGINX, certificate, domain etc. to get this working and then allow inbound access on HTTPS for that?
Thanks
Thanks Rich for the second point, that seems the way forward. CPU isn't an issue but opening access using authentication is a pita! Thank you

Hi @rlkoshak, decided on just using nginx and exposing the Grafana box but locking it down via source IP on the firewall.
Question. I can get the graphs - they work. But when you visit the domain name, it brings up the login screen to Grafana. Is there a way to prevent that whilst still getting the ability to render the graphs?
Here is my nginx configuration. I can't seem to stop it.
upstream grafana {
    server 192.168.1.3:3000;
}

server {
    listen 80;
    listen [::]:80;
    server_name domain.name;
    return 301 https://domain.name$request_uri;
    server_tokens off; # This hides the server version, just in case someone needs it for a hack...
}

server {
    listen 443 ssl;
    listen [::]:443 ssl http2;
    server_name domain.name;
    server_tokens off;
    access_log /var/log/nginx/domain.name/access.log;
    error_log /var/log/nginx/domain.name/error.log;

    #### SSL Config
    ssl_certificate /etc/letsencrypt/live/domain.name/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/domain.name/privkey.pem;
    ssl_dhparam /etc/ssl/certs/dhparam.pem;
    ssl_session_timeout 1d;
    ssl_session_cache shared:SSL:20m;
    ssl_session_tickets off;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    # ssl_protocols TLSv1.2 TLSv1.3; # This will affect old browsers that don't support new versions of TLS (not SSL ;)).
    ssl_prefer_server_ciphers on;
    ssl_ecdh_curve secp384r1;
    ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';
    ssl_stapling on;
    ssl_stapling_verify on;
    resolver 8.8.8.8 8.8.4.4 valid=300s;
    resolver_timeout 5s;
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload";
    add_header X-Frame-Options DENY;
    add_header X-Content-Type-Options nosniff;
    add_header X-XSS-Protection "1; mode=block";

    #### Compression - Can be disabled anytime but will help externally
    gzip on;
    gzip_disable "msie6";
    gzip_vary on;
    gzip_proxied any;
    gzip_comp_level 9;
    gzip_buffers 16 8k;
    gzip_http_version 1.1;
    gzip_min_length 256;
    gzip_types text/plain
               text/css
               application/json
               application/javascript
               application/x-javascript
               text/xml
               application/xml
               application/xml+rss
               text/javascript
               application/vnd.ms-fontobject
               application/x-font-ttf
               font/opentype
               image/svg+xml
               image/x-icon;

    location / {
        proxy_pass http://grafana; # Defined on the upstream section
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Host $http_host;
        proxy_set_header X-Forwarded-SSL on;
        proxy_set_header X-Forwarded-Proto https;
        proxy_redirect default;
        proxy_redirect http://$host/ https://$host/;
        proxy_redirect http://hostname/ https://$host/;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_send_timeout 1200s;
        proxy_read_timeout 1200s;
        fastcgi_send_timeout 1200s;
        fastcgi_read_timeout 1200s;
    }

    location /grafana/render/ {
        proxy_pass http://grafana/render/;
        proxy_set_header Host $host;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
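
One way to keep the rendered graphs reachable while the Grafana login page is never served through the proxy, as an added example that is not from the thread: proxy only the render path and refuse everything else at nginx. It assumes HABPanel requests nothing but image URLs under /grafana/render/, and that Grafana already answers those without an interactive login, as the post reports.

```nginx
# Added example: these two blocks replace "location /" and
# "location /grafana/render/" inside the 443 server block posted above.
# Assumption: the panel only fetches rendered images under /grafana/render/.

# The single path that is forwarded to Grafana.
location /grafana/render/ {
    # Rendering a graph only needs GET (HEAD is implied by GET);
    # any other method is refused before it reaches Grafana.
    limit_except GET {
        deny all;
    }

    proxy_pass http://grafana/render/;   # "grafana" is the upstream defined above
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;
}

# Catch-all: the Grafana UI, /login and the HTTP API are not proxied at all,
# so visiting the bare domain name returns 403 instead of the login screen.
location / {
    return 403;
}
```

With the catch-all in place the Grafana UI is reachable only from the internal network at the upstream address, and the firewall source-IP rule then protects just the render path.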