Skip to content

Instantly share code, notes, and snippets.

@oroce
Created January 31, 2014 20:40
Show Gist options
  • Save oroce/8742704 to your computer and use it in GitHub Desktop.
Save oroce/8742704 to your computer and use it in GitHub Desktop.
nginx config for using grafana, elasticsearch and graphite with authentication.
user www-data;
worker_processes 1;
pid /var/run/nginx.pid;
events {
worker_connections 1024;
}
http {
sendfile on;
tcp_nopush on;
tcp_nodelay on;
keepalive_timeout 65;
types_hash_max_size 2048;
server_tokens off;
server_names_hash_bucket_size 32;
include /etc/nginx/mime.types;
default_type application/octet-stream;
access_log /var/log/nginx/access.log;
error_log /var/log/nginx/error.log;
gzip on;
gzip_disable "msie6";
# elasticsearch reverse proxy
server {
listen 5200;
server_name elasticsearch.frontend;
location / {
proxy_pass <address of elasticsearch, eg: http://127.0.0.1:9200, you have to set elasticsearch not to listen on every address by setting netword.bind_host: 127.0.0.1, see more: http://www.elasticsearch.org/guide/en/elasticsearch/reference/current/modules-network.html>;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-Server $host;
proxy_set_header X-Forwarded-Host $host;
proxy_set_header Host $host;
# this is one the tricks, we should hide elasticsearch's header,
# because it returns asterisk which isnt allowed in cors request with authorization
proxy_hide_header 'Access-Control-Allow-Origin';
add_header 'Access-Control-Allow-Origin' '<url of grafana>';
add_header 'Access-Control-Allow-Methods' 'GET, POST, PUT, DELETE';
add_header 'Access-Control-Allow-Headers' 'Authorization, Content-Type';
add_header 'Access-Control-Allow-Credentials' 'true';
if ($request_method = 'OPTIONS' ) {
# if request method is options we immediately return with 200 OK.
return 200;
}
# here comes the basic auth, after the options part
auth_basic 'Restricted';
auth_basic_user_file <htpasswd file location>;
# trick number two: elasticsearch rest api follows rest conventions, so it returns on
# first save 201 Created response, but in cors it's not allowed
# we are resetting status to 200 if it's 201 using lua
header_filter_by_lua "
if ngx.status == 201 then
ngx.status = ngx.HTTP_OK
end
";
}
}
# grafana hosting
server {
listen 5100;
auth_basic 'Restricted';
auth_basic_user_file <location of htpasswd file>;
location / {
root <location of grafana src>;
}
}
# graphite reverse proxy
server {
listen 5000;
server_name graphite.frontend;
location / {
proxy_pass <address of graphite, eg: http://127.0.0.1:8000>;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-Server $host;
proxy_set_header X-Forwarded-Host $host;
proxy_set_header Host $host;
add_header 'Access-Control-Allow-Origin' '<url of grafana>';
add_header 'Access-Control-Allow-Methods' 'GET, POST';
add_header 'Access-Control-Allow-Headers' 'Authorization, Content-Type';
add_header 'Access-Control-Allow-Credentials' 'true';
if ($request_method = 'OPTIONS' ) {
# if request method is options we immediately return with 200 OK.
return 200;
}
# here comes the basic auth, after the options part
auth_basic 'Restricted';
auth_basic_user_file <htpasswd file location>;
}
}
}

These config is using luascripting. So you have to compile nginx with luascripting. Or if you are using install with apt: sudo apt-get install nginx nginx-extras

@mig8447
Copy link

mig8447 commented Dec 18, 2020

This was perfect for what I needed (Not Graphana specifically but BASIC Auth + CORS)

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment