
I have a Grafana instance running successfully on my server. It runs on HTTP without a problem. Now I want to switch from HTTP to HTTPS. My grafana.ini is shown below:

#################################### Server ####################################
[server]
# Protocol (http or https)
protocol = https

# The ip address to bind to, empty will bind to all interfaces
http_addr = 0.0.0.0

# The http port  to use
http_port = 3000

# The public facing domain name used to access grafana from a browser
;domain = localhost

# Redirect to correct domain if host header does not match domain
# Prevents DNS rebinding attacks
;enforce_domain = false

# The full public facing url
;root_url = %(protocol)s://%(domain)s:%(http_port)s/

# Log web requests
;router_logging = false

# the path relative working path
;static_root_path = public

# enable gzip
;enable_gzip = false

# https certs & key file
cert_file = /usr/local/ssl/crt/certificate.cer
cert_key = /usr/local/ssl/private/private_key.key

3 Answers


The above configuration may have a problem: after changing the grafana.ini file the "grafana-server" service will not start again.

Here's how I solved my problem:

  1. Change grafana.ini as mentioned above.
  2. Copy the certificate files (pem, crt and key) to /etc/grafana.
  3. Change the file permissions of the certificate files to 644 (go+r) and the owner to root:root.

After that the grafana service will work properly in HTTPS mode.

mojdeh
  • If you update the cert, don't forget to restart the Grafana server. – Hernán Eche Jul 20 '18 at 19:54
  • You literally saved my life :D I had the same error with the certificates. Another thing to mention: remember to uncomment the lines in the grafana.ini file. Uncomment = remove the **;** at the beginning of the lines. Took me half an hour to figure that one out... – FranzHuber23 Sep 30 '18 at 16:45
  • By the way, restart the Grafana server with `sudo service grafana-server restart` as [Hernán Eche](https://stackoverflow.com/users/231382/hern%c3%a1n-eche) already said. – FranzHuber23 Sep 30 '18 at 16:46
  • Caution! This is a very dangerous solution. Unfortunately, there doesn't seem to be a viable way to secure Grafana out of the box, and I cannot secure different URLs with different certificates, both of which are very sad. I will revert my SSL settings and try this one: https://community.grafana.com/t/grafana-https-configuration/524/13 (so I can have Apache handle SSL). – Chris Tophski Jul 26 '22 at 13:04
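The two failure modes raised in this answer and its comments (certificate files the service cannot read, and cert lines left behind a `;`) can be checked before restarting grafana-server. The script below is an added example, not code from this answer or from Grafana; it assumes the `[server]` keys shown in the question (`protocol`, `cert_file`, `cert_key`), applies lijun1234's stricter `chmod 640` expectation to the private key, and builds a constructed grafana.ini with dummy cert files to exercise itself.

```shell
#!/bin/sh
# Added pre-flight check for the HTTPS switch discussed above (example code, not from
# the answer or from Grafana). Assumes the [server] keys shown in the question:
# protocol, cert_file, cert_key. Run it as the grafana service user (sudo -u grafana)
# so the readability checks reflect what grafana-server itself will see.

# ini_get FILE SECTION KEY: print KEY's value from [SECTION], ignoring lines that are
# commented out with ';' or '#'. A key still behind a ';' prints nothing, which is the
# "forgot to uncomment" mistake mentioned in the comments above.
ini_get() {
  awk -v want_sec="$2" -v want_key="$3" '
    /^[ \t]*[;#]/ { next }
    /^[ \t]*\[/ {
      sec = substr($0, index($0, "[") + 1)
      sec = substr(sec, 1, index(sec, "]") - 1)
      next
    }
    sec == want_sec && index($0, "=") {
      key = substr($0, 1, index($0, "=") - 1); gsub(/^[ \t]+|[ \t]+$/, "", key)
      if (key == want_key) {
        val = substr($0, index($0, "=") + 1); gsub(/^[ \t]+|[ \t]+$/, "", val)
        print val; exit
      }
    }' "$1"
}

# grafana_tls_preflight INI: return 0 when [server] is ready for HTTPS, otherwise
# print one line per finding and return 1.
grafana_tls_preflight() {
  ini="$1"; rc=0
  proto=$(ini_get "$ini" server protocol)
  [ "$proto" = "https" ] || { echo "protocol is '${proto:-unset}', expected https"; rc=1; }
  for k in cert_file cert_key; do
    f=$(ini_get "$ini" server "$k")
    if [ -z "$f" ]; then
      echo "$k is unset or still commented out with ';'"; rc=1
    elif [ ! -r "$f" ]; then
      echo "$k=$f is missing or not readable by $(id -un)"; rc=1
    fi
  done
  # The private key should not be world-readable (lijun1234's chgrp grafana; chmod 640):
  # the 8th character of 'ls -ld' output is the "other" read bit.
  key=$(ini_get "$ini" server cert_key)
  if [ -n "$key" ] && [ -r "$key" ]; then
    case $(ls -ld "$key") in
      ???????r*) echo "cert_key=$key is world-readable; chgrp grafana and chmod 640"; rc=1 ;;
    esac
  fi
  return $rc
}

# make_fixture DIR MODE: write a constructed grafana.ini plus dummy cert/key files
# into DIR. MODE "commented" leaves the cert lines behind ';' (the pitfall); "ready"
# uncomments them and sets the key to 640.
make_fixture() {
  dir="$1"; mode="$2"; mkdir -p "$dir"
  printf '%s\n' "-----BEGIN CERTIFICATE-----" "constructed" "-----END CERTIFICATE-----" > "$dir/certificate.cer"
  printf '%s\n' "-----BEGIN PRIVATE KEY-----" "constructed" "-----END PRIVATE KEY-----" > "$dir/private_key.key"
  if [ "$mode" = "commented" ]; then p=";"; else p=""; chmod 640 "$dir/private_key.key"; fi
  cat > "$dir/grafana.ini" <<EOF
[server]
protocol = https
http_port = 3000
;domain = localhost
${p}cert_file = $dir/certificate.cer
${p}cert_key = $dir/private_key.key
EOF
}

# Demo on constructed data: the still-commented config fails, the fixed one passes.
demo=$(mktemp -d)
make_fixture "$demo/broken" commented
make_fixture "$demo/fixed" ready
for d in broken fixed; do
  if grafana_tls_preflight "$demo/$d/grafana.ini"; then
    echo "$d: ready for HTTPS"
  else
    echo "$d: fix the findings above before restarting grafana-server"
  fi
done
rm -rf "$demo"
```

On a real host, call `grafana_tls_preflight /etc/grafana/grafana.ini` as the grafana user; a finding for the key being world-readable is advisory under mojdeh's 644 approach but blocks under lijun1234's 640 one.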

I suggest giving the certificate and key files the same permissions as the other files under /etc/grafana: chgrp grafana; chmod 640.

lijun1234

So, as I mentioned in a comment above, I tried it with Apache2 and a proxy as given here in the Grafana community and it worked for me, although I had to fiddle a bit to finally get it working. I'll cover that here.

The basic idea is to keep your keys/certificates safely in their /etc/ssl/... directories while the Grafana instance is configured with plain old HTTP on port 3000 with only local access. Then Apache provides a proxy that can be properly configured for SSL/TLS and handles communication between Grafana's server and clients.

Take the following steps, which differ from OS to OS, so I only provide a generic phrase and no specific commands or file paths.

  1. Install Apache2
  2. Enable modules ssl, headers, proxy, proxy_http, rewrite
  3. Create a configuration file for Grafana with the following content (I only include the necessary bits, feel free to follow the above link for more on automatic redirection from HTTP and such):
<IfModule mod_ssl.c>
  <VirtualHost *:443>
    # change the following fields according to your setup
    ServerName grafana.domain.tld
    ServerAdmin me@mydomain.tld

    SSLCertificateFile /etc/ssl/certs/certificate.cer
    SSLCertificateKeyFile /etc/ssl/private/private_key.key
    SSLEngine on

    ProxyPreserveHost on
    ProxyPass / http://127.0.0.1:3000/
    ProxyPassReverse / http://127.0.0.1:3000/
  </VirtualHost>
</IfModule>
  4. Enable the site you just created a config file for.
  5. Restart or reload Apache.

Hope this helps. Stay safe... and secure ;)

Chris Tophski