Etusivu Tutki Apua
Rekisteröidy Kirjaudu sisään
angela
/
brain-dump
Tarkkaile 1
Äänestä 2
Fork 0
Tiedostot Ongelmat 0 Pull-pyynnöt 0 Wiki
Branch: master
Branchit Tagit
brain-dump
/
grafana-prtg
/
enabling-ssl.md

enabling-ssl.md 2.9 KB
Pysyvä linkki Historia Raaka

Enable SSL on the Grafana Server

The following instructions are for a Windows-based install of Grafana.

At some point, you're logging into Grafana with a password. Even on a private network, there could be other devices listening and waiting to grab your credentials that are trasmitting in plain text. It's a wise idea to use SSL and encrypt the transmission of your password, since it's quite easy to do.

It is also assumed you have an existing SSL cert on PRTG; if you don't, you can use Let's Encrypt.

  • The server config is located at C:\Program Files\GrafanaLabs\grafana\conf\custom.ini

If custom.ini doesn't exist, simply duplicate defaults.ini and name the new copy custom.ini, Grafana will pick it up once the Grafana service is restarted.

By default, Grafana installs itself as a localhost address, to use the SSL on an internal network, it is assumed you've already adjusted your internal DNS server to respond to something like grafana.example.com at the IP address of the server Grafana runs on (and that you already have a wildcard SSL cert from Let's Encrypt running on PRTG on the same machine Grafana resides on).

Under the [server] Section of custom.ini

Find:

protocol = http

Change to:

protocol = https

Find:

domain = localhost

Change to (adjust to suit):

domain = grafana.example.com

Find:

cert_file =
cert_key =

Change to (the path of the SSL cert that PRTG uses):

cert_file = "C:\Program Files (x86)\PRTG Network Monitor\cert\fullchain.pem"
cert_key = "C:\Program Files (x86)\PRTG Network Monitor\cert\prtg.key"

Note that if you use prtg.crt instead of fullchain.pem for cert_file some browsers (like Midori) may untrust the cert; I didn't experience such in Firefox.

Go into services.msc on the Windows host and locate the Grafana service > right-click > restart

You should now find you previous access to the http version of Grafana error out - you can now find it at: https://grafana.example.com:3000

SSL Padlock Warning

If you previously uploaded images under your http connection, you'll note that Grafana still loads them as http and under the previous address you were accessing Grafana from (resulting in broken images).

To fix it:

Simply edit that object and change the URL prefix to https://grafana.example.com:3000

Test the Certificate

From a Linux machine:

openssl s_client -showcerts -connect grafana.example.com:3000

You'll see statistical output, like so:

New, TLSv1.3, Cipher is TLS_AES_128_GCM_SHA256
Server public key is 4096 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)

The last line being the important message. Anything other than (ok) indicates the config isn't correct.