Running Grafana behind a reverse proxy

[GowthamShanmugam]

bugzilla: 1590416 tendrl-bug-id: Tendrl/api#446

Signed-off-by: GowthamShanmugam gshanmug@redhat.com

[GowthamShanmugam]

@shtripat @shirshendu @gnehapk @mbukatov please review

[GowthamShanmugam]

Yes http will come, if will show like http://{ip}/grafana/{dashboard_name}

[shtripat]

Yes http will come, if will show like http://{ip}/grafana/{dashboard_name}

So this ideally means we are not actually enabling https for grafana, rather we are redirecting https URL to http URL of grafana. Right?

So this means this is actually partially solved, as ideal situation would be to enable https for grafana as well if https enabled for tendrl server.

[shirshendu]

So this ideally means we are not actually enabling https for grafana, rather we are redirecting https URL to http URL of grafana. Right?

No, a reverse proxy is not redirection. The traffic is routed by apache over local loopback to grafana, because we're using 127.0.0.1. Local loopback is not susceptible to an attacker sniffing the traffic, unless the attacker already has access to the machine.

So this means this is actually partially solved, as ideal situation would be to enable https for grafana as well if https enabled for tendrl server.

No, the problem is solved completely for our current use-case. Only in case of separate grafana server would we need https to grafana, which (as we discussed in last meeting), is not a currently supported scenario. Anyone needing such a deployment will also need to configure grafana HTTPS, which can be advised on a case-by-case basis, or in documentation for SSL configuration.

[shtripat]

Ack

[GowthamShanmugam]

Tendrl/ui/pull/1074

[GowthamShanmugam]

@shirshendu @shtripat please review this and merge