rrichards
2/20/2020 - 9:34 AM
nginx config for using grafana, Influxdb via reverse proxy with authentication
nginx config for using grafana, Influxdb via reverse proxy with authentication
# The full public facing url
#root_url = %(protocol)s://%(domain)s:%(http_port)s/
root_url = http://localhost:80/grafana/#user nobody
worker_processes 1;
error_log /var/log/nginx/error.log warn;
events {
worker_connections 1024;
}
http {
include mime.types;
default_type application/octet-stream;
#gzip setup
gzip on;
gzip_http_version 1.1;
gzip_vary on;
gzip_comp_level 6;
gzip_proxied any;
gzip_types text/plain text/css application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript application/javascript text/x-js;
gzip_buffers 16 8k;
sendfile on;
tcp_nopush on;
tcp_nodelay on;
keepalive_timeout 65;
types_hash_max_size 2048;
server_tokens off;
#log formats
log_format grafana '$time_iso8601 $remote_addr - $remote_user $proxy_host$request$cookie_grafanasess "$request" $status $body_bytes_sent $request_time' ;
log_format influx '$time_iso8601 $remote_addr - $remote_user "$scheme://$server_name/$uri" $status $body_bytes_sent $request_time' ;
#proxy cache formats
proxy_cache_path temp/grafana_cache levels=1:2 keys_zone=grafana_cache:25m max_size=500m inactive=5m use_temp_path=off;
proxy_cache_path temp/influx_cache levels=1:2 keys_zone=influx_cache:25m max_size=50m inactive=15m use_temp_path=off;
##################################Maps to detect Influx hardcoded traffic############################
#check the referer to identify requests originated by Influx Web UI
map $http_referer $proxyloc {
~*influx influx;
}
#Influx Web API end points
map $request_uri $backend {
~*query influxdb;
~*write influxdb;
~*ping influxdb;
}
#We will enable caching for only queries, not for regular UI pages of grafana
map $request_uri $nonquery {
~*query 0;
default 1;
}
#####################################################################################################
######################################Upstream servers###############################################
upstream grafana {
server localhost:3000;
keepalive 15;
}
upstream influx {
server localhost:8083;
keepalive 10;
}
upstream influxdb {
server localhost:8086;
keepalive 10;
}
#####################################################################################################
server {
listen 80;
server_name grafana.adystech.com;
############################### proxy grafana###################################################
location /grafana/ {
proxy_buffering on;
proxy_buffers 8 128k;
proxy_buffer_size 128k;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_http_version 1.1;
proxy_set_header Connection "";
access_log /var/log/nginx/grafana-access.log grafana buffer=1024 flush=5m;
proxy_pass http://grafana/;
proxy_redirect default;
proxy_cache_key "$request_uri";
proxy_cache_min_uses 1;
proxy_cache grafana_cache;
proxy_cache_bypass $nonquery;
proxy_cache_valid 200 302 120s;
proxy_cache_valid 404 1m;
add_header X-Cache-Status $upstream_cache_status;
#proxy_cache_key $proxy_host$request$cookie_grafanasess;
#proxy_ignore_headers X-Accel-Expires Expires Cache-Control;
}
################################################################################################
############################### proxy influx db#################################################
#proxy influxDB
location /influx/ {
auth_basic "Needs Autherization to visit";
auth_basic_user_file influx.conf;
root /inflx/;
access_log /var/log/nginx/influx-access.log influx buffer=1024 flush=5m;
proxy_pass http://influx/;
proxy_redirect default;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Authorization "";
#for keep alive to work
proxy_http_version 1.1;
proxy_set_header Connection "";
#handle upstream timeout
proxy_max_temp_file_size 0;
proxy_connect_timeout 240;
proxy_send_timeout 240;
proxy_read_timeout 240;
#cache the static content
expires 1d;
add_header Pragma public;
add_header Cache-Control "public";
#cahce dynamic data
proxy_cache influx_cache;
proxy_cache_min_uses 1;
proxy_cache_valid 200 302 30s;
proxy_cache_valid 404 1m;
add_header X-Cache-Status $upstream_cache_status;
}
location /influxdb/ {
auth_basic "Needs Autherization to visit";
auth_basic_user_file influx.conf;
root /influxdb/;
access_log /var/log/nginx/influx-access.log influx buffer=1024 flush=5m;
proxy_pass http://influxdb/;
proxy_redirect default;
proxy_http_version 1.1;
proxy_set_header Connection "";
proxy_set_header Authorization "";
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_max_temp_file_size 0;
proxy_connect_timeout 240;
proxy_send_timeout 240;
proxy_read_timeout 240;
expires -1;
add_header Cache-Control private;
}
################################################################################################
###################Default location also handles the Influx redirects###########################
location /{
if ($backend) {
return 302 /$backend/$request_uri;
}
if ($proxyloc) {
return 302 /$proxyloc/$uri;
}
return 302 /grafana/;
}
################################################################################################
}
}This config will enable Nginx to listen on port 80, and act as a reverse proxy for grafana (refer to the custom ini root_url section below), and Influx DB. Influx DB has a problem where it is using root path on admin UII (refer issue#5352) and this config handles it via referrer and api end point redirects.