Grafana provides the ability to off-load the authentication process to a web proxy. I'm using this feature to auto-login Grafana to display a dashboard on a NOC display wall where I don't want to rely on human intervention to login.
Enable Proxy Auth in the Grafana config (/etc/grafana/grafana.ini). I'm going to run the proxy on the same server as Grafana, hence the whitelist for 127.0.0.1.
[auth.proxy]
enabled = true
header_name = X-WEBAUTH-USER
header_property = username
auto_sign_up = false
sync_ttl = 60
whitelist = 127.0.0.1
;headers = Email:X-User-Email, Name:X-User-Name
;enable_login_token = falseI'm using NGINX as a reverse proxy that prompts for Basic Auth, then proxies Grafana like normal.
This configuration accomplishes the following:
server {
listen 3100;
server_name grafana.example.com;
auth_basic "Grafana Auth Proxy";
auth_basic_user_file /etc/nginx/.htpasswd;
allow 192.168.40.0/24;
deny all;
location ~ /\.ht { deny all; }
location ^~ /grafana-auth/ {
root /var/www/html/grafana;
include snippets/fastcgi-php.conf;
fastcgi_pass unix:/run/php/php8.2-fpm.sock;
}
location / {
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-Host $server_name;
proxy_set_header X-WEBAUTH-USER "userful";
proxy_set_header Authorization "";
proxy_pass http://127.0.0.1:3000;
}
}Notice the location /grafana-auth/. This is a workaround for Grafana that allows the use of the following authentication format:
http://user:password@grafana.example.com/grafana-auth/For some reason, authenticating in the latter way when navigating directly to Grafana, it fails to auth correctly. /grafana-auth/ contains a PHP file that simply redirects to the web root (which would be the default/root Grafana page).
/grafana-auth/ successfully, which is a basic HTML page./ to use Grafana as normal now that auth has occurred.