blog.crox.net

The solution described here works for me.

I did the following on the internal host where Grafana is installed:

• Configured Apache (on port 80) as reverse proxy to Grafana (on port 3000)
• Setup the virtualhost to add/set the required headers to login automatically as user admin

Relevant section from /etc/grafana/grafana.ini:

[auth.proxy]
enabled = true
;header_name = X-WEBAUTH-USER
;header_property = username
auto_sign_up = false

Apache config extract (you will need to enable mod_proxy, mod_proxy_http and mod_headers for this to work):

<VirtualHost *:80>
        ProxyPreserveHost On
        ProxyRequests Off
        ProxyPass / http://localhost:3000/
        ProxyPassReverse / http://localhost:3000/
        RequestHeader set "X-WEBAUTH-USER" "admin"
</VirtualHost>

On a separate Apache instance exposed to more networks I did the following:

• Configured Apache as reverse proxy to the internal instance
• Restricted access from specific IP addresses
• Setup a rule to redirect requests to the root of the website (and only those) to a specific dashboard

This is how the Apache config looks like (requires mod_proxy, mod_proxy_http and mod_alias; IP addresses, host names etc. changed)

<VirtualHost *:80>
        ServerName sub.example.org
        ServerAlias www.sub.example.org
        <Location />
            Require ip 192.0.2.0/24
            Require ip 203.0.113.0/24
            Require ip 2001:0db8:85a4::/64
            Require ip 2001:0db8:85a5::/64
            RedirectMatch ^/$ /dashboard/db/mydashboard
        </Location>
        ProxyPreserveHost On
        ProxyRequests Off
        ProxyPass / http://[2001:0db8:85a3::aaaa:8a2e:0370:7334]/
        ProxyPassReverse / http://[2001:0db8:85a3::aaaa:8a2e:0370:7334]/
</VirtualHost>

Using a public IPv6 address on the internal host allows the whole thing to work with just a few firewall rules, without the need to mess with NAT or a VPN.