| 1 | +--- |
| 2 | +layout: post |
| 3 | +title: Grafana reverse proxy in IIS with Azure AD |
| 4 | +permalink: /2022/grafana-reverse-proxy-with-azure-ad.html |
| 5 | +--- |
| 6 | + |
| 7 | +## Precursor (ignore if you want the tutorial) |
| 8 | + |
| 9 | +It's 2022, it's been almost a year since the last (and first) post. A lot has happened, including the beginning of the end of the pandemic, and a paradigm shift of telemetry and instrumentation for the software company I work at. I have finally started the transition to introduce Grafana at work - and with that transition, came the upfront cost of expensive trials and tribulations. How do I make this SSL? How do I add Azure AD to Grafana? How do I reverse proxy Grafana with IIS? |
| 10 | + |
| 11 | +## My environment |
| 12 | + |
| 13 | +Before anyone yells at me for not using Linux. We're a .NET shop and a lot, if not all, our applications actively run on Windows-based hosts. This might change in the future. We're not locked to Windows, except for our WPF apps, but we're certainly comfy with Windows and I'm more comfortable in a Windows environment than Linux environment. So, here is the environment I'm working with: |
| 14 | + |
| 15 | +- Windows Server 2019 (Standard) |
| 16 | +- IIS 10 |
| 17 | +- Grafana (self hosted) 8.3.6 |
| 18 | +- AzureAD |
| 19 | +- Certify The Web 5.6.5 |
| 20 | + |
| 21 | +This assumes a base, vanilla, installation of Grafana situated on `localhost:3000`. If you have changed your port, adapt these instructions. |
| 22 | + |
| 23 | +## Adding an IIS Reverse Proxy |
| 24 | + |
| 25 | +Outcome: Adding bindings for HTTP(S) traffic on Default Web Site for IIS. |
| 26 | + |
| 27 | +1. Launch Certify The Web, create a new managed certifficate for the target Website |
| 28 | + - Before requesting a certificate, under `Tasks` add a new task to `Export Certificate`. Under `Task Parameters`: |
| 29 | + - Keep `Authentication` as `Local` |
| 30 | + - Change destination file path to a file path of your choice, in my case `C:\SSL\cert.pem` |
| 31 | + - Change `Export As` to `PEM - Primary Certificate` |
| 32 | + - Once you have added this task, repeat the process, this time adding an export certificate task for the `PEM - Private Key` |
| 33 | + |
| 34 | +Your deployment tasks should look like this: |
| 35 | + |
| 36 | + |
| 37 | + |
| 38 | +2. Request the certificate and verify the bindings have been allocated to the website on IIS |
| 39 | +3. Install the [URL Rewrite](https://www.iis.net/downloads/microsoft/url-rewrite) IIS module |
| 40 | +4. Install the [Application Request Routing](https://www.iis.net/downloads/microsoft/application-request-routing) IIS module |
| 41 | +5. Open your target website and select the URL rewrite module, clicking `Add Rule(s)...` on the right hand panel |
| 42 | + |
| 43 | + |
| 44 | + |
| 45 | + |
| 46 | + |
| 47 | +6. With the new rule dialog open, in the `Inbound Rules`, enter `https://localhost:3000`. |
| 48 | + |
| 49 | +## Modifying Grafana config for SSL |
| 50 | + |
| 51 | +When we are going to add AzureAD OAuth, we need a `https` redirect - unfortunately, we cannot tell Grafana to blindly run on https, it requires a valid certificate to do so. Leaving it empty will cause Grafana to (gracefully?) crash at startup. |
| 52 | + |
| 53 | +Go to the Grafana configuration ini, for my Windows Server installation, that's at `C:\Program Files\GrafanaLabs\grafana\conf`. Ensure you edit `sample.ini` or any renamed variant of this. I have called my `custom.ini`. **Do not edit the defaults.ini file if you can help it.** |
| 54 | + |
| 55 | +1. Stop `Grafana` service, if it's running |
| 56 | +2. Open the `ini` configuration file |
| 57 | +3. Find the `[server]` section |
| 58 | +4. Uncomment and change `protocol` to `protocol = https` |
| 59 | +5. Uncomment and change `domain` to your desired domain, i.e. `domain = grafana.contoso.com` |
| 60 | +6. Uncomment and change `root_url` to `root_url = %(protocol)s://%(domain)s/`, the important note here is we're removing the port |
| 61 | +7. Uncomment and change `cert_file` to `cert_file = C:\SSL\cert.pem` or the location of your certificate file, as exported in Certify The Web's manager |
| 62 | +8. Uncomment and change `cert_key` to `cert_key = C:\SSL\key.pem` or the location of your certificate's key file, as export in Certify The Web's manager |
| 63 | +9. Start `Grafana` service and verify it is reachable via your domain |
| 64 | + |
| 65 | +Because IIS will be running on 443. We cannot run Grafana on 443 by default, it will continue to run on 3000. By changing the `root_url` configuration, we're forcing Grafana to act as though it's directly hosted on 443, rather than behind a reverse proxy. |
| 66 | + |
| 67 | +The disadvantage to this is that you will no longer be able to access Grafana via `localhost`, if that's a requirement, unless you are willing to accept the ""untrusted"" certificate. I say ""untrusted"" because it was generated by us, for the target domain. |
| 68 | + |
| 69 | +## Adding Azure AD to Grafana |
| 70 | + |
| 71 | +This is mostly a [documented process on the official Grafana documentation](https://grafana.com/docs/grafana/latest/auth/azuread/), which is great. Assuming you have followed these steps, modified the config further to include AzureAD and restarted your Grafana service, you will now see a Log in with Microsoft button, using your AzureAD tenant. |
| 72 | + |
| 73 | +The redirect URL should work, and your reverse proxy is none the wiser. |
| 74 | + |
| 75 | +This process was mostly trial and error. It is not perfect by any means and I will be revisit it once we have to migrate servers/versions, but it does get AzureAD working in Grafana on self deployed environments. At least in Windows. |
| 76 | + |
| 77 | +## Want help? |
| 78 | + |
| 79 | +Comment here and I will do my best to respond. |
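Review bot: the "Modifying Grafana config for SSL" steps and the paragraph after them leave Grafana listening on 3000 alongside IIS on 443, but nothing in the hunk restricts direct access to that port, so anyone who can reach the host on 3000 bypasses the IIS proxy and whatever controls sit in front of it. Suggest adding a step to the `[server]` edits that binds the listener to loopback (`http_addr = 127.0.0.1`) or blocks inbound 3000 in Windows Firewall, and changing step 9 to verify reachability only via the proxied domain. Two smaller documentation gaps in the same section: the first Export Certificate task names `C:\SSL\cert.pem` as its destination, but the repeated task for `PEM - Private Key` never states a path even though step 8 later expects `C:\SSL\key.pem`; and because that file is the private key for the public-facing certificate, the post should say to restrict its ACL to the account the Grafana service runs as. Finally, the sentence "forcing Grafana to act as though it's directly hosted on 443, rather than behind a reverse proxy" reads inverted: setting `root_url` to the public scheme and host without the port is exactly the setting Grafana uses when it is behind a reverse proxy, so that generated links and the Azure AD redirect URL carry the external address.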