Grafana被反向代理及Iframe嵌入

作者: heichong | 来源:发表于2023-01-18 10:51 被阅读0次

Grafana如果被网关（类似Nginx、Apisix等）反向代理以后，如果反向代理路径含有前缀（比如grafana实际地址为：http://10.3.23.191:9912，而通过反向代理的地址为：http://10.3.23.191:9906/grafana/），那就需要修改Grafana配置。

这里以APISIX为例，来反向代理Grafana

APISIX配置

以下配置均可以从APISIX-DASHBOARD查看

上游配置

{
  "nodes": [
    {
      "host": "10.3.23.191",
      "port": 9912,
      "weight": 1
    }
  ],
  "timeout": {
    "connect": 6,
    "send": 6,
    "read": 6
  },
  "type": "roundrobin",
  "scheme": "http",
  "pass_host": "pass",
  "name": "grafana",
  "desc": "grafana",
  "keepalive_pool": {
    "idle_timeout": 60,
    "requests": 1000,
    "size": 320
  }
}

路由配置

{
  "uri": "/grafana/**",
  "name": "grafana",
  "methods": [
    "GET",
    "POST",
    "PUT",
    "DELETE",
    "PATCH",
    "HEAD",
    "OPTIONS",
    "CONNECT",
    "TRACE",
    "PURGE"
  ],
  "plugins": {
    "proxy-rewrite": {
      "regex_uri": [
        "^/grafana/(.*)",
        "/$1"
      ]
    }
  },
  "upstream_id": "443580032573506244",
  "status": 1
}

可以看到，通过网关访问时，多了/grafana前缀

Grafana配置

我这里以docker-compose方式部署的grafana，其配置文件已经被映射至宿主机data/grafana/grafana.ini
主要修改以下几个地方：

修改1：配置反向代理路径前缀
增加如下一行代码

[server]
# The full public facing url you use in browser, used for redirects and emails
# If you use reverse proxy and sub path specify full url (with sub path)
root_url = %(protocol)s://%(domain)s:%(http_port)s/grafana/

image.png

修改2：允许被系统嵌入
增加如下一行代码

[security]

# set to true if you want to allow browsers to render Grafana in a <frame>, <iframe>, <embed> or <object>. default is false.
allow_embedding = true

image.png

修改3：允许匿名登录
我们的目标是通过Iframe嵌入Grafana页面，所以需要设置Grafana的匿名登录

[auth.anonymous]
# enable anonymous access
enabled = true

# specify organization name that should be used for unauthenticated users
org_name = Main Org.

# specify role for unauthenticated users
org_role = Viewer