All my services are behind an Nginx proxy handling SSL/TLS. For chronograf, I've added some custom basic auth on the proxy side to protect access of the dashboard.
Problem
It looks like the chronograf frontend is relaying this custom basic auth header when performing `/proxy` requests to chronograf towards the influxdb database, while it should (probably) forward the one specified in the InfluxDB sources configuration or no headers at all.
Since the nginx basic auth has nothing to do with the influxdb users, I end up with a mostly broken interface with a lot of `received status code 401 from server: err: authorization failed` errors on `/proxy` endpoints. What is strange is that some requests/graphs are working, so it does properly use the correct headers (or no headers at all) for some requests.
If I use a correct InfluxDB user/password in my nginx frontend basic auth, it works (since the forwarded header is also valid as an InfluxDB user), however I don't want my users to have the InfluxDB password. Would be nice to be able to separate the basic auths.
Maybe there should exist an option to drop the basic auth headers on chronograf side before proxying the request?
Update
After changing the basic auth password to match the InfluxDB one, I still encounter some basic auth errors, but way less often.
I have two almost identical requests that go out, first one works, second one fails:
Finally, ended up using env vars to configure chronograf, restarted from a clean db and it looks like it is OK. Maybe Kapacitor was not properly configured or sth.
I have an up-to-date working setup with docker-compose.
Only change I'm noticing in devtools is that the second one does not have a `strict-transport-security | max-age=31536000` header.
It might not be an issue with forwarding a basic auth header after all, as some requests do work and others fail... Very strange.
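If the proxy's Basic auth header is reaching the backend as described in the report above, one proxy-side way to keep the two sets of credentials separate is to clear `Authorization` after nginx has checked it. This is an added example, not configuration from the original post or from the Chronograf project; the hostname, upstream address (`chronograf:8888`) and file paths are assumptions.

```nginx
# Added example. Hostname, upstream address and file paths are assumed.
server {
    listen 443 ssl;
    server_name chronograf.example.com;                 # placeholder hostname

    ssl_certificate     /etc/nginx/tls/fullchain.pem;   # assumed path
    ssl_certificate_key /etc/nginx/tls/privkey.pem;     # assumed path

    location / {
        # Proxy-level login. These users are unrelated to InfluxDB users.
        auth_basic           "Chronograf";
        auth_basic_user_file /etc/nginx/chronograf.htpasswd;  # assumed path

        # nginx has already validated the credentials at this point.
        # A header set to an empty string is not passed to the upstream,
        # so the backend never sees the proxy's Basic auth credentials.
        proxy_set_header Authorization "";

        proxy_set_header Host              $host;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_pass http://chronograf:8888;              # assumed upstream
    }
}
```

Clearing the header also hides it from any backend feature that expects its own `Authorization` header from the client, so this fits only where the proxy is the sole Basic auth layer.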