
Chronograf incorrectly forwards http basic auth headers to proxy #2407

Closed
mgcrea opened this issue Nov 24, 2017 · 1 comment

Comments


mgcrea commented Nov 24, 2017

I have an up-to-date working setup with docker-compose.

Context

All my services are behind an Nginx proxy handling SSL/TLS. For chronograf, I've added some custom basic auth on the proxy side to protect access of the dashboard.

Problem

It looks like the chronograf frontend is relaying this custom basic auth header when performing /proxy requests through chronograf to the influxdb database, while it should (probably) forward the one specified in the InfluxDB sources configuration, or no headers at all.

Since the nginx basic auth has nothing to do with the influxdb users, I end up with a mostly broken interface with a lot of `received status code 401 from server: err: authorization failed` errors on /proxy endpoints. What is strange is that some requests/graphs are working, so it does properly use the correct headers (or no headers at all) for some requests.

If I use a correct InfluxDB user/password in my nginx frontend basic auth, it works (since the forwarded header is also valid as an InfluxDB user); however, I don't want my users to have the InfluxDB password. It would be nice to be able to separate the basic auths.

Maybe there should be an option to drop the basic auth headers on the chronograf side before proxying the request?


Update

After changing the basic auth password to match InfluxDB's, I still encounter some basic auth errors, but way less often.

I have two almost identical requests that go out: the first one works, the second one fails:

https://chronograf.foobar.io/chronograf/v1/sources/4/proxy

The only change I'm noticing in devtools is that the second one does not have a `strict-transport-security: max-age=31536000` header.

It might not be an issue with forwarding a basic auth header after all, as some requests do work and others fail... Very strange.
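As an added example (not Chronograf's own code, and not part of the original issue), the following Go program reproduces the behaviour described in the comment above and the fix it asks for. A naive `httputil.ReverseProxy` relays whatever `Authorization` header the browser sent, so the nginx dashboard login reaches InfluxDB and is rejected with 401; a proxy whose Director strips the client's `Authorization` and `Cookie` headers and sets the source's own InfluxDB credentials succeeds. The names `SourceCreds`, `NewNaiveProxy`, `NewSourceProxy`, `StatusThrough`, the credentials `dbuser`/`dbpass` and the in-process fake InfluxDB are all constructed for this example.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/http/httputil"
	"net/url"
)

// SourceCreds holds the InfluxDB username/password configured for a
// Chronograf source. Hypothetical type for this example, not Chronograf's own.
type SourceCreds struct {
	Username string
	Password string
}

// NewNaiveProxy forwards the browser's request to InfluxDB with its headers
// untouched: this is the behaviour the issue describes, where nginx's
// dashboard Authorization header reaches InfluxDB and fails there with a 401.
func NewNaiveProxy(influx *url.URL) *httputil.ReverseProxy {
	return httputil.NewSingleHostReverseProxy(influx)
}

// NewSourceProxy drops any client-supplied Authorization/Cookie headers and
// authenticates to InfluxDB with the source's own credentials instead, so the
// dashboard password never reaches the database and the database password
// never has to be handed out to dashboard users.
func NewSourceProxy(influx *url.URL, creds SourceCreds) *httputil.ReverseProxy {
	rp := httputil.NewSingleHostReverseProxy(influx)
	director := rp.Director
	rp.Director = func(r *http.Request) {
		director(r) // rewrite scheme/host/path for the upstream as usual
		r.Header.Del("Authorization")
		r.Header.Del("Cookie")
		if creds.Username != "" {
			r.SetBasicAuth(creds.Username, creds.Password)
		}
	}
	return rp
}

// fakeInflux is a constructed stand-in for InfluxDB: it accepts only the
// basic-auth credentials dbuser/dbpass and answers 401 for anything else.
func fakeInflux() *httptest.Server {
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		u, p, ok := r.BasicAuth()
		if !ok || u != "dbuser" || p != "dbpass" {
			w.WriteHeader(http.StatusUnauthorized)
			fmt.Fprint(w, `{"error":"authorization failed"}`)
			return
		}
		fmt.Fprint(w, `{"results":[{"statement_id":0}]}`)
	}))
}

// StatusThrough sends one /proxy query, still carrying the basic-auth header
// that nginx's auth_basic left on it, through either proxy and returns the
// status code InfluxDB replied with.
func StatusThrough(stripClientAuth bool) int {
	influx := fakeInflux()
	defer influx.Close()
	target, err := url.Parse(influx.URL)
	if err != nil {
		panic(err)
	}

	var proxy http.Handler = NewNaiveProxy(target)
	if stripClientAuth {
		proxy = NewSourceProxy(target, SourceCreds{Username: "dbuser", Password: "dbpass"})
	}

	req := httptest.NewRequest(http.MethodPost, "/chronograf/v1/sources/4/proxy", nil)
	// The dashboard login nginx checked; it is not an InfluxDB user.
	req.SetBasicAuth("dashboard-user", "dashboard-secret")
	rec := httptest.NewRecorder()
	proxy.ServeHTTP(rec, req)
	return rec.Code
}

func main() {
	fmt.Println("naive proxy (relays dashboard auth):", StatusThrough(false)) // 401
	fmt.Println("source proxy (uses source creds):", StatusThrough(true))     // 200
}
```

When the application cannot be changed, the same separation can be enforced on the nginx side: inside the `location` that carries `auth_basic`, add `proxy_set_header Authorization "";` so the dashboard credentials are consumed by nginx and never forwarded to the upstream.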


mgcrea commented Nov 25, 2017

Finally, I ended up using env vars to configure chronograf, restarted from a clean db, and it looks like it is OK. Maybe Kapacitor was not properly configured or something.

@mgcrea mgcrea closed this as completed Nov 25, 2017