Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Plugin should work on grafana-server behind firewall with no internet access #99

Closed
drewboswell opened this issue May 12, 2016 · 7 comments

Comments

Projects
None yet
3 participants
@drewboswell
Copy link

commented May 12, 2016

The plugin makes plugin-proxy calls via the server, which is not compatible with companies that have a no Internet access policy on production setups.

We do not want to open access to our network zone that contains our production grafana/graphite/ELK/InfluxDB setup.

Perhaps the use of a license file, or making the calls directly via the browser would be a solution? This is in any case a problem for us, and be a major blocker for adoption for others I imagine.

Example calls the server is trying to make:
/api/plugin-proxy/raintank-worldping-app/api/endpoints
/api/plugin-proxy/raintank-worldping-app/api/org/quotas

@torkelo

This comment has been minimized.

Copy link
Contributor

commented May 12, 2016

since worldping is an external service (metrics are stored in the raintank hosted metrics database) external internet access is required from your grafana-server.

@drewboswell

This comment has been minimized.

Copy link
Author

commented May 12, 2016

I understand that given that it is external it needs internet, I am just wondering if it could be configured like the datasources for elasticsearch or graphite are: proxy/direct.

I see that the datasource for raintank has the "direct/proxy" setting but it still passes via the server of our choosing in any case (url+direct-access), it would be interesting if the posts could be done directly to a raintank endpoint cloud-side. Any ideas?

@woodsaj

This comment has been minimized.

Copy link
Contributor

commented May 12, 2016

The Worldping service is a SaaS service, so to use it you will need internet access to be able to use it.

@drewboswell unfortunately it is not possible for the the api requests to the worldping backend to be made directly from the browser. The api requests need to be authenticated with an apiKey and would be very insecure to expose this key to the browser. So instead this apiKey is stored (encrypted) in the Grafana database and added to requests when they are being proxied.

You do no not need to have direct Internet access on the Grafana server, you can instead just use a HTTP/HTTPS proxy. To have Grafana use the proxy, you need to pass the proxy addresses via http_proxy and https_proxy environment variables.

@drewboswell drewboswell changed the title Plugin should work on server behind firewall with no internet access Plugin should work on grafana-server behind firewall with no internet access May 12, 2016

@drewboswell

This comment has been minimized.

Copy link
Author

commented May 17, 2016

Very true about it being insecure with that method, sounds logical to me.

It might be a good idea to add to the documentation/requirements that an http(s) proxy for direct ( grafana-server --> SaaS ) access is needed.

@drewboswell

This comment has been minimized.

Copy link
Author

commented May 17, 2016

For the proxy setup I have a few questions:

  • Is the following URL pattern enough for opening on a proxy? https://app.raintank.io/*
  • What verb/methods need to be authorized? GET/POST/DELETE etc?
@woodsaj

This comment has been minimized.

Copy link
Contributor

commented May 18, 2016

All of the routes needed are listed in the app's plugin.json

https://github.com/raintank/worldping-app/blob/master/plugin.json#L6-L47

So in summary, you need GET/PUT/POST/DELETE on https://worldping-api.raintank.io/api/*

The routes may change in future as we add new features, so when updating the app it would pay to check the plugin.json for an changes.

@drewboswell

This comment has been minimized.

Copy link
Author

commented May 19, 2016

Perfect this works for me now thank you.

http_proxy=protocol://ip:port/
https_proxy=protocol://ip:port/
no_proxy=127.0.0.0/8,domain.com,etc

this works properly when added to a wrapper start script for grafana.

@woodsaj woodsaj closed this May 20, 2016

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
You can’t perform that action at this time.