I am considering making a Grafana dashboard available on a public website.
Since the projects here also use Grafana and public dashboards are probably made available more often, I thought I would ask here.
What should be considered?
What is the best way to make Grafana available?
What and how should Grafana be secured?
Other than using Let’s Encrypt to serve public access to the Grafana instance via https://, wrapping it behind an Nginx server with reverse proxy configuration, and using the Grafana configuration settings outlined below, I don’t think we have any special configurations or protections in place. Depending on how your instance will be used, more details may be needed.
You may find the Nginx configuration bits outlined below helpful to allow embedding Grafana panels on other websites/domains than the Grafana instance is running on.
With kind regards,
Andreas.
A few Grafana configuration settings
[analytics]
# Server reporting, sends usage counters to stats.grafana.org every 24 hours.
# No ip addresses are being tracked, only simple counters to track
# running instances, dashboard and error counts. It is very helpful to us.
# Change this option to false to disable reporting.
reporting_enabled = false
# Set to false to disable all checks to https://grafana.net
# for new versions (grafana itself and plugins), check is used
# in some UI views to notify that grafana or plugin update exists
# This option does not cause any auto updates, nor send any information
# only a GET request to http://grafana.net to get latest versions
check_for_updates = false
[security]
# When false, the HTTP header X-Frame-Options: deny will be set in Grafana HTTP responses which
# will instruct browsers to not allow rendering Grafana in a <frame>, <iframe>, <embed> or <object>.
# The main goal is to mitigate the risk of Clickjacking. Default is false.
# https://grafana.com/docs/grafana/latest/administration/configuration/#allow_embedding
allow_embedding = true
[auth.anonymous]
# enable anonymous access
enabled = true
# specify role for unauthenticated users
org_role = Viewer
Configure website security policy to allow embedding
These instructions configure the Nginx webserver to send the appropriate HTTP response headers so that the listed third-party sites may embed Grafana content.
# Policy parameters
# "X-Frame-Options" is deprecated, right?
# add_header X-Frame-Options "allow-from https://getkotori.org/";
# add_header X-Frame-Options "allow-from https://community.hiveeyes.org/";
# "Content-Security-Policy" is used now.
# https://chrisguitarguy.com/2019/07/05/working-with-multiple-content-security-policy-headers/
# https://content-security-policy.com/
set $CSP "frame-ancestors hiveeyes.org *.hiveeyes.org getkotori.org *.getkotori.org panodata.org *.panodata.org";
add_header Content-Security-Policy $CSP;
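The frame-ancestors policy from the Nginx snippet above, exercised by an added example (not code from the thread, from Grafana or from Nginx): given a set of response headers, it decides whether a page from a given origin may frame the Grafana instance, and shows that a scheme-less host source such as hiveeyes.org matches only the apex over https, while *.hiveeyes.org matches subdomains only. The Grafana origin and the header dictionaries are constructed assumptions.

```python
from urllib.parse import urlsplit

# Constructed from the thread's `set $CSP ...` Nginx line (not live data).
CSP_HEADER = ("frame-ancestors hiveeyes.org *.hiveeyes.org getkotori.org "
              "*.getkotori.org panodata.org *.panodata.org")


def frame_ancestors(csp):
    """Return the source list of the frame-ancestors directive ([] if absent)."""
    for directive in csp.split(";"):
        parts = directive.split()
        if parts and parts[0].lower() == "frame-ancestors":
            return parts[1:]
    return []


def source_matches(source, origin, grafana_origin):
    """CSP host-source matching for one frame-ancestors entry: a scheme-less
    source takes Grafana's own scheme, '*.example.org' matches subdomains only."""
    src = source.lower()
    o = urlsplit(origin)
    if src == "'none'":
        return False
    if src == "'self'":
        return origin.lower() == grafana_origin.lower()
    if src == "*":
        return True
    scheme, _, hostpat = src.rpartition("://")
    scheme = scheme or urlsplit(grafana_origin).scheme
    if scheme != o.scheme and not (scheme == "http" and o.scheme == "https"):
        return False
    hostpat = hostpat.split("/")[0].split(":")[0]  # drop any path and port
    host = (o.hostname or "").lower()
    if hostpat.startswith("*."):
        return host.endswith(hostpat[1:])  # "*.x.org" matches a.x.org, not x.org
    return host == hostpat


def embedding_allowed(headers, origin, grafana_origin):
    """True if a page served from `origin` may frame the Grafana instance at
    `grafana_origin` given these response headers. When both headers are
    present, browsers honour CSP frame-ancestors and ignore X-Frame-Options."""
    h = {k.lower(): v for k, v in headers.items()}
    sources = frame_ancestors(h.get("content-security-policy", ""))
    if sources:
        return any(source_matches(s, origin, grafana_origin) for s in sources)
    xfo = h.get("x-frame-options", "").strip().lower()
    if xfo == "deny":  # what Grafana sends when allow_embedding = false
        return False
    if xfo == "sameorigin":
        return origin.lower() == grafana_origin.lower()
    return True  # no framing policy at all: any site may embed the dashboards
```

Run it against the headers your public instance actually returns (for instance captured with curl -I) to confirm that the Grafana-side X-Frame-Options and the Nginx-side CSP agree on who may embed.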
When configuring the Hiveeyes package repository at packages.hiveeyes.org, you will only receive the most recent Grafana 6.x release [1]. However, according to the snippet referenced below, Grafana 8.x has been verified to work already.
So, I would recommend getting the most recent Grafana 8 .deb package from upstream at Download Grafana | Grafana Labs to start your installation [2]. I think there is no reason to use Grafana 6 here.
While we haven’t used Luftdatenpumpe together with Grafana 9 yet, you may want to give it a spin if you feel lucky. On this matter, please note that Panodata Map Panel for Grafana has also not been confirmed to work on Grafana 9 yet [3].
If you want to use a map component, Panodata Map Panel for Grafana will probably be crucial for the whole setup, as a few things within Luftdatenpumpe are made to set the stage for its proper operation. While we are also looking at the official Geomap | Grafana documentation, we haven’t had time to make Luftdatenpumpe support it. If you have interest in this, and you can make it work, we will be all ears to receive feedback about it.
If you have concluded the setup of the system successfully, and managed to put it on a public website, we will be very happy to hear about the outcome on your end.