grafana报错origin not allowed

背景

今天安装grafana 11，使用nginx设置完反向代理之后，访问设置新密码或者更改密码时候出现了这个报错

查找原因

从社区查找，发现以前有人也遇到了类似的原因

解决

Looking at the new CSRF check again, this is not only broken for IPv6 addresses but every reverse proxy setup where the rev proxy changes the Host header. Configure your rev proxy to keep the original Host header.

For nginx: proxy_set_header Host $http_host;
For Apache2: ProxyPreserveHost On
For those working on k8s + ingress set in grafana.ini
csrf_additional_headers: ""
csrf_trusted_origins: "<extarnal_domain>"

复盘

官方使用nginx配置反向代理时，只是在websocket里边配置了这部分，当调用外边的接口时候，比如说更新密码，就会报错。我们需要在/这里也添加一下，就可以了。

# This is required to proxy Grafana Live WebSocket connections.
map $http_upgrade $connection_upgrade {
  default upgrade;
  '' close;
}

upstream grafana {
  server localhost:3000;
}

server {
  listen 80;
  root /usr/share/nginx/www;
  index index.html index.htm;

  location /grafana/ {
    proxy_set_header Host $host;
    proxy_pass http://grafana;
  }

  # Proxy Grafana Live WebSocket connections.
  location /grafana/api/live/ {
    proxy_http_version 1.1;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection $connection_upgrade;
    proxy_set_header Host $host;
    proxy_pass http://grafana;
  }
}

参考链接：
https://grafana.com/tutorials/run-grafana-behind-a-proxy/
https://community.grafana.com/t/grafana-9-origin-not-allowed/88956
https://github.com/grafana/grafana/issues/45117#issuecomment-1426714353

欢迎关注我的公众号“辣个男人Devin”，新鲜技术文章第一时间推送。