[Bug]: Server Side PNG Rendering authentication when going through http proxy using proxy auth feature

[davidballano]

Hi,
I am having trouble trying to get direct link rendered image to work, at first i was getting 404 but after reading the other issues i finally change my root_url parameter to the correct URL and i got that working, although now i am getting a completely transparent image.

my configuration looks like this:

grafana version: 2.6

grafana.ini:

[server]
domain = grafana.mydomain.net
root_url = https://grafana.mydomain.net

httpd/conf.d.grafana.conf:

ProxyPass / http://localhost:3000/
ProxyPassReverse / http://localhost:3000/

this is what i see on grafana.log:

2016/08/25 22:32:05 [I] PhantomRenderer::renderToPng url https://grafana.mydomain.net/dashboard-solo/db/tat-first-relay-layer?panelId=2&fullscreen&from=1472074836042&to=1472161176043&width=1000&height=500

I have a VIP on top off httpd on 443 which takes care of ssl and sends trafic to grafana on port 80.
don't know if that could be the problem? or i am doing something else wrong.

thanks!

[torkelo]

VIP , does your httpd proxy do any authentication?

what happens when you wget https://grafana.mydomain.net/dashboard-solo/db/tat-first-relay-layer?panelId=2&fullscreen&from=1472074836042&to=1472161176043&width=1000&height=500 from the grafana server?

[davidballano]

Now that I look close, Apache does have authentication and it forwards/proxies it to Grafana,
i believe this is the part that forwards the auth:

httpd/conf.d.grafana.conf:

 AuthLDAPRemoteUserAttribute uid
 RequestHeader unset X-WEBAUTH-USER
 RewriteEngine On
 RewriteRule .* - [E=GRAFANA_USER:%{LA-U:REMOTE_USER},NS]
 RequestHeader set X-WEBAUTH-USER "%{GRAFANA_USER}e"
 RequestHeader unset Authorization

when I run: https://grafana.mydomain.net/dashboard-solo/db/tat-first-relay-layer?panelId=2&fullscreen&from=1472074836042&to=1472161176043&width=1000&height=500

i get:

awaiting response... 401 Authorization Required
Authorization failed.

thanks.

[torkelo]

I think that might be the issue.

[davidballano]

Hi,

I modified render.js and added credentials user/pass, the image rendered nicely, you are right render.js doesn't have a way to auth against the server.

/usr/share/grafana/vendor/phantomjs/render.js:

var page = require('webpage').create();
var args = require('system').args;
var params = {};
var regexp = /^([^=]+)=([^$]+)/;

page.settings.userName = "tempuser";
page.settings.password = "*********";
...

for now this little workaround works for us, hopefully there is a smarter way in the future to do this using the users credentials.

[Esya]

Please see #6115 I think we should just have two variables in grafana.ini

[earwin]

Makes perfect sense.
On another note, "self" address might be possible to calculate without forcing the user to configure anything.

[Esya]

Right, it should default to protocol://domain:port instead of relying on
root_url which is the user facing URL to use for load balancers, VIP, etc.

On Sep 22, 2016 4:21 PM, "Kirill Zakharenko" notifications@github.com
wrote:

I think we should just have two variables in grafana.ini
Makes perfect sense.
On another note, "self" address might be possible to calculate without
forcing the user to configure anything.

—
You are receiving this because you commented.
Reply to this email directly, view it on GitHub
#5906 (comment),
or mute the thread
https://github.com/notifications/unsubscribe-auth/AA5M2xsClNRAhVoALWiStbBTt_oPouiwks5qsw1hgaJpZM4Jtl8g
.

[torkelo]

fixed in 175c651 !

[oryband]

Still not working. Please see: #6115 (comment)