
Grafana Guest Access and multiple Organizations

2020-06-10 - christian - grafana, linux, nginx, server

Grafana supports guest access to dashboards only for one single organization, which needs to be configured in the server configuration.

But with a reverse proxy hack, it is still possible for more than one organization. The Proxy Authentication module allows a reverse proxy to send a header to the Grafana backend, which is used for the login process.

Grafana configuration:

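[auth.proxy]
enabled = true
header_name = X-WEBAUTH-USER
header_property = username
auto_sign_up = false
;ldap_sync_ttl = 60
; empty whitelist: the header is accepted from any source address;
; list the reverse proxy's address here to restrict it
whitelist =
headers =
enable_login_token = true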

By sending the header X-WEBAUTH-USER (which contains a valid account name) to the Grafana backend, the specified user is automatically authenticated. Grafana trusts this header as is, so the backend should only be reachable through the reverse proxy.

The dark magic is done in the reverse proxy. To allow both anonymous access and authenticated users, we use two domains.

NGINX configuration:

# set auto login username based on domain name
map $http_host $grafana_user {
    # per default, don't use the header login at all
    default "";
    # if it is the guest domain, use 'anon' as account
     "anon";
}

# listen for HTTPS requests
# and do the proxying to the grafana backend
server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    index index.html;
    root /var/www/officemetrics;

    ssl_certificate /root/;
    ssl_certificate_key /root/;

    location /grafana/ {
        proxy_buffering                       off;
        proxy_set_header X-Real-IP            $remote_addr;
        proxy_set_header X-Forwarded-For      $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto    $scheme;

        # enforce the default domain for grafana
        # otherwise grafana would do a redirect to the
        # domain configured in grafana.ini
        proxy_set_header Host       ;

        # send the user defined by map {}
        # to grafana in the proxy header;
        # an empty value makes nginx drop the header,
        # including one sent by the client
        proxy_set_header X-WEBAUTH-USER       $grafana_user;
    }
}

When is opened, the map {} block sets $grafana_user to anon. $grafana_user is then used in the X-WEBAUTH-USER header.

When is opened, the $grafana_user variable and X-WEBAUTH-USER header are set to empty. Grafana will then not perform an automatic login, but the user can enter their login credentials.

Now we can use the Grafana Permissions to grant access to single dashboards or entire organizations.

Grafana Permissions
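
An added example, not part of the original post: a small Python check of the [auth.proxy] settings used here. It flags an empty or overly broad whitelist, because that setting decides which source addresses Grafana accepts the X-WEBAUTH-USER header from. The function name audit_auth_proxy and the proxy address 127.0.0.1 are assumptions; the post does not state where the reverse proxy runs.

```python
import configparser
import ipaddress

# Constructed sample: the [auth.proxy] settings shown in this post.
GRAFANA_INI = """\
[auth.proxy]
enabled = true
header_name = X-WEBAUTH-USER
header_property = username
auto_sign_up = false
;ldap_sync_ttl = 60
whitelist =
headers =
enable_login_token = true
"""

def audit_auth_proxy(ini_text, proxy_ips):
    """Return findings for [auth.proxy]. proxy_ips: source addresses of the
    reverse proxy as seen by Grafana (an input the caller must supply)."""
    cfg = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cfg.read_string(ini_text)
    if not cfg.has_section("auth.proxy"):
        return []
    sec = cfg["auth.proxy"]
    if not sec.getboolean("enabled", fallback=False):
        return []  # header login is off, nothing to audit
    header = sec.get("header_name", fallback="X-WEBAUTH-USER")
    proxies = {ipaddress.ip_address(p) for p in proxy_ips}
    # whitelist is a comma-separated list of addresses and CIDR ranges
    entries = [e.strip() for e in sec.get("whitelist", fallback="").split(",")]
    nets = [ipaddress.ip_network(e, strict=False) for e in entries if e]
    findings = []
    if not nets:
        findings.append(f"whitelist is empty: {header} is trusted from any source address")
    for ip in sorted(proxies, key=str):
        if nets and not any(ip in n for n in nets):
            findings.append(f"proxy {ip} is not whitelisted: Grafana will not accept the header from it")
    for n in nets:
        if n.num_addresses > 1 or n.network_address not in proxies:
            findings.append(f"whitelist entry {n} admits addresses other than the reverse proxy")
    # Grafana's shipped default for auto_sign_up is true
    if sec.getboolean("auto_sign_up", fallback=True):
        findings.append("auto_sign_up is on: an unknown name in the header creates an account")
    return findings

if __name__ == "__main__":
    for finding in audit_auth_proxy(GRAFANA_INI, ["127.0.0.1"]):
        print("FINDING:", finding)
```

With the configuration from this post the only finding is the empty whitelist; setting it to the proxy's own address clears it.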

Have fun!