Install and Secure Grafana on Ubuntu 18.04 with SSL and Nginx
Grafana is an open-source data visualization and monitoring tool that integrates complex data from sources like Prometheus, InfluxDB, Graphite, and ElasticSearch. Grafana lets you create alerts, notifications, and ad-hoc filters for your data while also making collaboration with your teammates easier through built-in sharing features.
In this tutorial, you will install Grafana and secure it with an SSL certificate and an Nginx reverse proxy. Once you have set up Grafana, you’ll have the option to configure user authentication through GitHub, allowing you to better organize your team permissions.
Prerequisites
To follow this tutorial, you will need:
- One Ubuntu 18.04 server set up by following the Initial Server Setup Guide for Ubuntu 18.04, including a non-root user with sudo privileges and a firewall configured with ufw.
- A fully registered domain name. This tutorial uses your_domain throughout. You can purchase a domain name on Namecheap, get one for free on Freenom, or use the domain registrar of your choice.
- The following DNS records set up for your server:
  - An A record with your_domain pointing to your server’s public IP address.
  - An A record with www.your_domain pointing to your server’s public IP address.
- Nginx set up by following the How To Install Nginx on Ubuntu 18.04 tutorial, including a server block for your domain.
- An Nginx server block with Let’s Encrypt configured, which you can set up by following How To Secure Nginx with Let’s Encrypt on Ubuntu 18.04.
- Optionally, to set up GitHub authentication, you’ll need a GitHub account associated with an organization.
Step 1 — Installing Grafana
In this first step, you will install Grafana onto your Ubuntu 18.04 server. You can install Grafana either by downloading it directly from its official website or by going through an APT repository. Because an APT repository makes it easier to install and manage Grafana’s updates, you’ll use that method in this tutorial.
Although Grafana is available in the official Ubuntu 18.04 packages repository, the version of Grafana there may not be the latest, so use Grafana’s official repository.
Download the Grafana GPG key with wget, then pipe the output to apt-key. This will add the key to your APT installation’s list of trusted keys, which will allow you to download and verify the GPG-signed Grafana package.
wget -q -O - https://packages.grafana.com/gpg.key | sudo apt-key add -
Next, add the Grafana repository to your APT sources:
sudo add-apt-repository "deb https://packages.grafana.com/oss/deb stable main"
Refresh your APT cache to update your package lists:
sudo apt update
Next, make sure Grafana will be installed from the Grafana repository by checking that the candidate version in the output comes from packages.grafana.com:
apt-cache policy grafana
You can now proceed with the installation:
sudo apt install grafana
Once Grafana is installed, use systemctl to start the Grafana server:
sudo systemctl start grafana-server
Lastly, enable the service to automatically start Grafana on boot:
sudo systemctl enable grafana-server
Step 2 — Setting Up the Reverse Proxy
Using an SSL certificate will ensure that your data is secure by encrypting the connection to and from Grafana. But, to make use of this connection, you’ll first need to reconfigure Nginx as a reverse proxy for Grafana.
Open the Nginx configuration file you created when you set up the Nginx server block with Let’s Encrypt in the Prerequisites. You can use any text editor, but for this tutorial we’ll use nano:
sudo nano /etc/nginx/sites-available/your_domain
Locate the following block:
location / {
    try_files $uri $uri/ =404;
}
Delete the existing try_files line in this location block and replace it with the following options:
location / {
    proxy_set_header Host $http_host;
    proxy_pass http://localhost:3000;
}
Also, in order for the Grafana Live WebSocket connections to work correctly, add the following section outside the server section:
map $http_upgrade $connection_upgrade {
    default upgrade;
    '' close;
}
Then add the following location section inside the server section:
location /api/live {
    proxy_http_version 1.1;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection $connection_upgrade;
    proxy_set_header Host $http_host;
    proxy_pass http://localhost:3000;
}
Test the new settings to make sure everything is configured correctly:
sudo nginx -t
Finally, activate the changes by reloading Nginx:
sudo systemctl reload nginx
You can now access the default Grafana login screen by pointing your web browser to https://your_domain. If you’re unable to reach Grafana, verify that your firewall is set to allow traffic on port 443 and then re-trace the previous instructions.
Step 3 — Updating Credentials
Because every Grafana installation uses the same administrative credentials by default, it is best practice to change your login information as soon as possible. In this step, you’ll update the credentials to improve security.
Start by navigating to https://your_domain from your web browser. This will bring up the default login screen where you’ll see the Grafana logo, a form asking you to enter an Email or username and Password, a Log in button, and a Forgot your password? link.
Enter admin into both the Email or username and Password fields and then click on the Log in button.
On the next screen, you’ll be asked to make your account more secure by changing the default password:
Enter the password you’d like to start using into the New password and Confirm new password fields.
From here, you can click Submit to save the new information or press Skip to skip this step. If you skip, you will be prompted to change the password the next time you log in.
In order to increase the security of your Grafana setup, click Save. You’ll return to the Welcome to Grafana page.
You’ve now secured your account by changing the default credentials. Next, you will make changes to your Grafana configuration so that nobody can create a new Grafana account without your permission.
Step 4 — Disabling Grafana Registrations and Anonymous Access
Grafana provides options that allow visitors to create user accounts for themselves and preview dashboards without registering. When Grafana isn’t accessible via the internet or when it’s working with publicly available data like service statuses, you may want to allow these features. However, when using Grafana online to work with sensitive data, anonymous access could be a security problem. To fix this problem, make some changes to your Grafana configuration.
Start by opening Grafana’s main configuration file for editing:
sudo nano /etc/grafana/grafana.ini
Locate the following allow_sign_up directive under the [users] heading:
[users]
# disable user signup / registration
;allow_sign_up = true
Uncomment this directive by removing the ; at the beginning of the line and then setting the option to false:
[users]
# disable user signup / registration
allow_sign_up = false
Next, locate the following enabled directive under the [auth.anonymous] heading:
[auth.anonymous]
# enable anonymous access
;enabled = false
Uncomment this directive and set it to false to disable anonymous access:
[auth.anonymous]
# enable anonymous access
enabled = false
Save the file and exit your text editor.
To activate the changes, restart Grafana:
sudo systemctl restart grafana-server
Verify that everything is working by checking Grafana’s service status:
sudo systemctl status grafana-server
Once you have signed out, verify that there is no Sign Up button and that you can’t sign in without entering login credentials.
Step 5 — (Optional) Setting Up a GitHub OAuth App
For an alternative approach to signing in, you can configure Grafana to authenticate through GitHub, which provides login access to all members of authorized GitHub organizations. This can be particularly useful when you want to allow multiple developers to collaborate and access metrics without having to create Grafana-specific credentials.
Start by logging into a GitHub account associated with your organization and then navigate to your GitHub profile page.
Click on your organization’s name under Organization settings in the navigation menu on the left-hand side of the screen.
Because Grafana uses OAuth — an open standard for granting remote third parties access to local resources — to authenticate users through GitHub, you’ll need to create a new OAuth application within GitHub.
Click the OAuth Apps link under Developer settings on the lower left-hand side of the screen.
Click the Register an application button to continue.
On the next screen, fill in the following details about your Grafana installation:
- Application name: This helps you distinguish your different OAuth applications from one another.
- Homepage URL: https://your_domain
- Application Description: A description of your OAuth application’s purpose.
- Authorization callback URL: https://your_domain/login/github
Click the Register application button.
You will now be redirected to a page containing the Client ID and Client Secret associated with your new OAuth application. Make note of both values, because you will need to add them to Grafana’s main configuration file to complete the setup.
Warning: Keep your Client ID and Client Secret in a secure and non-public location.
Step 6 — (Optional) Configuring Grafana as a GitHub OAuth App
To complete GitHub authentication for your Grafana setup, you will now make some changes to your Grafana configuration files.
Open the main Grafana configuration file:
sudo nano /etc/grafana/grafana.ini
Locate the [auth.github] section and uncomment the lines by removing the ; at the beginning of each relevant line:
[auth.github]
enabled = true
allow_sign_up = true
client_id = your_client_id_from_github
client_secret = your_client_secret_from_github
scopes = user:email,read:org
auth_url = https://github.com/login/oauth/authorize
token_url = https://github.com/login/oauth/access_token
api_url = https://api.github.com/user
allowed_organizations = your_organization_name
To ensure correct redirects behind a reverse proxy, set the root_url under the [server] section:
[server]
root_url = https://your_domain
Save the file and restart Grafana to apply the changes:
sudo systemctl restart grafana-server
After restarting, navigate to https://your_domain. You will now see a new Sign in with GitHub button on the login page.
Click the button, sign into your GitHub account, and authorize Grafana.
If everything is configured correctly, you will be logged into Grafana using your GitHub credentials.
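The settings from Step 4 and Step 6 can be checked with a section-aware script, because allow_sign_up and enabled appear under more than one heading and a plain grep cannot tell them apart. The following is an added example, not part of the original tutorial or of Grafana; the function names ini_get and audit_grafana_ini and the sample file are constructed for illustration, and the defaults it applies to commented-out keys are the ones shown in the commented lines above.

```shell
# ini_get FILE SECTION KEY: print the effective value (';' and '#' lines are comments).
ini_get() {
    awk -v want="[$2]" -v key="$3" '
        { sub(/^[ \t]+/, ""); sub(/[ \t\r]+$/, "") }
        /^[;#]/ || /^$/ { next }
        /^\[.*\]$/ { insec = ($0 == want); next }
        insec && (eq = index($0, "=")) {
            k = substr($0, 1, eq - 1); v = substr($0, eq + 1)
            sub(/[ \t]+$/, "", k); sub(/^[ \t]+/, "", v)
            if (k == key) val = v
        }
        END { print val }' "$1"
}

# audit_grafana_ini FILE: print one line per finding; return 1 if there are any.
audit_grafana_ini() {
    f=$1; rc=0
    # Sign-up defaults to true when commented out, so require an explicit false.
    [ "$(ini_get "$f" users allow_sign_up)" = "false" ] ||
        { echo "FAIL [users] allow_sign_up is not false"; rc=1; }
    # Anonymous access defaults to false, so only an explicit true is a finding.
    [ "$(ini_get "$f" auth.anonymous enabled)" != "true" ] ||
        { echo "FAIL [auth.anonymous] enabled is true"; rc=1; }
    if [ "$(ini_get "$f" auth.github enabled)" = "true" ]; then
        [ -n "$(ini_get "$f" auth.github allowed_organizations)" ] ||
            { echo "FAIL [auth.github] allowed_organizations is empty"; rc=1; }
        case "$(ini_get "$f" server root_url)" in
            https://*) ;;
            *) echo "FAIL [server] root_url is not an https:// URL"; rc=1 ;;
        esac
    fi
    return $rc
}

# Constructed sample: Step 4 is applied, but [auth.github] is left open to any org.
sample=$(mktemp)
cat > "$sample" <<'EOF'
[server]
root_url = https://your_domain
[users]
allow_sign_up = false
[auth.anonymous]
;enabled = false
[auth.github]
enabled = true
allow_sign_up = true
allowed_organizations =
EOF
audit_grafana_ini "$sample" || echo "audit found problems in $sample"
```

To check the real file, source the functions and call audit_grafana_ini /etc/grafana/grafana.ini as a user that can read it. The script reads only the file, so settings overridden through environment variables are not seen.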
Conclusion of How to Install and Secure Grafana on Ubuntu 18.04
In this tutorial, you installed, configured, and secured Grafana, and you also permitted members of your organization to authenticate through GitHub.
Specifically, you have:
- Installed Grafana on Ubuntu 18.04 using the official APT repository.
- Secured Grafana with an SSL certificate and configured Nginx as a reverse proxy.
- Updated the default administrative credentials for improved security.
- Disabled user registration and anonymous access to safeguard sensitive data.
- (Optionally) Configured GitHub OAuth to simplify user authentication and management.
To extend your current Grafana installation, explore the list of official and community-built dashboards. You can also dive deeper into the official Grafana documentation for more advanced configurations and features.
By following these steps, your Grafana instance is now secure and ready for productive use within your organization. Enjoy monitoring and visualizing your data!