Managed grafana behind application gateway doesn't work due to bad oauth redirect #12
Comments
Hi @JoostLambregts, unfortunately this is what we call the "custom domain name" scenario where you want to use a different DNS name to access Grafana. This is currently not a supported scenario. Even without the redirection problem, the certificate used for TLS on the server side will also not match the custom domain.
That is unfortunate. Thank you for the response. Edit: If you were to support this pattern, this would offer a viable alternative for others looking to run Managed Grafana under a custom domain, using only Azure native components. I am not the only one who would like to have this feature (see https://learn.microsoft.com/en-us/answers/questions/1101743/custom-domain-for-azure-managed-grafana-instance) and the change should be relatively small since this configuration option is already available in Grafana (see https://grafana.com/docs/grafana/latest/setup-grafana/configure-grafana/#root_url).
That's probably true. Supporting a custom domain name is not a small feature; we can take it into consideration.
I've run into this issue as well trying to secure public access to the Azure managed instance of Grafana. @brahmnes is there currently any way to implement network access control to the public endpoint? The problem is the private endpoint isn't routable outside of Azure. I don't want full private access, but want to limit the public access to just our VPN network.
Hi @garretwyman, unfortunately I cannot think of a good solution. From a theoretical standpoint, you can probably set up something where you put Grafana in private access mode, then you have a VNET that has a private endpoint to it. From that VNET, you set up the appropriate access control, or use Azure VPN Gateway if you want to access from outside of Azure. Having said that, I am not an expert in networking so this is theoretical. You may have to try it yourself.
We have Azure Managed Grafana with public access disabled. Our users access Grafana through Azure Application Gateway. However, Grafana redirects the users to an oauth2 endpoint, and after login the user is redirected not to the application gateway, but directly to Grafana. Since Grafana is not public, this fails.
To be a bit more precise and technical:
Azure Application Gateway sets the x-forwarded-host request header. This header should be taken into consideration when building the oauth2 redirect. The redirect should look something like this: https://login.microsoftonline.com/organizations/oauth2/v2.0/authorize?client_id=[some-client-id]&redirect_uri=https%3a%2f%2fsso.weu.grafana.azure.com%2flogin%2fazuread&state=[my-custom-grafana-domain.com]&[some-more-stuff]
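
An added example, not part of the original issue and not Azure's or Grafana's code: a sketch of how a backend could honor `x-forwarded-host` when building the redirect shown above without letting an arbitrary client steer the post-login destination. The proxy subnet, allowed host, fallback host and function names are assumptions made for illustration.

```python
import ipaddress
from urllib.parse import urlencode

# Constructed values for illustration; none come from a real deployment.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.1.0/24")]  # assumed gateway subnet
ALLOWED_HOSTS = {"my-custom-grafana-domain.com"}          # assumed custom domain
DEFAULT_HOST = "grafana.internal.example"                 # assumed fallback host
AUTHORIZE = "https://login.microsoftonline.com/organizations/oauth2/v2.0/authorize"
SSO_CALLBACK = "https://sso.weu.grafana.azure.com/login/azuread"


def external_host(peer_ip, headers):
    """Pick the host the user should be returned to after login."""
    # Only a request arriving from the gateway may set the forwarded host;
    # anyone who can reach the backend directly could otherwise forge it.
    peer = ipaddress.ip_address(peer_ip)
    if not any(peer in net for net in TRUSTED_PROXIES):
        return DEFAULT_HOST
    lowered = {k.lower(): v for k, v in headers.items()}
    raw = lowered.get("x-forwarded-host", "")
    # A single gateway sets one value; a list means something upstream
    # injected its own entry, so fall back instead of guessing.
    if "," in raw:
        return DEFAULT_HOST
    # Normalise case, drop an optional port and a trailing dot.
    host = raw.strip().lower().partition(":")[0].rstrip(".")
    # Exact-match allowlist: the header never becomes a redirect target
    # unless the operator configured that name.
    return host if host in ALLOWED_HOSTS else DEFAULT_HOST


def authorize_url(client_id, peer_ip, headers):
    """Build the authorize URL in the shape given in the issue."""
    params = {
        "client_id": client_id,
        "redirect_uri": SSO_CALLBACK,
        # The issue's URL carries the custom domain in state; a real flow
        # would also bind state to the user's session.
        "state": external_host(peer_ip, headers),
    }
    return AUTHORIZE + "?" + urlencode(params)
```
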