
Add SSL

Video Lecture

Add SSL: Bind SSL to your Grafana Nginx Proxy

Description

I add SSL (TLS) to the Nginx proxy that fronts the Grafana web server, so that all traffic between the web browser and the server is encrypted.

I use Let's Encrypt by following the Certbot instructions.

For Web Server software, I choose Nginx.

For Operating system, I choose Ubuntu 20.04 LTS.

I then SSH onto my new Grafana server.

I ensure snap is installed.

sudo snap list

Make sure the core snap is installed and up to date.

sudo snap install core; sudo snap refresh core

I install Certbot as a classic snap.

sudo snap install --classic certbot

Link the certbot binary into the PATH so it can be run from the command line.

sudo ln -s /snap/bin/certbot /usr/bin/certbot

Start the process of installing the SSL certificate for my domain name.

sudo certbot --nginx

Follow the prompts, and enter the domain name that you want to secure.

After completion, you should be able to visit your Grafana server using the URL

https://YOUR-DOMAIN-NAME

Note that Certbot has modified the Nginx configuration file you created earlier: it adds the TLS directives to your server block and a second server block that handles plain HTTP on port 80.

You can see those changes with the cat command.

cat /etc/nginx/sites-enabled/YOUR-DOMAIN-NAME
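As an added example (not code from the original page or from Certbot), the script below audits a site file for the changes you should see after Certbot has run: a "listen 443 ssl" line, a certificate and key under /etc/letsencrypt/live/, Certbot's TLS parameter include, the 301 redirect from port 80 described in the next section, and a proxy_pass that targets Grafana on loopback. The site file embedded in it is a constructed sample of what certbot --nginx typically produces for a Grafana proxy, with DOMAIN as a placeholder; on your own host, run audit_nginx_site against /etc/nginx/sites-enabled/YOUR-DOMAIN-NAME.

```bash
#!/usr/bin/env bash
# Added example: check that a Certbot-edited Nginx site file has the TLS settings this page expects.
set -euo pipefail

# $1 = file, $2 = description, $3 = extended regex that must match at least one line.
check() {
  if grep -Eq "$3" "$1"; then echo "PASS  $2"; return 0; fi
  echo "FAIL  $2"; return 1
}

# Audits one site file. Returns 0 only if every check passes.
audit_nginx_site() {
  local f=$1 fails=0
  check "$f" "listens on 443 with TLS"               '^[[:space:]]*listen[[:space:]]+(\[::\]:)?443[[:space:]]+ssl' || fails=$((fails + 1))
  check "$f" "certificate chain from /etc/letsencrypt" '^[[:space:]]*ssl_certificate[[:space:]]+/etc/letsencrypt/live/' || fails=$((fails + 1))
  check "$f" "private key from /etc/letsencrypt"      '^[[:space:]]*ssl_certificate_key[[:space:]]+/etc/letsencrypt/live/' || fails=$((fails + 1))
  check "$f" "Certbot TLS parameters included"       '^[[:space:]]*include[[:space:]]+/etc/letsencrypt/options-ssl-nginx\.conf' || fails=$((fails + 1))
  check "$f" "plain HTTP redirected with 301"        'return[[:space:]]+301[[:space:]]+https://' || fails=$((fails + 1))
  check "$f" "proxies to Grafana on loopback only"   '^[[:space:]]*proxy_pass[[:space:]]+http://(127\.0\.0\.1|localhost):3000' || fails=$((fails + 1))
  echo "failed checks: $fails"
  [ "$fails" -eq 0 ]
}

# Constructed sample (not copied from a live server): a Grafana proxy site file after
# `certbot --nginx` with the HTTPS redirect enabled. DOMAIN stands for your hostname.
SAMPLE=$(mktemp)
trap 'rm -f "$SAMPLE"' EXIT
cat >"$SAMPLE" <<'EOF'
server {
    server_name DOMAIN;

    location / {
        proxy_pass http://localhost:3000;
        proxy_set_header Host $host;
    }

    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/DOMAIN/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/DOMAIN/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}
server {
    if ($host = DOMAIN) {
        return 301 https://$host$request_uri;
    } # managed by Certbot

    listen 80;
    server_name DOMAIN;
    return 404; # managed by Certbot
}
EOF

audit_nginx_site "$SAMPLE"
# On a live host:  audit_nginx_site /etc/nginx/sites-enabled/YOUR-DOMAIN-NAME
```

The checks are deliberately line-based greps rather than a full Nginx parser: the "# managed by Certbot" lines are what you will look for when you cat the file, and a missing 301 or a proxy_pass pointing at a public address are the two mistakes that undo the point of this step.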

Port 80 and 443

After Certbot has installed the certificate, it also configures Nginx (older Certbot releases ask first) so that any request to your domain name on port 80 receives an HTTP 301 redirect to the same URL on https, port 443, where the certificate is served. For this to work, both port 80 and 443 must accept incoming connections: port 80 for the redirect and for the Let's Encrypt HTTP-01 challenge that Certbot uses when issuing and renewing the certificate, and port 443 for the TLS traffic itself.

Note that depending on your cloud provider, you may need to allow incoming TCP connections on ports 80 and 443 using the firewall options supplied. E.g., on AWS you'd need to add inbound rules for 80 and 443 to your server's security group.

On Digital Ocean, Hetzner and some other cloud providers, there is no cloud firewall in front of a new server unless you add one, so ports 80 and 443 are reachable by default. Check your provider's firewall settings rather than assuming.

After confirming that ports 80 and 443 work, it is now safe to block external connections to port 3000 if you no longer want Grafana reachable directly. You can use the iptables command to manage which IP ports accept connections on your server. Alternatively, set http_addr = 127.0.0.1 in the [server] section of /etc/grafana/grafana.ini and restart Grafana, so that it only ever listens on loopback and there is nothing on 3000 to firewall.

The commands below allow TCP connections to port 3000 from localhost (required by the Nginx proxy_pass), but drop all external requests to it. They are appended (-A) to the INPUT chain, so they take effect after any rules already present, and they cover IPv4 only; if your server has a public IPv6 address, repeat them with ip6tables or use the grafana.ini setting above.

Note

IPTables rules are easy to get wrong, and a mistake can lock you out of your own server, so to avoid problems while setting up the exercises in the course you can skip these steps. If working in a production environment, however, ensure your firewalls are managed.

# Accept connections to 3000 that originate on the server itself (what Nginx's proxy_pass uses).
sudo iptables -A INPUT -p tcp -s 127.0.0.1 --dport 3000 -j ACCEPT
# Drop everything else that arrives for port 3000.
sudo iptables -A INPUT -p tcp --dport 3000 -j DROP

After making the above changes, verify that the rules are in place and in the right order (the ACCEPT must come before the DROP).

sudo iptables -L INPUT -n --line-numbers

Note that rules added this way live in memory only and are lost when the server reboots. See this page on persisting IPTables rules for how to save and restore them.

Persisting IPTables rules
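The loopback-only policy above, as an added example that is not part of the original page: a script that reads the output of ss -tlnH and lists the TCP listeners bound to non-loopback addresses (the exposure this section is closing), reports whether Grafana's port 3000 is among them, and applies this section's rules idempotently for both IPv4 and IPv6, using -i lo in place of -s 127.0.0.1 so that ::1 is covered as well. The ss sample is constructed; restrict_port_to_loopback needs root and is shown but not run.

```bash
#!/usr/bin/env bash
# Added example: find TCP listeners reachable from outside and lock Grafana's port to loopback.
set -euo pipefail

# Reads `ss -tlnH` lines on stdin (State Recv-Q Send-Q Local:Port Peer:Port ...) and prints
# "address port" for every listener NOT bound to loopback. The wildcards 0.0.0.0, * and [::]
# mean "every interface", so they are reported as exposed.
exposed_listeners() {
  awk '$1 != "LISTEN" { next }
  {
    n = split($4, parts, ":")
    port = parts[n]
    addr = substr($4, 1, length($4) - length(port) - 1)
    if (addr ~ /^127\./ || addr == "[::1]") next
    print addr, port
  }'
}

# Exit 0 if port $1 has a listener on a non-loopback address (stdin = `ss -tlnH` output).
port_is_exposed() {
  exposed_listeners | awk -v p="$1" '$2 == p { found = 1 } END { exit !found }'
}

# The page's two rules for both address families, made idempotent: -C checks whether a rule is
# already present, -I inserts at the head of INPUT so a broad ACCEPT further down cannot win.
# DROP is inserted first and ACCEPT second, so ACCEPT ends up above DROP. Needs root; not run here.
restrict_port_to_loopback() {
  local port=$1 ipt
  for ipt in iptables ip6tables; do
    sudo "$ipt" -C INPUT -p tcp --dport "$port" -j DROP 2>/dev/null \
      || sudo "$ipt" -I INPUT -p tcp --dport "$port" -j DROP
    sudo "$ipt" -C INPUT -i lo -p tcp --dport "$port" -j ACCEPT 2>/dev/null \
      || sudo "$ipt" -I INPUT -i lo -p tcp --dport "$port" -j ACCEPT
  done
}

# Constructed sample of `ss -tlnH` on a Grafana host: Nginx on 80/443, sshd on 22 (v4 and v6),
# systemd-resolved on loopback only, and Grafana on *:3000, i.e. every address, both families.
SAMPLE_SS='LISTEN 0 4096 127.0.0.53%lo:53 0.0.0.0:*
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 511 0.0.0.0:80 0.0.0.0:*
LISTEN 0 511 0.0.0.0:443 0.0.0.0:*
LISTEN 0 4096 *:3000 *:*
LISTEN 0 128 [::]:22 [::]:*'

echo "Listeners bound to non-loopback addresses:"
printf '%s\n' "$SAMPLE_SS" | exposed_listeners
if printf '%s\n' "$SAMPLE_SS" | port_is_exposed 3000; then
  echo "Grafana's port 3000 is bound to a public address: firewall it or set http_addr = 127.0.0.1 in grafana.ini"
fi
# On a live host:  ss -tlnH | port_is_exposed 3000 && restrict_port_to_loopback 3000
```

Note that ss reports what a process is bound to, not what the firewall lets through: after the DROP rules are in place, ss will still show *:3000, and the way to confirm the block is to connect to port 3000 from another machine and see it time out.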

Grafana Cloud

If you use your own Grafana Cloud deployment, then you will already have an SSL certificate bound to your domain.

While it is important to know the inner details of managing your own Grafana server, it can later be more strategic for your business to outsource many aspects of it. Visit Grafana Cloud to start the process.

Benefits:

  • Upgraded 28-day trial to Grafana Pro (vs. the standard 14-days)
  • 3 users
  • 10k metrics
  • 50GB logs
  • 50GB traces
  • Automatic updates
  • 30 notifications for OnCall
  • 14-day retention

Sign up at Grafana Cloud

Grafana 10 and Ubuntu 22.04 Notes

When I last checked the Certbot website, it didn't have an option for Nginx on Ubuntu 22, so I used the Ubuntu 20 option, and it still worked as shown in the video.

Also be aware that Certbot verifies your domain name by making an HTTP request to your server's IP on port 80 (the HTTP-01 challenge). Depending on whichever cloud provider you use, you may need to create a security rule to open the firewall for port 80 to allow the incoming request. I didn't need to do this when using my Digital Ocean setup as I've so far shown in my videos.
