proxy-to-grafana

command
v1.84.2 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Jun 9, 2025 License: BSD-3-Clause Imports: 14 Imported by: 0

Documentation

Overview

proxy-to-grafana is a reverse proxy which identifies users based on their originating Tailscale identity and maps them to corresponding Grafana users, creating them if needed.

It uses Grafana's AuthProxy feature: https://grafana.com/docs/grafana/latest/auth/auth-proxy/

Set the TS_AUTHKEY environment variable to have this server automatically join your tailnet, or look for the logged auth link on first start.

Use this Grafana configuration to enable the auth proxy: 

[auth.proxy]
enabled = true
header_name = X-WEBAUTH-USER
header_property = username
auto_sign_up = true
whitelist = 127.0.0.1
headers = Email:X-Webauth-User, Name:X-Webauth-Name, Role:X-Webauth-Role
enable_login_token = true

You can use grants in Tailscale ACL to give users different roles in Grafana. For example, to give group:eng the Editor role, add the following to your ACLs: 

 "grants": [
		{
			"src": ["group:eng"],
			"dst": ["tag:grafana"],
			"app": {
				"tailscale.com/cap/proxy-to-grafana": [{
					"role": "editor",
				}],
			},
		},
 ],

If multiple roles are specified, the most permissive role is used.

Source Files

View all Source files

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.