MrGeneration revised this gist . Go to revision
No changes
MrGeneration revised this gist . Go to revision
1 file changed, 1 insertion, 1 deletion
3-add-readonly-es-user-grafana.sh
| @@ -11,7 +11,7 @@ curl --insecure -uelastic:"${es_password}" -H 'Content-Type: application/json' ' | |||
| 11 | 11 | "cluster" : [ "monitor" ], | |
| 12 | 12 | "indices" : [ | |
| 13 | 13 | { | |
| 14 | - | "names" : [ "zammad_" ], | |
| 14 | + | "names" : [ "zammad_*" ], | |
| 15 | 15 | "privileges" : [ "monitor", "read", "view_index_metadata" ] | |
| 16 | 16 | } | |
| 17 | 17 | ] | |
MrGeneration revised this gist . Go to revision
1 file changed, 3 insertions
3-add-readonly-es-user-grafana.sh
| @@ -2,6 +2,9 @@ | |||
| 2 | 2 | es_password='' | |
| 3 | 3 | ro_password='' | |
| 4 | 4 | ||
| 5 | + | # List Elasticsearch indices / indexes | |
| 6 | + | curl --insecure -u "elastic:${es_password}" https://localhost:9200/_aliases?pretty=true | |
| 7 | + | ||
| 5 | 8 | # Create Elasticsearch Role | |
| 6 | 9 | # names 'zammad_' is the default prefix and might be different in your environment! | |
| 7 | 10 | curl --insecure -uelastic:"${es_password}" -H 'Content-Type: application/json' 'https://localhost:9200/_security/role/zammad_grafana_ro' -d '{ | |
MrGeneration revised this gist . Go to revision
2 files changed, 22 insertions
3-add-readonly-es-user-grafana.sh(file created)
| @@ -0,0 +1,22 @@ | |||
| 1 | + | # Set elastic user password and ReadOnly password for the to be created Grafana user | |
| 2 | + | es_password='' | |
| 3 | + | ro_password='' | |
| 4 | + | ||
| 5 | + | # Create Elasticsearch Role | |
| 6 | + | # names 'zammad_' is the default prefix and might be different in your environment! | |
| 7 | + | curl --insecure -uelastic:"${es_password}" -H 'Content-Type: application/json' 'https://localhost:9200/_security/role/zammad_grafana_ro' -d '{ | |
| 8 | + | "cluster" : [ "monitor" ], | |
| 9 | + | "indices" : [ | |
| 10 | + | { | |
| 11 | + | "names" : [ "zammad_" ], | |
| 12 | + | "privileges" : [ "monitor", "read", "view_index_metadata" ] | |
| 13 | + | } | |
| 14 | + | ] | |
| 15 | + | }' | |
| 16 | + | ||
| 17 | + | # Create Elasticsearch ReadOnly User | |
| 18 | + | curl --insecure -uelastic:"${es_password}" -H 'Content-Type: application/json' 'https://localhost:9200/_security/user/zammad_grafana' -d "{ | |
| 19 | + | \"password\" : \"${ro_password}\", | |
| 20 | + | \"full_name\" : \"Grafana ReadOnly Account for Zammad\", | |
| 21 | + | \"roles\" : [ \"zammad_grafana_ro\" ] | |
| 22 | + | }" | |
3-closed-vs-created-tickets-dashboard-sample.yml renamed to 4-closed-vs-created-tickets-dashboard-sample.yml
File renamed without changes
MrGeneration revised this gist . Go to revision
1 file changed, 1 insertion, 1 deletion
1-install-grafana.sh
| @@ -13,7 +13,7 @@ apt install grafana-enterprise | |||
| 13 | 13 | sed -i 's/;http_port = 3000/http_port = 3001/g' /etc/grafana/grafana.ini | |
| 14 | 14 | sed -i 's/;http_addr =/http_addr = 127.0.0.1/g' /etc/grafana/grafana.ini | |
| 15 | 15 | sed -i 's/;instance_name = localhost/instance_name = FQDN/g' /etc/grafana/grafana.ini | |
| 16 | - | sed -i 's/;domain = localhost = localhost/domain = FQDN/g' /etc/grafana/grafana.ini | |
| 16 | + | sed -i 's/;domain = localhost/domain = FQDN/g' /etc/grafana/grafana.ini | |
| 17 | 17 | sed -i 's/;enforce_domain = false/enforce_domain = true/g' /etc/grafana/grafana.ini | |
| 18 | 18 | sed -i 's/;root_url = %(protocol)s:\/\/%(domain)s:%(http_port)s\//root_url = %(protocol)s:\/\/%(domain)s\//g' /etc/grafana/grafana.ini | |
| 19 | 19 | sed -i 's/;content_security_policy = false/content_security_policy = true/g' /etc/grafana/grafana.ini | |
MrGeneration revised this gist . Go to revision
No changes
MrGeneration revised this gist . Go to revision
1 file changed, 1 insertion, 1 deletion
1-install-grafana.sh
| @@ -3,7 +3,7 @@ | |||
| 3 | 3 | ||
| 4 | 4 | # Add Debian repository | |
| 5 | 5 | mkdir -p /etc/apt/keyrings/ | |
| 6 | - | wget -q -O - https://apt.grafana.com/gpg.key | gpg --dearmor | tee /etc/apt/keyrings/grafana.gpg > /dev/null | |
| 6 | + | curl -fsSL https://apt.grafana.com/gpg.key | gpg --dearmor | tee /etc/apt/keyrings/grafana.gpg > /dev/null | |
| 7 | 7 | echo "deb [signed-by=/etc/apt/keyrings/grafana.gpg] https://apt.grafana.com stable main" | tee -a /etc/apt/sources.list.d/grafana.list | |
| 8 | 8 | ||
| 9 | 9 | # Install Grafana Enterprise (as suggested) | |
MrGeneration revised this gist . Go to revision
2 files changed, 16 insertions
2-apache-grafana.conf
| @@ -34,7 +34,15 @@ ServerTokens Prod | |||
| 34 | 34 | Require local | |
| 35 | 35 | </Proxy> | |
| 36 | 36 | ||
| 37 | + | <Location /api/live/ws> | |
| 38 | + | # Handle websocket connections | |
| 39 | + | ProxyPreserveHost On | |
| 40 | + | ProxyPass ws://127.0.0.1:3001/api/live/ws | |
| 41 | + | ProxyPassReverse ws://127.0.0.1:3001/api/live/ws | |
| 42 | + | </Location> | |
| 43 | + | ||
| 37 | 44 | ProxyPass / http://127.0.0.1:3001/ | |
| 45 | + | ProxyPassReverse / http://127.0.0.1:3001/ | |
| 38 | 46 | ||
| 39 | 47 | <Directory /> | |
| 40 | 48 | Options FollowSymLinks | |
2-nginx-grafana.conf
| @@ -1,5 +1,10 @@ | |||
| 1 | 1 | # vHost file for nginx | |
| 2 | 2 | ||
| 3 | + | map $http_upgrade $connection_upgrade_grafana_ssl { | |
| 4 | + | default upgrade; | |
| 5 | + | '' close; | |
| 6 | + | } | |
| 7 | + | ||
| 3 | 8 | server { | |
| 4 | 9 | listen 80; | |
| 5 | 10 | listen [::]:80; | |
| @@ -37,10 +42,13 @@ server { | |||
| 37 | 42 | ||
| 38 | 43 | location / { | |
| 39 | 44 | proxy_read_timeout 300; | |
| 45 | + | proxy_http_version 1.1; | |
| 40 | 46 | proxy_set_header Host $host; | |
| 41 | 47 | proxy_set_header CLIENT_IP $remote_addr; | |
| 42 | 48 | proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; | |
| 43 | 49 | proxy_set_header X-Forwarded-Proto $scheme; | |
| 50 | + | proxy_set_header Upgrade $http_upgrade; | |
| 51 | + | proxy_set_header Connection $connection_upgrade_grafana_ssl; | |
| 44 | 52 | ||
| 45 | 53 | # Adjust below port to your environemnt (Grafana default is 3000) | |
| 46 | 54 | proxy_pass http://127.0.0.1:3001; | |
MrGeneration revised this gist . Go to revision
1 file changed, 1 insertion, 1 deletion
1-install-grafana.sh
| @@ -13,7 +13,7 @@ apt install grafana-enterprise | |||
| 13 | 13 | sed -i 's/;http_port = 3000/http_port = 3001/g' /etc/grafana/grafana.ini | |
| 14 | 14 | sed -i 's/;http_addr =/http_addr = 127.0.0.1/g' /etc/grafana/grafana.ini | |
| 15 | 15 | sed -i 's/;instance_name = localhost/instance_name = FQDN/g' /etc/grafana/grafana.ini | |
| 16 | - | sed -i 's/;domain = localhostdomain = localhost/domain = FQDN/g' /etc/grafana/grafana.ini | |
| 16 | + | sed -i 's/;domain = localhost = localhost/domain = FQDN/g' /etc/grafana/grafana.ini | |
| 17 | 17 | sed -i 's/;enforce_domain = false/enforce_domain = true/g' /etc/grafana/grafana.ini | |
| 18 | 18 | sed -i 's/;root_url = %(protocol)s:\/\/%(domain)s:%(http_port)s\//root_url = %(protocol)s:\/\/%(domain)s\//g' /etc/grafana/grafana.ini | |
| 19 | 19 | sed -i 's/;content_security_policy = false/content_security_policy = true/g' /etc/grafana/grafana.ini | |
MrGeneration revised this gist . Go to revision
4 files changed, 95 insertions, 1 deletion
1-install-grafana.sh
| @@ -21,4 +21,7 @@ sed -i 's/;cookie_secure = false/cookie_secure = true/g' /etc/grafana/grafana.in | |||
| 21 | 21 | sed -i 's/;cookie_samesite = lax/cookie_samesite = strict/g' /etc/grafana/grafana.ini | |
| 22 | 22 | echo "content_security_policy_template = \"\"\"script-src 'self' 'unsafe-eval' 'unsafe-inline' 'strict-dynamic' $NONCE;object-src 'none';font-src 'self';style-src 'self' 'unsafe-inline' blob:;img-src * data:;base-uri 'self';connect-src 'self' grafana.com ws://$ROOT_PATH wss://$ROOT_PATH;manifest-src 'self';media-src 'none';form-action 'self';frame-src: 'self'\"\"\"" >> /etc/grafana/grafana.ini | |
| 23 | 23 | sed -i 's/;allow_sign_up = true/allow_sign_up = false/g' /etc/grafana/grafana.ini | |
| 24 | - | sed -i 's/;hide_version = false/hide_version = true/g' /etc/grafana/grafana.ini | |
| 24 | + | sed -i 's/;hide_version = false/hide_version = true/g' /etc/grafana/grafana.ini | |
| 25 | + | ||
| 26 | + | # After you're done with your configuration, start and enable Grafana | |
| 27 | + | systemctl enable grafana-server --now | |
2-apache-grafana.conf(file created)
| @@ -0,0 +1,43 @@ | |||
| 1 | + | # vHost file for Apache2 | |
| 2 | + | ||
| 3 | + | # security - prevent information disclosure about server version | |
| 4 | + | ServerTokens Prod | |
| 5 | + | ||
| 6 | + | <VirtualHost *:80> | |
| 7 | + | ServerName FQDN | |
| 8 | + | Redirect permanent / https://FQDN | |
| 9 | + | </VirtualHost> | |
| 10 | + | ||
| 11 | + | <VirtualHost *:443> | |
| 12 | + | SSLEngine on | |
| 13 | + | SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1 | |
| 14 | + | SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305 | |
| 15 | + | SSLHonorCipherOrder off | |
| 16 | + | SSLSessionTickets off | |
| 17 | + | ||
| 18 | + | SSLCertificateFile /etc/ssl/certs/FQDN.pem; | |
| 19 | + | SSLCertificateKeyFile /etc/ssl/private/FQDN.pem; | |
| 20 | + | # only if applicable | |
| 21 | + | # SSLCertificateChainFile /etc/ssl/certs/cert-bundle.pem; | |
| 22 | + | SSLOpenSSLConfCmd DHParameters /etc/ssl/dhparam.pem | |
| 23 | + | ||
| 24 | + | ServerName FQDN | |
| 25 | + | ||
| 26 | + | HostnameLookups Off | |
| 27 | + | UseCanonicalName Off | |
| 28 | + | ServerSignature Off | |
| 29 | + | ||
| 30 | + | ProxyRequests Off | |
| 31 | + | ProxyPreserveHost On | |
| 32 | + | ||
| 33 | + | <Proxy 127.0.0.1:3001> | |
| 34 | + | Require local | |
| 35 | + | </Proxy> | |
| 36 | + | ||
| 37 | + | ProxyPass / http://127.0.0.1:3001/ | |
| 38 | + | ||
| 39 | + | <Directory /> | |
| 40 | + | Options FollowSymLinks | |
| 41 | + | AllowOverride None | |
| 42 | + | </Directory> | |
| 43 | + | </VirtualHost> | |
2-nginx-grafana.conf(file created)
| @@ -0,0 +1,48 @@ | |||
| 1 | + | # vHost file for nginx | |
| 2 | + | ||
| 3 | + | server { | |
| 4 | + | listen 80; | |
| 5 | + | listen [::]:80; | |
| 6 | + | server_name FQDN; | |
| 7 | + | access_log /var/log/nginx/access.log; | |
| 8 | + | ||
| 9 | + | location / { | |
| 10 | + | return 301 https://$host$request_uri; | |
| 11 | + | } | |
| 12 | + | } | |
| 13 | + | ||
| 14 | + | server { | |
| 15 | + | listen 443 ssl http2; | |
| 16 | + | listen [::]:443 ssl http2; | |
| 17 | + | server_name FQDN; | |
| 18 | + | server_tokens off; | |
| 19 | + | access_log /var/log/nginx/access.log; | |
| 20 | + | error_log /var/log/nginx/error.log warn; | |
| 21 | + | ||
| 22 | + | ssl_certificate /etc/ssl/certs/FQDN.pem; | |
| 23 | + | ssl_certificate_key /etc/ssl/private/FQDN.pem; | |
| 24 | + | # only if applicable | |
| 25 | + | # ssl_trusted_certificate /etc/ssl/certs/cert-bundle.pem; | |
| 26 | + | ssl_protocols TLSv1.2 TLSv1.3; | |
| 27 | + | ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305; | |
| 28 | + | ssl_prefer_server_ciphers off; | |
| 29 | + | ssl_dhparam /etc/nginx/dhparam.pem; | |
| 30 | + | ssl_session_cache shared:SSL:10m; | |
| 31 | + | ssl_session_timeout 10m; | |
| 32 | + | ssl_stapling on; | |
| 33 | + | ssl_stapling_verify on; | |
| 34 | + | ||
| 35 | + | add_header Strict-Transport-Security "max-age=63072000" always; | |
| 36 | + | # Content Security, frame and Type is generated by Grafana already | |
| 37 | + | ||
| 38 | + | location / { | |
| 39 | + | proxy_read_timeout 300; | |
| 40 | + | proxy_set_header Host $host; | |
| 41 | + | proxy_set_header CLIENT_IP $remote_addr; | |
| 42 | + | proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; | |
| 43 | + | proxy_set_header X-Forwarded-Proto $scheme; | |
| 44 | + | ||
| 45 | + | # Adjust below port to your environemnt (Grafana default is 3000) | |
| 46 | + | proxy_pass http://127.0.0.1:3001; | |
| 47 | + | } | |
| 48 | + | } | |
2-closed-vs-created-tickets-dashboard-sample.yml renamed to 3-closed-vs-created-tickets-dashboard-sample.yml
File renamed without changes