install/grafana
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

initial commit

Browse Source
This commit is contained in:
Christoph
2024-12-22 16:31:06 +01:00
commit 2a851e14c4
6 changed files with 326 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

113
README.nginx Normal file
View File

@@ -0,0 +1,113 @@
# ---
# type:
#
# 1. Adjust variables 'grafana_host_name' and 'grafana_port' and if not a
# standard installation also nginx concerning variables
#
# 2. source README.nginx
#
# ---
grafana_host_name="grafana.ndneu.de"
grafana_port=3002
nginx_path_sites_available="/etc/nginx/sites-available"
nginx_path_sites_enabled="/etc/nginx/sites-enabled"
nginx_config_file="${nginx_path_sites_available}/${grafana_host_name}.conf"
cat << EOF > ${nginx_config_file}
# This is required to proxy Grafana Live WebSocket connections.
map \$http_upgrade \$connection_upgrade {
default upgrade;
'' close;
}
upstream grafana {
server localhost:${grafana_port};
}
server {
listen 80;
listen [::]:80;
server_name ${grafana_host_name};
return 301 https://\$server_name\$request_uri;
}
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name grafana.ndneu.de;
# Include location directive for Let's Encrypt ACME Challenge
#
# Needed for (automated) updating certificate
#
include snippets/letsencrypt-acme-challenge.conf;
# Use Mozilla's guidelines for SSL/TLS settings
# https://mozilla.github.io/server-side-tls/ssl-config-generator/
ssl_certificate /var/lib/dehydrated/certs/grafana.ndneu.de/fullchain.pem;
ssl_certificate_key /var/lib/dehydrated/certs/grafana.ndneu.de/privkey.pem;
# Diffie-Hellman parameter for DHE ciphersuites, recommended 2048 bits
#
# To generate a dhparam.pem file, run in a terminal
# openssl dhparam -dsaparam -out /etc/nginx/ssl/dhparam.pem 2048
#
ssl_dhparam /etc/nginx/ssl/dhparam.pem;
# Speeds things up a little bit when resuming a session
ssl_session_timeout 1d;
#ssl_session_cache shared:MozSSL:10m;
ssl_session_tickets off;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
ssl_prefer_server_ciphers off;
# HSTS (ngx_http_headers_module is required) (63072000 seconds)
add_header Strict-Transport-Security "max-age=63072000" always;
add_header X-Robots-Tag "noindex, nofollow, nosnippet, noarchive";
# OCSP stapling
ssl_stapling on;
ssl_stapling_verify on;
# verify chain of trust of OCSP response using Root CA and Intermediate certs
ssl_trusted_certificate /etc/ssl/certs/ca-certificates.crt;
root /usr/share/nginx/html;
index index.html index.htm;
location / {
proxy_set_header Host \$host;
proxy_pass http://grafana;
}
# Proxy Grafana Live WebSocket connections.
location /api/live/ {
proxy_http_version 1.1;
proxy_set_header Upgrade \$http_upgrade;
proxy_set_header Connection \$connection_upgrade;
proxy_set_header Host \$host;
proxy_pass http://grafana;
}
}
EOF
# Delete existin symlink
#
if [[ -f "${nginx_path_sites_enabled}/$(basename "${nginx_config_file}")" ]] ; then
rm "${nginx_path_sites_enabled}/$(basename "${nginx_config_file}")"
fi
# Activate site
#
ln -s "../sites-available/$(basename "${nginx_config_file}")" \
"${nginx_path_sites_enabled}/$(basename "${nginx_config_file}")"