Ecosyste.ms: Awesome

An open API service indexing awesome lists of open source software.

Awesome Lists | Featured Topics | Projects

https://github.com/supabase/cloudflare-access-grafana

Small proxy for automatically login users from Cloudflare Access into Grafana
https://github.com/supabase/cloudflare-access-grafana

Last synced: about 2 months ago
JSON representation

Small proxy for automatically login users from Cloudflare Access into Grafana

Host: GitHub
URL: https://github.com/supabase/cloudflare-access-grafana
Owner: supabase
License: apache-2.0
Fork: true (jorgelbg/cloudflare-access-grafana)
Created: 2021-04-08T10:20:30.000Z (over 3 years ago)
Default Branch: master
Last Pushed: 2024-03-13T21:07:39.000Z (6 months ago)
Last Synced: 2024-04-15T02:15:11.324Z (5 months ago)
Language: Go
Homepage:
Size: 55.7 KB
Stars: 8
Watchers: 2
Forks: 3
Open Issues: 2
Metadata Files:
- Readme: README.md
- License: LICENSE.txt

Awesome Lists containing this project

README

# cloudflare-access-grafana

![Docker pulls](https://badgen.net/docker/pulls/jorgelbg/cloudflare-access-grafana?icon=docker&color=purple)

cloudflare-access-grafana is an HTTP proxy implemented to run as transparently behind [Cloudflare
Access](https://teams.cloudflare.com/access/) and forward the email of the signed-in user to Grafana.
Running this small proxy between Cloudflare Access and your Grafana instance allows you to
automatically sign in the authenticated user from Cloudflare Access into Grafana.

## 📥 Installation / Getting started

To accomplish this Grafana has to run in with the [Auth Proxy
Authentication](https://grafana.com/docs/grafana/latest/auth/auth-proxy/) mode enabled. This will
delegate the authentication to another component: Cloudflare Access + cloudflare-access-grafana in
this case.

A minimal `grafana.ini` config could look like this:

```ini
[users]
allow_sign_up = false
auto_assign_org = true
auto_assign_org_role = Editor

[auth.proxy]
enabled = true
header_name = X-WEBAUTH-USER
header_property = email
auto_sign_up = true
```

Running a Grafana docker container with the previous configuration can be done with the following command:

```shell
$ docker run --rm --name grafana -i -p 3000:3000 -v $(pwd)/grafana.ini:/etc/grafana/grafana.ini --name grafana grafana/grafana
```

In this case, the `header_property` set to `email` is important because the email is the claim
that we get from the JWT token provided by Cloudflare Access. `header_name` can be configured to any
desired value and will need to match the `FORWARDHEADER` environment variable passed into
cloudflare-access-grafana.

You can copy the template from [.env.template](.env.template) into your environment file and adjust
the required values. Now you can run the cloudflare-access-grafana container with the following command:

```
$ cp .env.template .env
$ docker run --rm -d --env-file $(pwd)/.env --name cloudflare-proxy -p 3001:3001 jorgelbg/cloudflare-access-grafana
```

This will start the proxy on the specified address and it will start to listen for incoming requests.
When a new HTTP request is received it will validate the JWT token, extract the `email` claim from
the token and forward to the specified host the header with the email address. Grafana will then
automatically signup/sign in (depending on the configuration) the user.

> Additional configuration on the Cloudflare Access is required to route your subdomain/DNS entry
> into the cloudflare-access-grafana instance. Grafana doesn't need to be accessible externally since
> all requests will go through the proxy.

## 👾 Known Issues

Since the authentication is no longer on the Grafana side, the logout action will not work as
expected. Although it will execute normally, you will find yourself logged in again. This happens
because the current user has not been logged out of Cloudflare Access.

## 🛠 Configuration

All the configuration options are passed to cloudflare-access-proxy as environment variables:

* `AUTHDOMAIN`: This is your cloudflare authentication domain. Normally in the form of `https://.cloudflareaccess.com`.
* `POLICYAUD`: Application Audience (AUD) Tag.
* `FORWARDHEADER`: The header to be forwarded to Grafana to indicate which user is currently logged in.
* `FORWARDHOST`: URL where the Grafana instance (with `auth.proxy` enabled) is running.
* `ADDR`: Address where the cloudflare-access-proxy will listen for incoming connections.

## 👨🏻‍💻 Developing

```shell
git clone https://github.com/jorgelbg/cloudflare-access-grafana
cd cloudflare-access-grafana/
make
```

This will build a binary placed in `bin/github.com/jorgelbg/cloudflare-access-grafana` for your native platform.

If you want to build a new Docker image use the following command:

```shell
make docker
```

## 🤚🏻 Contributing

If you'd like to contribute, please fork the repository and use a feature
branch. Pull requests are warmly welcome.

## 🚀 Links

- The project logo is based on [Cloudflare icon](https://icons8.com/icons/set/cloudflare) by [Icons8](https://icons8.com). And the [Grafana icon](https://grafana.com/).