Nginx reverse proxy for Prometheus and Grafana
# Grafana [server] settings for serving Grafana under the /grafana/ sub-path
# behind the reverse proxy.
# Settings are in addition or replacement to default config
[server]
# NOTE(review): besides feeding root_url below, `protocol` also selects how
# Grafana itself listens. The nginx site proxies to the backend with http://,
# so confirm the two agree (or keep Grafana on http and hard-code https in
# root_url).
protocol = https
# Public host name users type in the browser; fqdn.com looks like a
# placeholder to be replaced - confirm.
domain = fqdn.com
# Externally visible base URL, built from the two values above plus the
# /grafana/ sub-path that the proxy exposes.
root_url = %(protocol)s://%(domain)s/grafana/
# Grafana answers on the /grafana/ prefix itself, so the proxy must forward the
# prefix instead of stripping it.
serve_from_sub_path = true
# nginx.conf
# Settings are in addition or replacement to default settings
events {
# Upper bound on simultaneous connections per worker process.
worker_connections 1000;
}
http {
# Response compression disabled for the TLS site; presumably to avoid
# compression side channels (BREACH-style) on authenticated pages - confirm.
gzip off; # For SSL
# Derives the Connection header value for proxied requests: "upgrade" when the
# client sent an Upgrade header, "close" when it did not. Used by the Grafana
# Live WebSocket location in the site config.
map $http_upgrade $connection_upgrade {
default upgrade;
'' close;
}
}
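# systemctl edit --full prometheus.service
# Key addition is the --web.external-url command line option: with
# --web.external-url=/prometheus/ the UI and API are served under /prometheus/,
# which is the path the nginx site proxies to.
#
# --web.listen-address=127.0.0.1:9090 keeps Prometheus on loopback so the nginx
# TLS proxy is the only network path to it. Without this flag Prometheus
# listens on all interfaces (0.0.0.0:9090) and can be reached directly over
# plain HTTP, bypassing the proxy. If the proxy's upstream name `localhost`
# also resolves to ::1, point the upstream at 127.0.0.1:9090 to avoid
# refused-connection retries.
#
# NOTE(review): --web.enable-admin-api turns on the TSDB admin endpoints
# (delete series, clean tombstones, snapshot) under /prometheus/api/v1/admin/.
# Prometheus does not authenticate requests by itself in this setup, so keep
# the flag only if whatever fronts Prometheus restricts who can reach that
# path; otherwise drop it.
[Unit]
Description=Prometheus Monitoring
Wants=network-online.target
After=network-online.target
[Service]
# Runs as a dedicated unprivileged account.
User=prometheus
Group=prometheus
Type=simple
ExecStart=/usr/local/sbin/prometheus \
    --web.listen-address=127.0.0.1:9090 \
    --web.external-url=/prometheus/ \
    --web.enable-admin-api \
    --config.file /etc/prometheus/prometheus.yml \
    --storage.tsdb.path /var/lib/prometheus/ \
    --storage.tsdb.retention.time 1000d \
    --web.console.templates=/etc/prometheus/consoles \
    --web.console.libraries=/etc/prometheus/console_libraries
# SIGHUP makes Prometheus reload its configuration without a restart.
ExecReload=/bin/kill -HUP $MAINPID
[Install]
WantedBy=multi-user.target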
# Place in /etc/nginx/sites-available as proxy.conf, then link the file (not
# the directory) into sites-enabled:
# ln -s /etc/nginx/sites-available/proxy.conf /etc/nginx/sites-enabled/proxy.conf

# Backend groups referenced by the proxy_pass directives below. Both backends
# are reached over plain HTTP on the local host.
# NOTE(review): `localhost` may resolve to both 127.0.0.1 and ::1, and nginx
# treats each address as a separate peer; use a literal address if a backend
# listens on only one of them.
upstream @prometheus {
server localhost:9090;
}
upstream @grafana {
server localhost:3000;
}
# Plain-HTTP listener: serves no content, only redirects every request to the
# HTTPS site below.
server {
listen 80 default_server;
listen [::]:80 default_server;
location / {
# $host is taken from the request, and as default_server this block answers
# for any host name, so the redirect target follows whatever name the client
# sent. NOTE(review): consider a fixed server name here if only one public
# name is expected.
return 301 https://$host$request_uri;
}
}
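# HTTPS front end: terminates TLS and proxies /grafana/ and /prometheus/ to the
# local backends over plain HTTP.
#
# NOTE(review): no location in this server authenticates the client. Grafana
# normally enforces its own login, but Prometheus is proxied as-is, and the
# accompanying prometheus.service starts it with --web.enable-admin-api.
# Restrict /prometheus/ before exposing this server, for example with
#     auth_basic "Prometheus";
#     auth_basic_user_file <PATH-TO-HTPASSWD-FILE>;   # placeholder path
# or allow/deny rules limited to the networks that should reach it.
server {
    listen 443 ssl default_server;
    listen [::]:443 ssl default_server;

    ssl_certificate /etc/nginx/ssl/server.crt;
    # Private key: should be readable only by root / the nginx master process.
    ssl_certificate_key /etc/nginx/ssl/server.pem;
    ssl_session_timeout 1d;
    ssl_session_cache shared:MozSSL:10m; # about 40000 sessions
    ssl_session_tickets off;

    # openssl dhparam -out dhparam.pem 2048
    # Only used by the DHE-* suites in the cipher list below.
    ssl_dhparam /etc/ssl/certs/dhparam.pem;

    # intermediate configuration
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305;
    ssl_prefer_server_ciphers off;

    # Grafana UI and API. The location prefix and the proxy_pass URI are the
    # same, so the request path reaches Grafana unchanged, as required by
    # serve_from_sub_path = true.
    location /grafana/ {
        proxy_set_header Host $http_host;
        proxy_pass http://@grafana/grafana/;
    }

    # Proxy Grafana Live WebSocket connections.
    location /grafana/api/live/ {
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $connection_upgrade;
        proxy_set_header Host $http_host;
        # The proxy_pass URI replaces the matched location prefix, so it has to
        # repeat the full prefix; ending it at /grafana/ would rewrite
        # /grafana/api/live/ws to /grafana/ws.
        proxy_pass http://@grafana/grafana/api/live/;
    }

    # Prometheus UI and API. The trailing slash keeps the prefix replacement
    # one-to-one (no "/prometheus//..." upstream paths) and stops the block from
    # matching unrelated paths such as /prometheusfoo. A request for
    # /prometheus without the slash gets nginx's automatic 301 to /prometheus/.
    location /prometheus/ {
        proxy_pass http://@prometheus/prometheus/;
        proxy_http_version 1.1;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}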