From 95ceabe1baf74126e100c04f8b970e5999a7374a Mon Sep 17 00:00:00 2001
From: George V <39589642+GeorgeGedox@users.noreply.github.com>
Date: Sat, 14 Aug 2021 23:05:23 +0300
Subject: [PATCH] website/docs: Forward authentication proxy and Grafana considerations (#1254)

* docs: Updated forward authentication proxy nginx buffer config, grafana oauth integration considerations
* docs: Cover edge-case when default grafana org id is not 1
---
 website/docs/integrations/services/grafana/index.mdx | 11 +++++++++++
 website/docs/providers/proxy/forward_auth.mdx | 10 +++++++---
 2 files changed, 18 insertions(+), 3 deletions(-)

diff --git a/website/docs/integrations/services/grafana/index.mdx b/website/docs/integrations/services/grafana/index.mdx
index af2640075..5b6d2aa4e 100644
--- a/website/docs/integrations/services/grafana/index.mdx
+++ b/website/docs/integrations/services/grafana/index.mdx
@@ -95,3 +95,14 @@ contains(groups[*], 'Grafana Admins') && 'Admin' || contains(groups[*], 'Grafana
 ```
 
 For more information on group/role mappings, see [Grafana's docs](https://grafana.com/docs/grafana/latest/auth/generic-oauth/#role-mapping).
+
+### Grafana Configuration Considerations
+
+Make sure in your configuration that `root_url` is set correctly, otherwise your redirect url might get processed incorrectly. For example, if your grafana instance is running on the default configuration and is accesible behind a reverse proxy at `https://grafana.company`, your redirect url will end up looking like this, `https://grafana.company:3000`.
+If you get `user does not belong to org` error when trying to log into grafana for the first time via OAuth, check if you have an organization with the ID of `1`, if not, then you have to add the following to your grafana config:
+
+```ini
+[users]
+auto_assign_org = true
+auto_assign_org_id =
+```
\ No newline at end of file
diff --git a/website/docs/providers/proxy/forward_auth.mdx b/website/docs/providers/proxy/forward_auth.mdx
index eec89465b..b8634ca5a 100644
--- a/website/docs/providers/proxy/forward_auth.mdx
+++ b/website/docs/providers/proxy/forward_auth.mdx
@@ -58,6 +58,13 @@ server {
 ssl_certificate /etc/ssl/certs/ssl-cert-snakeoil.pem;
 ssl_certificate_key /etc/ssl/private/ssl-cert-snakeoil.key;
 
+ # Increase buffer size for large headers
+ # This is needed only if you get 'upstream sent too big header while reading response header from upstream' error when trying to access an application protected by goauthentik
+ proxy_buffers 8 16k;
+ proxy_buffer_size 32k;
+ fastcgi_buffers 16 16k;
+ fastcgi_buffer_size 32k;
+
 location / {
 # Put your proxy_pass to your application here
 # proxy_pass http://localhost:5000;
@@ -80,9 +87,6 @@ server {
 proxy_set_header Host $host;
 add_header Set-Cookie $auth_cookie;
 auth_request_set $auth_cookie $upstream_http_set_cookie;
- # Increase buffer size for large headers
- proxy_buffers 8 16k;
- proxy_buffer_size 16k;
 }
 
 # Special location for when the /auth endpoint returns a 401,