This article is outdated and may not work correctly for current operating systems or software.
Grafana is an open-source software that transforms multiple feeds from systems such as Graphite, Telegraf, and InfluxDB into beautiful metrics in a centralized dashboard.
This tutorial will cover the process of installing the Grafana web interface.
An Ubuntu 16.04 LTS x64 server instance.
Optional: A DNS name (for use with Let's Encrypt certificates)
Update your system before installing Grafana.
apt-get update && apt-get upgrade
First letâs harden the image a little bit. Letâs also check if the image that has been provisioned has ufw
enabled.
root@vultr:~# ufw status
Status: inactive
By default it's disabled, so we will need to add a few rules:
Rule 1: ssh: TCP port 22
Rule 2: http: TCP port 3000 (default Grafana port)
Execute the following commands one by one.
ufw allow 22/tcp
ufw allow 3000/tcp
Enable the firewall services.
ufw enable
The firewall will prompt a dialog to accept changes. Just press Y.
Command may disrupt existing ssh connections. Proceed with operation (y|n)?
By default, Grafana is not in the repositories. Add the repo key and packages.
curl https://packagecloud.io/gpg.key | sudo apt-key add -
Next, add the "packagecloud" repository to your repositories.
add-apt-repository "deb https://packagecloud.io/grafana/stable/debian/ stretch main"
Update apt
to fetch the latest information from our newly added "packagecloud" repo.
apt-get update
Now we can install Grafana.
apt-get install grafana
Once Grafana has been installed, start it with systemctl
.
systemctl start grafana-server
This will show a working Grafana service.
systemctl status grafana-server
Start the Grafana service on boot.
systemctl enable grafana-server
Out of the box, Grafana allows visitors to create user accounts and preview dashboards without registering. This means we are exposing Grafana to the public internet. But not to worry, let's find and disable these settings.
First open Grafana's configuration file.
nano /etc/grafana/grafana.ini
Locate the allow_sign_up
settings under the [users]
heading.
[users]
# disable user signup / registration
;allow_sign_up = true
By default it is set to true
, so change it to false
and uncomment the line.
[users]
# disable user signup / registration
allow_sign_up = false
Next, verify that anonymous access is disabled. This can be found under the [auth.anonymous]
settings.
[auth.anonymous]
# enable anonymous access
;enabled = false
Change it to false
and uncomment the line.
[auth.anonymous]
enabled = false
Exit nano
and save the file.
To activate the changes, restart Grafana.
systemctl restart grafana-server
Now verify that everything is working by checking Grafana's service status.
systemctl status grafana-server
The Grafana daemon listens to port 3000
. In order to visit the Grafana Dashboard, point your browser to http://192.168.0.1:3000
(replace this IP with your actual server IP), and use the default login credentials below.
Username: admin
Password: admin
This is an optional step. If we have a configured DNS name, we can use Let's encrypt to enable HTTPS
for our new Grafana installation.
To achieve this, we will be using Nginx, as this software is capable of using Let's Encrypt certificates.
Start by installing Nginx.
apt-get install nginx
Once installed, edit the default configuration.
nano /etc/nginx/sites-available/default
Replace the default configuration with the following configuration.
server {
listen 0.0.0.0:80;
proxy_request_buffering off;
proxy_buffering off;
location / {
proxy_pass http://127.0.0.1:3000;
proxy_redirect off;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Host $server_name;
}
}
This will create a proxy for the website running at port 80
. Restart Nginx, and enable it at boot.
systemctl restart nginx
systemctl enable nginx
Ensure everything is working.
systemctl status nginx
Disable the old Grafana port 3000
and allow traffic on port 80
.
ufw allow 80/tcp
ufw delete allow 3000/tcp
Before we can use certbot, we need to add the correct PPA to the system containing our certbot packages.
add-apt-repository ppa:certbot/certbot
Press ENTER to accept the configuration change.
Update apt
to gather the new packages.
apt-get update
Next install the Nginx module for assigning the certificates.
apt-get -y install python-certbot-nginx
Configure the firewall to allow the HTTPS
through the firewall.
ufw allow 443/tcp
Before we can request new certificates, we need a DNS name.
nano /etc/nginx/sites-available/default
Add the following server_name
setting. This is our DNS name.
server_name grafana.example.com;
Change the configuration to reflect this new setting.
server {
server_name grafana.example.com;
listen 0.0.0.0:80;
proxy_request_buffering off;
proxy_buffering off;
location / {
proxy_pass http://127.0.0.1:3000;
proxy_redirect off;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Host $server_name;
}
}
Ensure we didn't make any errors and restart Nginx.
nginx -t
systemctl restart nginx
Now request a certificate with certbot.
certbot --nginx -d grafana.example.com
Provide your email and agree to questions asked by installer. You can safely say "No" to sharing your email. Certbot will automatically ask what to do with HTTPS
. We will be using option 2: redirect to HTTPS.
Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access.
-------------------------------------------------------------------------------
1: No redirect - Make no further changes to the webserver configuration.
2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for
new sites, or if you're confident your site works on HTTPS. You can undo this
change by editing your web server's configuration.
-------------------------------------------------------------------------------
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2
Let's encrypt certificates require renewal. Luckily we can create a cron job for this. Start by editing the crontab.
crontab -e
Add the following line.
05 2 * * * /usr/bin/certbot renew --quiet
This will check at 2:05 AM if any certificates require a renewal and will renew them.
Grafana will be running on HTTPS
now. One last thing is to change the admin password. Visit your installation at https://grafana.example.net
. By default, the credentials for logging in are 'admin/admin'.
To change the admin username, click on the cog icon on the left, go to "Configuration", then "Server Admin" and click the admin username.