Is hosting grafana on http a security concern?

The Grafana dashboard hosted on one of the Cardano node relays is available to browse over HTTP, and the default credentials are very easy to guess. Isn't that a security concern?

You should be changing the default credentials immediately. Good point about the HTTP; there should be a way to enforce HTTPS.

Please update this post if you do find a way to enforce https

There are guides like this Grafana: How to configure SSL HTTPS in Grafana - turbogeek that might be useful.
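An added example, not taken from the thread or from the linked guide, of what "enforce HTTPS and replace the default login" looks like on the relay itself. It assumes the Debian/Ubuntu Grafana package (config in /etc/grafana/grafana.ini, service grafana-server, grafana-cli on PATH) and a self-signed certificate; the paths, the 10.8.0.1 bind address and the `apply` argument are my own conventions. The check function matters because the ini Grafana ships already contains `;protocol = http` and `;cert_file =` as comments, so grepping for the word "https" proves nothing.

```shell
#!/bin/sh
# Added example (not from the thread or the linked guide). Assumptions:
# Debian/Ubuntu grafana package (config at /etc/grafana/grafana.ini, unit
# grafana-server, grafana-cli on PATH) and that a self-signed certificate is
# acceptable; use a CA-issued one if the relay has a DNS name.
set -eu

GRAFANA_INI="${GRAFANA_INI:-/etc/grafana/grafana.ini}"
TLS_DIR="${TLS_DIR:-/etc/grafana/tls}"

# Settings Grafana needs to serve HTTPS itself. cert_file/cert_key are ignored
# unless protocol = https; http_addr lets you bind one interface (e.g. a VPN
# address) instead of every interface, which is the default 0.0.0.0.
grafana_https_snippet() {
  cert="$1"; key="$2"; bind="${3:-0.0.0.0}"
  cat <<EOF

[server]
protocol = https
http_addr = $bind
http_port = 3000
cert_file = $cert
cert_key = $key

[security]
cookie_secure = true
EOF
}

# Succeed only if FILE has an *uncommented* protocol = https plus both cert
# paths. The ini Grafana ships has ';protocol = http' and ';cert_file ='
# commented out, so a naive 'grep https' would pass a still-plaintext install.
grafana_ini_enforces_https() {
  grep -Eq '^[[:space:]]*protocol[[:space:]]*=[[:space:]]*https[[:space:]]*$' "$1" || return 1
  grep -Eq '^[[:space:]]*cert_file[[:space:]]*=[[:space:]]*[^[:space:]]' "$1" || return 1
  grep -Eq '^[[:space:]]*cert_key[[:space:]]*=[[:space:]]*[^[:space:]]' "$1" || return 1
}

# Live check after restart: the health endpoint must answer over TLS.
# -k accepts the self-signed cert; drop it once you use a CA-issued one.
grafana_answers_https() {
  curl -sk --max-time 5 "https://${1:-127.0.0.1}:${2:-3000}/api/health" | grep -q '"database"'
}

if [ "${1:-}" = "apply" ]; then
  [ "$(id -u)" -eq 0 ] || { echo "run as root" >&2; exit 1; }
  mkdir -p "$TLS_DIR"
  # CN should be what you type in the browser (relay hostname or IP).
  openssl req -x509 -newkey rsa:2048 -nodes -days 825 \
    -subj "/CN=${GRAFANA_HOST:-$(hostname -f)}" \
    -keyout "$TLS_DIR/grafana.key" -out "$TLS_DIR/grafana.crt"
  chown root:grafana "$TLS_DIR/grafana.key"
  chmod 640 "$TLS_DIR/grafana.key"
  # Appending a second [server] section works because a later value of the
  # same key overrides the earlier one when Grafana loads the ini.
  grafana_https_snippet "$TLS_DIR/grafana.crt" "$TLS_DIR/grafana.key" >> "$GRAFANA_INI"
  grafana_ini_enforces_https "$GRAFANA_INI"

  # Replace admin/admin before exposing anything. The new password is shown
  # once here and is visible in 'ps' for the duration of the command.
  NEW_PASS=$(head -c 24 /dev/urandom | base64 | tr -d '/+=')
  grafana-cli admin reset-admin-password "$NEW_PASS"
  echo "new Grafana admin password: $NEW_PASS"

  systemctl restart grafana-server
  sleep 3
  grafana_answers_https 127.0.0.1 3000 && echo "Grafana is serving HTTPS"
fi
```

Run it as `sh harden-grafana.sh apply` on the relay, then browse to https://relay:3000 (the browser will warn once about the self-signed certificate). The same keys can be set without touching the file via environment variables of the form GF_SERVER_PROTOCOL=https in the service's environment, which is handy if the package manages grafana.ini for you.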

thanks, will try this out

It’s a concern if you use HTTP from a public network, as someone could easily sniff the password.

Additionally, you could add a server firewall rule to allow incoming connections from a specific IP only.

If you have more free time to spend securing everything, you could have a VPN server running at that IP, so when you connect from another place you would connect to that VPN and then access Grafana… or run the VPN server on the internet… (the DigitalOcean machine costs $5/month but requires technical skills to configure).

If you go for the VPN approach you may consider using Wireguard. This is an easy way which does not require a dedicated server for it.

Thanks Mcrio will explore this option in future.


Thanks Zwirny - I am not using wireguard for now. But will explore more in future

I used wireguard for a while, but setup and port forwarding are tricky. Now, I use Tailscale (recommended by WCat). It has a very straightforward configuration that only requires a simple download and authentication.

curl -fsSL https://tailscale.com/install.sh | sh

I hadn’t heard of Tailscale before so I just looked at it briefly. The first thing I looked for was “Is tailscale open source?”. See this page. Here they make lots of comments about how they love open source, but then they say this:

A closed source coordination server.

I stopped reading after that. I don’t know what this coordination server is used for, but it sounds like, well, “coordination”. So to me this means you are sending your metadata about which endpoints you are communicating with to their “coordination server”.

Consequently I thought it necessary to add this post so that anyone reading might think twice.

You don’t need to do that with wireguard which is what Tailscale is using under the hood. It might be better to invest the time to get wireguard working properly because it is a fantastic tool that works flawlessly and then you don’t need to send your private metadata to someone you don’t know.


You could get a free tier cloud instance and set up a nginx proxy with ssl certs. :wink:
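An added example, not from the thread, of the reverse-proxy variant: nginx terminates TLS with a Let's Encrypt certificate and forwards to Grafana, which keeps speaking plain HTTP but only on a private address. The domain grafana.example.com, the upstream 10.8.0.1:3000 and the certbot paths are assumptions. One caveat the proxy-on-a-cloud-instance idea needs: if nginx runs on a different machine from the relay, the proxy-to-Grafana hop is still plaintext unless it goes over a VPN or Grafana serves HTTPS itself, so the upstream here is deliberately a VPN-side address rather than the relay's public IP.

```shell
#!/bin/sh
# Added example, not from the thread. Assumptions: nginx and certbot on the
# proxy host, DNS for DOMAIN pointing at it, and Grafana reachable from the
# proxy on a *private* address (a VPN address here), never its public IP.
set -eu

# nginx site: port 80 only redirects, 443 terminates TLS and proxies.
# X-Forwarded-Proto tells Grafana the client is on https so its redirects
# and secure cookies behave; /api/live/ needs websocket upgrade headers.
nginx_grafana_site() {
  domain="$1"; upstream="$2"
  cat <<EOF
server {
    listen 80;
    server_name $domain;
    return 301 https://\$host\$request_uri;
}

server {
    listen 443 ssl http2;
    server_name $domain;

    ssl_certificate     /etc/letsencrypt/live/$domain/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/$domain/privkey.pem;
    ssl_protocols TLSv1.2 TLSv1.3;
    add_header Strict-Transport-Security "max-age=31536000" always;

    location / {
        proxy_pass http://$upstream;
        proxy_set_header Host \$host;
        proxy_set_header X-Forwarded-Proto https;
        proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
    }

    location /api/live/ {
        proxy_pass http://$upstream;
        proxy_http_version 1.1;
        proxy_set_header Upgrade \$http_upgrade;
        proxy_set_header Connection "Upgrade";
        proxy_set_header Host \$host;
    }
}
EOF
}

# Grafana side: listen only on the private address the proxy uses, and tell
# Grafana its public URL so login redirects and links point at the proxy.
# cookie_secure is safe because every browser session arrives over https.
grafana_behind_proxy_snippet() {
  domain="$1"; bind="$2"
  cat <<EOF

[server]
http_addr = $bind
root_url = https://$domain/

[security]
cookie_secure = true
EOF
}

if [ "${1:-}" = "apply" ]; then
  [ "$(id -u)" -eq 0 ] || { echo "run as root" >&2; exit 1; }
  DOMAIN="${DOMAIN:?set DOMAIN, e.g. grafana.example.com}"
  UPSTREAM="${UPSTREAM:-10.8.0.1:3000}"
  # Obtain the certificate before nginx references its files; --standalone
  # needs port 80 free, so run this before enabling the site.
  [ -e "/etc/letsencrypt/live/$DOMAIN/fullchain.pem" ] \
    || certbot certonly --standalone -d "$DOMAIN"
  nginx_grafana_site "$DOMAIN" "$UPSTREAM" > "/etc/nginx/sites-available/$DOMAIN"
  ln -sf "/etc/nginx/sites-available/$DOMAIN" "/etc/nginx/sites-enabled/$DOMAIN"
  nginx -t && systemctl reload nginx
  # On the relay, append grafana_behind_proxy_snippet output to grafana.ini
  # and restart grafana-server; then confirm the redirect from the outside:
  curl -sI "http://$DOMAIN/" | grep -q '^HTTP/1.1 301' && echo "http redirects to https"
fi
```

With this in place the relay exposes no Grafana port to the internet: only the proxy's 443 is public, the firewall on the relay can restrict 3000 to the proxy's VPN address, and the default-credentials problem is again reduced to whoever can reach the proxy, which is why changing admin/admin still comes first.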