Is hosting grafana on http a security concern?

chintan1 · 27 October 2021 03:08

Grafana dashboard hosted on one of one of the cardano node relays , is available to browse with http , also the default credentials are very easy to guess . Isnt that a security concern

jeremyisme · 27 October 2021 03:32

You should be changing the default credentials immediately. Good point about the http, there should be a way to enforce https.

chintan1 · 27 October 2021 04:20

Please update this post if you do find a way to enforce https

jeremyisme · 27 October 2021 05:22

There are guides like this Grafana: How to configure SSL HTTPS in Grafana - turbogeek that might be useful.

chintan1 · 27 October 2021 15:03

thanks, will try this out

mcrio · 5 November 2021 22:38

It’s a concern if you use HTTP from a public network as someone could easily sniff the password.

Additionally, you could add a server firewall rule to allow incoming connections from a specific IP only.

If you have more free time to spend securing everything, you could have a VPN server running at that IP so when you connect from another place you would connect to that VPN and than access Grafana… or running the VPN server on the internet… (the digital ocean machine costs 5$/month but requires technical skills to configure)

Markus-VITAL · 5 November 2021 23:51

If you go for the VPN approach you may consider using Wireguard. This is an easy way which does not require a dedicated server for it.

chintan1 · 9 November 2021 05:08

Thanks Mcrio will explore this option in future.

chintan1 · 9 November 2021 05:09

Thanks Zwirny - I am not using wireguard for now. But will explore more in future

token · 8 August 2023 17:50

I used wireguard for a while, but setup and port forwarding are tricky. Now, I use Tailscale (recommended by WCat). It has a very straightforward configuration that only requires a simple download and authentication.

curl -fsSL https://tailscale.com/install.sh | sh

Terminada · 9 August 2023 22:04

I hadn’t heard of Tailscale before so I just looked at it briefly. The first thing I looked for was “Is tailscale open source?”. See this page. Here they make lots of comments about how they love open source, but then they say this:

A closed source coordination server.

I stopped reading after that. I don’t know what this coordination server is used for but it sounds like, well, “coordination”. So to me this means you are sending your meta data about which end points you are communicating with to their “coordination server”.

Consequently I thought it necessary to add this post so that anyone reading might think twice.

You don’t need to do that with wireguard which is what Tailscale is using under the hood. It might be better to invest the time to get wireguard working properly because it is a fantastic tool that works flawlessly and then you don’t need to send your private metadata to someone you don’t know.

Topic		Replies	Views
Grafana + prometheus setup Setup a Stake Pool setup	14	1628	1 February 2023
WebBrowser on relay server Operate a Stake Pool	9	441	4 August 2021
Security guide for stakepool operators Stake Pool Security	4	1062	1 June 2020
Prometheus/Grafana Operate a Stake Pool	34	1788	7 April 2021
Monitoring server specs? Operate a Stake Pool	10	399	11 October 2021

Is hosting grafana on http a security concern?

Related Topics