IntenseWebs/grafana
3
0
Fork 0
mirror of https://github.com/grafana/grafana.git synced 2024-11-22 00:47:38 -06:00
Code Issues Packages Projects Releases Wiki Activity

Docs: CSRF add configuration options and documentation for additional headers and origins (#50473)

Browse Source 
* added troubleshooting for "origin not allowed" messages

* include in configuration.ini

* moved doc to security

* removed enterprise congiruation

* Update conf/sample.ini

Co-authored-by: Emil Tullstedt <emil.tullstedt@grafana.com>

Co-authored-by: Emil Tullstedt <emil.tullstedt@grafana.com>
This commit is contained in:
Eric Leijonmarck 2022-06-09 09:13:08 +02:00 committed by GitHub
parent 9fc889f5f6
commit b5615a1a18
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
3 changed files with 31 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
conf/sample.ini
View File

@ -308,6 +308,12 @@
# Controls if old angular plugins are supported or not. This will be disabled by default in future release # Controls if old angular plugins are supported or not. This will be disabled by default in future release
;angular_support_enabled = true ;angular_support_enabled = true
# List of additional allowed URLs to pass by the CSRF check, separated by spaces. Suggested when authentication comes from an IdP.
;csrf_trusted_origins = example.com
# List of allowed headers to be set by the user, separated by spaces. Suggested to use for if authentication lives behind reverse proxies.
;csrf_additional_headers =
[security.encryption] [security.encryption]
# Defines the time-to-live (TTL) for decrypted data encryption keys stored in memory (cache). # Defines the time-to-live (TTL) for decrypted data encryption keys stored in memory (cache).
# Please note that small values may cause performance issues due to a high frequency decryption operations. # Please note that small values may cause performance issues due to a high frequency decryption operations.

8
docs/sources/setup-grafana/configure-grafana/_index.md
View File

@ -611,6 +611,14 @@ Current core features that will stop working:
Before we disable angular support by default we plan to migrate these remaining areas to React. Before we disable angular support by default we plan to migrate these remaining areas to React.
### csrf_trusted_origins
List of additional allowed URLs to pass by the CSRF check. Suggested when authentication comes from an IdP.
### csrf_additional_headers
List of allowed headers to be set by the user. Suggested to use for if authentication lives behind reverse proxies.
## [snapshots] ## [snapshots]
### external_enabled ### external_enabled

17
docs/sources/setup-grafana/configure-security/configure-authentication/saml.md
View File

@ -407,3 +407,20 @@ The keys you provide should look like:
... ...
-----END PRIVATE KEY----- -----END PRIVATE KEY-----
``` ```
### SAML login attempts fail with request response "origin not allowed"
When the user logs in using SAML and gets presented with "origin not allowed", the user might be issuing the login from an IdP (identity provider) service or the user is behind a reverse proxy. This potentially happens as Grafana's CSRF checks deem the requests to be invalid. For more information [CSRF](https://en.wikipedia.org/wiki/Cross-site_request_forgery).
To solve this issue, you can configure either the [`csrf_trusted_origins`]({{< relref "../../configure-grafana/enterprise-configuration/#csrf-trusted-origins" >}}) or [`csrf_origin_headers`]({{< relref "../../configure-grafana/enterprise-configuration/#csrf-origin-headers" >}}) option in the SAML configuration.
Example of a configuration file:
```bash
# config.ini
...
[auth.saml]
csrf_trusted_origins = https://grafana.example.com
csrf_origin_headers = X-Forwarded-Proto X-Forwarded-Host X-Forwarded-Port
...
```