grafana/sample/apache_ldap.conf

# Courtesy of https://github.com/sgzijl
# config.js includes elasticsearch:    "https://"+window.location.hostname+":443",

<VirtualHost 1.2.3.4:80>
  ServerName your.domain.tld
  RewriteEngine On
  RewriteCond %{HTTPS} off
  RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} 
</VirtualHost>
 
<VirtualHost 1.2.3.4:443>
  ServerName your.domain.tld
 
  SSLEngine on
  SSLCertificateFile      /path/to/public.crt
  SSLCertificateKeyFile   /path/to/private.key
 
  DocumentRoot /path/to/kibana3
  <Directory /path/to/kibana3>
    Allow from all
    Options -Multiviews
  </Directory>
 
  LogLevel debug
  ErrorLog /path/to/logs/error_log
  CustomLog /path/to/logs/access_log combined
 
  # Set global proxy timeouts
  <Proxy http://127.0.0.1:9200>
    ProxySet connectiontimeout=5 timeout=90
  </Proxy>
 
  # Proxy for _aliases and .*/_search
  <LocationMatch "^/(_nodes|_aliases|_search|.*/_search|_mapping|.*/_mapping)$">
    ProxyPassMatch http://127.0.0.1:9200/$1
    ProxyPassReverse http://127.0.0.1:9200/$1
  </LocationMatch>

  # Proxy for kibana-int/{dashboard,temp} stuff (if you don't want auth on /, then you will want these to be protected)
  <LocationMatch "^/(kibana-int/dashboard/|kibana-int/temp)(.*)$">
    ProxyPassMatch http://127.0.0.1:9200/$1$2
    ProxyPassReverse http://127.0.0.1:9200/$1$2
  </LocationMatch>
 
  # Optional disable auth for a src IP (eg: your monitoring host or subnet)
  <Location />
    Allow from 5.6.7.8
    Deny from all
    Satisfy any
 
    AuthLDAPBindDN "CN=_ldapbinduser,OU=Users,DC=example,DC=com"
    AuthLDAPBindPassword "ldapbindpass"
    AuthLDAPURL "ldaps://ldap01.example.com ldap02.example.com/OU=Users,DC=example,DC=com?sAMAccountName?sub?(objectClass=*)"
    AuthType Basic
    AuthBasicProvider ldap
    AuthName "Please authenticate for Example dot com"
    AuthLDAPGroupAttributeIsDN on
    require valid-user
  </Location>
 
</VirtualHost>