Grafana website unsecure with default docker-compose.yml

[sp33dm3]

Hi guys,

I am new to TeslaMate and Grafana, but I was able to set it up quite quickly.
I do however have 1 small issue.

My Teslamate website is secure, but my Grafana website isn't secure.
It gives me the default Treafik default certificate.

How can I make Grafana also secure ?

My docker-compose.yml (which is simply the one taken from the documentation website with Treafik set up).

version: "3"
services:
teslamate:
image: teslamate/teslamate:latest
restart: always
depends_on:
- database
environment:
- DATABASE_USER=${TM_DB_USER}
- DATABASE_PASS=${TM_DB_PASS}
- DATABASE_NAME=${TM_DB_NAME}
- DATABASE_HOST=database
- MQTT_HOST=mosquitto
- VIRTUAL_HOST=${FQDN_TM}
- CHECK_ORIGIN=true
- TZ=${TM_TZ}
volumes:
- ./import:/opt/app/import
labels:
- "traefik.enable=true"
- "traefik.port=4000"
- "traefik.http.middlewares.redirect.redirectscheme.scheme=https"
- "traefik.http.middlewares.teslamate-auth.basicauth.realm=teslamate"
- "traefik.http.middlewares.teslamate-auth.basicauth.usersfile=/auth/.htpasswd"
- "traefik.http.routers.teslamate-insecure.rule=Host(${FQDN_TM})"
- "traefik.http.routers.teslamate-insecure.middlewares=redirect"
- "traefik.http.routers.teslamate-ws.rule=Host(${FQDN_TM}) && Path(/live/websocket)"
- "traefik.http.routers.teslamate-ws.entrypoints=websecure"
- "traefik.http.routers.teslamate-ws.tls"
- "traefik.http.routers.teslamate.rule=Host(${FQDN_TM})"
- "traefik.http.routers.teslamate.middlewares=teslamate-auth"
- "traefik.http.routers.teslamate.entrypoints=websecure"
- "traefik.http.routers.teslamate.tls.certresolver=tmhttpchallenge"
cap_drop:
- all
database:
image: postgres:13
restart: always
environment:
- POSTGRES_USER=${TM_DB_USER}
- POSTGRES_PASSWORD=${TM_DB_PASS}
- POSTGRES_DB=${TM_DB_NAME}
volumes:
- teslamate-db:/var/lib/postgresql/data
grafana:
image: teslamate/grafana:latest
restart: always
environment:
- DATABASE_USER=${TM_DB_USER}
- DATABASE_PASS=${TM_DB_PASS}
- DATABASE_NAME=${TM_DB_NAME}
- DATABASE_HOST=database
- GRAFANA_PASSWD=${GRAFANA_PW}
- GF_SECURITY_ADMIN_USER=${GRAFANA_USER}
- "traefik.http.routers.teslamate-ws.tls"
- "traefik.http.routers.teslamate.rule=Host(${FQDN_TM})"
- "traefik.http.routers.teslamate.middlewares=teslamate-auth"
- "traefik.http.routers.teslamate.entrypoints=websecure"
- "traefik.http.routers.teslamate.tls.certresolver=tmhttpchallenge"
cap_drop:
- all
database:
image: postgres:13
restart: always
environment:
- POSTGRES_USER=${TM_DB_USER}
- POSTGRES_PASSWORD=${TM_DB_PASS}
- POSTGRES_DB=${TM_DB_NAME}
volumes:
- teslamate-db:/var/lib/postgresql/data
grafana:
image: teslamate/grafana:latest
restart: always
environment:
- DATABASE_USER=${TM_DB_USER}
- DATABASE_PASS=${TM_DB_PASS}
- DATABASE_NAME=${TM_DB_NAME}
- DATABASE_HOST=database
- GRAFANA_PASSWD=${GRAFANA_PW}
- GF_SECURITY_ADMIN_USER=${GRAFANA_USER}
- GF_SECURITY_ADMIN_PASSWORD=${GRAFANA_PW}
- GF_AUTH_ANONYMOUS_ENABLED=false
- GF_SERVER_DOMAIN=${FQDN_TM}
- GF_SERVER_ROOT_URL=%(protocol)s://%(domain)s/grafana
- GF_SERVER_SERVE_FROM_SUB_PATH=true
volumes:
- teslamate-grafana-data:/var/lib/grafana
labels:
- "traefik.enable=true"
- "traefik.port=3000"
- "traefik.http.middlewares.redirect.redirectscheme.scheme=https"
- "traefik.http.routers.grafana-insecure.rule=Host(${FQDN_TM})"
- "traefik.http.routers.grafana-insecure.middlewares=redirect"
- "traefik.http.routers.grafana.rule=Path(/grafana) || PathPrefix(/grafana/)"
- "traefik.http.routers.grafana.entrypoints=websecure"
- "traefik.http.routers.grafana.tls.certresolver=tmhttpchallenge"
mosquitto:
image: eclipse-mosquitto:1.6
restart: always
ports:
- 127.0.0.1:1883:1883
volumes:
- mosquitto-conf:/mosquitto/config
- mosquitto-data:/mosquitto/data
proxy:
image: traefik:v2.3
restart: always
command:
- "--global.sendAnonymousUsage=false"
- "--providers.docker"
- "--providers.docker.exposedByDefault=false"
- "--entrypoints.web.address=:80"
- "--entrypoints.websecure.address=:443"
- "--certificatesresolvers.tmhttpchallenge.acme.httpchallenge=true"
- "--certificatesresolvers.tmhttpchallenge.acme.httpchallenge.entrypoint=web"
- "--certificatesresolvers.tmhttpchallenge.acme.email=${LETSENCRYPT_EMAIL}"
- "--certificatesresolvers.tmhttpchallenge.acme.storage=/etc/acme/acme.json"
ports:
- 80:80
- 443:443
volumes:
- ./.htpasswd:/auth/.htpasswd
- ./acme/:/etc/acme/
- /var/run/docker.sock:/var/run/docker.sock:ro
volumes:
teslamate-db:
teslamate-grafana-data:
mosquitto-conf:
mosquitto-data:

Please be patient with me, as I am not Linux experienced (but very willing to learn everything)

[tobiasehlert]

Hi @sp33dm3

Looks to me, that you have multiple grafana services running in your configuration actually.
I think that lines 45-70 should be removed, since they are not correct and half redundant..

What about trying to do a fresh docker-compose.yml file instead based on https://docs.teslamate.org/docs/guides/traefik#docker-composeyml instructions.. I think that it will basically work right away for you, since your parameters are stored in your .env file.

Regards,
Tobias

[sp33dm3]

Hi @tobiasehlert ,

Thank you for replying.

Thanks to you I have found the problem, by digging a little deeper.
Problem was not related to my docker-compose.yml file, because the one on my server had only 1 entry for Grafana.
(probably I made a little mistake creating this post and copy/pasting the content of docker-compose.yml).

The solution was in my teslamate web interface, under settings the URL for the Grafana dashboards was wrong.
I entered https://my domain name/grafana
Where it should say https://teslamate.my domain name/grafana

Once I changed that, it directly worked like a charm.

Thanks again.

[tobiasehlert]

Alright @sp33dm3 nice to hear that you got it to work. And yes, something seems to have went wrong when creating the configuration, but good it was solved :-D