Accessing Grafana with BrowZer

Introduction

This guide walks through setting up a BrowZer application to access Grafana.

To learn more about BrowZer, see Getting started with BrowZer.

Prerequisites

  • A Cloud Ziti Network is up and running.
  • A Grafana instance is up and running alongside an edge router. We use the Ubuntu 22.04 setup; follow the Appendix to install the Grafana instance and the autonomous edge router. In this example document, the edge router is named Grafana-er.
  • In this example, the Grafana server uses the default port 3000. Make sure the same port is used when configuring the Ziti service.

 

Deployment

Part 1: Setup Needed Items to Support a BrowZer Application

Architecture diagram:

In the Console, create a NetFoundry Hosted Edge Router with the WSS Listener enabled. BrowZer requires at least one Edge Router with the WSS Listener enabled; launching a NetFoundry Hosted Edge Router is recommended.

In the Console, create an Edge Router Policy to ensure this router is available to your Identities.

Create Service

In the Console, create the Service that you will use to access Grafana. We recommend using an advanced service.

  • For the docker-compose case, the forward address is the Docker container IP or container name. In this example, we use the Docker container name grafana. Use any FQDN as the intercept address.
  • The PORT is the default port on the Grafana server. In our example, use port 3000.
  • Identities: the edge router Grafana-er.
  • Leave Forward Protocol/Port at its default (checked).

 

Service Policy

In the Console, create a Service Policy (AppWan) to allow access to the specified clients that we’ll create later.

Part 2: Auth0 & JWT Signer

This tutorial follows the Auth0 settings; other IdPs have their own settings. If you don't already have an account, you can sign up for a free account at https://auth0.com/signup

Adding a new Application in Auth0

Once you have an account set up, you can add a new "Application":

Then click on "Create Application":

Then create a "Single Page Web Application":

Adding the callback & logout URL to your BrowZer App(s) you created

All BrowZer Apps have the following template:

https://<APP_NAME>.<NET_NAME>.browzer.cloudziti.io

where:

  • APP_NAME is the name we’ll assign to the BrowZer app we’ll create.
  • NET_NAME is the name we’ll assign the first time you click on “BrowZer Apps”.

In Auth0, under Application/Settings you'll find "Allowed Callback URLs" and "Allowed Logout URLs".

You can add one callback URL for all apps created under the same NET_NAME. In this case, NET_NAME=solarapp. The URL needs to be in this format: https://*.<NET_NAME>.browzer.cloudziti.io

For example:

https://*.solarapp.browzer.cloudziti.io

Put the same URL under "Allowed Logout URLs" as well.

Create an API

Now you can add a new "API":

Click on Create API.

Fill out the form, using the URL below as the Identifier:

https://<APP_NAME>.<NET_NAME>.browzer.cloudziti.io

Create a custom trigger

Under Actions, select "Triggers":

Click on "post-login":

Click on the + symbol and select "Build from Scratch":

Name the new Action "Add Email to Access Token":

Remove the prefilled content and paste the following:

/**
 * Handler called during a PostLogin flow.
 *
 * @param {Event} event - Details about the user and the
 * context in which they are logging in.
 * @param {PostLoginAPI} api - Interface whose methods can be
 * used to change the behavior of the login.
 */
exports.onExecutePostLogin = async (event, api) => {
  if (event.authorization) {
    api.accessToken.setCustomClaim(`email`, event.user.email);
  }
};

Then click on "Deploy":

Return to "post-login" and click on "Custom":

Click and drag your Add Email to Access Token Action onto the Trigger, drop it into place, then click Apply in the top right.

Gathering Information from Auth0

To set up the new JWT Signer we'll need some information from the Auth0 Application that was just created.

From the Application's Basic Information, write down the “Domain” and “Client ID”.

Scroll down to Advanced Settings and click on Endpoints.

You’ll also need to write down the OAuth Token URL (used during the BrowZer App creation) and the JSON Web Key Set URL.

Adding a JWT Signer & Authentication Policy

Create the JWT Signer

In the Console, create a new JWT Signer.

Using the values from Auth0 fill out the information in the new JWT Signer dialog.

For the Issuer, use the “Domain” value in the form:

https://<Domain>/

(Please make sure to add the trailing slash.)

For the Audience, use the Identifier you used when creating the API above.

For the JWKS Endpoint, use the "JSON Web Key Set URL" value.

For the External Auth URL, use the "OAUTH Token URL" value.

Finally, set the JWT Claim to "email" and the Identities to "External Id".
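The JWT Signer accepts a token only when its claims match this configuration exactly. The following is an added example (not NetFoundry's or Auth0's code) that mints a constructed token and runs the same issuer, audience, expiry and email-claim checks over it, showing why the trailing slash on the Issuer matters and what happens when the Action did not add the claim. The tenant domain example.us.auth0.com, the audience and the signing key are constructed placeholders, and HS256 with a shared secret stands in offline for the RS256 verification the JWKS Endpoint provides in practice.

```python
import base64, hashlib, hmac, json, time

# Constructed placeholders standing in for the values gathered in Part 2.
DOMAIN = "example.us.auth0.com"                               # Auth0 "Domain" (placeholder)
ISSUER = f"https://{DOMAIN}/"                                # trailing slash, as Auth0 issues it
AUDIENCE = "https://grafana.solarapp.browzer.cloudziti.io"  # the API Identifier
KEY = b"constructed-shared-secret"                           # offline stand-in for the JWKS key

def b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign_hs256(claims: dict, key: bytes = KEY) -> str:
    """Mint a compact JWS (HS256) over the given claims; the IdP's job."""
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url(sig)}"

def verify_for_browzer(token: str, key: bytes, issuer: str, audience: str,
                       claim: str = "email") -> dict:
    """Apply the JWT Signer checks in order: signature, exact issuer, audience,
    expiry, then the identity claim. Raises ValueError naming the failed check."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("signature")
    claims = json.loads(b64url_decode(payload_b64))
    if claims.get("iss") != issuer:  # exact string compare: the trailing slash counts
        raise ValueError(f"issuer mismatch: {claims.get('iss')!r} != {issuer!r}")
    aud = claims.get("aud")          # Auth0 may send aud as a list (API id + userinfo)
    if audience not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("audience")
    if claims.get("exp", 0) <= time.time():
        raise ValueError("expired")
    if not claims.get(claim):        # the Action did not run, or is not deployed
        raise ValueError(f"missing {claim} claim")
    return claims

def check(token: str, issuer: str = ISSUER, audience: str = AUDIENCE) -> str:
    """Return 'ok' or the name of the first failing check."""
    try:
        verify_for_browzer(token, KEY, issuer, audience)
        return "ok"
    except ValueError as err:
        return str(err).split(":")[0]
```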

Create the Authentication Policy

In the Console, create a new Authentication Policy.

In this example, we disable the certificate options and only use the JWT Signer as the Authenticator.

Create or Assign Identities (Endpoints) to the Authentication Policy

In the Console, create or update the Identities (Endpoints) that will have access to BrowZer. Ensure you have added to the Identities (Endpoints) the attributes you defined in your Service Policy (AppWan), so they have access to the service.

Finally, make sure each Identity uses the Authentication Policy you created for BrowZer.

Part 3: The BrowZer Application

Make sure to complete the BrowZer Getting Started by clicking on BrowZer Apps in the navigation menu.

Create a BrowZer Application

In the MOP Console, create a new BrowZer Application.

For the App Entry, select the service you created in Part 1.

For the Public URL, you’ll set a name for your app (APP_NAME); this name creates the whole URL you’ll use to access your service securely. In this case, APP_NAME=private-app. For example, the URL used in this tutorial is:

https://grafana.solarapp.browzer.cloudziti.io

Set the OIDC Base URL to the “Domain” value from Auth0 in Part 2, in the format:

https://<domain>

(This time without a trailing slash.)

Set the ClientID to the "Client ID" value you got from Auth0 in Part 2.

Access your Application

The URL is the one you created in the previous step. For this tutorial, the URL is:

https://grafana.solarapp.browzer.cloudziti.io

After authenticating with the Google email that is set up in the endpoint authentication policy, you will be connected to the Grafana landing page. If this is your first time connecting to the page, you will be presented with the following screen: continue with Google and choose the Gmail ID.

Accessing the BrowZer-based Grafana using TLS:

Follow the Appendix to install the HTTPS-based configuration for Grafana. Then enable the following options in the BrowZer app to access the TLS-based Grafana URL.

APPENDIX

Create Your Own Grafana Instance

  • First, update the instance and install docker-compose:

sudo apt update && sudo apt upgrade
sudo apt install docker-compose

  • Clone the Docker repo for Grafana:

git clone https://github.com/ninadingole/docker-images

  • Go to the Grafana Docker directory (cd ./docker-images/prometheus-grafana/) for the Grafana instance. We’ll call this directory WORK_DIR.
  • You can find the Grafana login details in the file ./grafana/config.monitoring.
  • Create a directory: ziti_router
  • Modify the docker-compose file (docker-compose.yaml) under your WORK_DIR to include the NetFoundry edge router image.

docker-compose.yaml

...

  autonomous-er:
    container_name: netfoundry-er
    image: netfoundry/autonomous-router:latest
    pull_policy: always
    restart: unless-stopped
    environment:
      - VERBOSE=1
      - REG_KEY=<registration_key from console>
    volumes:
      - ./ziti_router:/etc/netfoundry

The netfoundry-er container takes the environment variable REG_KEY, the registration key for the edge router. Create a customer-hosted edge router in the CloudZiti console and enter its registration key (REG_KEY) in the docker-compose.yaml file.

Please follow this guide for detailed information on how to deploy an edge router.

After you have created the file, start your Grafana instance with the command:

docker-compose up -d

Install a TLS/SSL certificate to access Grafana over HTTPS/443 (Optional):

Create a cert and key file in the path /docker-images/prometheus-grafana/grafana:

mkdir cert
cd cert
sudo openssl genrsa -out grafana.key 2048
sudo openssl req -new -key grafana.key -out grafana.csr   # press enter to accept the default values
sudo openssl x509 -req -days 365 -in grafana.csr -signkey grafana.key -out grafana.crt
sudo chown grafana:grafana grafana.crt
sudo chown grafana:grafana grafana.key
sudo chmod 400 grafana.key grafana.crt
cd ..
sudo docker cp grafana:/etc/grafana/grafana.ini .

Note that the grafana container runs as user 472 (see the docker-compose file below), so the certificate and key must be readable by that UID inside the container.

Modify the existing grafana.ini with the following changes in the [server] section:

[server]
# Protocol (http, https, h2, socket)
protocol = https

# https certs & key file
cert_file = /etc/grafana/cert/grafana.crt
cert_key = /etc/grafana/cert/grafana.key

Modify the existing docker-compose.yaml with the following changes in the grafana service's volumes:

  grafana:
    container_name: grafana
    image: grafana/grafana
    user: '472'
    restart: always
    environment:
      GF_INSTALL_PLUGINS: 'grafana-clock-panel,grafana-simple-json-datasource'
    volumes:
      - grafana_data:/var/lib/grafana
      - ./grafana/provisioning/:/etc/grafana/provisioning/
      - ./grafana/:/etc/grafana/

Restart the docker-compose stack:

docker-compose down
docker-compose up -d
