Cloudron v6.2.4 - Nginx Access-Control-Allow-Origin Policy blocks Grafana to access Prometheus

BrutalBirdie

Tested on Cloudron v6.2.4:

Install Grafana, install Prometheus.
Add Prometheus in Grafana as Datasource.
Get:

Unknown error during query transaction. Please check JS console logs.

> Access to fetch at 'https://prometheus.domain.tld./login?redirect=/api/v1/query?query=1%2B1&time=1615638775.765' (redirected from 'https://grafana.domain.tld/api/datasources/proxy/5/api/v1/query?query=1%2B1&time=1615638775.765') from origin 'https://grafana.domain.tld' has been blocked by CORS policy: Response to preflight request doesn't pass access control check: No 'Access-Control-Allow-Origin' header is present on the requested resource. If an opaque response serves your needs, set the request's mode to 'no-cors' to fetch the resource with CORS disabled.
> tti-polyfill.js:4 GET https://prometheus.domain.tld/login?redirect=/api/v1/query?query=1%2B1&time=1615638775.765 net::ERR_FAILED

Testing this on Cloudron v.6.1.2 with no problems.

BrutalBirdie

I tried looking into the diff of Box v6.1.2 and v6.2.4

https://git.cloudron.io/cloudron/box/-/compare/v6.1.2...v6.2.4

Found this line

https://git.cloudron.io/cloudron/box/-/compare/v6.1.2...v6.2.4#65b4484c1d799a34df752a8f7b9be90aca54aef6_98_98

- add_header Referrer-Policy "same-origin";
+ proxy_hide_header Referrer-Policy;

https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Referrer-Policy

Then I tried to edit /etc/nginx/applications/default.conf and the both apps from Grafana and Prometheus to add cors:

https://enable-cors.org/server_nginx.html

Nothing worked, I am clueless.

girish

@brutalbirdie CORS headers are set by the app, it shouldn't be platform related. So, if Grafana cannot access prometheus, it's because prometheus needs some CORS setting.

girish

It seems one can set --web.cors.origin as per https://manpages.debian.org/unstable/prometheus/prometheus.1.en.html . I guess we have to fix the Cloudron package to have CLI args.

BrutalBirdie

@girish
My problem with that is, both Grafana and Prometheus did not get updated for 2 weeks on the v6.2.4 instance.
Grafana 7.4.3 and Prometheus Server 2.25.0
They did not change but the version of Cloudron got upgraded from v6.1.2 => v6.2.4 that's the only thing that changed.

girish

@brutalbirdie Nothing has changed in the reverse proxy configs other than referrer-policy. So, I am surprised that it worked before. I can only think of some app update causing a problem.

BrutalBirdie

@girish Yes I'm also very confused about this issue.
And also that no one else reported this so far.

Did you test said issue and could replicate it @girish?

girish

@brutalbirdie I haven't tried this yet. Do you know if this setup requires basic auth to work in the apps?

BrutalBirdie

@girish Good question.
Since prometheus does use proxyAuth and grafana tries to auth via basic auth.
Could this be a problem? I think I've read something on the forum about a problem with proxyAuth?

girish

@brutalbirdie yes, that is most likely the issue. Let me try to push a fix.

girish

@brutalbirdie I have enabled it in package v1.4.1 . Can you please try?

BrutalBirdie

@girish On it.

---

Neat! This fixed it. Big thanks for the uddate.