ServerName {{ inventory_hostname }} ServerAdmin webmaster@openstack.org ErrorLog ${APACHE_LOG_DIR}/grafana-error.log LogLevel warn CustomLog ${APACHE_LOG_DIR}/grafana-access.log combined Redirect / https://grafana.opendev.org/ ServerName {{ inventory_hostname }} ServerAdmin webmaster@openstack.org AllowEncodedSlashes On ErrorLog ${APACHE_LOG_DIR}/grafana-ssl-error.log LogLevel warn CustomLog ${APACHE_LOG_DIR}/grafana-ssl-access.log combined SSLEngine on SSLProtocol All -SSLv2 -SSLv3 # Note: this list should ensure ciphers that provide forward secrecy SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:!AES256:!aNULL:!eNULL:!MD5:!DSS:!PSK:!SRP SSLHonorCipherOrder on SSLCertificateFile /etc/letsencrypt-certs/{{ inventory_hostname }}/{{ inventory_hostname }}.cer SSLCertificateKeyFile /etc/letsencrypt-certs/{{ inventory_hostname }}/{{ inventory_hostname }}.key SSLCertificateChainFile /etc/letsencrypt-certs/{{ inventory_hostname }}/ca.cer # NOTE(ianw) 2021-02-19 # This was for a security issue fixed in 7.4.2 # where anonymous users could cause a write to disk, fixed # with # https://github.com/grafana/grafana/pull/31263/ # We leave it because we don't use the API, but if we need # it, we can remove this. RewriteEngine on RewriteRule "^/api/snapshots(.*?)$" "-" [F] ProxyPass / http://localhost:3000/ retry=0 ProxyPassReverse / http://localhost:3000/