table of content
Table Of Content

    Setup Grafana on Ubuntu VPS with Subdomain

    Share

    Grafana is renowned as a powerful tool for effortlessly monitoring services, including Apache2. By integrating Grafana with data sources like Prometheus, InfluxDB, or Graphite, you can visualize Apache2 metrics such as requests per second, response time, server status, and more.

    I. Installing Grafana Service on Ubuntu

    To begin installing Grafana Service on Ubuntu, first update the list of available software packages from the configured repositories on the system using either `apt-get update -y` or `sudo apt-get update -y`.

    $ apt-get update -y
    Hit:1 http://ap-southeast-1.ec2.archive.ubuntu.com/ubuntu focal InRelease
    Get:2 http://ap-southeast-1.ec2.archive.ubuntu.com/ubuntu focal-updates InRelease [114 kB]
    Hit:3 http://ap-southeast-1.ec2.archive.ubuntu.com/ubuntu focal-backports InRelease      
    Hit:4 http://autoinstall.plesk.com/pool/PSA_18.0.59_14022 focal InRelease                
    Hit:5 http://autoinstall.plesk.com/PHP74_17 focal InRelease                              
    Hit:6 http://autoinstall.plesk.com/PHP80_17 focal InRelease                              
    Hit:7 http://autoinstall.plesk.com/PHP82_17 focal InRelease                              
    Hit:8 http://autoinstall.plesk.com/pool/WPB_18.0.55_74 all InRelease                     
    Hit:9 https://autoinstall.plesk.com/grafana/deb stable InRelease                         
    Hit:10 https://autoinstall.plesk.com/DRWEB_6.0.2.9 focal InRelease                       
    Hit:11 http://security.ubuntu.com/ubuntu focal-security InRelease
    Fetched 114 kB in 1s (102 kB/s)
    Reading package lists... Done
    

    Next, install several essential packages necessary for performing various tasks on Ubuntu and other Debian-based Linux distributions.

    apt-get install wget curl gnupg2 apt-transport-https software-properties-common -y
    
    Note: Assuming our location is /var/www/vhosts/<domain>/grafana/, we will use `chmod -R 777` to set permissions for the new folder named grafana, and then download the repository inside it.

    Conduct download Grafana's GPG (GNU Privacy Guard) key from the specified URL and then add it to the list of trusted keys used by the Advanced Package Tool (APT) on Debian-based systems.

    wget -q -O - https://packages.grafana.com/gpg.key | apt-key add -
    

    Next, add the Grafana repository to APT with the following command:

    echo "deb https://packages.grafana.com/oss/deb stable main" | tee -a /etc/apt/sources.list.d/grafana.list
    

    Once the repository has been added to your system, you can update it using the following command:

    apt-get update -y
    

    Now, you can install Grafana by executing the following command:

    /grafana$ sudo apt-get install grafana -y
    Reading package lists... Done
    Building dependency tree       
    Reading state information... Done
    grafana is already the newest version (10.1.5).
    0 upgraded, 0 newly installed, 0 to remove and 4 not upgraded.
    

    After installing the Grafana package, verify the Grafana version using the following command:

    /grafana$ grafana-server -v
    Version 10.1.5 (commit: 849c612fcb, branch: HEAD)
    

    As you can see, setting up Grafana affects `/lib/systemd/system` rather than `/etc/systemd/system`. You will find the grafana-server.service file in `/lib/systemd/system`. Now, start the Grafana service and set it to start automatically when the system reboots:

    systemctl start grafana-server
    systemctl enable grafana-server
    

    You can now verify the status of Grafana by using the following command:

    /$ systemctl status grafana-server
    ● grafana-server.service - Grafana instance
         Loaded: loaded (/lib/systemd/system/grafana-server.service; enabled; vendor preset: >
         Active: active (running) since Fri 2024-04-05 06:57:59 UTC; 1 weeks 5 days ago
           Docs: http://docs.grafana.org
       Main PID: 2027718 (grafana)
          Tasks: 22 (limit: 4686)
         Memory: 107.6M
         CGroup: /system.slice/grafana-server.service
                 ├─2027718 /usr/share/grafana/bin/grafana server --config=/etc/grafana/grafan>
                 └─2027725 /var/lib/grafana/plugins/plesk-json-backend-datasource/dist/gpx_pl>
    
    
    Apr 16 06:26:38 flagtickhostwebsite systemd[1]: /lib/systemd/system/grafana-server.servic>
    Apr 16 06:31:44 flagtickhostwebsite systemd[1]: /lib/systemd/system/grafana-server.servic>
    Apr 16 06:31:44 flagtickhostwebsite systemd[1]: /lib/systemd/system/grafana-server.servic>
    Apr 16 06:31:45 flagtickhostwebsite systemd[1]: /lib/systemd/system/grafana-server.servic>
    Apr 16 06:31:45 flagtickhostwebsite systemd[1]: /lib/systemd/system/grafana-server.servic>
    Apr 16 06:31:45 flagtickhostwebsite systemd[1]: /lib/systemd/system/grafana-server.servic>
    Apr 16 06:31:46 flagtickhostwebsite systemd[1]: /lib/systemd/system/grafana-server.servic>
    Apr 17 11:41:05 flagtickhostwebsite systemd[1]: /lib/systemd/system/grafana-server.servic>
    Apr 17 11:41:05 flagtickhostwebsite systemd[1]: /lib/systemd/system/grafana-server.servic>
    Apr 17 11:41:05 flagtickhostwebsite systemd[1]: /lib/systemd/system/grafana-server.servic>
    lines 1-21/21 (END)
    

    II. Launch Grafana With Specific Port

    In practice, the port used by Grafana may conflict with other services like Redmine or Elasticsearch. Let us use this command to search through plain-text data sets for lines containing the string http_port.

    /$ grep -i http_port /etc/grafana/grafana.ini
    http_port = 3030
    
    # The full public facing url you use in browser, used for redirects and emails
    # If you use reverse proxy and sub path specify full url (with sub path)
    root_url = https://grafana.flagtickgroup.com/
    
    # Serve Grafana from subpath specified in `root_url` setting. By default it is set to `false` for compatibility reasons.
    serve_from_sub_path = true
    
    # https certs & key file
    cert_file = /opt/psa/var/certificates/scfu6Xa3R
    cert_key = /opt/psa/var/certificates/scfNJGnJT
    
    Note: We will cover generating the `cert_file` and `cert_key` parameters using free SSL self-certification from the Plesk panel for subdomain in next section.

    Let verify whether the Uncomplicated Firewall (UFW) package is installed on the system. If UFW is installed, the command will display information about the package, indicating its presence. Conversely, if UFW is not installed, the command will produce no output.

    dpkg -l | grep ufw
    

    Then, check whether the firewall service is enabled on a Linux system.

    ufw status
    

    In some cases, if you haven't installed firewall for Linux yet, you can use these commands to install and enable it.

    apt -y install ufw
    ufw enable
    

    If the firewall blocks port 3030, it impacts execution of curl command to connect to resources on that port. Thus, it is necessary to check ufw. Thus, we should open the port on the firewall.

    sudo ufw allow 3030/tcp
    

    Now, Grafana is up and running, and it is listening on port 3030. You can recognize this by using the following command:

    $ ss -antpl | grep 3030
    LISTEN 0      4096                                 127.0.0.1:3030       0.0.0.0:* 
    

    In the other hand, you can use curl to check with 127.0.0.1:3030.

    $ curl --verbose 127.0.0.1:3030
    *   Trying 127.0.0.1:3030...
    * TCP_NODELAY set
    * Connected to 127.0.0.1 (127.0.0.1) port 3030 (#0)
    > GET / HTTP/1.1
    > Host: 127.0.0.1:3030
    > User-Agent: curl/7.68.0
    > Accept: */*
    > 
    * Mark bundle as not supporting multiuse
    < HTTP/1.1 302 Found
    < Cache-Control: no-store
    < Content-Type: text/html; charset=utf-8
    < Location: /modules/grafana/service/login
    < Set-Cookie: redirect_to=%2Fmodules%2Fgrafana%2Fservice%2F; Path=/modules/grafana/service; HttpOnly; SameSite=Lax
    < X-Content-Type-Options: nosniff
    < X-Xss-Protection: 1; mode=block
    < Date: Wed, 17 Apr 2024 14:24:51 GMT
    

    It indicates that the requested resource at 127.0.0.1:3030 has been temporarily moved to `/modules/grafana/service/login`, and the client should follow the redirection specified in the Location header.

    $ curl --verbose https://grafana.flagtickgroup.com/modules/grafana/service/login
    
    Note: If you are not using service like curl to access it, you can disable port 3030 and avoid making it public. Instead, you can run it as proxy with subdomain for end users to access.

    III. Setting Up Subdomain On Web Hosting

    Here, we will be using the Plesk control panel as our hosting management tool to create subdomain under the main domain flagtickgroup.com. If you are using different control panel like cPanel, you can follow similar steps.

    In some situations, Content Delivery Network (CDN) serves as an intermediary between the original server and the client, managing tasks such as caching and advanced configurations. For this purpose, we will be using Cloudflare as our CDN provider. Therefore, you may need to set up an IP address for this subdomain.

    Use the nslookup command to query DNS servers and retrieve information about domain names, including IP addresses, specifically for the created subdomain.

    $ nslookup grafana.flagtickgroup.com
    Server:127.0.0.53
    Address:127.0.0.53#53
    
    Non-authoritative answer:
    Name:grafana.flagtickgroup.com
    Address: xxx.xxx.xxx.xxx
    Name:grafana.flagtickgroup.com
    Address: xxx.xxx.xxx.xxx
    Name:grafana.flagtickgroup.com
    Address: xxxx:xxxx:xxxx::xxxx:xxxx
    Name:grafana.flagtickgroup.com
    Address: xxxx:xxxx:xxxx::xxxx:xxxx
    

    Grafana not serving any content when accessed through subdomain without files in the directory, you can set up reverse proxy configuration in your web server (e.g., Apache or Nginx).

    sudo a2enmod proxy
    sudo a2enmod proxy_http
    sudo a2enmod proxy_balancer
    sudo a2enmod lbmethod_byrequests
    

    Update the virtual host configuration file for your subdomain to include the reverse proxy directives. For example, if using Apache, edit the virtual host configuration file:

    /etc/apache2/sites-available$ ls -a
    .                 000-default.conf.save           nano.save
    ..                default-ssl.conf                000-default.conf  grafana.flagtickgroup.com.conf
    

    Let us proceed to modify the file grafana.flagtickgroup.com.conf as follows:

    <VirtualHost *:80>
        ServerName grafana.flagtickgroup.com
    
        ProxyPass / http://localhost:3030/
        ProxyPassReverse / http://localhost:3030/
    
        ErrorLog ${APACHE_LOG_DIR}/redmine_error.log
        CustomLog ${APACHE_LOG_DIR}/redmine_access.log combined
    </VirtualHost>
    
    Note: Since Grafana doesn't serve any content from a specific directory like traditional web servers, there is no need to include DocumentRoot or Directory directives in its configuration file. Instead, the proxy directives are used to forward requests to the Grafana server.

    Activate the virtual host configuration and then restart Apache to ensure the changes take effect.

    sudo systemctl reload apache2
    sudo a2ensite subdomain.conf
    sudo systemctl restart apache2
    

    When setting up Grafana to run on port 3030 within the subdomain grafana.flagtickgroup.com, you may need to refer to the file located at /etc/apache2/plesk.conf.d/vhosts/grafana.flagtickgroup.com.conf. This file is often used to configure Apache's virtual host settings, including proxy rules and directives for forwarding requests from port 80 (HTTP) or port 443 (HTTPS) to Grafana running on port 3030.

    <IfModule mod_ssl.c>
    
           <VirtualHost 172.26.1.162:7081 >
           ServerName "grafana.flagtickgroup.com"
           ServerAlias "www.grafana.flagtickgroup.com"
           ServerAlias "ipv4.grafana.flagtickgroup.com"
           UseCanonicalName Off
           ProxyPreserveHost On
           ProxyPass / http://localhost:3030/
           ProxyPassReverse / http://localhost:3030/
    
           CustomLog /var/www/vhosts/system/grafana.flagtickgroup.com/logs/access_ss>
           ErrorLog "/var/www/vhosts/system/grafana.flagtickgroup.com/logs/error_log"
    
           DocumentRoot "/var/www/vhosts/flagtickgroup.com/grafana"
    

    Check if grafana.flagtickgroup.com exists, list all files and directories, including hidden ones, in the directory `/var/www/vhosts/system/`.

    ls -a /var/www/vhosts/system/
    

    After restarting Apache with sudo systemctl restart apache2, the configuration changes will be saved in `/var/www/vhosts/system/grafana.flagtickgroup.com/conf/httpd.conf`.

    $ sudo cat /var/www/vhosts/system/grafana.flagtickgroup.com/conf/httpd.conf
    #ATTENTION!
    #
    #DO NOT MODIFY THIS FILE BECAUSE IT WAS GENERATED AUTOMATICALLY,
    #SO ALL YOUR CHANGES WILL BE LOST THE NEXT TIME THE FILE IS GENERATED.
    #IF YOU REQUIRE TO APPLY CUSTOM MODIFICATIONS, PERFORM THEM IN THE FOLLOWING FILES:
    #/var/www/vhosts/system/grafana.flagtickgroup.com/conf/vhost.conf
    #/var/www/vhosts/system/grafana.flagtickgroup.com/conf/vhost_ssl.conf
    <IfModule mod_ssl.c>
    
         <VirtualHost 172.26.1.162:7081 >
         ServerName "grafana.flagtickgroup.com"
         ServerAlias "www.grafana.flagtickgroup.com"
         ServerAlias "ipv4.grafana.flagtickgroup.com"
         UseCanonicalName Off
         ProxyPreserveHost On
         ProxyPass / http://localhost:3030/
         ProxyPassReverse / http://localhost:3030/
    
         CustomLog /var/www/vhosts/system/grafana.flagtickgroup.com/logs/access_ssl_log plesklog
    
         ErrorLog "/var/www/vhosts/system/grafana.flagtickgroup.com/logs/error_log"
    
         DocumentRoot "/var/www/vhosts/flagtickgroup.com/grafana"
    

    Open your web browser and navigate to the grafana.flagtickgroup.com subdomain to confirm that Grafana is accessible as expected.

    Some times, you may encounter "TOO MANY REQUESTS" errors due to SSL-related issues. To avoid this problem, you can use self-signed SSL certificate to secure the integration of the subdomain grafana.flagtickgroup.com. This helps prevent such errors from occurring.

    Press the Reissue Certificate button to install a free basic certificate provided by Let's Encrypt.

    Select the option Secure the wildcard domain (including www and webmail), including the www subdomain.

    Started issuing a wildcard SSL/TLS certificate from Let's Encrypt for the domain grafana.flagtickgroup.com.

    Here are the results after securing the domain and its www subdomain for the subdomain grafana.flagtickgroup.com.

    You can view the details of this certificate and Plesk panel by examining it in plain text as follows:

    Moreover, you can execute the command $ sudo cat /var/www/vhosts/system/grafana.flagtickgroup.com/conf/httpd.conf to inspect all configurations and verify if the self-signed SSL certificate has been set up and configured for use with Apache.

    <IfModule mod_ssl.c>
    <VirtualHost 172.26.1.162:7081 >
    	ServerName "grafana.flagtickgroup.com"
    	ServerAlias "www.grafana.flagtickgroup.com"
    	ServerAlias "ipv4.grafana.flagtickgroup.com"
    	UseCanonicalName Off
    	ProxyPreserveHost On
    	ProxyPass / http://localhost:3030/
    	ProxyPassReverse / http://localhost:3030/
    
    	CustomLog /var/www/vhosts/system/grafana.flagtickgroup.com/logs/access_ssl_log plesklog
    	ErrorLog "/var/www/vhosts/system/grafana.flagtickgroup.com/logs/error_log"
    
    	DocumentRoot "/var/www/vhosts/flagtickgroup.com/grafana"
    
    	<IfModule mod_suexec.c>
    		SuexecUserGroup "flagtick" "psacln"
    	</IfModule>
    
    	<IfModule mod_userdir.c>
    		UserDir "/var/www/vhosts/flagtickgroup.com/web_users/*"
    	</IfModule>
    
    	<IfModule mod_sysenv.c>
    		SetSysEnv PP_VHOST_ID "4e78ba52-16fb-4c30-9cb9-fffa22b17566"
    	</IfModule>
    
    	Alias "/plesk-stat" "/var/www/vhosts/system/grafana.flagtickgroup.com/statistics"
    	<Location  /plesk-stat/>
    		Options +Indexes
    	</Location>
    	<Location  /plesk-stat/logs/>
    		Require valid-user
    	</Location>
    	Alias /webstat /var/www/vhosts/system/grafana.flagtickgroup.com/statistics/webstat
    	Alias /webstat-ssl /var/www/vhosts/system/grafana.flagtickgroup.com/statistics/webstat-ssl
    	Alias /ftpstat /var/www/vhosts/system/grafana.flagtickgroup.com/statistics/ftpstat
    	Alias /anon_ftpstat /var/www/vhosts/system/grafana.flagtickgroup.com/statistics/anon_ftpstat
    	Alias /awstats-icon /usr/share/awstats/icon
    
    	SSLEngine on
    	SSLVerifyClient none
    	SSLCertificateFile /opt/psa/var/certificates/scfu6Xa3R
    	SSLCACertificateFile /opt/psa/var/certificates/scfNJGnJT
    
    	<Directory /var/www/vhosts/flagtickgroup.com/grafana>
    

    Thus, setting up SSL for Apache configuration can be achieved with just three lines, as shown below:

    SSLEngine on
    SSLCertificateFile /opt/psa/var/certificates/scfu6Xa3R
    SSLCACertificateFile /opt/psa/var/certificates/scfNJGnJT
    

    In some cases, missing proper folder permissions, ownership, or correct web server configurations can lead to a 403 Forbidden error when accessing the subdomain.

    Navigate to the File Manager to access the Grafana folder, which is the directory pointed to by our subdomain. Here, you can examine the ownership settings for this folder.


    Additionally, we can use the command ls -l to check the ownership of the Grafana folder.

    $ ls -l /var/www/vhosts/flagtickgroup.com
    ...
    drwxrwxrwx  2 ubuntu   ubuntu  4096 Apr 18 03:36 grafana
    ...
    

    In Grafana, there are various authentication methods available, some of which also support syncing user permissions and organization memberships. We will dive deep into this further in the next section.

    IV. Exploring Authentication Configuration in Grafana

    Start by disabling all authentication methods except Basic authentication in Grafana. Access and modify the grafana.ini configuration file using a text editor or command-line tools like `cat /etc/grafana/grafana.ini`.

    #################################### GitHub Auth ##########################
    [auth.github]
    ;name = GitHub
    ;icon = github
    ;enabled = false
    #################################### GitLab Auth #########################
    [auth.gitlab]
    ;name = GitLab
    ;icon = gitlab
    ;enabled = false
    #################################### Google Auth ##########################
    [auth.google]
    ;name = Google
    ;icon = google
    ;enabled = false
    #################################### Grafana.com Auth ####################
    [auth.grafana_com]
    ;name = Grafana.com
    ;icon = grafana
    ;enabled = false
    #################################### Azure AD OAuth #######################
    [auth.azuread]
    ;name = Microsoft
    ;icon = microsoft
    ;enabled = false
    ;allow_sign_up = true
    #################################### Okta OAuth #######################
    [auth.okta]
    ;name = Okta
    ;enabled = false
    #################################### Generic OAuth ##########################
    [auth.generic_oauth]
    ;enabled = false
    #################################### Basic Auth ##########################
    [auth.basic]
    enabled = true
    #################################### Auth Proxy ##########################
    [auth.proxy]
    ;enabled = false
    #################################### Auth JWT ##########################
    [auth.jwt]
    ;enabled = true
    #################################### Auth LDAP ##########################
    [auth.ldap]
    ;enabled = false
    

    When you visit https://grafana.flagtickgroup.com/login, you're directed to the Grafana interface, but no login form appears.

    To display the login form, you will need to set `disable_login_form` to false in `grafana.ini`. After making this change, restart the Grafana server using systemctl restart grafana-server to apply the updates.

    [auth]
    # Login cookie name
    login_cookie_name = plesk_grafana_session
    
    # Disable usage of Grafana build-in login solution.
    ;disable_login = false
    
    # The maximum lifetime (duration) an authenticated user can be inactive before being required to login at next visit. Default is 7 days>
    ;login_maximum_inactive_lifetime_duration =
    
    # The maximum lifetime (duration) an authenticated user can be logged in since login time before being required to login. Default is 30>
    ;login_maximum_lifetime_duration =
    
    # How often should auth tokens be rotated for authenticated users when being active. The default is each 10 minutes.
    ;token_rotation_interval_minutes = 10
    
    # Set to true to disable (hide) the login form, useful if you use OAuth, defaults to false
    disable_login_form = false
    
    # Set to true to disable the sign out link in the side menu. Useful if you use auth.proxy or auth.jwt, defaults to false
    ;disable_signout_menu = false
    
    Note: For more information, you can visit the following URL: https://grafana.com/docs/grafana/latest/setup-grafana/configure-security/configure-authentication/grafana/.

    Access your SQL database and reset the admin password using an SQL update query. Set the new password to admin.

    sudo sqlite3 /var/lib/grafana/grafana.db
    sqlite> update user set password = '59acf18b94d7eb0694c61e60ce44c110c7a683ac6a8f09580d626f90f4a242000746579358d77dd9e570e83fa24faa88a8a6', salt = 'F3FAxVm33R' where login = 'admin';
    sqlite> .exit
    

    Once you log in with the username/password is admin/admin, you will be prompted with Update your password screen, where you can request to change your password as shown below:

    Finally, here is the Grafana dashboard after successfully changing the password.

    V. Conclusion

    Our article has shared practical insights on how to use Grafana for monitoring CPU, Disk, Memory, Network, Overview, and Services. We've included a detailed example of setting up Grafana on Ubuntu, covering installation, port configuration, and linking to a subdomain for easy browser access. If you encounter any issues while following our guide, don't hesitate to ask questions or share your concerns in the comments section.

    Flagtick Group
    Flagtick Group The individual is sociable and enjoys making friends, often sharing knowledge across various fields. |1 second ago
    Flagtick Group The individual is sociable and enjoys making friends, often sharing knowledge across various fields. 1 second ago
    You need to login to do this manipulation!