How to use influx client with apache reverse proxy and ssl

Dear all - this is my first post here - exiting! I installed InfluxDB on a web server, to put measurements into it later.

I can run the “influx” client successfully on the servers CLI. Then I set up a user and a pasword and succeeded also to use “influx” from a different pc in my home network like

$ influx -host "ahost" -username "auser" -password "apassword".

Since I want to store and display the data on a this web server with HTTPS / letsencrypt, I went next step and installed grafana on the machine and set a reverse proxy, so I can reach grafana via https://myserverdomain/grafana. Apache’s ssl config needs to have like

ProxyPass "/grafana" "http://localhost:3000"

for this and adjusting grafana.ini.

Since influxDB has no visible web frontend (I guess?) I wonder how I can test my setup for it:

ProxyPass /influx http://localhost:8086/

From the Internet I got a tip with curl:

$ curl -sL -I l https://myserver.no-ip.biz/influx/ping

this gives me back a success (204) as I learned:

HTTP/1.1 204 No Content
Date: Sat, 14 Nov 2020 18:33:46 GMT
Server: Apache
X-XSS-Protection: 1; mode=block
x-Frame-Options: SAMEORIGIN
X-Content-Type-Options: nosniff
Strict-Transport-Security: max-age=31536000; includeSubDomains
Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-eval'; style-src 'self' 'unsafe-inline'; frame-src *; img-src * data: blob:; font-src 'self' data:; media-src *; connect-src *
Referrer-Policy: strict-origin
Content-Type: application/json
Request-Id: ee8f37ea-26a7-11eb-800a-bc5ff4abbd9d
X-Influxdb-Build: OSS
X-Influxdb-Version: 1.8.3
X-Request-Id: ee8f37ea-26a7-11eb-800a-bc5ff4abbd9d

So my questions are: From the internet, (how) can I run a command line with “influx …” and access the database as I would locally in my LAN?

And how to feed data from node-red into it? When I tried, it says (debug output of the influxDB node:)

Error: A 301 Moved Permanently error occurred: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>301 Moved Permanently</title>
</head><body>
<h1>Moved Permanently</h1>
<p>The document has moved <a href="https://myserver.no-ip.biz/influx:443/write?db=mydb&amp;p=apassword&amp;precision=n&amp;rp=&amp;u=auser">here</a>.</p>
</body></html>

Thanks in advance!

Hello @loeten,
Welcome! InfluxDB has a visible web frontend for 2.x https://docs.influxdata.com/influxdb/v2.0/visualize-data/ 8086
and for 1.x
https://docs.influxdata.com/chronograf/v1.8/ 8888

Influxdb 2.0 does indeed have a frontend which I can view at localhost…

How can it be seen reverse proxied through apache though? With chronograf the base_path variable is set, but I cannot for the life of me get this to work for InfluxDb 2.0 OSS. I am left with a blank browser screen on every attempt.

1 Like

I have the same problem… When I set up the reverse proxy I end up on a blanket site

I gave up on trying 2 months ago. I reverted to version 1.8.x, which is unfortunate. I was a bit surprised that no on else said anything, because surely others are running on something other than localhost. If you have any luck, please update me.

About the influx connection, I used curl (instead of the NodeRed node) from the remote location to see what happens, and also to update - never used any graphic frontend.

About the reverse proxy issues (also with Grafana) I found that it disliked some security headers, that were delivered by default by my web server. After disabling it and step by step enabling it back, I was able to identify the problematic one and have an influx and grafana (docker) running on reverse proxy and apache2 as planned originally.

Thank you for sharing your solution. I also have been using and enjoy grafana for observability. I still wanted to give the new influxdb gui a shot to tinker with Flux more regularly and directly. But, yes… serving grafana through apache via reverse proxy is nice and straightforward from my expérience. Chronograf was also double with a little extra effort.

Using a reverse proxy (nginx) to forward 443 traffic to Influxdb 2.0 port 8086 worked flawlessly for me.

I use InfluxDB internally, on influx.local.mytld.com. I wanted to use my Split-DNS Let’s Encrypt Wildcard Certs and also did not want to always apply :8086 when opening the web interface.

This is my nginx conf:

server {
        listen 443 ssl http2;
        listen [::]:443 ssl http2;
        server_name influx.local.mytld.com;

        ssl      on;
        ssl_certificate     /etc/nginx/ssl/wildcard.local.mytld.com.fullchain;
        ssl_certificate_key /etc/nginx/ssl/wildcard.local.mytld.com.key;

        ssl_protocols           TLSv1.2 TLSv1.3;
        ssl_ciphers HIGH:!MEDIUM:!LOW:!aNULL:!NULL:!SHA;
        ssl_prefer_server_ciphers on;
        ssl_session_cache shared:SSL:10m;

        location / {
                proxy_pass http://localhost:8086;
                proxy_redirect off;
                proxy_http_version 1.1;
                proxy_max_temp_file_size 10m;
                proxy_connect_timeout 20;
                proxy_send_timeout 20;
                proxy_read_timeout 20;
                proxy_set_header Host $host;
                proxy_set_header Upgrade $http_upgrade;
                proxy_set_header Connection keep-alive;
                proxy_set_header X-Real-IP $remote_addr;
                proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
                proxy_set_header X-Forwarded-Proto http;
                proxy_set_header X-Original-For $proxy_add_x_forwarded_for;
                proxy_set_header X-Original-Proto https;
                proxy_cache_bypass $http_upgrade;
        }

}

Now, when I go to https://influx.local.mytld.com,
the InfluxDB frontend opens.

Note that all metric collectors must be configured to use port 443 instead of 8086, and they must also have the current SSL certs avialable. In Telegraf, you must use ssl:// for the output plugin. I also tested this with other tools, e.g. the native InfluxDB Metric Collector in Proxmox, works without issues so far.

1 Like

I haven’t had a chance to try again. I cannot run nginx for more primary use case. But, i will definitely be reviewing your config for my own local instance. Thank you.

I am trying to do the same thing with reverse proxy and influxdb. The web UI works fine at localhost:8086.

I used @Grom config but still got a black page. I plan to access influx web UI by https://my.domain/influx so my config is like:

location /influx/ {
                proxy_pass http://localhost:8086;
                proxy_redirect off;
                proxy_http_version 1.1;
                proxy_max_temp_file_size 10m;
                proxy_connect_timeout 20;
                proxy_send_timeout 20;
                proxy_read_timeout 20;
                proxy_set_header Host $host;
                proxy_set_header Upgrade $http_upgrade;
                proxy_set_header Connection keep-alive;
                proxy_set_header X-Real-IP $remote_addr;
                proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
                proxy_set_header X-Forwarded-Proto http;
                proxy_set_header X-Original-For $proxy_add_x_forwarded_for;
                proxy_set_header X-Original-Proto https;
                proxy_cache_bypass $http_upgrade;
        }