From 746cd8e35eec2b1c4e5df8f801c62f02394a83f0 Mon Sep 17 00:00:00 2001
From: hailin
Date: Thu, 4 Dec 2025 22:23:04 -0800
Subject: [PATCH] fix(api-gateway): add Grafana 10+ CORS configuration for reverse proxy access
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
添加 Grafana 10+ 的 CORS/跨域配置,解决通过 Nginx 反向代理访问时的 "origin not allowed" 错误。 Changes: - docker-compose.monitoring.yml: 添加 Grafana 安全配置 - GF_SECURITY_ALLOW_EMBEDDING=true: 允许嵌入和反向代理访问 - GF_SECURITY_COOKIE_SAMESITE=none: 允许跨域 Cookie - GF_SECURITY_COOKIE_SECURE=true: HTTPS 下安全传输 Cookie - GF_AUTH_ANONYMOUS_ENABLED=false: 保持安全性,禁用匿名访问 - .env.example: 添加重启提示说明 - 强调修改 GRAFANA_ROOT_URL 后必须重启监控服务 - README.md: 新增 "Grafana 通过 Nginx/域名访问配置" 章节 - 详细说明配置步骤 - 提供验证方法 - 列出常见错误和解决方案 问题根因: Grafana 10+ 引入了更严格的安全策略,要求显式配置 CORS 相关参数才能通过反向代理访问。 仅配置 GF_SERVER_ROOT_URL 不足以解决跨域问题。
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude
---
 backend/api-gateway/.env.example | 2 ++
 backend/api-gateway/README.md | 25 +++++++++++++++++++
 .../api-gateway/docker-compose.monitoring.yml | 5 ++++
 3 files changed, 32 insertions(+)
diff --git a/backend/api-gateway/.env.example b/backend/api-gateway/.env.example
index 9839d18e..9d792269 100644
--- a/backend/api-gateway/.env.example
+++ b/backend/api-gateway/.env.example
@@ -49,6 +49,8 @@ GRAFANA_ADMIN_PASSWORD=admin123
 # GRAFANA_ROOT_URL=https://monitor.szaiai.com
 #
 # Common mistake: Setting localhost when accessing via domain causes "origin not allowed" error!
+# After changing this value, you MUST restart monitoring services:
+# ./deploy.sh monitoring down && ./deploy.sh monitoring up
 GRAFANA_ROOT_URL=http://localhost:3030
 # Docker network name for monitoring services
diff --git a/backend/api-gateway/README.md b/backend/api-gateway/README.md
index 16457141..7b7153ea 100644
--- a/backend/api-gateway/README.md
+++ b/backend/api-gateway/README.md
@@ -312,6 +312,31 @@ openssl rand -base64 24
 - 延迟 (p50, p95, p99)
 - Kong 健康状态
+### Grafana 通过 Nginx/域名访问配置
+
+如果使用 `install-monitor.sh` 安装了 Nginx + SSL,需要配置 Grafana 允许通过域名访问:
+
+1. **编辑 `.env` 文件**,设置正确的访问 URL:
+ ```bash
+ GRAFANA_ROOT_URL=https://monitor.szaiai.com
+ ```
+
+2. **重启监控服务**使配置生效:
+ ```bash
+ ./deploy.sh monitoring down
+ ./deploy.sh monitoring up
+ ```
+
+3. **验证配置**:
+ ```bash
+ docker exec rwa-grafana env | grep GF_SERVER_ROOT_URL
+ # 应该输出: GF_SERVER_ROOT_URL=https://monitor.szaiai.com
+ ```
+
+**常见错误**:
+- 如果看到 "origin not allowed" 错误,说明 `GRAFANA_ROOT_URL` 与实际访问地址不匹配
+- 修改 `.env` 后必须重启容器才能生效
+
 ## 生产环境部署
 ### 部署前检查清单
diff --git a/backend/api-gateway/docker-compose.monitoring.yml b/backend/api-gateway/docker-compose.monitoring.yml
index 4cf9d6db..6901241b 100644
--- a/backend/api-gateway/docker-compose.monitoring.yml
+++ b/backend/api-gateway/docker-compose.monitoring.yml
@@ -39,6 +39,11 @@ services:
 # 反向代理支持
 - GF_SERVER_ROOT_URL=${GRAFANA_ROOT_URL:-http://localhost:3030}
 - GF_SERVER_SERVE_FROM_SUB_PATH=false
+ # Grafana 10+ CORS/跨域配置 - 允许通过反向代理访问
+ - GF_SECURITY_ALLOW_EMBEDDING=true
+ - GF_SECURITY_COOKIE_SAMESITE=none
+ - GF_SECURITY_COOKIE_SECURE=true
+ - GF_AUTH_ANONYMOUS_ENABLED=false
 volumes:
 - grafana_data:/var/lib/grafana
 - ./grafana/provisioning:/etc/grafana/provisioning:ro
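Review bot: `GF_SECURITY_ALLOW_EMBEDDING=true` and `GF_SECURITY_COOKIE_SAMESITE=none`, added to the Grafana environment list in docker-compose.monitoring.yml, are not CORS switches: the first stops Grafana from sending its frame-denying header, so any site can embed the UI, and the second lets the session cookie travel on cross-site requests, which together widen clickjacking and CSRF exposure for a logged-in admin. The "origin not allowed" error most likely comes from Grafana comparing the request's Origin with the Host it receives, so a correct `GF_SERVER_ROOT_URL` plus a proxy that forwards the original Host header should be enough; the Nginx config is not visible here, so this needs confirming. I would drop the embedding line and keep the default cookie policy, `- GF_SECURITY_COOKIE_SAMESITE=lax`. `GF_SECURITY_COOKIE_SECURE=true` is right behind HTTPS, but the context line still defaults the root URL to `http://localhost:3030`, and a browser reaching Grafana over plain HTTP from a non-localhost address will likely discard the Secure cookie and fail to log in, so a comment such as `# requires HTTPS; login over plain HTTP will fail` would help. The service definition begins and continues outside the hunk.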