From a72b5f00d21a27ee004f3251726ae59ae455c03d Mon Sep 17 00:00:00 2001
From: hailin <hailin.zhao@gdzx.xyz>
Date: Thu, 4 Dec 2025 22:31:59 -0800
Subject: [PATCH] fix(api-gateway): update Nginx reverse proxy headers for
 Grafana 10+ compatibility

- Change Host header from $host to $http_host for correct host forwarding
- Add X-Forwarded-Host and X-Forwarded-Port headers
- Add Origin header ($scheme://$host) critical for Grafana 10+ CORS validation
- Disable proxy buffering for better real-time updates
- Update README with manual Nginx configuration update instructions for existing installations

Resolves 'origin not allowed' error when accessing Grafana through Nginx reverse proxy with SSL.
---
 backend/api-gateway/README.md                 | 26 +++++++++++++++++++
 .../api-gateway/scripts/install-monitor.sh    | 14 +++++++++-
 2 files changed, 39 insertions(+), 1 deletion(-)

diff --git a/backend/api-gateway/README.md b/backend/api-gateway/README.md
index 7b7153ea..2f0cf648 100644
--- a/backend/api-gateway/README.md
+++ b/backend/api-gateway/README.md
@@ -337,6 +337,32 @@ openssl rand -base64 24
 - 如果看到 "origin not allowed" 错误，说明 `GRAFANA_ROOT_URL` 与实际访问地址不匹配
 - 修改 `.env` 后必须重启容器才能生效
 
+**如果之前已安装 Nginx，需要更新配置**：
+
+如果你之前运行过 `install-monitor.sh`，需要手动更新 Nginx 配置文件以支持 Grafana 10+：
+
+```bash
+# 1. 编辑 Nginx 配置文件
+sudo nano /etc/nginx/sites-available/monitor.szaiai.com.conf
+
+# 2. 在 Grafana location / 块中添加以下 headers:
+#    proxy_set_header Host $http_host;
+#    proxy_set_header X-Forwarded-Host $host;
+#    proxy_set_header X-Forwarded-Port $server_port;
+#    proxy_set_header Origin $scheme://$host;
+#    proxy_buffering off;
+
+# 3. 测试并重载 Nginx
+sudo nginx -t
+sudo systemctl reload nginx
+```
+
+或者重新运行安装脚本（会使用更新后的配置）：
+```bash
+cd ~/rwadurian/backend/api-gateway
+sudo ./scripts/install-monitor.sh monitor.szaiai.com
+```
+
 ## 生产环境部署
 
 ### 部署前检查清单
diff --git a/backend/api-gateway/scripts/install-monitor.sh b/backend/api-gateway/scripts/install-monitor.sh
index b1271882..336d6b54 100644
--- a/backend/api-gateway/scripts/install-monitor.sh
+++ b/backend/api-gateway/scripts/install-monitor.sh
@@ -169,14 +169,26 @@ server {
     location / {
         proxy_pass http://127.0.0.1:$GRAFANA_PORT;
         proxy_http_version 1.1;
+
+        # WebSocket support
         proxy_set_header Upgrade \$http_upgrade;
         proxy_set_header Connection 'upgrade';
-        proxy_set_header Host \$host;
+
+        # Standard proxy headers
+        proxy_set_header Host \$http_host;
         proxy_set_header X-Real-IP \$remote_addr;
         proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
         proxy_set_header X-Forwarded-Proto \$scheme;
+        proxy_set_header X-Forwarded-Host \$host;
+        proxy_set_header X-Forwarded-Port \$server_port;
+
+        # Grafana 10+ 反向代理支持
+        proxy_set_header Origin \$scheme://\$host;
+
+        # 缓存和超时
         proxy_cache_bypass \$http_upgrade;
         proxy_read_timeout 86400;
+        proxy_buffering off;
     }
 
     # Prometheus (仅内网)