# Grafana and InfluxDB with SSL inside a Docker Container
## Self-signed SSL certificates
On the host, create a directory for storing the self-signed SSL certificates. This directory will be mounted at /var/ssl in both the Grafana container and the InfluxDB container. Create the self-signed SSL certificates as follows:
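```bash
mkdir -p /docker/ssl
cd /docker/ssl/
# Generate a passphrase-protected private key
# (2048 bits; 1024-bit RSA is considered too weak today)
openssl genrsa -des3 -out server.key 2048
# Generate CSR
openssl req -new -key server.key -out server.csr
# Remove the passphrase so the services can load the key unattended
openssl rsa -in server.key -out server.key
# Generate self-signed cert, valid for one year
openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt
# Set permissions: certificate world-readable, key readable by its owner only
sudo chmod 644 server.crt
sudo chmod 600 server.key
```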
Next, create a config directory and create individual configuration files for Grafana and InfluxDB: `mkdir conf`
## Grafana
In the file ./conf/grafana/defaults.ini set the protocol to https and provide the paths to the mounted ssl directory in the container.
```ini
#################################### Server ##############################
[server]
# Protocol (http, https, socket)
protocol = https
...
...
# https certs & key file
cert_file = /var/ssl/server.crt
cert_key = /var/ssl/server.key
...
```
## InfluxDB
The file ./conf/influxdb/influxdb.conf is also pretty simple. Add an [http] section with the following settings:
```toml
[meta]
  dir = "/var/lib/influxdb/meta"

[data]
  dir = "/var/lib/influxdb/data"
  engine = "tsm1"
  wal-dir = "/var/lib/influxdb/wal"

[http]
  https-enabled = true
  https-certificate = "/var/ssl/server.crt"
  https-private-key = "/var/ssl/server.key"
```
## Environment
You can set environment variables in `env files` for the services.
### env.grafana
```
GF_INSTALL_PLUGINS=grafana-clock-panel,briangann-gauge-panel,natel-plotly-panel,grafana-simple-json-datasource
```
### env.influxdb
```
INFLUXDB_REPORTING_DISABLED=true
INFLUXDB_DB=
INFLUXDB_HTTP_AUTH_ENABLED=true
INFLUXDB_ADMIN_USER=admin
INFLUXDB_ADMIN_PASSWORD=
INFLUXDB_USER=
INFLUXDB_USER_PASSWORD=
INFLUXDB_WRITE_USER=
INFLUXDB_WRITE_USER_PASSWORD=
```
## Docker Compose
Now you can launch the service by using `docker-compose up` for the following file. Note
```yaml
version: '2'

services:
  influxdb:
    image: influxdb:latest
    container_name: influxdb
    ports:
      - "8083:8083"
      - "8086:8086"
      - "8090:8090"
    env_file:
      - 'env.influxdb'
    volumes:
      - data-influxdb:/var/lib/influxdb
      - /docker/ssl:/var/ssl
      - /docker/conf/influxdb/influxdb.conf:/etc/influxdb/influxdb.conf

  grafana:
    image: grafana/grafana:latest
    container_name: grafana
    ports:
      - "3000:3000"
    links:
      - influxdb
    env_file:
      - 'env.grafana'
    volumes:
      - data-grafana:/var/lib/grafana
      - /docker/ssl:/var/ssl
      - /docker/conf/grafana/defaults.ini:/usr/share/grafana/conf/defaults.ini

volumes:
  data-influxdb:
  data-grafana:
```
## Let's Encrypt Setup
If you require valid certificates, you can also use certificates from Let's Encrypt.
First, create the certificates on the host:
```bash
certbot certonly --standalone --preferred-challenges http --renew-by-default -d iot.example.org
```
Then use this docker-compose file.
```yaml
version: '2'

services:
  influxdb:
    image: influxdb:latest
    container_name: influxdb
    ports:
      - "8083:8083"
      - "8086:8086"
      - "8090:8090"
    env_file:
      - 'env.influxdb'
    volumes:
      - data-influxdb:/var/lib/influxdb
      - /etc/letsencrypt/live/iot.example.org/fullchain.pem:/var/ssl/server.crt
      - /etc/letsencrypt/live/iot.example.org/privkey.pem:/var/ssl/server.key
      - /docker/conf/influxdb/influxdb.conf:/etc/influxdb/influxdb.conf

  grafana:
    image: grafana/grafana:latest
    container_name: grafana
    ports:
      - "3000:3000"
    links:
      - influxdb
    env_file:
      - 'env.grafana'
    volumes:
      - data-grafana:/var/lib/grafana
      - /etc/letsencrypt/live/iot.example.org/fullchain.pem:/var/ssl/server.crt
      - /etc/letsencrypt/live/iot.example.org/privkey.pem:/var/ssl/server.key
      - /docker/conf/defaults.ini:/usr/share/grafana/conf/defaults.ini

volumes:
  data-influxdb:
  data-grafana:
```
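
Before starting the containers, it is worth checking the certificate and key that will end up at /var/ssl, whether they come from the self-signed steps or from Let's Encrypt. The script below is an added example, not part of the original post; the function name `audit_tls_pair` and the thresholds (2048-bit RSA, 30 days of remaining validity) are assumptions.

```bash
#!/usr/bin/env bash
# Added example: audit a cert/key pair before it is mounted at /var/ssl.
# Usage: ./audit_tls_pair.sh /docker/ssl/server.crt /docker/ssl/server.key [min_days]
# Assumed thresholds (not from the page): RSA >= 2048 bits, 30 days validity left.

audit_tls_pair() {
  local crt="$1" key="$2" min_days="${3:-30}" failures=0
  local crt_pub key_pub text bits

  # 1. Certificate and key must belong together: compare their public keys.
  #    An encrypted or unreadable key fails here too (-passin avoids a prompt).
  crt_pub=$(openssl x509 -in "$crt" -noout -pubkey 2>/dev/null)
  key_pub=$(openssl pkey -in "$key" -passin pass: -pubout 2>/dev/null)
  if [ -z "$crt_pub" ] || [ "$crt_pub" != "$key_pub" ]; then
    echo "FAIL: $key does not match $crt, or one of them is unreadable"
    failures=$((failures + 1))
  fi

  # 2. RSA keys need at least 2048 bits (ECDSA keys, which certbot may
  #    issue, are not subject to this check).
  text=$(openssl x509 -in "$crt" -noout -text 2>/dev/null)
  if printf '%s\n' "$text" | grep -q 'Public Key Algorithm: rsaEncryption'; then
    bits=$(printf '%s\n' "$text" | sed -n 's/.*Public-Key: (\([0-9]*\) bit.*/\1/p')
    if [ "${bits:-0}" -lt 2048 ]; then
      echo "FAIL: RSA key is ${bits:-?} bits, expected >= 2048"
      failures=$((failures + 1))
    fi
  fi

  # 3. The certificate must stay valid for at least min_days more days.
  if ! openssl x509 -in "$crt" -noout -checkend $((min_days * 86400)) >/dev/null 2>&1; then
    echo "FAIL: $crt is missing or expires within $min_days days"
    failures=$((failures + 1))
  fi

  # 4. The key must not be accessible to group or other (mode 600 or 400).
  #    -L follows symlinks such as /etc/letsencrypt/live/<domain>/privkey.pem.
  if [ "$(ls -lLd "$key" 2>/dev/null | cut -c5-10)" != "------" ]; then
    echo "FAIL: $key is missing or accessible to group/other"
    failures=$((failures + 1))
  fi

  [ "$failures" -eq 0 ] && echo "OK: $crt and $key passed all checks"
  return "$failures"
}

# Run the audit only when both paths are given on the command line.
if [ "$#" -ge 2 ]; then audit_tls_pair "$@"; fi
```

The exit status is the number of failed checks, so the script can gate `docker-compose up` in a deployment wrapper.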