Access to the Grafana interface

MITIGATOR comes with Grafana which can be used to create custom dashboards. See the Grafana documentation to understand exactly how to do this.

To gain access to the Grafana web interface, you need to set up the service, which is disabled by default. You can temporarily do this with the following command:

docker-compose up -d --scale grafana=1 grafana

To enable grafana permanently, you need to change scale from 0 to 1 in docker-compose.yml.

services:
  ...
  grafana:
    ...
    scale: 1
    ...

After configuration, you need to raise the Grafana container:

docker-compose up -d grafana

Now you can access the web interface using the forwarded port: http://mitigator.local:3000 (mitigator.local is the server address here and below). The default username and password are admin:admin. Grafana will ask you to change your password the first time you log in.

When using a cluster, you must explicitly set the address of Graphite inside the VPN to Grafana:

All changes made through the Grafana interface, including dashboards, are saved in its internal database, which is stored in the /var/lib/docker/volumes/mitigator_grafana/_data directory.

Warning

With these settings, Grafana is available on all server IPs, that is, if the IP is public, it is available on the entire Internet. The options to secure Grafana are given below.

Option 1: SSH port forwarding

If Grafana users can connect to the server via SSH, you can only allow local connections to Grafana and forward the port.

Binding to an address (after that, you need to recreate the container again):

version: "2.2"
services:
  gateway:
    ports:
    - "127.0.0.1:3000:3000"

SSH port forwarding:

ssh -L 3000:127.0.0.1:3000 mitigator.local

Address for accessing the Grafana interface: http://localhost:3000

Option 2: local network

If the IP of the internal trusted network is used, you can bind a port to it in the same way as in option 1. The address for accessing the Grafana interface will be http://mitigator.local:3000.

Option 3: firewall

Configure any necessary firewall restrictions on the server itself or on the network perimeter. Refer to the distribution and/or ITU documentation for instructions.