"401: Unauthorized" iframe CARD of Grafana not working

Thank you for solution. What about accessing from another network (actually from world wide)? Do i have to port forward somehow that port 3000 ?

Hi, can you tell me where this setting is please?

Supervisor - grafana - configuration

As i understand, with this config i cant get assess from outside. Any advice to make it work thrue original dns?

Funny part is that i can see on my mobile HA app the grafana dashboard through wi-fi, although webcard is through ddns, but on local instance (with web browser) of HA in lovelace i see 401:unauthorised

Any news for solve this problem??

If you are using Grafana in supervisor:
These settings work for me…


plugins:
  - grafana-worldmap-panel
env_vars:
  - name: GF_INGRESS_USER
    value: anonymous
  - name: GF_DEFAULT_INSTANCE_NAME
    value: Hassio
  - name: GF_AUTH_ANONYMOUS_ENABLED
    value: 'true'
  - name: GF_SECURITY_ALLOW_EMBEDDING
    value: 'true'
  - name: GF_SECURITY_COOKIE_SAMESITE
    value: none
  - name: GF_SECURITY_COOKIE_SECURE
    value: 'true'
  - name: GF_SECURITY_LOGIN_REMEMBER_DAYS
    value: '365'
  - name: GF_AUTH_BASIC_ENABLED
    value: 'true'
ssl: false
certfile: fullchain.pem
keyfile: privkey.pem
log_level: info

I also changed to port 3000:

The webpage panel card link in lovelace frontend: http://192.168.1.4:3000/api/hassio_ingress/blah/blah

2 Likes

Does it also work externally then? Via nabu casa? They do not forward port 3000 do they?

Canne help with Nabu Casa as I don’t use it. Sorry.

But it does work “externally” via VPN which is in essence “local”.
(I don’t use https and don’t expose HA direct to web)

Its pretty quick to just pop on an OPENVPN connection on a mobile or laptop to check into HA when out and about.
It’s also good to pop the VPN on when on an unknown WIFI (Instead of NORD or something similar you pay for) so your web browsing goes via the home internet.

Telegram messenger is also integrated into HA with a chat bot (RedBot Nodes) to send commands to HA and to report stuff back to users in a chat without putting VPN on.

Someone else may be able to test the Nabu Casa element for you…

Hm… obviously adding a separate port to the container and enabling anonymous access solve the issue… but this mean indeed that internally it is solved (which includes vpn acces to your internal).
And also pinning a hole in the firewall to that port enables “local”/“direct” access to the container.

But al these options are not really “handy” to do and ton maintain. The best would be to access the container internally which makes it work locally and remote (via 8123 and nabucasa)…

having the same problem myself. I’ve tried exposing the container port and enabling anonymous and of course that works. However I don’t want to expose grafana port to the world and having anybody able to connect to it. Is there any way we can make it working on hassio standard port?
I’d be fine having to generate a token once every year that’s why I tried with a config like this

plugins: []
env_vars:
  - name: GF_SECURITY_ALLOW_EMBEDDING
    value: 'true'
  - name: GF_AUTH_ANONYMOUS_ENABLED
    value: 'false'
  - name: GF_AUTH_TOKEN_ROTATION_INTERVAL_MINUTES
    value: '525600'
  - name: GF_AUTH_LOGIN_MAXIMUM_INACTIVE_LIFETIME_DAYS
    value: '365'
  - name: GF_AUTH_LOGIN_MAXIMUM_LIFETIME_DAYS
    value: '365'
ssl: true
certfile: fullchain.pem
keyfile: privkey.pem

but unfortunately it doesn’t do the job :frowning:

Yeah exposing anon login for grafana to the world isn’t something I’d do on my firewall.

Hence using VPN for remote access.

Sorry it wasn’t of any use pal. But someone else may find it of use.

I’m sure someone will fix the :8123 port issue in time :+1:

simple workaround:

  • set grafana graphics from dashboards with external url ;
  • at first instance when u try to view grafana, steb in grafana add-on sidebar for this to authenticate ;
  • after grafana loads there u can go your whole session in that webpage or companion and graphics will be there

Try to add additional parameters here, near of "GF_AUTH_ANONYMOUS_ENABLED" in Grafana configuration:

  - name: GF_AUTH_ANONYMOUS_ENABLED
    value: 'true'
  - name: GF_AUTH_ANONYMOUS_ORG_NAME
    value: canBeAnyNameHere

Now it’s working better in my Hassio, but only if connecting to it from same host

I had the same Issue (401 unauthorized) in the iFrame in a dashboard. Activating Grafana from the toolbar on the left and switching back to the dashboard helps for the second. On a mobile device on same network I always got 401 error.

The solution was to change the port in the embed addresse from default 8123 to the one you define in Grafanas settings (3000 on my setup). Credits to @joaofl

3 Likes

please can you post a screenshot where I can find in my setup yours 3000 address?

Supervisor -> Grafana -> Configuration -> Network

1 Like

Thanks
mine is like this… I don’t know why… grafana is working… is there a way to fix this?

image

I guess there is a way :wink: simply type “3000” (or whaterever 4digit number you like) instead “disabled” like I did

this will probably work. Now I suppose to add my credentials (username + password) and I don’t remember them :frowning:

Cheers. Do you embed internal address or external one with https?