"401: Unauthorized" iframe CARD of Grafana not working

You can’t include iframes from Grafana from Ingress, this is not an add-on limitation and can therefore not be fixed via an add-on update.

The version re-instates direct access to grafana, which can provide access without ingress.

so to be clear no chance to resolve it for the hassio users here?

Hi Frenck,
can it maybe be done if i allow anonymous login? I don’t have any problems with that since grafana and home assistant is only accesable from within my LAN.
If so, how can i change the settings in grafana? I’m trying all day to change the settings (in the grafana.ini), via env variables and stuff, but can’t seem to find a way that works.
Greetings,
Joost

Okay, I’m able to make the iframe working like this. AFAIK, you can’t get ingress to work, so it won’t pass through nabu casa when you don’t have direct access. To remedy this, you’d have to punch a whole in your firewall for the port you define and use your external ip and port in the URL. Probably you only need anyonymous and embedding, but I just copy pasted that from elsewhere.

I just showed up to this issue and wanted to chime in. On my internal network, on mac safari 14, sometimes works and other times not, on the iOS HA app it always give an error - I get 401: Unauthorized on Grafana iframe card, but on Google Chrome, it always works on the mac but never on the iPhone. could there be some other way to integrate Grafana into lovelace besides the iframe card?

1 Like

Yes just to chime in this is the 1M$ question… What is the right way of displaying Grafana dashboards in Lovelace? Any support appreciated. And if it is not possible at all then I don’t really get the point of having a Grafana addon…

3 Likes

any solution to this? All charts are now showing 401: Unauthorized

Solved! Got it working by doing mainly two things:

On my settings I changed:
grafana_ingress_user: anonymous

And on the shared link to the plot, I changed the url port to 3000, like below:

http://192.168.1.6:3000/api/hassio_ingress/whatevertoken/d-solo/7Tl95WoGz/server-stats?orgId=1&refresh=1m&from=now-1h&to=now&panelId=3"

Since then, no “Unauthorized access”

3 Likes

Thank you for solution. What about accessing from another network (actually from world wide)? Do i have to port forward somehow that port 3000 ?

Hi, can you tell me where this setting is please?

Supervisor - grafana - configuration

As i understand, with this config i cant get assess from outside. Any advice to make it work thrue original dns?

Funny part is that i can see on my mobile HA app the grafana dashboard through wi-fi, although webcard is through ddns, but on local instance (with web browser) of HA in lovelace i see 401:unauthorised

Any news for solve this problem??

If you are using Grafana in supervisor:
These settings work for me…


plugins:
  - grafana-worldmap-panel
env_vars:
  - name: GF_INGRESS_USER
    value: anonymous
  - name: GF_DEFAULT_INSTANCE_NAME
    value: Hassio
  - name: GF_AUTH_ANONYMOUS_ENABLED
    value: 'true'
  - name: GF_SECURITY_ALLOW_EMBEDDING
    value: 'true'
  - name: GF_SECURITY_COOKIE_SAMESITE
    value: none
  - name: GF_SECURITY_COOKIE_SECURE
    value: 'true'
  - name: GF_SECURITY_LOGIN_REMEMBER_DAYS
    value: '365'
  - name: GF_AUTH_BASIC_ENABLED
    value: 'true'
ssl: false
certfile: fullchain.pem
keyfile: privkey.pem
log_level: info

I also changed to port 3000:

The webpage panel card link in lovelace frontend: http://192.168.1.4:3000/api/hassio_ingress/blah/blah

2 Likes

Does it also work externally then? Via nabu casa? They do not forward port 3000 do they?

Canne help with Nabu Casa as I don’t use it. Sorry.

But it does work “externally” via VPN which is in essence “local”.
(I don’t use https and don’t expose HA direct to web)

Its pretty quick to just pop on an OPENVPN connection on a mobile or laptop to check into HA when out and about.
It’s also good to pop the VPN on when on an unknown WIFI (Instead of NORD or something similar you pay for) so your web browsing goes via the home internet.

Telegram messenger is also integrated into HA with a chat bot (RedBot Nodes) to send commands to HA and to report stuff back to users in a chat without putting VPN on.

Someone else may be able to test the Nabu Casa element for you…

Hm… obviously adding a separate port to the container and enabling anonymous access solve the issue… but this mean indeed that internally it is solved (which includes vpn acces to your internal).
And also pinning a hole in the firewall to that port enables “local”/“direct” access to the container.

But al these options are not really “handy” to do and ton maintain. The best would be to access the container internally which makes it work locally and remote (via 8123 and nabucasa)…

having the same problem myself. I’ve tried exposing the container port and enabling anonymous and of course that works. However I don’t want to expose grafana port to the world and having anybody able to connect to it. Is there any way we can make it working on hassio standard port?
I’d be fine having to generate a token once every year that’s why I tried with a config like this

plugins: []
env_vars:
  - name: GF_SECURITY_ALLOW_EMBEDDING
    value: 'true'
  - name: GF_AUTH_ANONYMOUS_ENABLED
    value: 'false'
  - name: GF_AUTH_TOKEN_ROTATION_INTERVAL_MINUTES
    value: '525600'
  - name: GF_AUTH_LOGIN_MAXIMUM_INACTIVE_LIFETIME_DAYS
    value: '365'
  - name: GF_AUTH_LOGIN_MAXIMUM_LIFETIME_DAYS
    value: '365'
ssl: true
certfile: fullchain.pem
keyfile: privkey.pem

but unfortunately it doesn’t do the job :frowning:

Yeah exposing anon login for grafana to the world isn’t something I’d do on my firewall.

Hence using VPN for remote access.

Sorry it wasn’t of any use pal. But someone else may find it of use.

I’m sure someone will fix the :8123 port issue in time :+1:

simple workaround:

  • set grafana graphics from dashboards with external url ;
  • at first instance when u try to view grafana, steb in grafana add-on sidebar for this to authenticate ;
  • after grafana loads there u can go your whole session in that webpage or companion and graphics will be there