alright check it out, its a dirty hack but this how i got around this problem:
create a folder called www in your homeassistant config folder, so its /homeassistant/config/www 1a. if the folder dint exist, make sure you restart home assistant!!!
create a new html file in the new www directory, anyfilename.html
2a. the contents of anyfilename.html are:
change HASSIOingresRandomURL to what your ingress url isbroken 401 webpage card has… example would be /api/hassio_ingress/whatevertokenRandomURL/d-solo/7Tl95WoGz/server-stats Also take note of the 2000 milosecond (2s) load delay.
In your dashboard that contains a webpage (iframe) card that has a broken 401 /api/hassio_ingress/HASSIOingresRandomURL/ Change it to /local/anyfilename.html with arguments at the end. Example would be: /local/anyfilename.html?orgId=1&refresh=1m&from=now-1h&to=now&panelId=3
we will add a dummy webpage card anywhere in the dashboard tab with the following settings:
This creates an invisible card to force load grafana as if you clicked on it on the sidebar.
Now when you load the dashboard tab, grafana is loaded by the invisible webpage card and after 2 seconds your HASSIOingresRandomURL with arguments & w/e you want are loaded in.
Until home assistant fixes passing url parameters & paths to ingressURL’s on the sidebar, we have to come up with crap like this… Tested working on external URLs like CASA & Cloudflared. Anyone not logged in who accesses /local/anyfilename.html are still greeted with 401 not authorized.
You can test this faster by using desktop browser. Closing the browser completely (not just the tab) will force 401 to appear.
Actually a better way if you have a fqdn for both Graphana and Home assistant. Remove my old command and add this instead. It’s more secure, and will only allow iframe renders from the named ancestors. Vs completely disabling and allowing it to be used in an iframe anywhere.
I fixed this in Scrypted by having the add-on write a html card to config/www. The contents of that card will use an access token to create an ingress session using the web socket api, and then navigate to the ingress url after setting the ingress_session cookie.
In my example, the card is written to /config/www/scrypted_card.html and used within the Webpage frame as /local/scrypted_card.html (with access token in query string).
The access token can be found in localStorage on desktop browsers, but seemingly is unavailable in mobile apps. Thus, it’s best to provide the token in a query string.
ChatGPT is pretty awesome for coding! It even knows some node-red coding too. It can create and adapt flows and gives examples to paste in. Tho it does need a lot of correcting at times, it gives you a good base to start from!
This really works for the admin user. In my case, it doesn’t work for a normal user (non-admin user). I researched the problem and will share my experience. I have Nginx before HA for SSL termination (because for this test project I use a server in hosting with other projects). So, the admin opens Grafana in an iframe but the user does not, he have error 401: Unauthorized. I found that the admin has a cookie ingress_session=23123sadsda23123-example_string , but my user doesn’t have this cookie. After manually adding the cookie, I found that my user now works and the 401: Unauthorized error has gone away. So, I will try to add this cookie to the Nginx config like this:
Where xxxxxxxxxxx (you can get in link for you dashboard before /d/)I think it’s a location for the Grafana container. Because I see it in Grafana docker nginx config
root@a0d7b954-grafana:/# cat /etc/nginx/servers/direct.conf
server {
listen 80 default_server;
include /etc/nginx/includes/server_params.conf;
include /etc/nginx/includes/proxy_params.conf;
location / {
return 302 $scheme://$http_host/api/hassio_ingress/xxxxxxxxxxx/;
}
location /api/hassio_ingress/xxxxxxxxxxx {
rewrite ^/api/hassio_ingress/xxxxxxxxxxx/(.*) /$1 break;
proxy_pass http://backend/;
}
}
I don’t know about secure for this setup but it’s work.
P.S. First time I tried add my user admin privileges and Grafana work well, but I need that my user have only user privileges.
Maybe this information will be helpful to us for fixing this problem.
Tested this proxy_hide_header X-Frame-Options work too, and you can delete coockie)
Ok, so there is a workaround (but not the solution). I was having the same issue (Unauthorised 401) on my ipad. Once I manualy opend Grafana from the left menu, it also started working in the included iframe.
Hi for now with HAOS I create this solution.
So we have problem when we user external address like bla.com
Because we have different routes to Grafana
In Grafana addons we have 2 nginx configs that work on 80 and 1337 port.
So when you go from left_panel you will always go like admin because you in allow ip address.
You got to 1337 port and we have header X-WEBAUTH-USER = admin it’s why we always will be admin from left panel because we use different routes from home assistant OS container.
For external requests(from user we will route to 80 port)
So if you use external link you will got to listen 80 port and get X-WEBAUTH-USER ‘’ -blank (we can saw it in /etc/nginx/includes/proxy_params that includes in this config).
So I fixed it to create custom location /api/home assistant OS_ingress/6lHRgBqnsurUG39JF5Wi1bo_bla_bla/ -< you can take it from share dashboard. And open in grafana addon setting port 3000(we use external port to Grafana container that route us to 80 listen nginx)
It’s real hard to debug all this stuff.
In my case I have users that not admin. And I want to give them access to it.If a miss smth you can try to write me)
proxy_hide_header X-Frame-Options; not work in my case I don’t know why maybe smth update
Update: in the next day )This setup broke.
I just thinked and now I understand all conception how it need to work.
So you need different end point to use it like anonim and admin.
I create second proxy host on NginxProxyManager grafana.blabla.com(we use it in lovelace to create visible ui) destination to ip:3000, where ip you ip homeassistant and 3000 port for worknig grafana.
And it’s work about 3 weeks everything ok.
