Close proxy API access

Hi community,

Grafana 8.2.5

We have a Grafana system 8.2.5. He had a security audit, where the API access is criticized. We have enabled an anonymous acess for users without login.

[auth.anonymous]
enabled =true
org_name = IT.NRW
org_role = Viewer

When I try to access the Grafana like:

curl http://<fqdn>:3000/api/datasources   -> {"message":"Permission denied"}

curl http://admin:<password>@<fqdn>:3000/api/datasources -> a valid json object with the datasource etc....

But the security audit found also the access to the datasource proxy? API.

curl http://<fqdn>:3000/api/datasources/proxy/3/query?db=<db>\&q=SELECT+*+FROM+<ts>\&epoch=ms

So I can query with or without credentials ALWAYS the API.

Security audit: a Denial of Service (DoS) is possible, maybe some SQL injection. I don't want discuss this topic here.

I have to close the access through the API. At least from other network segments.

Any hints?

Thanks in advance.

Solution

I'm a grafana beginner!

I do not complain, the security audit listed the two topics (DoS/SQL injection). I didn't found any configuration possibilities (grafana.ini) about closing the proxy API interface (only data_source_whitelist-ing).

So, I added some rules into the NGIX config in front of the grafana server to forbid the proxy API access -> throw 40x error. Now the web UI is not able anymore to fetch and render the data in the UI.

My conclusion:

the grafana architecture define: the proxy API will be used by the web UIs.
with or without credentials: a user can fire a query (DoS) using the proxy API
with or without credentials: the query is pass through the proxy API to the datasource, potential sql injection is possible