proxy-to-grafana command

tailscale.com – tailscale.com/cmd/proxy-to-grafana

proxy-to-grafana command

proxy-to-grafana is a reverse proxy which identifies users based on their originating Tailscale identity and maps them to corresponding Grafana users, creating them if needed.

It uses Grafana's AuthProxy feature: https://grafana.com/docs/grafana/latest/auth/auth-proxy/

Set the TS_AUTHKEY environment variable to have this server automatically join your tailnet, or look for the logged auth link on first start.

Use this Grafana configuration to enable the auth proxy:

[auth.proxy]
enabled = true
header_name = X-WEBAUTH-USER
header_property = username
auto_sign_up = true
whitelist = 127.0.0.1
headers = Email:X-Webauth-User, Name:X-Webauth-Name, Role:X-Webauth-Role
enable_login_token = true

You can use grants in Tailscale ACL to give users different roles in Grafana. For example, to give group:eng the Editor role, add the following to your ACLs:

 "grants": [
		{
			"src": ["group:eng"],
			"dst": ["tag:grafana"],
			"app": {
				"tailscale.com/cap/proxy-to-grafana": [{
					"role": "editor",
				}],
			},
		},
 ],

If multiple roles are specified, the most permissive role is used.

Version: v1.84.2 (latest)
Published: Jun 9, 2025
Platform: linux/amd64
Imports: 14 packages
Last checked: 17 minutes ago –

Tools for package owners.

?	: This menu
/	: Search site
f	: Jump to identifier
g then g	: Go to top of page
g then b	: Go to end of page
G	: Go to end of page
g then i	: Go to index
g then e	: Go to examples

proxy-to-grafana command

Keyboard shortcuts