Application Study Tool: Make Grafana Listen on HTTPS
The Application Study Tool (AST) from F5 is a powerful utility for monitoring and observing your BIG-IP ecosystem. Its primary interface is the Grafana dashboard, which provides valuable insights into the performance of your BIG-IPs, the applications delivered, traffic patterns, and potential threats.
The default installation instructions are quick and easy to set up, enabling you to achieve observability quickly. However, the Grafana dashboard, by default, can only be accessed via HTTP (unencrypted), not HTTPS. This means that any data sent to the dashboard, including passwords, can potentially be intercepted by anyone sniffing traffic between you and the AST host. (Note that connections between AST and BIG-IPs are always encrypted over HTTPS, so your BIG-IP credentials are secure.)
This guide will walk you through configuring Grafana to serve HTTPS, thereby encrypting traffic between your web browser and the AST Grafana dashboard.
Apply or Generate the Certificate
Before encrypting traffic, you’ll need a certificate and key. This can either be a CA-signed certificate or a self-signed certificate. Both encrypt traffic in transit, but only CA-signed certificates establish the authenticity of the server endpoint (in this case, Grafana). Many organizations opt for self-signed certificates for internal-only connections where man-in-the-middle attacks are unlikely. However, CA-signed certificates remain the more secure option.
Using a CA-Signed Certificate
If you have a CA-signed certificate available, copy the cert and key files to the ./services/grafana/ directory within the AST installation directory. Make note of the certificate and key file names. (This guide was tested with .crt and .pem extensions, but Grafana also supports other formats.)
If you need to obtain a CA-signed certificate, you can follow the instructions on the Grafana website for getting a signed certificate from Let’s Encrypt:
https://grafana.com/docs/grafana/latest/setup-grafana/set-up-https/#obtain-a-signed-certificate-from-letsencrypt
Using a Self-Signed Certificate
If you prefer to use a self-signed certificate, you can generate one using the following commands:
$ sudo openssl genrsa -out services/grafana/grafana.key 2048
$ sudo openssl req -new -key services/grafana/grafana.key -out services/grafana/grafana.csr
(Answer the questions about location, organization, name, email address, etc., as prompted.)
$ sudo openssl x509 -req -days 365 -in services/grafana/grafana.csr -signkey services/grafana/grafana.key -out services/grafana/grafana.crt
Set the correct file permissions after generating the files:
$ sudo chmod 440 services/grafana/grafana.key services/grafana/grafana.crt
Additional documentation on this process is available on Grafana’s website:
https://grafana.com/docs/grafana/latest/setup-grafana/set-up-https/#generate-a-self-signed-certificate
Configure Grafana to Listen on HTTPS
The next step is to create a configuration file for Grafana, named grafana.ini. Create this file under the ./services/grafana directory (e.g., ~/application-study-tool/services/grafana/grafana.ini).
The following is an example configuration. Update the values to fit your environment. If your key and certificate files have names other than grafana.key and grafana.crt, modify the cert_key and cert_file paths accordingly. Note that /etc/grafana/ in the example below is the path within the container.
This example uses port 3000. You can configure Grafana to listen on port 443 (the default HTTPS port), but elevated permissions are required in most environments.
[server]
http_addr =
http_port = 3000
domain = mysite.com
root_url = https://subdomain.mysite.com:3000
cert_key = /etc/grafana/grafana.key
cert_file = /etc/grafana/grafana.crt
enforce_domain = False
protocol = https
Find more details on each variable here:
https://grafana.com/docs/grafana/latest/setup-grafana/configure-grafana/#server
Configure AST to Point to grafana.ini
To enable the Application Study Tool to recognize the new grafana.ini file, you need to update the Docker Compose configuration. Locate the "grafana" service section in docker-compose.yaml. Comment out the existing provisioning mount line:
# - ./services/grafana/provisioning/:/etc/grafana/provisioning
Then add the following line to mount the updated directory:
- ./services/grafana/:/etc/grafana/
Your updated Grafana service configuration should look like this:
grafana:
  image: grafana/grafana:11.2.0
  container_name: grafana
  restart: unless-stopped
  ports:
    - 3000:3000
  volumes:
    - grafana:/var/lib/grafana
    # - ./services/grafana/provisioning/:/etc/grafana/provisioning
    - ./services/grafana/:/etc/grafana/
  env_file: ".env"
  networks:
    - 7lc_network
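
A pre-restart check for the two configuration steps above, added here as an example and not part of AST or Grafana: it parses grafana.ini, confirms HTTPS is enabled, and maps each /etc/grafana/ certificate path back to the host directory that docker-compose.yaml mounts there. The function name check_grafana_https and the rule that the key must not be accessible to other users are assumptions of this example.

```python
import configparser
import stat
from pathlib import Path, PurePosixPath
from urllib.parse import urlparse

# Container-side mount target of ./services/grafana/ in docker-compose.yaml
CONTAINER_DIR = PurePosixPath("/etc/grafana")


def check_grafana_https(host_dir):
    """Return a list of problems found in <host_dir>/grafana.ini (empty = OK)."""
    host_dir = Path(host_dir)
    cfg = configparser.ConfigParser(interpolation=None)
    if not cfg.read(host_dir / "grafana.ini"):
        return [f"grafana.ini not found in {host_dir}"]
    if not cfg.has_section("server"):
        return ["grafana.ini has no [server] section"]
    server = cfg["server"]
    problems = []

    # Grafana serves plain HTTP unless protocol is set to https.
    if server.get("protocol", "http").strip().lower() != "https":
        problems.append("protocol is not https; Grafana will serve plain HTTP")

    for option in ("cert_file", "cert_key"):
        value = server.get(option, "").strip()
        if not value:
            problems.append(f"{option} is not set")
            continue
        try:
            # Paths in grafana.ini are container paths; translate to the host.
            rel = PurePosixPath(value).relative_to(CONTAINER_DIR)
        except ValueError:
            problems.append(f"{option} = {value} is outside {CONTAINER_DIR}; "
                            "the bind mount does not provide it")
            continue
        host_path = host_dir.joinpath(*rel.parts)
        if not host_path.is_file():
            problems.append(f"{option}: {host_path} does not exist on the host")
        elif option == "cert_key" and host_path.stat().st_mode & stat.S_IRWXO:
            # Example policy (assumption): no access for "other" users.
            problems.append(f"cert_key: {host_path} is accessible to other users")

    scheme = urlparse(server.get("root_url", "")).scheme
    if scheme and scheme != "https":
        problems.append("root_url does not use the https scheme")
    return problems
```

Run it from the AST installation directory as check_grafana_https("services/grafana"); an empty list means the settings and the mounted files line up.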
Restart AST and Access Grafana via HTTPS
Restart Docker Compose with the following commands:
$ sudo docker compose down
$ sudo docker compose up
That's it! Once restarted, the Grafana dashboard will be available over HTTPS. Browse to https://localhost:3000/ (be sure to include https://) to try it out.
If you used a self-signed certificate, your browser may display a warning message such as “This site is unsafe” or “This Connection Is Not Private.” This is expected behavior for self-signed certificates.
Now, all web traffic to your Grafana dashboard will be securely encrypted.