system-config/playbooks/roles/grafana/templates/grafana.vhost.j2

<VirtualHost *:80>
  ServerName {{ inventory_hostname }}
  ServerAlias grafana.opendev.org

  ServerAdmin webmaster@openstack.org

  ErrorLog ${APACHE_LOG_DIR}/grafana-error.log

  LogLevel warn

  CustomLog ${APACHE_LOG_DIR}/grafana-access.log combined

  Redirect / https://grafana.opendev.org/

</VirtualHost>

<VirtualHost *:443>
  ServerName {{ inventory_hostname }}
  ServerAlias grafana.opendev.org

  ServerAdmin webmaster@openstack.org

  AllowEncodedSlashes On

  ErrorLog ${APACHE_LOG_DIR}/grafana-ssl-error.log

  LogLevel warn

  CustomLog ${APACHE_LOG_DIR}/grafana-ssl-access.log combined

  SSLEngine on
  SSLProtocol All -SSLv2 -SSLv3
  # Note: this list should ensure ciphers that provide forward secrecy
  SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:!AES256:!aNULL:!eNULL:!MD5:!DSS:!PSK:!SRP
  SSLHonorCipherOrder on

  SSLCertificateFile /etc/letsencrypt-certs/{{ inventory_hostname }}/{{ inventory_hostname }}.cer
  SSLCertificateKeyFile /etc/letsencrypt-certs/{{ inventory_hostname }}/{{ inventory_hostname }}.key
  SSLCertificateChainFile /etc/letsencrypt-certs/{{ inventory_hostname }}/ca.cer

  # NOTE(ianw) 2021-02-19
  # This was for a security issue fixed in 7.4.2
  # where anonymous users could cause a write to disk, fixed
  # with
  #  https://github.com/grafana/grafana/pull/31263/
  # We leave it because we don't use the API, but if we need
  # it, we can remove this.
  RewriteEngine on
  RewriteRule "^/api/snapshots(.*?)$" "-" [F]

  # This is for the websocket endpoint /api/live/ws
  RewriteCond %{HTTP:Upgrade} websocket [NC]
  RewriteCond %{HTTP:Connection} upgrade [NC]
  RewriteRule ^/?(.*) "ws://localhost:3000/$1" [P,L]

  ProxyPass  / http://localhost:3000/ retry=0
  ProxyPassReverse / http://localhost:3000/

</VirtualHost>