Grafana security hardening: 6 phases, 15 fixes, every command shown. HAProxy TLS, Prometheus authentication, OpenBAO secrets management, container hardening, and the gotchas that will break your stack. Most Grafana deployments are one misconfiguration away from handing an attacker your entire infrastructure map. This is the full fix.

⚠️ EDUCATIONAL CONTENT: All testing performed against my own isolated homelab. Do not test against systems you don't own or aren't authorized to test.

In Part 2, I found 15 vulnerabilities in a Grafana/Prometheus monitoring stack — default credentials, unauthenticated Prometheus API, plaintext secrets, no TLS, no session timeouts, exposed exporters. In this video, I fix all of them. Six phases, every command shown, every gotcha documented.

What this covers:
→ HAProxy TLS termination with OpenBAO-issued certificates
→ Prometheus basic auth (the right way, with bcrypt)
→ OAuth secrets pulled from OpenBAO at runtime — never on disk
→ Grafana session timeouts and token rotation
→ Container hardening: cap_drop ALL, no-new-privileges, resource limits
→ Exporter lockdown: Node Exporter, cAdvisor, Blackbox — localhost only
→ Every fix mapped to NIST, CIS, SOC 2, and PCI-DSS controls

Full written playbook (every command, copy/paste ready):
https://oobskulden.com/2026/02/hardening-a-grafana-monitoring-stack-6-phases-15-fixes-and-the-gotchas-nobody-warns-you-about/

━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
CHAPTERS
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
00:00:00 Intro
00:00:21 Architecture
00:04:39 Fix-01: Default/weak credentials
00:12:18 Fix-02: Unencrypted HTTP traffic
00:22:13 Fix-02a: HAProxy Not Showing Ports After Config Change
00:23:14 Fix-02b: HAProxy Redirect Loop on HTTPS
00:24:44 Fix-02c: Unencrypted HTTP traffic (continued)
00:32:48 Fix-02d: Grafana SSO Broken After Enabling SSL/TLS (Authentik OIDC)
00:38:23 Fix-03: Unauthenticated Prometheus API
00:56:16 Fix-04: Container Hardening + Resource Limits
01:01:09 Fix-05: Exporter Lockdown
01:07:49 Fix-05a: Prometheus Scrape Failing After Enabling Authentication
01:12:10 Fix-06: OpenBAO Secrets
01:31:34 Fix-06a: Docker Container Stuck in Restart Loop
01:36:22 Outro

━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
TOOLS USED
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
Grafana — https://grafana.com
Prometheus — https://prometheus.io
HAProxy — https://www.haproxy.org
OpenBAO — https://openbao.org
Authentik — https://goauthentik.io
Docker — https://docker.com

━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
RELATED
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
Part 1 — I Broke Into My Own Grafana Stack (15 Vulnerabilities): [link Part 1 here]

━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
Published by Oob Skulden™
Security research and education — self-hosted, open source, and the attack surfaces nobody else covers.
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

#grafana #prometheus #homelab #selfhosted #cybersecurity #haproxy #docker #opensourcesecurity #devsecops #openbao