7 Powerful Steps to Install Grafana on Ubuntu

Introduction

In this article, I’m setting up Grafana on Ubuntu and wiring it behind Nginx with SSL.
Grafana is a visualization tool that focuses on dashboards, charts, and metrics. In practice, many people like it because dashboards are simply clearer and easier to read than what you often get in Kibana 🙂

This is the second article in my Elastic series. In the first one, I installed Elasticsearch and Kibana. Now I want something lighter and more dashboard-oriented to visualize data and logs without overthinking it.

Just to be clear: this is not a hardcore production setup. But for local testing, small apps, side projects, or personal log aggregation, it’s more than good enough 👍
I’m doing everything on the same Ubuntu server where Kibana is already running.

Installation

I start with the official Grafana repository. Nothing fancy here – just the recommended way so updates work normally.

First, I install required packages and add the Grafana APT repo:

sudo apt-get install -y apt-transport-https software-properties-common wget
sudo mkdir -p /etc/apt/keyrings/
wget -q -O - https://apt.grafana.com/gpg.key | gpg --dearmor | sudo tee /etc/apt/keyrings/grafana.gpg > /dev/null
echo "deb [signed-by=/etc/apt/keyrings/grafana.gpg] https://apt.grafana.com stable main" | sudo tee -a /etc/apt/sources.list.d/grafana.list
sudo apt-get update
sudo apt-get install grafana

sudo apt-get install -y apt-transport-https software-properties-common wget
sudo mkdir -p /etc/apt/keyrings/
wget -q -O - https://apt.grafana.com/gpg.key | gpg --dearmor | sudo tee /etc/apt/keyrings/grafana.gpg > /dev/null
echo "deb [signed-by=/etc/apt/keyrings/grafana.gpg] https://apt.grafana.com stable main" | sudo tee -a /etc/apt/sources.list.d/grafana.list
sudo apt-get update
sudo apt-get install grafana

After this step, Grafana is installed but not yet exposed or properly configured.

Configuration

Now I tweak the basic Grafana config.
I open the main config file:

nano /etc/grafana/grafana.ini

nano /etc/grafana/grafana.ini

Key things I change here:

• I move Grafana to another port (3030)
• I set the public URL
• I configure SMTP so Grafana can send emails (alerts, password reset, etc.)

Example configuration:

http_port = 3030
root_url = https://grafana.domain.com/

[smtp]
enabled = true
host = smtp.domain.pl:587
user = grafana@domain.com
password = """<PASS_HERE_IN_TRIPLE_QUOTES>"""
from_address = grafana@domain.com
from_name = Grafana

http_port = 3030
root_url = https://grafana.domain.com/

[smtp]
enabled = true
host = smtp.domain.pl:587
user = [email protected]
password = """<PASS_HERE_IN_TRIPLE_QUOTES>"""
from_address = [email protected]
from_name = Grafana

Triple quotes for the password are important if it contains special characters. This saves time later 😅

[Extra] Certbot Preparation

Before touching Nginx, I make sure Certbot is available.
On Ubuntu, Snap is the easiest way.

apt-get install snapd
sudo snap install --classic certbot
sudo ln -s /snap/bin/certbot /usr/bin/certbot

apt-get install snapd
sudo snap install --classic certbot
sudo ln -s /snap/bin/certbot /usr/bin/certbot

At this point, I don’t run Certbot yet. First, Nginx needs to be ready.

Installing Nginx

Grafana will run locally on port 3030, and Nginx will handle HTTPS and proxying.

sudo apt install nginx -y
sudo nano /etc/nginx/sites-available/grafana

sudo apt install nginx -y
sudo nano /etc/nginx/sites-available/grafana

My Nginx config looks like this:

# /etc/nginx/sites-available/grafana
server {
    listen 443 ssl http2;
    server_name grafana.domain.pl;

    # SSL certificate (self-signed for Cloudflare or temporary cert before Certbot)
    ssl_certificate /etc/ssl/certs/kibana-for-cloudflare.crt;
    ssl_certificate_key /etc/ssl/private/kibana-for-cloudflare.key;

    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers HIGH:!aNULL:!MD5;

    access_log /var/log/nginx/grafana-access.log;
    error_log  /var/log/nginx/grafana-error.log;

    location / {
        proxy_pass http://127.0.0.1:3030;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;

        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection 'upgrade';
        proxy_cache_bypass $http_upgrade;
    }
}

# /etc/nginx/sites-available/grafana
server {
    listen 443 ssl http2;
    server_name grafana.domain.pl;

    # SSL certificate (self-signed for Cloudflare or temporary cert before Certbot)
    ssl_certificate /etc/ssl/certs/kibana-for-cloudflare.crt;
    ssl_certificate_key /etc/ssl/private/kibana-for-cloudflare.key;

    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers HIGH:!aNULL:!MD5;

    access_log /var/log/nginx/grafana-access.log;
    error_log  /var/log/nginx/grafana-error.log;

    location / {
        proxy_pass http://127.0.0.1:3030;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;

        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection 'upgrade';
        proxy_cache_bypass $http_upgrade;
    }
}

Then I enable the site and check everything:

sudo ln -s /etc/nginx/sites-available/grafana /etc/nginx/sites-enabled/grafana
sudo nginx -t
sudo systemctl enable nginx
sudo systemctl start nginx

sudo ln -s /etc/nginx/sites-available/grafana /etc/nginx/sites-enabled/grafana
sudo nginx -t
sudo systemctl enable nginx
sudo systemctl start nginx

[Certbot] Final Step

Now that Nginx is running, I let Certbot do its job:

sudo certbot --nginx

sudo certbot --nginx

Certbot automatically replaces the temporary SSL config with a proper Let’s Encrypt certificate.
After this step, HTTPS is fully handled and auto-renewal is set up 🔐

Activating Grafana

Time to actually start Grafana.

sudo /bin/systemctl daemon-reload
sudo /bin/systemctl enable grafana-server
sudo /bin/systemctl start grafana-server

sudo /bin/systemctl daemon-reload
sudo /bin/systemctl enable grafana-server
sudo /bin/systemctl start grafana-server

At this point, Grafana should be reachable via your domain.

If You Use CrowdSec

Since I already use CrowdSec, I want it to watch Grafana traffic as well.

I edit the acquisition config:

nano /etc/crowdsec/acquis.yaml

nano /etc/crowdsec/acquis.yaml

And add:

filenames:
  - /var/log/nginx/grafana-access.log
  - /var/log/nginx/grafana-error.log

filenames:
  - /var/log/nginx/grafana-access.log
  - /var/log/nginx/grafana-error.log

Then restart CrowdSec:

systemctl restart crowdsec

systemctl restart crowdsec

Done. Grafana is now part of the security pipeline 🛡️

Finish

Finally, I open Grafana in the browser, log in with:

• login: admin
• password: admin

Grafana immediately asks me to change the password – which I do right away.

From here, dashboards, data sources, and alerts are just a few clicks away 📊

Summary

I installed Grafana on Ubuntu, put it behind Nginx with HTTPS, enabled email support, and integrated it with CrowdSec.
This setup is simple, clean, and perfect for small projects or personal infrastructure – exactly what I needed 👍

Buy coffee for:

15 zł (~5 USD) 40 zł (~10 USD) 80 zł (~20 USD)