Using https with the ami install

araker · October 24, 2018, 10:03am

Issue Summary

Hello, I’m using the latest redash ami instance. I’m using this guide to add https. I’ve changed the paths, but nothing happens. As in the http connection works, but the https connection doesn’t. I’m wondering if the documentation is up to date, since the nginx docker file doesn’t point to this configuration file.

So how can I use https for a self installed redash instance?

Technical details:

Redash Version: 5.0.2
Browser/OS:
How did you install Redash: ami for eu-central-1 ami-026f66c6ba3cedf99

araker · October 31, 2018, 3:54pm

This is what I did to get the https working. I would love to hear if there is a easier way.

What I’ve done is:

create a nginx docker file that copies my own config file
edit the env file
edited the docker-compose.yml

This is my directory structure of /opt/redash

cert (directory with certificates)
env
postgres-data
docker-compose.yml
nginx (the nginx docker file)
redash.conf (the nginx config file)

Contents of nginx docker file

FROM nginx:1.9.10
ADD redash.conf /etc/nginx/conf.d/default.conf
COPY ./cert/certificate.crt /etc/nginx/certificate.crt
COPY ./cert/certificate.key /etc/nginx/certificate.key

Changes in env file

REDASH_HOST=https://mysite.com
REDASH_COOKIE_SECRET=someRandomValue
REDASH_ENFORCE_HTTPS=true

Contents of redash.conf

upstream redash_servers {
  server 172.19.0.4:5000;
}

server {
  listen 80;

  # Allow accessing /ping without https. Useful when placing behind load balancer.
  location /ping {
    proxy_set_header Host $http_host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_pass       http://redash_servers;
  }

  location / {
    # Enforce SSL.
    return 301 https://$host$request_uri;
  }
}

server {
  listen 443 ssl;

  # Make sure to set paths to your certificate .pem and .key files.
  ssl on;
  ssl_certificate /etc/nginx/certificate.crt; # or crt
  ssl_certificate_key /etc/nginx/certificate.key;

  # Specifies that we don't want to use SSLv2 (insecure) or SSLv3 (exploitable)
  ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
  # Uses the server's ciphers rather than the client's
  ssl_prefer_server_ciphers on;
  # Specifies which ciphers are okay and which are not okay. List taken from https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html
  ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:ECDHE-RSA-AES128-GCM-SHA256:AES256+EECDH:DHE-RSA-AES128-GCM-SHA256:AES256+EDH:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4";

  access_log /var/log/nginx/redash.access.log;

  gzip on;
  gzip_types *;
  gzip_proxied any;

  location / {
    proxy_set_header Host $http_host;
    proxy_set_header X-Real-IP $remote_addr;
    #proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_pass       http://redash_servers;
    proxy_redirect   off;
  }
}

Changes in docker-compose.yml

 nginx:
    build:
      context: .
      dockerfile: nginx
    ports:
      - "80:80"
      - "443:443"
    depends_on:
      - server
    links:
      - server:redash
    restart: always

A few remarks, it looks like the redash server has a fixed ip, in case it doesn’t work use
“docker network inspect redash_default” to find out the actual ip address. Update the upstream section in redash.conf with the ip address.

To start this use docker-compose up -d --build

arikfr · October 31, 2018, 4:21pm

Thank you for sharing this!

Two notes:

I would use Docker Volumes to share the certificate with the nginx container, so it’s easier to update it.
You can use the hostname server or redash in the nginx config to avoid setting the IP.

arikfr · October 31, 2018, 4:33pm

I think we can produce new instructions for LetsEncrypt + Redash using this guide:

matt · October 31, 2018, 7:29pm

I noticed the same issues when following the guide. I’ve booted the us-west-2 AMI and cannot use HTTPS. Looking at the docker-compose.yml it obviously isn’t supported.

Just my +1 to update the AMIs and documentation!

nasmithan · November 27, 2018, 5:35am

Thank you araker and arikfr!

This worked perfectly for me. A+ solution (it worked on my first try, with server redash:5000; in redash.conf as per Arik’s suggestion)

arikfr · November 27, 2018, 12:10pm

Based on the link I shared last month, I created a guide specific to Redash:

gist.github.com

https://gist.github.com/arikfr/64c9ff8d2f2b703d4e44fe9e45a7730e

README.md

1. Make sure the domain you picked points at the IP of your Redash server.
2. Switch to the `root` user (`sudo su`).
3. Create a folder named `nginx` in `/opt/redash`.
4. Create in the nginx folder two additional folders: `certs` and `certs-data`.
5. Create the file `/opt/redash/nginx.conf` and place the following in it: (replace `example.redashapp.com` with your domain name)
   ```
   upstream redash {
       server redash:5000;
   }

This file has been truncated. show original

nginx.conf

upstream redash {
  server redash:5000;
}

server {
    listen      80;
    listen [::]:80;
    server_name example.redashapp.com;

    location ^~ /ping {

This file has been truncated. show original

I’m planning on adding this to the Knowledge Base once I have more feedback about it from other users.

▼Categories

▼Tags

Using https with the ami install

Issue Summary

Technical details: