Using https with the ami install


#1

Issue Summary

Hello, I’m using the latest redash ami instance. I’m using this guide to add https. I’ve changed the paths, but nothing happens. As in the http connection works, but the https connection doesn’t. I’m wondering if the documentation is up to date, since the nginx docker file doesn’t point to this configuration file.

So how can I use https for a self installed redash instance?

Technical details:

  • Redash Version: 5.0.2
  • Browser/OS:
  • How did you install Redash: ami for eu-central-1 ami-026f66c6ba3cedf99

#2

This is what I did to get the https working. I would love to hear if there is an easier way.

What I’ve done is:

  • create a nginx docker file that copies my own config file
  • edit the env file
  • edited the docker-compose.yml

This is my directory structure of /opt/redash

  • cert (directory with certificates)
  • env
  • postgres-data
  • docker-compose.yml
  • nginx (the nginx docker file)
  • redash.conf (the nginx config file)

Contents of nginx docker file

FROM nginx:1.9.10
ADD redash.conf /etc/nginx/conf.d/default.conf
COPY ./cert/certificate.crt /etc/nginx/certificate.crt
COPY ./cert/certificate.key /etc/nginx/certificate.key

Changes in env file

REDASH_HOST=https://mysite.com
REDASH_COOKIE_SECRET=someRandomValue
REDASH_ENFORCE_HTTPS=true

Contents of redash.conf

upstream redash_servers {
  server 172.19.0.4:5000;
}

server {
  listen 80;

  # Allow accessing /ping without https. Useful when placing behind load balancer.
  location /ping {
    proxy_set_header Host $http_host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_pass       http://redash_servers;
  }

  location / {
    # Enforce SSL.
    return 301 https://$host$request_uri;
  }
}

server {
  listen 443 ssl;

  # Make sure to set paths to your certificate .pem and .key files.
  ssl on;
  ssl_certificate /etc/nginx/certificate.crt; # or .pem
  ssl_certificate_key /etc/nginx/certificate.key;

  # Specifies that we don't want to use SSLv2 (insecure) or SSLv3 (exploitable)
  ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
  # Uses the server's ciphers rather than the client's
  ssl_prefer_server_ciphers on;
  # Specifies which ciphers are okay and which are not okay. List taken from https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html
  ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:ECDHE-RSA-AES128-GCM-SHA256:AES256+EECDH:DHE-RSA-AES128-GCM-SHA256:AES256+EDH:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4";

  access_log /var/log/nginx/redash.access.log;

  gzip on;
  gzip_types *;
  gzip_proxied any;

  location / {
    proxy_set_header Host $http_host;
    proxy_set_header X-Real-IP $remote_addr;
    #proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_pass       http://redash_servers;
    proxy_redirect   off;
  }
}

Changes in docker-compose.yml

  nginx:
    build:
      context: .
      dockerfile: nginx
    ports:
      - "80:80"
      - "443:443"
    depends_on:
      - server
    links:
      - server:redash
    restart: always

A few remarks: it looks like the redash server has a fixed IP. In case it doesn’t work, use “docker network inspect redash_default” to find out the actual IP address, then update the upstream section in redash.conf with that IP address.

To start this use docker-compose up -d --build


#3

Thank you for sharing this!

Two notes:

  1. I would use Docker Volumes to share the certificate with the nginx container, so it’s easier to update it.
  2. You can use the hostname server or redash in the nginx config to avoid setting the IP.
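
Both notes from post #3 applied to the nginx service from post #2, as an added example that is not from any poster or from the Redash project. It assumes the /opt/redash layout from post #2; the /etc/nginx/cert mount path is chosen here, and the matching redash.conf edits are shown as comments.

```yaml
  # Added example: nginx service for /opt/redash/docker-compose.yml.
  # Uses the stock image plus bind mounts, so no custom Dockerfile or
  # rebuild is needed when the config or certificate changes.
  nginx:
    image: nginx:1.9.10            # same tag as the Dockerfile in post #2
    ports:
      - "80:80"
      - "443:443"
    depends_on:
      - server
    links:
      - server:redash              # makes the hostname "redash" resolvable
    volumes:
      # Read-only mounts: the container cannot modify the config or the key.
      - ./redash.conf:/etc/nginx/conf.d/default.conf:ro
      # Mount the directory, not the individual files. A renewed certificate
      # is usually written as a new file, and a single-file bind mount would
      # keep pointing at the old one until the container is recreated.
      - ./cert:/etc/nginx/cert:ro
    restart: always

# Matching edits in redash.conf (nginx syntax, shown here as comments):
#
#   upstream redash_servers {
#     server redash:5000;          # hostname instead of 172.19.0.4
#   }
#
#   ssl_certificate     /etc/nginx/cert/certificate.crt;
#   ssl_certificate_key /etc/nginx/cert/certificate.key;
#
# On the host, keep the private key readable by its owner only:
#   chmod 600 /opt/redash/cert/certificate.key
#
# After replacing the certificate files, tell nginx to re-read them:
#   docker-compose exec nginx nginx -s reload
```

Because nginx resolves the upstream hostname once at startup, the `depends_on: server` entry matters: the server container has to exist on the compose network before nginx starts.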

#4

I think we can produce new instructions for LetsEncrypt + Redash using this guide:


#5

I noticed the same issues when following the guide. I’ve booted the us-west-2 AMI and cannot use HTTPS. Looking at the docker-compose.yml it obviously isn’t supported.

Just my +1 to update the AMIs and documentation!