Skip to content

Instantly share code, notes, and snippets.

@arikfr
Last active August 29, 2024 05:28
Show Gist options
  • Save arikfr/64c9ff8d2f2b703d4e44fe9e45a7730e to your computer and use it in GitHub Desktop.
Save arikfr/64c9ff8d2f2b703d4e44fe9e45a7730e to your computer and use it in GitHub Desktop.
Setting up HTTPS with LetsEncrypt for Redash Docker Deployment
  1. Make sure the domain you picked points at the IP of your Redash server.
  2. Switch to the root user (sudo su).
  3. Create a folder named nginx in /opt/redash.
  4. Create in the nginx folder two additional folders: certs and certs-data.
  5. Create the file /opt/redash/nginx/nginx.conf and place the following in it: (replace example.redashapp.com with your domain name)
    upstream redash {
        server redash:5000;
    }
    
    server {
        listen      80;
        listen [::]:80;
        server_name example.redashapp.com;
    
        location ^~ /ping {
            proxy_set_header Host $http_host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $http_x_forwarded_proto;
    
            proxy_pass       http://redash;
        }
    
        location / {
            rewrite ^ https://$host$request_uri? permanent;
        }
    
        location ^~ /.well-known {
            allow all;
            root  /data/letsencrypt/;
        }
    }
    
  6. Edit /opt/redash/docker-compose.yml and update the nginx service to look like the following:
    nginx:
     image: nginx:latest
     ports:
       - "80:80"
       - "443:443"
     depends_on:
       - server
     links:
       - server:redash
     volumes:
       - /opt/redash/nginx/nginx.conf:/etc/nginx/conf.d/default.conf
       - /opt/redash/nginx/certs:/etc/letsencrypt
       - /opt/redash/nginx/certs-data:/data/letsencrypt
     restart: always
    
  7. Update Docker Compose: docker-compose up -d.
  8. Generate certificates: (remember to change the domain name)
    docker run -it --rm \
       -v /opt/redash/nginx/certs:/etc/letsencrypt \
       -v /opt/redash/nginx/certs-data:/data/letsencrypt \
       deliverous/certbot \
       certonly \
       --webroot --webroot-path=/data/letsencrypt \
       -d example.redashapp.com
    
  9. Assuming the previous step was succesful, update the nginx config to include the SSL configuration:
    upstream redash {
        server redash:5000;
    }
    
    server {
        listen      80;
        listen [::]:80;
        server_name example.redashapp.com;
    
        location ^~ /ping {
            proxy_set_header Host $http_host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;
    
            proxy_pass       http://redash;
        }
    
        location / {
            rewrite ^ https://$host$request_uri? permanent;
        }
    
        location ^~ /.well-known {
            allow all;
            root  /data/letsencrypt/;
        }
    }
    
    server {
     listen      443           ssl http2;
     listen [::]:443           ssl http2;
     server_name               example.redashapp.com;
    
     add_header                Strict-Transport-Security "max-age=31536000" always;
    
     ssl_session_cache         shared:SSL:20m;
     ssl_session_timeout       10m;
    
     ssl_protocols             TLSv1 TLSv1.1 TLSv1.2;
     ssl_prefer_server_ciphers on;
     ssl_ciphers               "ECDH+AESGCM:ECDH+AES256:ECDH+AES128:!ADH:!AECDH:!MD5;";
    
     ssl_stapling              on;
     ssl_stapling_verify       on;
     resolver                  8.8.8.8 8.8.4.4;
    
     ssl_certificate           /etc/letsencrypt/live/example.redashapp.com/fullchain.pem;
     ssl_certificate_key       /etc/letsencrypt/live/example.redashapp.com/privkey.pem;
     ssl_trusted_certificate   /etc/letsencrypt/live/example.redashapp.com/chain.pem;
    
     access_log                /dev/stdout;
     error_log                 /dev/stderr info;
    
     # other configs
    
     location / {
         proxy_set_header Host $http_host;
         proxy_set_header X-Real-IP $remote_addr;
         proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
         proxy_set_header X-Forwarded-Proto $scheme;
    
         proxy_pass       http://redash;
     }
    }    
    
  10. Restart nginx: docker-compose restart nginx.
  11. All done, your Redash instance should be available via HTTPS now. 👏

To renew the certificate in the future, you can use the following command:

$ docker run -t --rm -v /opt/redash/nginx/certs:/etc/letsencrypt \ 
                     -v /opt/redash/nginx/certs-data:/data/letsencrypt \ 
                     deliverous/certbot renew --webroot --webroot-path=/data/letsencrypt

$ docker-compose kill -s HUP nginx
@justmobilize
Copy link

I might also recommend changing the 80 block to:

server {
    if ($host = example.redashapp.com) {
        return 301 https://$host$request_uri;
    }


    server_name example.redashapp.com;
    listen 80;
    return 404;
}

Certbot does this as well

@arikfr
Copy link
Author

arikfr commented Jan 20, 2019

Thanks! I updated the Gist to reflect your comment.

@SankarMittapally
Copy link

@arikfr It's not working properly with the latest version of Redash. after 7th step redash, the web page is not coming and 8th step keeps on failing.

@davidnetten
Copy link

davidnetten commented Apr 4, 2019

In step 8, I believe:
nginx: image: nginx:latest

should be:

nginx: image: redash/nginx:latest

@sidkongara
Copy link

this works, but my public links do not pick up https://example.redash.com by default, instead coming up as http://
what am i missing here?

@sanhardik
Copy link

Renew Command provided in the documentation didnt work.
docker run -t --rm -v certs:/etc/letsencrypt -v certs-data:/data/letsencrypt deliverous/certbot renew --webroot --webroot-path=/data/letsencrypt

I had to change it to
docker run -t --rm -v /opt/redash/nginx/certs:/etc/letsencrypt -v /opt/redash/nginx/certs-data:/data/letsencrypt deliverous/certbot renew --webroot --webroot-path=/data/letsencrypt

@GAV1N
Copy link

GAV1N commented Apr 23, 2019

Thank you @sanhardik, I was pulling my hair out until I saw your comment!

@kouya0219
Copy link

kouya0219 commented Jun 5, 2019

if you change MULTI_ORG=true, add proxy_set_header X-Forwarded-Proto $scheme; to line 61

I got a mixed content error with that

@chongeu
Copy link

chongeu commented Jun 11, 2019

Thank you @arikfr this is so useful!

@grimalschi
Copy link

@sanhardik thank you

@orangepeelbeef
Copy link

This doesn't seem to work with google oauth, the redirect_uri always comes back http:// not https://

@orangepeelbeef
Copy link

I found this issue: getredash/redash#4048 and used $scheme which appeared to have fixed the problem.

@arikfr
Copy link
Author

arikfr commented Feb 10, 2020

I updated the gist one more time based on your comments. Thanks!

@tk120404
Copy link

Looks like renewal command is invalid

@KangYoosam
Copy link

@tk120404
do you mean you can't run docker-compose kill -s HUP nginx command?
if so, you should move to directory where docker-compose.yml file exists(maybe /opt/redash?), and run the command.

@vikasprogrammer
Copy link

vikasprogrammer commented Jun 4, 2020

Looks like renewal command is invalid

use this docker run -t --rm -v /opt/redash/nginx/certs:/etc/letsencrypt -v /opt/redash/nginx/certs-data:/data/letsencrypt deliverous/certbot renew --webroot --webroot-path=/data/letsencrypt

Thanks to @sanhardik

@chintanp
Copy link

The renewal command currently, as is, worked for me. We just have to make sure that the server is accessible over port 80 and 443 from all IPs.

@sedhha
Copy link

sedhha commented Oct 16, 2020

The renewal command currently, as is, worked for me. We just have to make sure that the server is accessible over port 80 and 443 from all IPs.

I am facing this issue. Does anyone know what changes to make in GCP ? I am using :port but I wan to access it using .

@menendea
Copy link

menendea commented Jan 8, 2021

Hello,

After follow the steps I can't enter to redash anymore. The server reject que request from port 80 and 443. Can you help me please?

@sedhha
Copy link

sedhha commented Jan 8, 2021

Hello,

After follow the steps I can't enter to redash anymore. The server reject que request from port 80 and 443. Can you help me please?

Hmm did you try: domain:80? For example if your domain is www.google.com then try using www.google.com:80

@shahiddev
Copy link

shahiddev commented May 5, 2021

I had issues renewing recently, one of the culprits was the use of the deliverous/certbot image which is quite old, swapping in the official certbot image worked

Change

docker run -t --rm -v /opt/redash/nginx/certs:/etc/letsencrypt \ 
                     -v /opt/redash/nginx/certs-data:/data/letsencrypt \ 
                     deliverous/certbot renew --webroot --webroot-path=/data/letsencrypt

to

docker run -t --rm -v /opt/redash/nginx/certs:/etc/letsencrypt \ 
                     -v /opt/redash/nginx/certs-data:/data/letsencrypt \ 
                     certbot/certbot renew --webroot --webroot-path=/data/letsencrypt

@chanwinghoi
Copy link

My Redash instance is hosted with private IP, and not able to get through step 8 to get the certificates. Is there any way to work around that?

@a-romero
Copy link

a-romero commented Jan 7, 2022

Great call @shahiddev - that also helped generating the cert with letsencrypt in the first place as the deliverous image wasn't working correctly:

docker run -it --rm -v /opt/redash/nginx/certs:/etc/letsencrypt -v /opt/redash/nginx/certs-data:/data/letsencrypt certbot/certbot certonly --webroot --webroot-path=/data/letsencrypt -d redash.example.com

@bastisk
Copy link

bastisk commented Jan 27, 2022

With a new installation using the setup.sh script from here: https://github.com/getredash/setup, we had to change the following lines in the nginx configuration:

upstream redash {
    server redash:5000;
}

to

upstream redash {
    server server:5000;
}

I am not quite sure why that is, because normally the link property in the docker-compose.yml should make the "server" container available under alias "redash". However the nginx container always returned "502 - Bad Gateway" when using redash:5000. Using server:5000 works just as good, because by default all containers within the same network are reachable by service name without specifying a link.

Redash Version 8.0.0

@matangover
Copy link

I would suggest to add the following config, inside the last server directive:

  gzip on;
  gzip_types *;
  gzip_proxied any;

For us this dramatically improved dashboard loading times due to query results jsons now being sent compressed using gzip.
@arikfr

@kinshuksunil
Copy link

kinshuksunil commented Apr 25, 2023

I cannot seem to issue the certs.. constantly getting:
Failed authorization procedure. example.redashapp.com (http-01): urn:ietf:params:acme:error:connection :: The server could not connect to the client to verify the domain :: <public_ip>: Fetching http://example.redashapp.com/.well-known/acme-challenge/SATw8dD0OvZPoVhXa3PeXEuOr3gLP1o08H8hPXWgpI4: Connection refused

Of course, I replaced example.redashapp.com with my own subdomain information. It seems that the port is not getting forwarded to 5000. Help!

@fedeostrit
Copy link

hi everyone, is there a way to do this using the community helm chart that currently uses the redash image 10.0.0.b50363? There is some parameter to raise Nginx in this version since it is not enabled and it has a gunicorn in front of the flask and this causes that if you raise an AWS NLB in front of the solution as a balancer and the communication goes through Https until the NLB but then goes through http Redash forwards the communication by Http so the solution with Google Oauth does not work

@rohitchillar
Copy link

Worked like a charm..

@Hamma111
Copy link

Here is a cronjob command to run at the first of every month to automatically renew the SSL

0 0 1 * * docker run -t --rm -v /opt/redash/nginx/certs:/etc/letsencrypt -v /opt/redash/nginx/certs-data:/data/letsencrypt deliverous/certbot  renew  --webroot --webroot-path=/data/letsencrypt && docker-compose$

@ycytai
Copy link

ycytai commented Apr 26, 2024

It works. tks

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment