@arikfr arikfr/README.md
Last active Aug 30, 2019

Setting up HTTPS with LetsEncrypt for Redash Docker Deployment
  1. Make sure the domain you picked points at the IP of your Redash server.
  2. Switch to the root user (sudo su).
  3. Create a folder named nginx in /opt/redash.
  4. Create in the nginx folder two additional folders: certs and certs-data.
  5. Create the file /opt/redash/nginx/nginx.conf and place the following in it: (replace example.redashapp.com with your domain name)
    upstream redash {
        server redash:5000;
    }
    
    server {
        listen      80;
        listen [::]:80;
        server_name example.redashapp.com;
    
        location ^~ /ping {
            proxy_set_header Host $http_host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $http_x_forwarded_proto;
    
            proxy_pass       http://redash;
        }
    
        location / {
            rewrite ^ https://$host$request_uri? permanent;
        }
    
        location ^~ /.well-known {
            allow all;
            root  /data/letsencrypt/;
        }
    }
    
  6. Edit /opt/redash/docker-compose.yml and update the nginx service to look like the following:
    nginx:
     image: nginx:latest
     ports:
       - "80:80"
       - "443:443"
     depends_on:
       - server
     links:
       - server:redash
     volumes:
       - /opt/redash/nginx/nginx.conf:/etc/nginx/conf.d/default.conf
       - /opt/redash/nginx/certs:/etc/letsencrypt
       - /opt/redash/nginx/certs-data:/data/letsencrypt
     restart: always
    
  7. Apply the updated Docker Compose configuration: docker-compose up -d.
  8. Generate certificates: (remember to change the domain name)
    docker run -it --rm \
       -v /opt/redash/nginx/certs:/etc/letsencrypt \
       -v /opt/redash/nginx/certs-data:/data/letsencrypt \
       deliverous/certbot \
       certonly \
       --webroot --webroot-path=/data/letsencrypt \
       -d example.redashapp.com
    
  9. Assuming the previous step was successful, update the nginx config to include the SSL configuration:
    upstream redash {
        server redash:5000;
    }
    
    server {
        listen      80;
        listen [::]:80;
        server_name example.redashapp.com;
    
        location ^~ /ping {
            proxy_set_header Host $http_host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $http_x_forwarded_proto;
    
            proxy_pass       http://redash;
        }
    
        location / {
            rewrite ^ https://$host$request_uri? permanent;
        }
    
        location ^~ /.well-known {
            allow all;
            root  /data/letsencrypt/;
        }
    }
    
    server {
     listen      443           ssl http2;
     listen [::]:443           ssl http2;
     server_name               example.redashapp.com;
    
     add_header                Strict-Transport-Security "max-age=31536000" always;
    
     ssl_session_cache         shared:SSL:20m;
     ssl_session_timeout       10m;
    
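     # TLS 1.0 and 1.1 are deprecated (RFC 8996); offer only TLS 1.2 and 1.3.
     ssl_protocols             TLSv1.2 TLSv1.3;
     ssl_prefer_server_ciphers on;
     # No semicolon inside the quoted cipher string.
     ssl_ciphers               "ECDH+AESGCM:ECDH+AES256:ECDH+AES128:!ADH:!AECDH:!MD5";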
    
     ssl_stapling              on;
     ssl_stapling_verify       on;
     resolver                  8.8.8.8 8.8.4.4;
    
     ssl_certificate           /etc/letsencrypt/live/example.redashapp.com/fullchain.pem;
     ssl_certificate_key       /etc/letsencrypt/live/example.redashapp.com/privkey.pem;
     ssl_trusted_certificate   /etc/letsencrypt/live/example.redashapp.com/chain.pem;
    
     access_log                /dev/stdout;
     error_log                 /dev/stderr info;
    
     # other configs
    
     location / {
         proxy_set_header Host $http_host;
         proxy_set_header X-Real-IP $remote_addr;
         proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
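         # nginx terminates TLS here, so report the real scheme instead of
         # forwarding whatever X-Forwarded-Proto header the client sent.
         proxy_set_header X-Forwarded-Proto $scheme;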
    
         proxy_pass       http://redash;
     }
    }    
    
  10. Restart nginx: docker-compose restart nginx.
  11. All done, your Redash instance should be available via HTTPS now. 👏
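
A preflight check to run between steps 9 and 10, as an added example that is not part of the original gist: it reads the server_name of the 443 block, then confirms that every ssl_certificate* path sits under live/<server_name>/ and exists in the host directory mounted at /etc/letsencrypt. The function name preflight and its arguments are hypothetical; the default paths follow the layout used in the steps above.

```sh
#!/bin/sh
# Added example, not part of the gist: preflight check to run before step 10.
# preflight() is a hypothetical helper; the default paths are the gist's layout.
# Usage: sh preflight.sh /opt/redash/nginx/nginx.conf /opt/redash/nginx/certs

preflight() {
    conf=$1
    certs=${2:-/opt/redash/nginx/certs}   # host side of the /etc/letsencrypt volume
    problems=0

    # server_name of the TLS server block (first one after a "listen ...443" line)
    domain=$(awk '$1 == "listen" && $2 ~ /443;?$/ { tls = 1 }
                  tls && $1 == "server_name" { sub(/;$/, "", $2); print $2; exit }' "$conf")
    if [ -z "$domain" ]; then
        echo "no server_name found in a 443 server block"
        return 1
    fi
    if [ "$domain" = "example.redashapp.com" ]; then
        echo "server_name is still the placeholder example.redashapp.com"
        problems=$((problems + 1))
    fi

    # Each certificate path must sit in live/<server_name>/ and exist on the host.
    for entry in $(awk '$1 ~ /^ssl_(trusted_)?certificate(_key)?$/ { print $1 "=" $2 }' "$conf"); do
        directive=${entry%%=*}
        path=${entry#*=}
        path=${path%;}
        live_dir=$(basename "$(dirname "$path")")
        if [ "$live_dir" != "$domain" ]; then
            echo "$directive points at live/$live_dir but server_name is $domain"
            problems=$((problems + 1))
        fi
        host_path=$certs${path#/etc/letsencrypt}
        if [ ! -e "$host_path" ]; then
            echo "$directive: $host_path is missing on the host"
            problems=$((problems + 1))
        fi
    done

    [ "$problems" -eq 0 ]
}

# Run only when arguments are given, so the file can also be sourced.
if [ "$#" -gt 0 ]; then
    preflight "$@"
fi
```

The function prints one line per problem and returns non-zero if it found any, so it can gate the nginx restart in a deployment script.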

To renew the certificate in the future, you can use the following command:

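    # Mount the same host directories as in step 8; a bare name such as
    # "certs" would create a new, empty named Docker volume instead.
    $ docker run -t --rm \
           -v /opt/redash/nginx/certs:/etc/letsencrypt \
           -v /opt/redash/nginx/certs-data:/data/letsencrypt \
           deliverous/certbot \
           renew \
           --webroot --webroot-path=/data/letsencrypt
    $ docker-compose kill -s HUP nginx
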
@0latency

commented Dec 2, 2018

Worked for me for redash v5.0.2, thanks @arikfr
Small typo though: location of nginx.conf is different in instructions vs as mentioned in docker file.
/opt/redash/nginx.conf should be /opt/redash/nginx/nginx.conf

@itayo155

commented Dec 5, 2018

Worked for me as well.
One clarification (took me a while to fix): under the live certificates files (ssl_certificate, ssl_certificate_key, ssl_trusted_certificate), use the subdomain / server name, not the top domain. i.e. replace example.com with example.redashapp.com, not with redashapp.com.

@justmobilize

commented Jan 16, 2019

I might also recommend changing the 80 block to:

server {
    if ($host = example.redashapp.com) {
        return 301 https://$host$request_uri;
    }


    server_name example.redashapp.com;
    listen 80;
    return 404;
}

Certbot does this as well

@arikfr

commented Jan 20, 2019

Thanks! I updated the Gist to reflect your comment.

@SankarMittapally

commented Feb 5, 2019

@arikfr It's not working properly with the latest version of Redash. After the 7th step, the Redash web page is not coming up and the 8th step keeps on failing.

@davidnetten

commented Apr 4, 2019

In step 8, I believe:
nginx: image: nginx:latest

should be:

nginx: image: redash/nginx:latest

@sidkongara

commented Apr 6, 2019

This works, but my public links do not pick up https://example.redash.com by default, instead coming up as http://
What am I missing here?

@sanhardik

commented Apr 21, 2019

The renew command provided in the documentation didn't work.
docker run -t --rm -v certs:/etc/letsencrypt -v certs-data:/data/letsencrypt deliverous/certbot renew --webroot --webroot-path=/data/letsencrypt

I had to change it to
docker run -t --rm -v /opt/redash/nginx/certs:/etc/letsencrypt -v /opt/redash/nginx/certs-data:/data/letsencrypt deliverous/certbot renew --webroot --webroot-path=/data/letsencrypt

@GAV1N

commented Apr 23, 2019

Thank you @sanhardik, I was pulling my hair out until I saw your comment!

@kouya0219

commented Jun 5, 2019

If you change MULTI_ORG=true, add proxy_set_header X-Forwarded-Proto $scheme; to line 61

I got a mixed content error with that

@chongeu

commented Jun 11, 2019

Thank you @arikfr this is so useful!
