Skip to content

Instantly share code, notes, and snippets.

@hom3chuk

hom3chuk/README.md

Last active June 1, 2019 15:05
Show Gist options
  • Save hom3chuk/4a0a624c27a7ed05c20df62d449d979f to your computer and use it in GitHub Desktop.
Save hom3chuk/4a0a624c27a7ed05c20df62d449d979f to your computer and use it in GitHub Desktop.
Download ZIP
Self-hosted Redash TLS setup @ EC2
Raw
README.md

Fixed https://gist.github.com/arikfr/64c9ff8d2f2b703d4e44fe9e45a7730e

  1. Connect to your redash EC2 (use ubuntu as username, rather than root proposed by AWS):
ssh -i ~/Downloads/your-ec2-cert.pem [email protected]
  1. sudo su
  2. mkdir /opt/redash/nginx
  3. mkdir /opt/redash/nginx/certs
  4. mkdir /opt/redash/nginx/certs-data
  5. nano /opt/redash/nginx/nginx.conf, put this in there (replace your hostname):
upstream redash {
    server redash:5000;
}

server {
    listen      80;
    listen [::]:80;
    server_name example.redashapp.com;

    location ^~ /ping {
        proxy_set_header Host $http_host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $http_x_forwarded_proto;

        proxy_pass       http://redash;
    }

    location / {
        rewrite ^ https://$host$request_uri? permanent;
    }

    location ^~ /.well-known {
        allow all;
        root  /data/letsencrypt/;
    }
}
  1. nano /opt/redash/docker-compose.yml, edit nginx section to look like this (most lilely, you'll need to add port 443 and volumes):
nginx:
 image: nginx:latest
 ports:
   - "80:80"
   - "443:443"
 depends_on:
   - server
 links:
   - server:redash
 volumes:
   - /opt/redash/nginx/nginx.conf:/etc/nginx/conf.d/default.conf
   - /opt/redash/nginx/certs:/etc/letsencrypt
   - /opt/redash/nginx/certs-data:/data/letsencrypt
 restart: always
  1. cd /opt/redash/
  2. docker-compose up -d
  3. Generate certificates (put your domain instead of example.redashapp.com):
docker run -it --rm -v /opt/redash/nginx/certs:/etc/letsencrypt -v /opt/redash/nginx/certs-data:/data/letsencrypt deliverous/certbot certonly --webroot --webroot-path=/data/letsencrypt -d example.redashapp.com

You should see something like that, but with your domain name

Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/example.redashapp.com/fullchain.pem
  1. Time to change nginx config once again nano /opt/redash/nginx/nginx.conf, add this section (replace your hostname at server_name and three occurences in ssl_ options):
server {
 listen      443           ssl http2;
 listen [::]:443           ssl http2;
 server_name               example.redashapp.com;

 add_header                Strict-Transport-Security "max-age=31536000" always;

 ssl_session_cache         shared:SSL:20m;
 ssl_session_timeout       10m;

 ssl_protocols             TLSv1 TLSv1.1 TLSv1.2;
 ssl_prefer_server_ciphers on;
 ssl_ciphers               "ECDH+AESGCM:ECDH+AES256:ECDH+AES128:!ADH:!AECDH:!MD5;";

 ssl_stapling              on;
 ssl_stapling_verify       on;
 resolver                  8.8.8.8 8.8.4.4;

 ssl_certificate           /etc/letsencrypt/live/example.redashapp.com/fullchain.pem;
 ssl_certificate_key       /etc/letsencrypt/live/example.redashapp.com/privkey.pem;
 ssl_trusted_certificate   /etc/letsencrypt/live/example.redashapp.com/chain.pem;

 access_log                /dev/stdout;
 error_log                 /dev/stderr info;

 # other configs

 location / {
     proxy_set_header Host $http_host;
     proxy_set_header X-Real-IP $remote_addr;
     proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
     proxy_set_header X-Forwarded-Proto $http_x_forwarded_proto;

     proxy_pass       http://redash;
 }
}
  1. docker-compose restart nginx
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment