I’m testing out Metabase and trying to figure out how to secure it properly. The main Jetty port on localhost is fine, but I’m seeing a 2nd high-numbered port that is listening on 0.0.0.0. How do I prevent that from happening? Is there an MB_ environment variable to control this 2nd IP? What is the purpose of the 2nd LISTEN port?
1 Like
What’s the 2nd port number? It’s probably just the H2 DB server. Are you using H2 as the Metabase DB, or have you specially configured Metabase to use Postgres/MySQL?
It’s a different number every time it starts. 30000 - 45000 range so far. I’m connecting to a MySQL instance. This odd port isn’t used by anything I’m doing. I can just see it when I run netstat.
Edit: I’m using H2 for the question storage, but why would that start up on a random port?
Here’s an example of what I see in netstat:
Proto Recv-Q Send-Q Local Address Foreign Address State User Inode PID/Program name
tcp 0 0 0.0.0.0:35219 0.0.0.0:* LISTEN 493 89354652 30663/java
tcp 0 0 127.0.0.1:3000 0.0.0.0:* LISTEN 493 89354633 30663/java
493 is the UID of the user running metabase.
We’re running H2 in auto-server mode which means the first process to connect to the H2 DB spins up a local server. Otherwise H2 explodes in a fit of rage if a second process tries to access the same DB file
I can’t have this thing running on a random public port. Any way to force it to bind localhost instead?
The H2 server process enforces authentication so only processes with access to the secret key, stored in a file in the same dir as the H2 DB file, can connect. You can specify which port H2 should use by including AUTO_SERVER_PORT in the H2 connection string. e.g. start Metabase with MB_DB_FILE=/path/to/metabase.db;AUTO_SERVER_PORT=40000 and then block that port in your firewall (or better yet, whitelist only the ports you want).
For production instances it’s probably better to use MySQL or Postgres as your backing DB anyway.
At any rate less open ports are still better so we’ll probably change this behavior in the future, but you can take the above steps in the meantime if you want.
OK. So there’s no AUTO_SERVER_HOST variable I can set to 127.0.0.1 or “localhost”?
Unfortunately it doesn’t look like there is 
OK. Not having read all the available docs, I apologize if this is already listed somewhere… Is there a way to migrate the H2 data we already have stored to MySQL?
Yup we have a guide available here http://www.metabase.com/docs/latest/operations-guide/start.html#migrating-from-using-the-h2-database-to-mysql-or-postgres
Excellent. Thanks for the assistance!
We found a small edge case with that process so if you run into any issues with foreign key constraints the fix will ship as part of our upcoming 0.18 release within the next week. But hopefully it will work as-is now 
I’ll watch out for that. Thanks.