MySQL SSL connection

Hello, I have a similar problem but I am running metabase with java -jar command and when logging in from the browser side, I can't find any option to allow public key retrival. When I paste the certificate key in the SSL box, it says it's incorrect.

Hi @islamthecurecom
There's a field called "Additional JDBC connection string options", which allows you to input parameters.
https://www.metabase.com/docs/latest/administration-guide/01-managing-databases.html#additional-jdbc-connection-string-options

Oh thank you soo much it finally worked out but yet I have another problem now. When I try embed the dashboard into my website, it's giving this error

Mixed Content: The page at 'https://tglsystem.com/vehicle_datebase_report' was loaded over HTTPS, but requested an insecure frame 'http://tglsystem.com:3000/public/dashboard/b97619fb-7074-4263-89d4-0857dd558ac6'. This request has been blocked; the content must be served over HTTPS.

When I change the embed link to https then it gives this error:

The connection for this site is not secure

tglsystem.com sent an invalid response.

If you could help out with this that will be superb insha'Allah!! Is this because I connected to the database without SSL? If so the problem is when I paste my SSL keys in to the box, it doesn't work.

Best,
Abdul

@islamthecurecom Read the error again: This request has been blocked; the content must be served over HTTPS
Browsers does not allow mixed content anymore.

Ok so I researched on how to serve metabase through HTTPS since HTTP will not be served over HTTPS. I came across this website Customizing Jetty Webserver (metabase.com) and configured like that. These are my configuration:
[Customizing Jetty Webserver (metabase.com)](https://www.metabase.com/docs/latest/operations-guide/customizing-jetty-webservexport MB_JETTY_SSL="true"

export MB_JETTY_SSL_PORT="8443"
export MB_JETTY_SSL_KEYSTORE="keystore.jks" # replace these values with your own
export MB_JETTY_SSL_KEYSTORE_PASSWORD="my password"
java -jar metabase.jarer.html)

Also when I generated a new keystore, this was the command:

keytool -genkeypair \
        -alias domain \
        -keyalg RSA \
        -keystore keystore.jks

But now when I go to Metabase tglsystem. com:8443/browse, it "Your connection to this site is not secure" at the top of the link. I am a newbie so if you could help me with how buy the ssl for it what steps do I take to fully serve it over HTTPS, that will be much appreciated!

@islamthecurecom It works fine, https://tglsystem.com:8443 - but it's a self-signed certificate.
Use a reverse-proxy, where you can easily integrate something like LetsEncrypt or use a service like Cloudflare.
Try searching the internet, it's not specific to Metabase:
https://www.digitalocean.com/community/tutorials/how-to-secure-nginx-with-let-s-encrypt-on-ubuntu-20-04

Hello mate, thank you so much for the link. I followed through and also surfed around many videos and tutorials for the last 2 days and so forth. I managed to download nginx and set up a reverse proxy for port 3000 with the following configurations
# For more information on configuration, see:

* Official English Documentation: http://nginx.org/en/docs/

* Official Russian Documentation: http://nginx.org/ru/docs/

user nginx;
worker_processes auto;
error_log /var/log/nginx/error.log;
pid /run/nginx.pid;

Load dynamic modules. See /usr/share/doc/nginx/README.dynamic.

include /usr/share/nginx/modules/*.conf;
events {
worker_connections 1024;
}

http {
log_format main '$remote_addr - $remote_user [$time_local] "$request" '
'$status $body_bytes_sent "$http_referer" '
'"$http_user_agent" "$http_x_forwarded_for"';

access_log  /var/log/nginx/access.log  main;

sendfile            on;
tcp_nopush          on;
tcp_nodelay         on;
keepalive_timeout   65;
types_hash_max_size 4096;

include             /etc/nginx/mime.types;
default_type        application/octet-stream;

# Load modular configuration files from the /etc/nginx/conf.d directory.
# See http://nginx.org/en/docs/ngx_core_module.html#include    

#include /etc/nginx/conf.d/*.conf;

server {
    server_name  tglsystem.com www.tglsystem.com;
  #  root         ;
    ssl_dhparam /etc/ssl/certs/dhparam.pem;
    # Load configuration files for the default server block.
    #include /etc/nginx/default.d/*.conf;


    location = / {
            proxy_pass http://127.0.0.1:3000;
    }
 listen [::]:443 ssl ipv6only=on; # managed by Certbot
listen 443 ssl; # managed by Certbot
ssl_certificate /etc/letsencrypt/live/tglsystem.com/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/tglsystem.com/privkey.pem; # managed by Certbot
include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot

}

Settings for a TLS enabled server.

server {

listen 443 ssl http2;

listen [::]:443 ssl http2;

server_name _;

#root /usr/share/nginx/html;

ssl_certificate "/etc/pki/nginx/server.crt";

ssl_certificate_key "/etc/pki/nginx/private/server.key";

ssl_session_cache shared:SSL:1m;

ssl_session_timeout 10m;

ssl_ciphers HIGH:!aNULL:!MD5;

ssl_prefer_server_ciphers on;

# Load configuration files for the default server block.

include /etc/nginx/default.d/*.conf;

error_page 404 /404.html;

location = /40x.html {

}

error_page 500 502 503 504 /50x.html;

location = /50x.html {

}

}

server {
if ($host = tglsystem.com) {
    return 301 https://$host$request_uri;
} # managed by Certbot


    listen       80;
    listen       [::]:80;
    server_name  tglsystem.com www.tglsystem.com;
return 404; # managed by Certbot

}}
but still when I go to port 3000, it shows this:


If you could help out with this, it will be really great!

@islamthecurecom If you're not familiar with webservers, then I would recommend that you just use a service like Cloudflare. Running servers requires constant maintenance and understanding how they work. Otherwise consider using Metabase Cloud https://www.metabase.com/pricing/

The entire point is to remove the port 3000, so you just access https://tglsystem.com/, which I can see is working fine with certificate, but the reverse-proxing to Metabase is not correct.

Try changing this:

    location = / {
            proxy_pass http://127.0.0.1:3000;
    }

To this:

location = / {
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header x-forwarded-proto https;
    proxy_set_header x-forwarded-protocol https;
    proxy_set_header x-url-scheme https;
    proxy_set_header x-forwarded-ssl on;
    proxy_set_header front-end-https on;
    proxy_http_version 1.1;
    proxy_pass http://127.0.0.1:3000/;
}

I have taken a course in Linux and Cloudflare seems like it's the easy option, but the only thing is that I want to learn how to do it custom wise and once I find way, it will be easier insha'Allah. The only thing with securing port 3000 is that there is very little information online on it and it's frustrating.

I tried what you send over and replaced but still it doesn't work, now I changed the proxy pass to port 8443 to see if it works but even that shows as Not Secure but still runs through HTTPS. I'm sorry I took your time mate but I will try to get to the bottom of this insha'Allah, any resource you think might be hindering the application, it will be really appreicated if you share it with me!

@islamthecurecom
A course in Linux is like saying you have a course in Windows and then want to run a Windows Server. It's wildly different things.

You are doing too many things that the same time. Using a reverse-proxy is not specific to Metabase, so try searching the internet, there are many articles about it, since it's a complicated area by itself.

First you need to setup Nginx so it works for your domain, then you add certificates and validate https is working. And only then you try to reverse-proxy.
You should not use any certificates on Metabase, meaning no environment variables. Nginx will handle the secure connection between the browser and Nginx, and the reverse-proxy between Nginx and Metabase is done internally so doesn't need to be secured.