Nginx reverse proxy woes

I tried your config; it fails the same way. Metabase-specific assets are 404. To address some of your specific points:

I spent a long time in Support. I get it, all users lie - whether intentionally or by not understanding or forgetting something important. I'm trying to be as thorough as I can, but I can't promise I'm finding everything relevant. Hence, I've provided a full terminal session below, with netstat and firewall output. Please tell me if something seems amiss or forgotten.

Why wouldn't it be directly accessible? Isn't the reverse-proxy basically just playing the middle man between the client browser and the Jetty server? What would nginx serve up if MB wasn't available on port 3000? I opened the port on purpose for testing and will close it when I'm done testing, but as long as the port is open this is exactly the expected behavior, isn't it?

My first configuration used a subpath. That failed. I took out the subpath. That failed too, in the exact same way. The new config you just gave me also fails in the exact same way. No matter what I put in proxy_pass or MB_SITE_URL, my client cannot resolve some of the /app/* assets. I did not forget to restart the service. See the terminal session below. Does that clear up the confusion?

I'm going to do that, but please understand my point of view: this is a brand new install of Ubuntu 18.04 (arguably the most well supported Linux OS), with a brand new download of MB 0.37.7 with nginx v1.14 (a fairly popular piece of software in its space) with the second-most basic of "reverse-proxy" configs, and Metabase doesn't work. Other software does.

The last time, I tried to deploy Metabase managing the certificates itself. It became a brittle, hacky mess of manually creating keystores and importing keys, not to mention it had a bug where the SSO didn't work quite right & I still have to manually create an account for anyone that wants to log in. At the time you told me to "make my life easier" by setting it up behind a reverse proxy.

I'm trying to follow your advice, but it's still problematic, and despite the previous known bugs that did the exact same thing and customers who let you know that they'd "noticed a few issues like the lack of proxy awareness for site.manifest", you're telling me to go somewhere else for help.

We're going to be spending money on a BI solution sometime in the next year or so. I really want to like Metabase, but these experiences are not making my life easier, and definitely not helping me make an argument that Metabase would be a better choice than the other popular BI tool that people are championing.

Here's the terminal from the session I just ran; you can see if I restarted the services or forgot any other step. I'm going to go elsewhere in search of a magic incantation to get this to work, starting with that guy from issue #12722. I'm hoping that googling "proxy aware site.manifest" will yield some clues. That seems promising.

root@my-dev:/etc/nginx/sites-enabled# ufw status
Status: active

To                         Action      From
--                         ------      ----
127.0.0.1 80/tcp           ALLOW       127.0.0.1                 
443                        ALLOW       Anywhere                  
22                         ALLOW       Anywhere                  
127.0.0.1                  ALLOW       127.0.0.1                 
Nginx Full                 ALLOW       Anywhere                  
4180                       ALLOW       Anywhere                  
3000                       ALLOW       Anywhere                  
443 (v6)                   ALLOW       Anywhere (v6)             
22 (v6)                    ALLOW       Anywhere (v6)             
Nginx Full (v6)            ALLOW       Anywhere (v6)             
4180 (v6)                  ALLOW       Anywhere (v6)             
3000 (v6)                  ALLOW       Anywhere (v6)
root@my-dev:/etc/nginx/sites-enabled# 
root@my-dev:/etc/nginx/sites-enabled# 
root@my-dev:/etc/nginx/sites-enabled# 
root@my-dev:/etc/nginx/sites-enabled# 
root@my-dev:/etc/nginx/sites-enabled# netstat -antp
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name    
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      6049/nginx: master  
tcp        0      0 127.0.0.1:4180          0.0.0.0:*               LISTEN      894/oauth2-proxy    
tcp        0      0 127.0.0.53:53           0.0.0.0:*               LISTEN      819/systemd-resolve 
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      996/sshd            
tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN      6049/nginx: master  
tcp        0    356 192.168.0.18:22         192.168.0.8:63770       ESTABLISHED 2386/sshd: fritz [p 
tcp        0      0 192.168.0.18:22         192.168.0.8:49580       ESTABLISHED 3835/sshd: fritz [p 
tcp        0      0 192.168.0.18:22         192.168.0.8:63605       ESTABLISHED 1580/sshd: fritz [p 
tcp6       0      0 :::33060                :::*                    LISTEN      1118/mysqld         
tcp6       0      0 :::3306                 :::*                    LISTEN      1118/mysqld         
tcp6       0      0 :::80                   :::*                    LISTEN      6049/nginx: master  
tcp6       0      0 :::22                   :::*                    LISTEN      996/sshd            
tcp6       0      0 :::3000                 :::*                    LISTEN      6009/java           
tcp6       0      0 :::443                  :::*                    LISTEN      6049/nginx: master  
tcp6       0      0 127.0.0.1:3306          127.0.0.1:58000         ESTABLISHED 1118/mysqld         
tcp6       0      0 127.0.0.1:58004         127.0.0.1:3306          ESTABLISHED 6009/java           
tcp6       0      0 127.0.0.1:58002         127.0.0.1:3306          ESTABLISHED 6009/java           
tcp6       0      0 127.0.0.1:3306          127.0.0.1:58002         ESTABLISHED 1118/mysqld         
tcp6       0      0 127.0.0.1:3306          127.0.0.1:58004         ESTABLISHED 1118/mysqld         
tcp6       0      0 127.0.0.1:58000         127.0.0.1:3306          ESTABLISHED 6009/java           
tcp6       0      0 127.0.0.1:3306          127.0.0.1:57998         ESTABLISHED 1118/mysqld         
tcp6       0      0 127.0.0.1:57998         127.0.0.1:3306          ESTABLISHED 6009/java           
root@my-dev:/etc/nginx/sites-enabled# 
root@my-dev:/etc/nginx/sites-enabled# 
root@my-dev:/etc/nginx/sites-enabled# 
root@my-dev:/etc/nginx/sites-enabled# 
root@my-dev:/etc/nginx/sites-enabled# pwd
/etc/nginx/sites-enabled
root@my-dev:/etc/nginx/sites-enabled# 
root@my-dev:/etc/nginx/sites-enabled# 
root@my-dev:/etc/nginx/sites-enabled# 
root@my-dev:/etc/nginx/sites-enabled# 
root@my-dev:/etc/nginx/sites-enabled# cat /etc/hosts
127.0.0.1 localhost
127.0.1.1 my-dev my.server.com

# The following lines are desirable for IPv6 capable hosts
::1     ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
root@my-dev:/etc/nginx/sites-enabled# 
root@my-dev:/etc/nginx/sites-enabled# 
root@my-dev:/etc/nginx/sites-enabled# 
root@my-dev:/etc/nginx/sites-enabled# 
root@my-dev:/etc/nginx/sites-enabled# cat default
server {
  server_name  my.server.com;
  listen 80;
  listen [::]:80;
  return 301 https://$server_name$request_uri;
}

server {
  server_name  my.server.com;

  listen 443 ssl http2;
  listen [::]:443 ssl http2;
  include snippets/self-signed.conf;
  include snippets/ssl-params.conf;
  include snippets/general.conf;

  location / {
    proxy_pass http://127.0.0.1:3000/;
  }
}
root@my-dev:/etc/nginx/sites-enabled#
root@my-dev:/etc/nginx/sites-enabled#
root@my-dev:/etc/nginx/sites-enabled#
root@my-dev:/etc/nginx/sites-enabled# nginx -t
nginx: [warn] "ssl_stapling" ignored, issuer certificate not found for certificate "/etc/ssl/certs/nginx-selfsigned.crt"
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok 
nginx: configuration file /etc/nginx/nginx.conf test is successful

root@my-dev:/etc/nginx/sites-enabled# systemctl restart metabase
root@my-dev:/etc/nginx/sites-enabled# systemctl restart nginx
root@my-dev:/etc/nginx/sites-enabled# 
root@my-dev:/etc/nginx/sites-enabled# 
root@my-dev:/etc/nginx/sites-enabled# 
root@my-dev:/etc/nginx/sites-enabled# systemctl status metabase
● metabase.service - Metabase server
   Loaded: loaded (/etc/systemd/system/metabase.service; enabled; vendor preset: enabled)
   Active: active (running) since Wed 2021-01-27 22:09:57 UTC; 1min 32s ago
 Main PID: 6009 (java)
    Tasks: 52 (limit: 4915)
   CGroup: /system.slice/metabase.service
           └─6009 /usr/bin/java -jar /opt/metabase/metabase.jar

Jan 27 22:10:28 my-dev:metabase[6009]: 2021-01-27 22:10:28,348 INFO metabase.task :: Initializing task SendAnonymousUsageStats 📆
Jan 27 22:10:28 my-dev:metabase[6009]: 2021-01-27 22:10:28,388 INFO metabase.task :: Initializing task SendAbandomentEmails 📆
Jan 27 22:10:28 my-dev:metabase[6009]: 2021-01-27 22:10:28,427 INFO metabase.task :: Initializing task SendPulses 📆
Jan 27 22:10:28 my-dev:metabase[6009]: 2021-01-27 22:10:28,484 INFO metabase.task :: Initializing task SendFollowUpEmails 📆
Jan 27 22:10:28 my-dev:metabase[6009]: 2021-01-27 22:10:28,532 INFO metabase.task :: Initializing task TaskHistoryCleanup 📆
Jan 27 22:10:28 my-dev:metabase[6009]: 2021-01-27 22:10:28,589 INFO metabase.core :: Looks like this is a new installation ... pr
Jan 27 22:10:28 my-dev:metabase[6009]: 2021-01-27 22:10:28,601 INFO metabase.core :: Please use the following URL to setup your M
Jan 27 22:10:28 my-dev:metabase[6009]: http://localhost:3000/setup/
Jan 27 22:10:28 my-dev:metabase[6009]: 
Jan 27 22:10:28 my-dev:metabase[6009]: 2021-01-27 22:10:28,623 INFO metabase.core :: Metabase Initialization COMPLETE
root@my-dev:/etc/nginx/sites-enabled# 
root@my-dev:/etc/nginx/sites-enabled# 
root@my-dev:/etc/nginx/sites-enabled# 
root@my-dev:/etc/nginx/sites-enabled# systemctl status nginx
● nginx.service - A high performance web server and a reverse proxy server
   Loaded: loaded (/lib/systemd/system/nginx.service; enabled; vendor preset: enabled)
   Active: active (running) since Wed 2021-01-27 22:10:03 UTC; 1min 57s ago
     Docs: man:nginx(8)
  Process: 6035 ExecStop=/sbin/start-stop-daemon --quiet --stop --retry QUIT/5 --pidfile /run/nginx.pid (code=exited, status=0/SUCCESS)
  Process: 6047 ExecStart=/usr/sbin/nginx -g daemon on; master_process on; (code=exited, status=0/SUCCESS)
  Process: 6036 ExecStartPre=/usr/sbin/nginx -t -q -g daemon on; master_process on; (code=exited, status=0/SUCCESS)
 Main PID: 6049 (nginx)
    Tasks: 2 (limit: 4915)
   CGroup: /system.slice/nginx.service
           ├─6049 nginx: master process /usr/sbin/nginx -g daemon on; master_process on;
           └─6054 nginx: worker process

Jan 27 22:10:03 my-dev:systemd[1]: Stopped A high performance web server and a reverse proxy server.
Jan 27 22:10:03 my-dev:systemd[1]: Starting A high performance web server and a reverse proxy server...
Jan 27 22:10:03 my-dev:nginx[6036]: nginx: [warn] "ssl_stapling" ignored, issuer certificate not found for certificate "/etc/ssl/
Jan 27 22:10:03 my-dev:nginx[6047]: nginx: [warn] "ssl_stapling" ignored, issuer certificate not found for certificate "/etc/ssl/
Jan 27 22:10:03 my-dev:systemd[1]: nginx.service: Failed to parse PID from file /run/nginx.pid: Invalid argument
Jan 27 22:10:03 my-dev:systemd[1]: Started A high performance web server and a reverse proxy server.
lines 1-19/19 (END)
root@my-dev:/etc/nginx/sites-enabled# 
root@my-dev:/etc/nginx/sites-enabled# 
root@my-dev:/etc/nginx/sites-enabled#
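
The session above shows Metabase's Jetty listening on `:::3000` while ufw allows 3000 from anywhere, so clients can reach it without going through nginx. The following is an added example, not part of the original post: it cross-checks `netstat` listeners against `ufw status` rules to surface that kind of exposure. The set of intended public ports (22, 80, 443), the finding labels and the trimmed sample input are assumptions made for illustration.

```python
import re
# Constructed sample input: excerpts of the `netstat -antp` and `ufw status` output in the post.
NETSTAT = """\
tcp   0 0 0.0.0.0:80      0.0.0.0:*       LISTEN      6049/nginx: master
tcp   0 0 127.0.0.1:4180  0.0.0.0:*       LISTEN      894/oauth2-proxy
tcp6  0 0 :::3306         :::*            LISTEN      1118/mysqld
tcp6  0 0 :::3000         :::*            LISTEN      6009/java
tcp6  0 0 127.0.0.1:58004 127.0.0.1:3306  ESTABLISHED 6009/java
"""
UFW = """\
127.0.0.1 80/tcp           ALLOW       127.0.0.1
Nginx Full                 ALLOW       Anywhere
4180                       ALLOW       Anywhere
3000                       ALLOW       Anywhere
3000 (v6)                  ALLOW       Anywhere (v6)
"""
APP_PROFILES = {"Nginx Full": {80, 443}}  # ports opened by ufw's stock nginx profile

def listeners(netstat):
    """Map port -> (bind address, program) for TCP sockets in LISTEN state."""
    out = {}
    for f in map(str.split, netstat.splitlines()):
        if len(f) >= 7 and f[0].startswith("tcp") and f[5] == "LISTEN":
            host, port = f[3].rsplit(":", 1)   # ":::3000" -> ("::", "3000")
            out[int(port)] = (host, f[6].partition("/")[2].rstrip(":") or "?")
    return out

def allowed_from_anywhere(ufw):
    """Ports ufw allows from any source: numeric rules plus known app profiles."""
    ports = set()
    for m in re.finditer(r"^(.+?)(?: \(v6\))?[ \t]+ALLOW[ \t]+Anywhere", ufw, re.M):
        target = m.group(1).strip()
        if re.fullmatch(r"\d+(/tcp)?", target):
            ports.add(int(target.split("/")[0]))
        ports |= APP_PROFILES.get(target, set())
    return ports

def audit(netstat, ufw, public=frozenset({22, 80, 443})):
    """Classify every port outside the intended public set (an assumption)."""
    listen, allowed = listeners(netstat), allowed_from_anywhere(ufw)
    findings = {}
    for port in sorted((set(listen) | allowed) - public):
        host, prog = listen.get(port, ("", "none"))
        non_loopback = bool(host) and not (host.startswith("127.") or host == "::1")
        if non_loopback:  # "::" also accepts IPv4 when net.ipv6.bindv6only=0 (Linux default)
            findings[port] = (prog, "exposed" if port in allowed else "firewall-only")
        elif port in allowed:
            findings[port] = (prog, "rule-not-needed")
    return findings
```

Calling `audit(NETSTAT, UFW)` reports port 3000 as exposed, 3306 as shielded only by the firewall, and the 4180 rule as unnecessary because oauth2-proxy binds to loopback.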