Securing Metabase

Hi,

I am running MB off the Jar file.

This may be a little off topic. Besides HTTPS, what’s the recommended way to run MB in a public network? Would something like a proxy be possible?

TIA,

James.

We typically run it behind an ELB on Amazon’s web service and lock down all ports. Make sure the application database (and data warehouse) aren’t accessible from the broader internet.

How paranoid are you looking to get?

Thanks. I will take that into account.

@sameer can you elaborate a little on how that works? Is the application no longer exposed?

@AdamFinley depends on your definition of “exposed”.

For the embedded database (H2) we use a second process listening on another port for the DB. We chose this instead of an in-process H2 setup to allow for better stability and not tying the persistence of the application database to any potential bugs in our own code base.

A consequence of this is that there is a process listening on that higher port. H2 uses an authentication mechanism, so it’s not exposing your application data.

All that said, it is another place to attack, and probably not the most secure setup. In general, we don’t view the embedded database as the best choice for truly hardened, production installations.

Practically, your network/firewall/aws security group should close off everything but port 80 on Metabase instances, and if you’re trying to further lock things down, we recommend using MySQL or PostgreSQL as the application database.

That make sense?