Session Request always 401 behind AWS Load Balancer with TLS

thomas545 · May 4, 2025, 6:46am

Describe the bug

Since I am not sure if its a bug or a missconfiguration, i also posted to github: Session Request always 401 behind AWS Load Balancer with TLS · Issue #57572 · metabase/metabase · GitHub

We are deploying metabase to Aws ECS with Terraform.
We use the official Image with the latest version 0.54.x

And add our custom Start Script which starts the app /app/run_metabase.sh & and also sets up the Admin User via a http call.
Everything here works fine.
With Env Vars we set the Database to an Aws Rds Postgres Database, that also works.
The runnning ECS Task registers itself to the target group and the target Group is referenced by our Application Load Balancer. The ALB has a certificate and secures the request. The target group is working with http and redirects traffic to our running task.
The ALB handles TLS termination, while the target group uses plain HTTP.

That all works fine.

We also have setup the ENV MB_SITE_URL to our https://xyz.com Url.

If we now open the url, we see the metabase login page.
But when we are trying to login with the setup user, we alway get a 401 Response from the session Call:

https://xyz.com/api/session
Request Method:
POST
Status Code:
401 Unauthorized

We checked multiple times that the password and everything is correct and since we can see that the ui is being served, so the general connection seems to be fine.
Also if we clear the database and skip our http call to setup and try to do it with /setup over the gui this always fails when trying to insert a password, because of the the same 401 call.

So I don't know if we are missing something important, but since the general Connections seems to be working
but the session call fails with 401 before we are even logged in or in the other case have created a user, we don't really know what to do anymore.

To Reproduce

Deploy the http version of metabase to AWS ECS Fargate.
Then register the task to a target group that is being used by a loadbalancer that is secured with a cert.
Then try the setup in the gui.

Expected behavior

We expect to be able to login, since we created a user via http call in our setup script - and/or to create a user via /setup gui.

Logs

No response

Information about your Metabase installation

Since we can't login, we can't paste it.

Severity

blocking

Luiggi · May 4, 2025, 5:16pm

Are you using a WAF on the ALB?

thomas545 · May 4, 2025, 6:53pm

No, we have no WAF configured.
For the internal requests we have a security group, but since the gui for the login page is being served, everything here should be fine.