Using https: with Docker

Does anybody know how to get a Metabase image running under Docker to work via https: ?

I’d probably go with an Nginx container on the same network, and use that to proxy… but I’m not sure if there’s a drawback to that approach. One cool thing about using an nginx proxy is you don’t have to bind container ports to the host.

Thank you for the suggestion. I’ve got Docker and the Metabase image running under CentOS 7.3, and setting that up was not straightforward. Ideally, I would like to find somebody who has actually got Metabase to work with https: under Docker. And preferably with CentOS 7.

Configuring SSL on Nginx is fairly simple (especially if you have the cert files already); I can help with that if needed. Hopefully this will offer a foundation for what you’re wanting to build:

Before starting out, create the docker network to which the ‘metabase-app’ and ‘nginx-proxy’ containers will eventually connect:

docker network create proxy-network

Since you already have metabase containers (let’s say they’re metabase-app and metabase-db), adding the app to the new network can be accomplished as follows:

docker network connect proxy-network metabase-app

Now, let’s run an nginx container (but this will require some setup, per the example file that follows):

docker run -d --restart always -p 80:80 -v /host/path/to/conf.d:/etc/nginx/conf.d --network proxy-network --name nginx-proxy nginx

I’m proxying to multiple containerized services, but maybe you only need something called metabase.conf in your conf.d. (note: the nginx container is looking for files that end in .conf)

Here’s an example metabase.conf:

upstream metabase-service {
  server metabase-app:3000;
}

server {
  server_name metabase.example.org;
  listen 80;

  location / {
    proxy_pass http://metabase-service;
    proxy_redirect off;
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Host $server_name;
  }
}

nginx can be further configured to support SSL – and these two containers can be isolated on virtual networks; you won’t need to bind the docker container’s ports to the host machine, and nginx can proxy to the metabase-app container.


To get to SSL support, here are some example nginx server blocks:

Automatically redirect http requests to https:

server {
	server_name metabase.example.org;
	return 301 https://metabase.example.org$request_uri;
}

Incomplete server block to handle https:

server {
	listen 443 ssl;
	server_name metabase.example.org;

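	# "listen 443 ssl" above already enables TLS; the separate "ssl on;" directive is deprecated and rejected by current nginx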
	ssl_certificate /path/to/ssl/fullchain.pem;
	ssl_certificate_key /path/to/ssl/privkey.pem;

	proxy_set_header Host $host;
	proxy_set_header X-Real-IP $remote_addr;
	proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
	proxy_set_header X-Forwarded-Proto $scheme;
	proxy_set_header Proxy "";
	proxy_redirect off;

	access_log /path/to/log/access.log;
	error_log /path/to/log/error.log;

	location / {
		proxy_pass http://metabase-service;
	}
}

Might need to tweak some of these things for your environment…

I run it on Ubuntu.
I found this; I think it won’t get any easier.
renew automatically signed certificates for free …

I stumbled over this too. I am not very educated in this question.
But so far I would say, definitely run your server in an additional Docker container.
It is clearly stated so in the Docker documentation to split things up.
In the Metabase documentation I read an implicit hint to handle it elsewhere, too.

The suggestions given will work, but there is an easier way.
You can pass these environment variables:
MB_JETTY_SSL: 1
MB_JETTY_SSL_Port: 8443
MB_JETTY_SSL_Keystore: "/tmp/keystore.jks"
MB_JETTY_SSL_Keystore_Password: "xxx"

You’ll have to read up on creating a .jks file from your certificate (it’s a Java-specific thing), but I can confirm I got this to work on my end.

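The keystore route from the post above, written out as an added example (not code from the thread or from the Metabase project): it converts the PEM files into a JKS keystore and creates a new container with the four variables, because a container's environment is set when it is created. The image name `metabase/metabase`, the container name, the key alias and all host-side paths are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. Assumed names: image metabase/metabase,
# container name metabase-app, key alias "metabase", all host-side paths.

# PEM chain + key -> JKS keystore. The password is read from the first line
# of a file so that it never appears on a command line.
# usage: make_keystore fullchain.pem privkey.pem keystore.jks passfile
make_keystore() {
  p12=$(mktemp) || return 1
  if openssl pkcs12 -export -in "$1" -inkey "$2" -name metabase \
       -out "$p12" -passout "file:$4" &&
     keytool -importkeystore -noprompt \
       -srckeystore "$p12" -srcstoretype PKCS12 -srcstorepass:file "$4" \
       -destkeystore "$3" -deststoretype JKS -deststorepass:file "$4"
  then rc=0; else rc=1; fi
  rm -f "$p12"
  return "$rc"
}

# Write the variables from the post to an env file only its owner can read.
# MB_JETTY_SSL is "true" here, as in Metabase's documentation.
# usage: write_env_file metabase.env passfile
write_env_file() (
  umask 077
  cat > "$1" <<EOF
MB_JETTY_SSL=true
MB_JETTY_SSL_Port=8443
MB_JETTY_SSL_Keystore=/tmp/keystore.jks
MB_JETTY_SSL_Keystore_Password=$(head -n 1 "$2")
EOF
)

# Environment variables are fixed when a container is created, so this starts
# a new container; stop and remove the old one first, and repeat whatever
# database options it was created with.
# usage: start_metabase /abs/keystore.jks /abs/metabase.env
start_metabase() {
  ${DOCKER:-docker} run -d --name metabase-app --network proxy-network \
    -p 8443:8443 -v "$1:/tmp/keystore.jks:ro" --env-file "$2" \
    metabase/metabase
}

# Typical sequence (paths are placeholders):
#   make_keystore fullchain.pem privkey.pem "$PWD/keystore.jks" pass.txt
#   write_env_file "$PWD/metabase.env" pass.txt
#   start_metabase "$PWD/keystore.jks" "$PWD/metabase.env"
```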

@ipeevski but, how to pass these to an already running container?
I’m new to Metabase AND Docker.


I'm in exactly this situation!