| 
									
										
										
										
											2023-12-13 14:03:08 +01:00
										 |  |  |  | --- | 
					
						
							|  |  |  |  | title: Enable SSL with Nginx | 
					
						
							|  |  |  |  | slug: /deployment/security/enable-ssl/nginx | 
					
						
							| 
									
										
										
										
											2024-09-05 10:30:31 +02:00
										 |  |  |  | collate: false | 
					
						
							| 
									
										
										
										
											2023-12-13 14:03:08 +01:00
										 |  |  |  | --- | 
					
						
							|  |  |  |  | 
 | 
					
						
							|  |  |  |  | # Enable SSL with Nginx
 | 
					
						
							|  |  |  |  | 
 | 
					
						
							|  |  |  |  | Nginx can be used as a load balancer or an SSL termination point for OpenMetadata. | 
					
						
							|  |  |  |  | 
 | 
					
						
							|  |  |  |  | In this section, we will look at how to use Nginx and Certbot to deploy SSL. The below instructions are for Ubuntu 20  | 
					
						
							|  |  |  |  | and any other flavor of Linux please find similar instructions. | 
					
						
							|  |  |  |  | 
 | 
					
						
							|  |  |  |  | ## Install Nginx
 | 
					
						
							|  |  |  |  | 
 | 
					
						
							|  |  |  |  | Nginx can be installed to a completely different host where you are running OpenMetadata Server or on the same host.  | 
					
						
							|  |  |  |  | For simplicity, we will do this on the same host as the OpenMetadata server. | 
					
						
							|  |  |  |  | 
 | 
					
						
							|  |  |  |  | ```commandline | 
					
						
							|  |  |  |  | sudo apt update | 
					
						
							|  |  |  |  | sudo apt install nginx | 
					
						
							|  |  |  |  | sudo systemctl start nginx | 
					
						
							|  |  |  |  | ``` | 
					
						
							|  |  |  |  | 
 | 
					
						
							|  |  |  |  | ## Configure Nginx to redirect requests to OpenMetadata
 | 
					
						
							|  |  |  |  | 
 | 
					
						
							|  |  |  |  | For Nginx to serve this content, it’s necessary to create a server block with the correct directives.  | 
					
						
							|  |  |  |  | Instead of modifying the default configuration file directly, let’s make a new one at `/etc/nginx/sites-available/openmetadata`: | 
					
						
							|  |  |  |  | 
 | 
					
						
							|  |  |  |  | ```commandline | 
					
						
							|  |  |  |  | sudo vi /etc/nginx/sites-available/openmetadata | 
					
						
							|  |  |  |  | ``` | 
					
						
							|  |  |  |  | 
 | 
					
						
							|  |  |  |  | And add the below content | 
					
						
							|  |  |  |  | 
 | 
					
						
							|  |  |  |  | ```commandline | 
					
						
							|  |  |  |  | server { | 
					
						
							|  |  |  |  |         access_log /var/log/nginx/sandbox-access.log; | 
					
						
							|  |  |  |  |         error_log /var/log/nginx/sandbox-error.log;          | 
					
						
							|  |  |  |  |         server_name sandbox.open-metadata.org; | 
					
						
							|  |  |  |  |         location / { | 
					
						
							|  |  |  |  |           proxy_pass http://127.0.0.1:8585; | 
					
						
							|  |  |  |  |         } | 
					
						
							|  |  |  |  | } | 
					
						
							|  |  |  |  | ``` | 
					
						
							|  |  |  |  | 
 | 
					
						
							|  |  |  |  | In the above configuration, please ensure that the `server_name` matches the domain where you are hosting the OpenMetadata  | 
					
						
							|  |  |  |  | server. Also, the `proxy_pass` configuration should point to the OpenMetadata server port. | 
					
						
							|  |  |  |  | 
 | 
					
						
							|  |  |  |  | Then, link the configuration to `sites-enabled` and restart nginx: | 
					
						
							|  |  |  |  | 
 | 
					
						
							|  |  |  |  | ```commandline | 
					
						
							|  |  |  |  | sudo ln -s /etc/nginx/sites-available/openmetadata /etc/nginx/sites-enabled/openmetadata | 
					
						
							|  |  |  |  | sudo systemctl restart nginx | 
					
						
							|  |  |  |  | ``` | 
					
						
							|  |  |  |  | 
 | 
					
						
							|  |  |  |  | The above configuration will serve at port 80, so if you configured a domain like `sandbox.open-metadata.org` one can  | 
					
						
							|  |  |  |  | start accessing OpenMetadata server by just pointing the browser to [http://sandbox.open-metadata.org](http://sandbox.open-metadata.org). | 
					
						
							|  |  |  |  | 
 | 
					
						
							|  |  |  |  | ## Enable SSL using Certbot
 | 
					
						
							|  |  |  |  | 
 | 
					
						
							|  |  |  |  | Certbot, [https://certbot.eff.org/](https://certbot.eff.org/), is a non-profit org that distributes the certified X509  | 
					
						
							|  |  |  |  | certs and renews them as well. | 
					
						
							|  |  |  |  | 
 | 
					
						
							|  |  |  |  | ```commandline | 
					
						
							|  |  |  |  | sudo apt install certbot python3-certbot-nginx | 
					
						
							|  |  |  |  | sudo systemctl reload nginx | 
					
						
							|  |  |  |  | ``` | 
					
						
							|  |  |  |  | 
 | 
					
						
							|  |  |  |  | ## Obtaining an SSL Certificate
 | 
					
						
							|  |  |  |  | 
 | 
					
						
							|  |  |  |  | Certbot provides a variety of ways to obtain SSL certificates through plugins. The Nginx plugin will take care of | 
					
						
							|  |  |  |  | reconfiguring Nginx and reloading the config whenever necessary. To use this plugin, type the following: | 
					
						
							|  |  |  |  | 
 | 
					
						
							|  |  |  |  | ```commandline | 
					
						
							|  |  |  |  | sudo certbot --nginx -d sandbox.open-metadata.org  | 
					
						
							|  |  |  |  | ``` | 
					
						
							|  |  |  |  | 
 | 
					
						
							|  |  |  |  | Replace` sandbox.open-metadata.org` with your domain for OpenMetadata.  | 
					
						
							|  |  |  |  | 
 | 
					
						
							|  |  |  |  | If this is your first time running certbot, you will be prompted to enter an email address and agree to the terms of  | 
					
						
							|  |  |  |  | service. After doing so, certbot will communicate with the `Let's Encrypt` server, then run a challenge to verify that | 
					
						
							|  |  |  |  | you control the domain you’re requesting a certificate for. | 
					
						
							|  |  |  |  | 
 | 
					
						
							|  |  |  |  | If that’s successful, certbot will ask how you’d like to configure your HTTPS settings. | 
					
						
							|  |  |  |  | 
 | 
					
						
							|  |  |  |  | ## Verifying Certbot Auto-Renewal
 | 
					
						
							|  |  |  |  | 
 | 
					
						
							|  |  |  |  | `Let's Encrypt`'s certificates are only valid for ninety days. This is to encourage users to automate their certificate | 
					
						
							|  |  |  |  | renewal process. The certbot package we installed takes care of this for us by adding a `systemd` timer that will run  | 
					
						
							|  |  |  |  | twice a day and automatically renew any certificate that’s within thirty days of expiration. | 
					
						
							|  |  |  |  | 
 | 
					
						
							|  |  |  |  | You can query the status of the timer with `systemctl`: | 
					
						
							|  |  |  |  | ```commandline | 
					
						
							|  |  |  |  | sudo systemctl status certbot.timer | 
					
						
							|  |  |  |  | ``` | 
					
						
							|  |  |  |  | 
 | 
					
						
							|  |  |  |  | to renew, you can run the following command | 
					
						
							|  |  |  |  | 
 | 
					
						
							|  |  |  |  | ```commandline | 
					
						
							|  |  |  |  | sudo certbot renew --dry-run | 
					
						
							|  |  |  |  | ``` | 
					
						
							|  |  |  |  | 
 | 
					
						
							|  |  |  |  | ## Summary
 | 
					
						
							|  |  |  |  | 
 | 
					
						
							|  |  |  |  | In this tutorial, we walked through the setup of Nginx to serve the requests to OpenMetadata and used Certbot to enable | 
					
						
							|  |  |  |  | SSL on Nginx.  | 
					
						
							|  |  |  |  | 
 | 
					
						
							|  |  |  |  | Do keep in mind that we secured the external connection to Nginx, and Nginx terminates the SSL connections,  | 
					
						
							|  |  |  |  | and the rest of the transport Nginx to the OpenMetadata server is on Plaintext. However, OpenMetadata server should be  | 
					
						
							|  |  |  |  | configured to listen to only localhost requests, i.e., It cannot be reached directly from outside traffic except for  | 
					
						
							|  |  |  |  | Nginx on that host. This makes it a secure SSL. |