mirror of https://github.com/open-metadata/OpenMetadata.git, synced 2025-10-24 23:34:51 +00:00
---
title: Enable SSL with Nginx | OpenMetadata Security Setup
description: Enable SSL using NGINX to encrypt traffic and protect sensitive metadata exchanges across service endpoints and UI access.
slug: /deployment/security/enable-ssl/nginx
collate: false
---

# Enable SSL with Nginx

Nginx can be used as a load balancer or an SSL termination point for OpenMetadata.

In this section, we will look at how to use Nginx and Certbot to deploy SSL. The instructions below are for Ubuntu 20;
on any other Linux distribution, use the equivalent commands for that system.

## Install Nginx

Nginx can be installed on a completely different host from the one running the OpenMetadata server, or on the same host.
For simplicity, we will do this on the same host as the OpenMetadata server.

```commandline
sudo apt update
sudo apt install nginx
sudo systemctl start nginx
```

## Configure Nginx to redirect requests to OpenMetadata

For Nginx to serve this content, it’s necessary to create a server block with the correct directives.
Instead of modifying the default configuration file directly, let’s make a new one at `/etc/nginx/sites-available/openmetadata`:

```commandline
sudo vi /etc/nginx/sites-available/openmetadata
```

And add the below content:

```commandline
server {
        access_log /var/log/nginx/sandbox-access.log;
        error_log /var/log/nginx/sandbox-error.log;
        server_name sandbox.open-metadata.org;
        location / {
          proxy_pass http://127.0.0.1:8585;
        }
}
```

In the above configuration, please ensure that the `server_name` matches the domain where you are hosting the OpenMetadata
server. Also, the `proxy_pass` configuration should point to the OpenMetadata server port.

Then, link the configuration to `sites-enabled` and restart nginx:

```commandline
sudo ln -s /etc/nginx/sites-available/openmetadata /etc/nginx/sites-enabled/openmetadata
sudo systemctl restart nginx
```

The above configuration will serve on port 80, so if you configured a domain like `sandbox.open-metadata.org`, you can
start accessing the OpenMetadata server by just pointing the browser to [http://sandbox.open-metadata.org](http://sandbox.open-metadata.org).

## Enable SSL using Certbot

Certbot ([https://certbot.eff.org/](https://certbot.eff.org/)) is a free tool from the non-profit EFF that obtains X.509
certificates from Let's Encrypt and renews them as well.

```commandline
sudo apt install certbot python3-certbot-nginx
sudo systemctl reload nginx
```

## Obtaining an SSL Certificate

Certbot provides a variety of ways to obtain SSL certificates through plugins. The Nginx plugin will take care of
reconfiguring Nginx and reloading the config whenever necessary. To use this plugin, type the following:

```commandline
sudo certbot --nginx -d sandbox.open-metadata.org
```

Replace `sandbox.open-metadata.org` with your domain for OpenMetadata.

If this is your first time running certbot, you will be prompted to enter an email address and agree to the terms of
service. After doing so, certbot will communicate with the `Let's Encrypt` server, then run a challenge to verify that
you control the domain you’re requesting a certificate for.

If that’s successful, certbot will ask how you’d like to configure your HTTPS settings.

## Verifying Certbot Auto-Renewal

`Let's Encrypt`'s certificates are only valid for ninety days. This is to encourage users to automate their certificate
renewal process. The certbot package we installed takes care of this for us by adding a `systemd` timer that will run
twice a day and automatically renew any certificate that’s within thirty days of expiration.

You can query the status of the timer with `systemctl`:

```commandline
sudo systemctl status certbot.timer
```

To test the renewal process (a dry run that does not replace the certificate), you can run the following command:

```commandline
sudo certbot renew --dry-run
```

## Summary

In this tutorial, we walked through the setup of Nginx to serve the requests to OpenMetadata and used Certbot to enable
SSL on Nginx.

Do keep in mind that we secured only the external connection to Nginx: Nginx terminates the SSL connections,
and the rest of the transport, from Nginx to the OpenMetadata server, is in plaintext. Because of this, the OpenMetadata server should be
configured to listen only on localhost, i.e., it cannot be reached directly by outside traffic, only through
Nginx on that host. With that in place, the SSL setup is secure.
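The plaintext hop described above is only safe if the two assumptions hold: OpenMetadata is bound to loopback, and every `proxy_pass` in the site file targets loopback. The script below is an added check, not part of the OpenMetadata docs; it assumes the default OpenMetadata port 8585, the site file path used in this guide, and `ss` from iproute2.

```shell
#!/usr/bin/env bash
# Added example, not part of the OpenMetadata docs. Verifies the assumptions
# behind the Nginx -> OpenMetadata plaintext hop: OpenMetadata must listen only
# on loopback, and Nginx must only proxy to loopback.
# Assumes the default OpenMetadata port 8585 and `ss` from iproute2.

OM_PORT="${OM_PORT:-8585}"
SITE_FILE="${SITE_FILE:-/etc/nginx/sites-available/openmetadata}"

# check_listeners: reads `ss -ltn` output on stdin and prints any socket on
# OM_PORT bound to a non-loopback address. Returns 0 if every listener on
# OM_PORT is loopback-only (127.0.0.1 or [::1]), 1 otherwise.
check_listeners() {
  local exposed=0 line addr host
  while IFS= read -r line; do
    set -- $line                       # split the row on whitespace
    [ "$1" = "LISTEN" ] || continue    # skip the header and non-LISTEN rows
    addr="$4"                          # "Local Address:Port" column
    case "$addr" in *:"$OM_PORT") ;; *) continue ;; esac
    host="${addr%:*}"                  # strip the ":port" suffix
    case "$host" in
      127.0.0.1|'[::1]') ;;            # loopback: fine
      *) printf 'EXPOSED: OpenMetadata listening on %s\n' "$addr"; exposed=1 ;;
    esac
  done
  return "$exposed"
}

# check_proxy_target: reads an Nginx site file on stdin. Returns 0 when every
# proxy_pass points at 127.0.0.1 or localhost, 1 if any target is elsewhere.
check_proxy_target() {
  local bad=0 line target
  while IFS= read -r line; do
    set -- $line
    [ "$1" = "proxy_pass" ] || continue
    target="${2%;}"                    # drop the trailing semicolon
    case "$target" in
      http://127.0.0.1:*|http://localhost:*) ;;
      *) printf 'NON-LOOPBACK proxy_pass: %s\n' "$target"; bad=1 ;;
    esac
  done
  return "$bad"
}

# Run both checks against the live host when invoked with --live.
if [ "${1:-}" = "--live" ]; then
  ss -ltn | check_listeners && check_proxy_target < "$SITE_FILE" \
    && echo "OK: OpenMetadata is reachable only through Nginx on this host"
fi
```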