yujunjun/OpenMetadata
1
0
Fork 0
mirror of https://github.com/open-metadata/OpenMetadata.git synced 2025-10-31 02:29:03 +00:00
Code Issues Packages Projects Releases Wiki Activity
OpenMetadata/openmetadata-docs/content/v1.6.x/deployment/security/enable-ssl/nginx.md
Mayur Singal b8826aa2c3
DOCS - Update Version Snapshots (#18988)
2024-12-10 19:09:00 +01:00

113 lines
4.1 KiB
Markdown
Raw Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

---
title: Enable SSL with Nginx
slug: /deployment/security/enable-ssl/nginx
collate: false
---
# Enable SSL with Nginx
Nginx can be used as a load balancer or an SSL termination point for OpenMetadata.
In this section, we will look at how to use Nginx and Certbot to deploy SSL. The below instructions are for Ubuntu 20
and any other flavor of Linux please find similar instructions.
## Install Nginx
Nginx can be installed to a completely different host where you are running OpenMetadata Server or on the same host.
For simplicity, we will do this on the same host as the OpenMetadata server.
```commandline
sudo apt update
sudo apt install nginx
sudo systemctl start nginx
```
## Configure Nginx to redirect requests to OpenMetadata
For Nginx to serve this content, its necessary to create a server block with the correct directives.
Instead of modifying the default configuration file directly, lets make a new one at `/etc/nginx/sites-available/openmetadata`:
```commandline
sudo vi /etc/nginx/sites-available/openmetadata
```
And add the below content
```commandline
server {
access_log /var/log/nginx/sandbox-access.log;
error_log /var/log/nginx/sandbox-error.log;
server_name sandbox.open-metadata.org;
location / {
proxy_pass http://127.0.0.1:8585;
}
}
```
In the above configuration, please ensure that the `server_name` matches the domain where you are hosting the OpenMetadata
server. Also, the `proxy_pass` configuration should point to the OpenMetadata server port.
Then, link the configuration to `sites-enabled` and restart nginx:
```commandline
sudo ln -s /etc/nginx/sites-available/openmetadata /etc/nginx/sites-enabled/openmetadata
sudo systemctl restart nginx
```
The above configuration will serve at port 80, so if you configured a domain like `sandbox.open-metadata.org` one can
start accessing OpenMetadata server by just pointing the browser to [http://sandbox.open-metadata.org](http://sandbox.open-metadata.org).
## Enable SSL using Certbot
Certbot, [https://certbot.eff.org/](https://certbot.eff.org/), is a non-profit org that distributes the certified X509
certs and renews them as well.
```commandline
sudo apt install certbot python3-certbot-nginx
sudo systemctl reload nginx
```
## Obtaining an SSL Certificate
Certbot provides a variety of ways to obtain SSL certificates through plugins. The Nginx plugin will take care of
reconfiguring Nginx and reloading the config whenever necessary. To use this plugin, type the following:
```commandline
sudo certbot --nginx -d sandbox.open-metadata.org
```
Replace` sandbox.open-metadata.org` with your domain for OpenMetadata.
If this is your first time running certbot, you will be prompted to enter an email address and agree to the terms of
service. After doing so, certbot will communicate with the `Let's Encrypt` server, then run a challenge to verify that
you control the domain youre requesting a certificate for.
If thats successful, certbot will ask how youd like to configure your HTTPS settings.
## Verifying Certbot Auto-Renewal
`Let's Encrypt`'s certificates are only valid for ninety days. This is to encourage users to automate their certificate
renewal process. The certbot package we installed takes care of this for us by adding a `systemd` timer that will run
twice a day and automatically renew any certificate thats within thirty days of expiration.
You can query the status of the timer with `systemctl`:
```commandline
sudo systemctl status certbot.timer
```
to renew, you can run the following command
```commandline
sudo certbot renew --dry-run
```
## Summary
In this tutorial, we walked through the setup of Nginx to serve the requests to OpenMetadata and used Certbot to enable
SSL on Nginx.
Do keep in mind that we secured the external connection to Nginx, and Nginx terminates the SSL connections,
and the rest of the transport Nginx to the OpenMetadata server is on Plaintext. However, OpenMetadata server should be
configured to listen to only localhost requests, i.e., It cannot be reached directly from outside traffic except for
Nginx on that host. This makes it a secure SSL.
Reference in New Issue View Git Blame Copy Permalink