――I have a lot of things in BigQuery and Postgres, so I want to query easily.
――I hope you can access it from anywhere. (So I asked for a place that is not local)
――I want to make it as cheap as possible. (If you think about the NPV of investment from the initial investment of home server with RasPi, it should be about 1,000 yen a month)
--I want to make it my own domain and https (it is essential if it is .dev) → Replace YOUR-DOMAIN.HERE in the text with your own domain.
--Set the global IP.
--In the network settings, open only port 443 used for https.
-(SSH 22 is as needed. In my case, I'm working with another Lightsail instance via VPN, so I kept it closed.)
By using our own domain, we pointed the subdomain metabase.YOUR-DOMAIN.HERE to the global IP of the Lightsail instance in the A record.
mkdir -p ~/Docker/Metabase ~/Docker/LetsEncrypt ~/Docker/nginx
--I used the official image of Certbot.
--The reason for using DNS authentication is that it was easy to arrange for multiple domains.
--The issued certificates are written to / etc/letsencrypt and are persisted on the host side.
docker run -it --rm \
--name certbot \
-v ~/Docker/LetsEncrypt/cert:/etc/letsencrypt \
certbot/certbot certonly \
--no-self-upgrade \
--manual \
-d metabase.YOUR-DOMAIN.HERE \
-m [email protected] \
--agree-tos \
--preferred-challenges dns-01
--I used the official image of Metabase.
――Ulimit seems to be annoying, but I used it as a habit.
--The default save destination of Metabase settings is H2, the file creation destination is / metabase-data, and it is mapped to the directory on the host side and made persistent.
--If your host is a little more powerful, you could put MySQL or Postgres on its side instead of H2.
docker run --name Metabase -d \
--restart=always \
-v ~/Docker/Metabase:/metabase-data \
-e "MB_DB_FILE=/metabase-data/metabase.db" \
-p 3000:3000 \
--ulimit nproc=4096:4096 \
--ulimit memlock=256000:256000 \
--ulimit nofile=65536:65536 \
metabase/metabase
First move to the working directory.
cd ~/Docker/nginx
Create a https.conf file that defines TLS support and behavior as a reverse proxy.
ssl_protocols TLSv1.2;
server {
listen 443;
ssl on;
server_name metabase.YOUR-DOMAIN.HERE;
ssl_certificate /etc/cert/fullchain1.pem;
ssl_certificate_key /etc/cert/privkey1.pem;
location / {
proxy_pass http://metabase:3000;
proxy_http_version 1.1;
proxy_cache_bypass $http_upgrade;
}
}
Create Dockerfile dockerfile-nginx.
FROM nginx:latest
EXPOSE 443/tcp
ADD https.conf /etc/nginx/conf.d/default.conf
Build the image.
docker build -f dockerfile-nginx -t nginx-tls .
Launch the built set nginx by specifying the certificate.
docker run --name nginx -d \
--restart=always \
--link Metabase:metabase \
-v ~/Docker/LetsEncrypt/cert/archive/metabase.YOUR-DOMAIN.HERE:/etc/cert \
-p 443:443 \
nginx-tls
Access https://metabase.YOUR-DOMAIN.HERE/ with a browser and perform the initial settings.
The Let's Encrypt certificate expires in 3 months, so you need to renew it before that. Updates are also done with Certbot. You can automate this with cron.
docker run -it --rm \
--name certbot \
-v ~/Docker/LetsEncrypt/cert:/etc/letsencrypt \
certbot/certbot renew
――Why Docker ... --It's a hassle to run Certbot directly on a Lightsail instance --I don't want to pollute my host through trial and error --I want to limit the memory as needed ――I wouldn't do this for business use --It becomes https with ELB
Enjoy!
Recommended Posts