WIP - Add automatic self signed SSL by default to setup #4194
Thank you for opening this, but I don't see a reason to have self signed
setup created by default when it's so simple[1] to use LetsEncrypt to get a
recognized certificate.
[1] https://gist.github.com/arikfr/64c9ff8d2f2b703d4e44fe9e45a7730e
…On Fri, Sep 27, 2019, 23:34 Chester Enright ***@***.***> wrote:
What type of PR is this? (check all applicable)
- Feature
Description
Redash's main strength is sharing of queries/reports between parties,
technical and non-technical. If self-hosted, a better security practice is
to use SSL (even on an internal network). Redash should support self-signed
certificates out of the box as the bare minimum security.
Commit Summary
- WIP - starting SSL self signed server
- Working self signed server
File Changes
- *M* setup/docker-compose.yml
<https://github.com/getredash/redash/pull/4194/files#diff-0> (4)
- *A* setup/ssl/.gitignore
<https://github.com/getredash/redash/pull/4194/files#diff-1> (3)
- *A* setup/ssl/README.md
<https://github.com/getredash/redash/pull/4194/files#diff-2> (3)
- *A* setup/ssl/generate_self_signed.sh
<https://github.com/getredash/redash/pull/4194/files#diff-3> (3)
- *A* setup/ssl/nginx.conf
<https://github.com/getredash/redash/pull/4194/files#diff-4> (46)
- *A* setup/ssl/self-signed.conf
<https://github.com/getredash/redash/pull/4194/files#diff-5> (2)
- *A* setup/ssl/ssl-params.conf
<https://github.com/getredash/redash/pull/4194/files#diff-6> (21)
Patch Links:
- https://github.com/getredash/redash/pull/4194.patch
- https://github.com/getredash/redash/pull/4194.diff
Letsencrypt is wonderful when the Redash instance is accessible externally; however for my use case (and I imagine other environments), the internal database I wish to query and current network configuration do not allow external routes, making certificate generation/renewal impossible. I suppose you could generate a certificate externally, then copy it internally, but that doesn't seem very friendly out of the box. (DDNS isn't allowed for us via general policy, but that would probably work as well).
I guess the use case this solves is for a semi-local installation (by that I mean, installation on an internal network with more clients than just the installer's personal machine). My situation was, I installed redash on one of our local servers, was quite excited to get up and querying, then realized I almost sent all our database information over cleartext, which would have landed me in hot water with the security folks. This PR is trying to address that particular "gotcha" and make initial installation have at least that minimum of security.
Thanks for the explanation. I see why LetsEncrypt won't work in your case, but I believe it's the less common case. How about we add a page that documents how to create self signed certificates to the documentation instead of having it as the default setup?
Sounds good - I think the scope of the PR has changed significantly, so I'll go ahead and close this one. Thanks!