https://www.growthbook.io/ logo
#announcements
Title
# announcements
m

miniature-agency-3305

05/30/2023, 2:17 PM
Are there any recommendations on how to add SSL certificates and pointing towards a domain when self hosting Growthbook? Should I just use something like an NGINX instance and use the set those ports as my APP_ORIGIN and API_HOST or should I use the Growthbook proxy somehow to handle this?
b

broad-piano-24346

05/30/2023, 2:40 PM
My suggestion is to handle SSL separately, we could easily add it to an nginx server and set up a reverse proxy, using the growthbook server as upstream. App server and api host will take the https:// urls as values.
m

miniature-agency-3305

05/31/2023, 10:42 AM
Do you mean something like this? @broad-piano-24346 And have SSL certificates and such configured for the nginx server?
b

broad-piano-24346

05/31/2023, 10:47 AM
Yes, other arrangements also work but this is cleaner, keeps certificate management separate and you can utilise existing arrangements for other sub domains. Pls ensure you are able to access the app and api endpoints using https urls directly.
m

miniature-agency-3305

05/31/2023, 10:48 AM
Yeah I am not able to access it through the https url only the http so I guess I’ve messed something up 🤔
b

broad-piano-24346

05/31/2023, 10:51 AM
How are you configuring proxy pass for nginx? From the docker arrangement it's not clear, in my setups, i keep nginx as a separate layer, which receives traffic at the top level and proxy passes based on hostname to several upstreams including growthbook, something like a gateway.
In your docker setup nginx and growthbook instances are not talking to each other yet, need to add reverse proxy configuration on nginx to forward request to GB upstream
m

miniature-agency-3305

05/31/2023, 10:57 AM
I think that is what I am trying to do here but maybe I am missing something? I want port 3100 to be accessed directly through the url and to use port:3000 it’s fine if it is ${url}:3000
b

broad-piano-24346

05/31/2023, 11:11 AM
Will a simpler proxy pass arrangement with separate subdomains for growthbook and growthbook-api work for you? this way you can use https://growthbook.myexample.com and https://growthbook-api.myexample.com from outside.
Copy code
server {
    listen 80;
    server_name <http://growthbook.myexample.com|growthbook.myexample.com> <http://growthbook-api.myexample.com|growthbook-api.myexample.com>;
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl http2;
    server_name <http://growthbook.myexample.com|growthbook.myexample.com>;
    ssl_certificate ...
    ssl_certificate_key ...

    location / {
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;

        proxy_pass <gb-instance>:3000;
    }
}

server {
    listen 443 ssl http2;
    server_name <http://growthbook-api.myexample.com|growthbook-api.myexample.com>;
    ssl_certificate ...
    ssl_certificate_key ...

    location / {
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;

        proxy_pass <gb-instance>:3100; 
    }
}
m

miniature-agency-3305

05/31/2023, 11:13 AM
Hmm will I then need to have different SSL for the different subdomains I guess?
b

broad-piano-24346

05/31/2023, 11:14 AM
can use wildcard certificate
m

miniature-agency-3305

05/31/2023, 11:17 AM
I haven’t setup the certificates myself and don’t have access to anything other than the PEM and PFX file I got for this one sub domain so I’m not sure I can change that then?
b

broad-piano-24346

05/31/2023, 11:25 AM
if we have to keep the same subdomain, we will need nginx to listen on
:3100
, so that we can use https://growthbook.myexample.com:3100 for API calls. You could play around a bit to check if it works.
Copy code
server {
  listen 3100 ssl http2;
for the api server
m

miniature-agency-3305

05/31/2023, 12:09 PM
for proxy_pass <gb-instance>:port What should be passed to gb-instance? Is it the internal ip address of the server, the external ip-address of the server or the name of the growthbook container or something else?
b

broad-piano-24346

05/31/2023, 12:14 PM
Internal IP of growthbook instance, since you're in the same container 127.0.0.1 should work. We will need nginx to listen on different port than 3100 as grownbook is also listening on the same port.
m

miniature-agency-3305

05/31/2023, 12:27 PM
And what if all I care about is port 3100? I want to access port 3100 (growthbook api) through just my url. so if I go towards my domain I want it to return what I currently on <server-external-ip>:3100 port 3000 is fine to access through the http as long as I manage to get https for port 3100. It doesn’t seem like my ssl is connected at all currently to my growthbook instance because if I go to http//&lt;domain&gt;3100 it works but if I go to https//&lt;domain&gt;3100 it doesn’t.
b

broad-piano-24346

05/31/2023, 12:29 PM
Change the listen ports first, both of them won't be able to bind to 3100, nginx can take another port, or you can make growthbook api run on different port
About your other query, it's possible to only use SSL for GB api
m

miniature-agency-3305

05/31/2023, 12:32 PM
so my proxy_pass should not go towards :3100 then?
Copy code
server {
    listen 80 server;
    listen [::]:80 server;
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name experiment_server
    ssl_certificate /etc/nginx/certs/key.pem;
    ssl_certificate_key /etc/nginx/certs/key.pem;
    return 301 https://<domain>$request_uri;
}
server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name experiments-api
    ssl_certificate /etc/nginx/certs/key.pem;
    ssl_certificate_key /etc/nginx/certs/key.pem;
    location / {
                proxy_set_header Host $host;
                proxy_set_header X-Real-IP $remote_addr;

                proxy_pass <http://127.0.0.1:3100/>; // change this?

    }
}
b

broad-piano-24346

05/31/2023, 12:46 PM
I thought you were to open nginx SSL on 3100 for api host, since you wanted to use the app and api on same subdomain
m

miniature-agency-3305

05/31/2023, 12:51 PM
The most important thing for me is to be able to access the API through https, I also got the information just now that the certificate should be a wildcard certificate if that helps? I have only added the Nginx for this purpose since the only thing running on this server is growthbook and mongodb for the growthbook instance. I am very new to all of this so I’m a bit lost on where to start 😅
b

broad-piano-24346

05/31/2023, 1:06 PM
Ok, no problem, first decide on what solution you want to obtain, then we can configure accordingly. If you have a wildcard cert and are okay with different subdomains, encourage you to go ahead with this arrangement, helps keep things clean. Based on other limitations, we can try different config options. Start afresh :)
One question, are you receiving incoming traffic directly on your server, is there a load balancer or gateway before traffic arrives to your instance? If that be the case, configuring SSL on external later, SLB or gateway is preferred option than doing it on actual application instance.
m

miniature-agency-3305

05/31/2023, 1:47 PM
Yeah it is received directly by the server and there is no load balancer or such configured for it. This server isn’t that critical for me since I have a backup killswitch json file hosted in object storage which can basically handle a lot of the same things if there is a need for it. if I can use the wildcard cert for configuring these subdomains then I’m completely fine with that.
b

broad-piano-24346

05/31/2023, 1:50 PM
Ok, then you can refer to my earlier message with two subdomains, try to set up 2 different proxies.
m

miniature-agency-3305

05/31/2023, 2:02 PM
Do you know what is the easiest way I can check if my certificates are actually working btw?
b

broad-piano-24346

05/31/2023, 2:05 PM
What do you see if you hit https:// url of your domain? error page is fine, but you should be able to see https secure on the address bar
Just keep nginx running with SSL certs added, and remove proxy pass stuff, just return 200. Your page should serve on https, then proceed to configure proxy pass and growthbook
m

miniature-agency-3305

05/31/2023, 2:19 PM
I get connection refused. What page is it that should be served?
b

broad-piano-24346

05/31/2023, 2:21 PM
This means nginx is not accessible on 443 from outside
You will need to check with your infra team if 443 port is open and accessible
m

miniature-agency-3305

05/31/2023, 3:39 PM
I think I got the API part working now with SSL, thanks a lot for the help 😄 I purged everything I had with nginx and started over with this and then went from there: https://ubuntu.com/tutorials/install-and-configure-nginx#1-overview Only issue I have now is that everything I had in Growthbook seems to be wiped 😅
b

broad-piano-24346

05/31/2023, 3:56 PM
You have nginx running stand alone, right? Not in the same docker container as the growthbook? You have a clean slate now, you can spawn growthbook docker and try proxy pass from nginx running stand alone, it will be able to connect to GB running in docker. Good luck. Happy to help debug if you run into issues
m

miniature-agency-3305

05/31/2023, 3:58 PM
Yeah exactly nginx is running standalone now so I can reach my API host through https now which was the main goal, I think I’ll save the web client with https for another day, it’s at least reachable through http and the domain now 😄
b

broad-piano-24346

05/31/2023, 3:59 PM
Sounds cool 😎
10 Views