# announcements
m
Are there any recommendations on how to add SSL certificates and point them towards a domain when self-hosting Growthbook? Should I just use something like an NGINX instance and set those ports as my APP_ORIGIN and API_HOST, or should I use the Growthbook proxy somehow to handle this?
b
My suggestion is to handle SSL separately: we could easily add it to an nginx server and set up a reverse proxy, using the growthbook server as upstream. App server and API host will take the https:// URLs as values.
m
Do you mean something like this? @broad-piano-24346 And have SSL certificates and such configured for the nginx server?
b
Yes, other arrangements also work, but this is cleaner, keeps certificate management separate, and you can utilise existing arrangements for other subdomains. Please ensure you are able to access the app and API endpoints using https URLs directly.
m
Yeah, I am not able to access it through the https URL, only the http one, so I guess I've messed something up 🤔
b
How are you configuring proxy pass for nginx? From the docker arrangement it's not clear. In my setups, I keep nginx as a separate layer, which receives traffic at the top level and proxy passes based on hostname to several upstreams, including growthbook, something like a gateway.
In your docker setup nginx and growthbook instances are not talking to each other yet; you need to add reverse proxy configuration on nginx to forward requests to the GB upstream.
m
I think that is what I am trying to do here, but maybe I am missing something? I want port 3100 to be accessed directly through the URL, and for port 3000 it's fine if it is ${url}:3000.
b
Will a simpler proxy pass arrangement with separate subdomains for growthbook and growthbook-api work for you? This way you can use https://growthbook.myexample.com and https://growthbook-api.myexample.com from outside.
server {
    listen 80;
    server_name growthbook.myexample.com growthbook-api.myexample.com;
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl http2;
    server_name growthbook.myexample.com;
    ssl_certificate ...
    ssl_certificate_key ...

    location / {
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;

        # proxy_pass needs a scheme; <gb-instance> is the growthbook host or IP
        proxy_pass http://<gb-instance>:3000;
    }
}

server {
    listen 443 ssl http2;
    server_name growthbook-api.myexample.com;
    ssl_certificate ...
    ssl_certificate_key ...

    location / {
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;

        proxy_pass http://<gb-instance>:3100;
    }
}
m
Hmm, will I then need to have different SSL for the different subdomains, I guess?
b
Can use a wildcard certificate.
m
I haven't set up the certificates myself and don't have access to anything other than the PEM and PFX file I got for this one subdomain, so I'm not sure I can change that then?
b
If we have to keep the same subdomain, we will need nginx to listen on :3100, so that we can use https://growthbook.myexample.com:3100 for API calls. You could play around a bit to check if it works.
server {
    listen 3100 ssl http2;
    # ... rest as in the growthbook-api server block above
}
for the API server.
m
For proxy_pass <gb-instance>:port, what should be passed as gb-instance? Is it the internal IP address of the server, the external IP address of the server, the name of the growthbook container, or something else?
b
Internal IP of the growthbook instance; since you're in the same container, 127.0.0.1 should work. We will need nginx to listen on a different port than 3100, as growthbook is also listening on the same port.
m
And what if all I care about is port 3100? I want to access port 3100 (growthbook API) through just my URL, so if I go to my domain I want it to return what I currently get on <server-external-ip>:3100. Port 3000 is fine to access through http as long as I manage to get https for port 3100. It doesn't seem like my SSL is connected at all currently to my growthbook instance, because if I go to http://<domain>:3100 it works, but if I go to https://<domain>:3100 it doesn't.
b
Change the listen ports first; both of them won't be able to bind to 3100. nginx can take another port, or you can make the growthbook API run on a different port.
About your other query: it's possible to only use SSL for the GB API.
m
So my proxy_pass should not go towards :3100 then?
server {
    listen 80;
    listen [::]:80;
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name experiment_server;
    ssl_certificate /etc/nginx/certs/key.pem;
    ssl_certificate_key /etc/nginx/certs/key.pem;
    return 301 https://<domain>$request_uri;
}

server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name experiments-api;
    ssl_certificate /etc/nginx/certs/key.pem;
    ssl_certificate_key /etc/nginx/certs/key.pem;
    location / {
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;

        proxy_pass http://127.0.0.1:3100/;  # change this?
    }
}
b
I thought you were going to open nginx SSL on 3100 for the API host, since you wanted to use the app and API on the same subdomain.
m
The most important thing for me is to be able to access the API through https. I also just got the information that the certificate should be a wildcard certificate, if that helps? I have only added the nginx for this purpose, since the only thing running on this server is growthbook and mongodb for the growthbook instance. I am very new to all of this, so I'm a bit lost on where to start 😅
b
Ok, no problem. First decide on what solution you want to obtain, then we can configure accordingly. If you have a wildcard cert and are okay with different subdomains, I encourage you to go ahead with this arrangement; it helps keep things clean. Based on other limitations, we can try different config options. Start afresh :)
One question: are you receiving incoming traffic directly on your server, or is there a load balancer or gateway before traffic arrives at your instance? If that is the case, configuring SSL on the external layer, SLB or gateway is preferable to doing it on the actual application instance.
m
Yeah, it is received directly by the server and there is no load balancer or such configured for it. This server isn't that critical for me, since I have a backup killswitch JSON file hosted in object storage which can basically handle a lot of the same things if there is a need for it. If I can use the wildcard cert for configuring these subdomains, then I'm completely fine with that.
b
Ok, then you can refer to my earlier message with two subdomains; try to set up 2 different proxies.
m
Do you know what the easiest way is to check if my certificates are actually working, btw?
b
What do you see if you hit the https:// URL of your domain? An error page is fine, but you should be able to see "https secure" in the address bar.
Just keep nginx running with the SSL certs added, remove the proxy pass stuff, and just return 200. Your page should serve on https; then proceed to configure proxy pass and growthbook.
m
I get connection refused. What page is it that should be served?
b
This means nginx is not accessible on 443 from outside.
You will need to check with your infra team if port 443 is open and accessible.
m
I think I got the API part working now with SSL, thanks a lot for the help 😄 I purged everything I had with nginx and started over with this, and then went from there: https://ubuntu.com/tutorials/install-and-configure-nginx#1-overview The only issue I have now is that everything I had in Growthbook seems to have been wiped 😅
b
You have nginx running standalone, right? Not in the same docker container as growthbook? You have a clean slate now; you can spawn the growthbook docker and try proxy pass from nginx running standalone. It will be able to connect to GB running in docker. Good luck. Happy to help debug if you run into issues.
m
Yeah, exactly, nginx is running standalone now, so I can reach my API host through https now, which was the main goal. I think I'll save the web client with https for another day; it's at least reachable through http and the domain now 😄
b
Sounds cool 😎