# ask-questions
c
Hi, I'm running a self hosted growthbook and growthbook proxy in an EKS cluster. I have the proxy set up to use an elasticache redis cluster with encryption in transit enabled. The proxy doesn't seem to be able to connect to redis. It returns the first request fine but on subsequent requests (I'm assuming it's trying to hit the cache) it hangs. Is there an example of a CLUSTER_ROOT_NODES_JSON that someone can provide with the available fields? Are there options for certificates? Thanks!
Seems like one of the issues is that the certs on the growthbook-proxy image need to be updated
h
haven't tried it myself, but you should be able to pass in the certificate string into clusterOptionsJSON
{
  "redisOptions": {
    "tls": {
      "ca": "<yourCaString (from .pem)>"
    }
  }
}
alternately, perhaps a naive question, but do you actually need in-transit encryption between Redis and your GB Proxy? This should all be airgapped in a private network anyhow
c
Yeah we need the encryption, it's a security policy in our infra org, even though it's in a vpc. The problem/solution was that the ca certs on the proxy image needed to be updated and the elasticache redis instance I was using to test has a master/reader configuration but cluster mode was not enabled so the cluster configuration with all those options didn't work. It wasn't super obvious from the docs but the redis url needs to look like this if encryption is enabled and you use the default user
rediss://:<password>@your-endpoint
and the port doesn't need to be specified if it's running on the default. The rediss was the crux of the issue I think. Thanks for the help! I can update the docs to note that if you think it's worthwhile.
h
Thank you for the feedback! Yes, I'd be glad to add this to the docs if you'd like to open a PR
c
Hey, I have one more question I'm hoping you can provide some guidance on. I am going to be deploying ad-hoc instances of growthbook for our developers in what we call "review apps". It's basically an isolated environment with our api, various services, and now growthbook. I want to be able to seed growthbook with a basic feature set that mimics what we have in production when these review environments start up. I'm looking at the REST docs and they say that you need to generate keys in growthbook itself. So, I'm wondering if/how I can start up an instance of growthbook and either programmatically generate a key or set some type of environment variable that is a known key to use immediately for the REST api. If that's not possible I guess another option would be to put some type of data directly in Mongo. I haven't looked at that too closely so I'm wondering how it's namespaced if you have multiple instances of growthbook pointing at a single Mongo db and if the data is stored as a single blob of json like the api spits out. The api option would be more desirable if it's possible to use it with a known key and having some endpoint to just send the whole feature set as a single request with a json payload. Any advice is greatly appreciated!
h
Our REST API is still in active development (technically still beta), and isn't quite suitable yet for fully provisioning a vanilla installation. You might have better luck with creating a custom Mongo image that has all the provisioning taken care of. Basically install and set up GB once, export your mongo DB, then import it as part of your provisioning script.
c
When I initially set up a self hosted instance, it seems like by virtue of being the first user to register, I can set the organization and I'm made the owner. Is that the only way to do it? I'm going to be deploying an instance of Growthbook on a public URL with a fresh database and was wondering if someone could just swoop in and make themselves the owner?
h
Typically you'd put GrowthBook on a private URL via firewall or VPN. This avoids the problem you're describing as well as reducing attack vectors. (See here https://docs.growthbook.io/self-host/production)
c
Gotcha. We don't have a corporate VPN setup and need certain teams to be able to add features, etc. That would be my choice but it's out of scope for this. Thanks for the info!