Metabase On-Prem Installation Steps
========================================================
METABASE ON-PREM INSTALLATION SOP (NO DOCKER)
WITH NGINX + PUBLIC IP (PRODUCTION READY)
========================================================
DOCUMENT VERSION : 1.0
STATUS : VERIFIED WORKING
OS : Ubuntu 22.04 / 24.04
JAVA : OpenJDK 21
METADATA DB : PostgreSQL
ACCESS : Nginx Reverse Proxy (Public IP)
METABASE PORT : 3000 (localhost only)
NGINX PORT : 80 / 443
========================================================
===========================
1. SYSTEM PRE-REQUISITES
===========================
Run as root or sudo user.
sudo apt update && sudo apt upgrade -y
Install required packages:
sudo apt install -y \
openjdk-21-jdk \
postgresql postgresql-contrib \
nginx \
curl unzip
Verify Java version:
java -version
Expected:
openjdk version "21"
===========================
2. CREATE METABASE USER
===========================
sudo useradd -r -s /bin/false metabase
sudo mkdir -p /opt/metabase
sudo chown metabase:metabase /opt/metabase
===========================
3. DOWNLOAD METABASE
===========================
cd /opt/metabase
sudo wget https://downloads.metabase.com/latest/metabase.jar
sudo chown metabase:metabase metabase.jar
===========================
4. POSTGRESQL METADATA DB
===========================
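sudo -u postgres psql
CREATE DATABASE metabase;
-- Replace 'strongpassword' with your own value; MB_DB_PASS in step 5 must match it exactly.
CREATE USER metabase_user WITH PASSWORD 'strongpassword';
ALTER DATABASE metabase OWNER TO metabase_user;
GRANT ALL PRIVILEGES ON DATABASE metabase TO metabase_user;
-- Connect to the new database so the schema grant applies to it and not to "postgres".
\c metabase
GRANT ALL ON SCHEMA public TO metabase_user;
-- Note: SUPERUSER extends this account's rights from the metabase database to the whole PostgreSQL cluster.
ALTER USER metabase_user WITH SUPERUSER;
\q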
===========================
5. METABASE ENV CONFIG
===========================
Generate the encryption key first:
openssl rand -hex 32
Create the env file and paste the generated value as MB_ENCRYPTION_SECRET_KEY:
sudo nano /etc/metabase.env
----- /etc/metabase.env -----
MB_DB_TYPE=postgres
MB_DB_DBNAME=metabase
MB_DB_PORT=5432
MB_DB_USER=metabase_user
MB_DB_PASS=strongpassword
MB_DB_HOST=localhost
MB_JETTY_HOST=127.0.0.1
MB_JETTY_PORT=3000
MB_SITE_URL=http://PUBLIC-IP
JAVA_OPTS=-Xms1g -Xmx2g
MB_ENCRYPTION_SECRET_KEY=PASTE_GENERATED_KEY_HERE
----------------------------
MB_DB_PASS must be the same password that was set for metabase_user in step 4.
Secure file:
sudo chmod 600 /etc/metabase.env
===========================
6. SYSTEMD SERVICE
===========================
sudo nano /etc/systemd/system/metabase.service
----- metabase.service -----
[Unit]
Description=Metabase Server
After=network.target postgresql.service
[Service]
User=metabase
Group=metabase
EnvironmentFile=/etc/metabase.env
ExecStart=/usr/lib/jvm/java-21-openjdk-amd64/bin/java \
$JAVA_OPTS \
-jar /opt/metabase/metabase.jar
Restart=always
SuccessExitStatus=143
[Install]
WantedBy=multi-user.target
----------------------------
Enable & start:
sudo systemctl daemon-reload
sudo systemctl enable metabase
sudo systemctl start metabase
sudo systemctl status metabase
===========================
7. VERIFY METABASE
===========================
Check listening port:
ss -lntp | grep 3000
Expected:
127.0.0.1:3000
===========================
8. NGINX REVERSE PROXY
===========================
sudo nano /etc/nginx/sites-available/metabase
----- nginx config -----
server {
    listen 80 default_server;
    server_name _;
    client_max_body_size 50M;
    location / {
        proxy_pass http://127.0.0.1:3000;
        proxy_http_version 1.1;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_read_timeout 300;
        proxy_connect_timeout 300;
        proxy_send_timeout 300;
    }
}
--------------------------
Enable site:
sudo rm -f /etc/nginx/sites-enabled/default
sudo ln -s /etc/nginx/sites-available/metabase /etc/nginx/sites-enabled/
Test & reload:
sudo nginx -t
sudo systemctl reload nginx
===========================
9. FIREWALL & CLOUD RULES
===========================
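Local firewall (allow SSH before enabling ufw, otherwise a remote session is locked out; 22/tcp assumes the default SSH port):
sudo ufw allow 22/tcp
sudo ufw allow 80/tcp
sudo ufw deny 3000/tcp
sudo ufw enable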
Cloud / AWS Security Group:
Allow:
- TCP 80 from 0.0.0.0/0
(Optional: 443 for HTTPS)
===========================
10. ACCESS METABASE
===========================
Open browser:
http://PUBLIC-IP
Metabase UI should load.
===========================
11. LOGS & TROUBLESHOOTING
===========================
Live logs:
journalctl -u metabase -f
Nginx logs:
/var/log/nginx/access.log
/var/log/nginx/error.log
===========================
12. BACKUP (RECOMMENDED)
===========================
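Run the dump as the postgres OS user (the dump file is written by your own shell into the current directory):
sudo -u postgres pg_dump metabase > metabase_backup.sql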
===========================
13. SECURITY HARDENING
===========================
- Keep port 3000 internal only
- Use HTTPS (Let’s Encrypt)
- Use read-only DB users for data sources
- Backup metadata DB daily
- Do not run Metabase as root
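Added example (not part of the original SOP): a small audit script for two of the points above, that port 3000 listens on loopback only and that /etc/metabase.env is mode 600. The function names and the --host switch are this example's own; the sample ss output is constructed.

```bash
#!/usr/bin/env bash
# Added example (not part of the original SOP): audit two of its hardening points.

# exposed_listeners PORT
# Reads `ss -lnt` output on stdin and prints each local address that listens on
# PORT and is not loopback. Java often reports a 127.0.0.1 bind in IPv4-mapped
# form, [::ffff:127.0.0.1], so that form is treated as loopback too.
exposed_listeners() {
    awk -v port="$1" '
        $1 == "LISTEN" {
            addr = $4                              # "Local Address:Port" column
            n = split(addr, parts, ":")
            if (parts[n] != port) next             # port follows the last colon
            host = substr(addr, 1, length(addr) - length(parts[n]) - 1)
            if (host ~ /^(\[::ffff:)?127\./ || host == "[::1]") next
            print addr                             # wildcard or routable bind
        }'
}

# env_file_private FILE
# Succeeds only when FILE exists with mode 600 (step 5 of the SOP); the file
# holds the database password and MB_ENCRYPTION_SECRET_KEY.
env_file_private() {
    [ "$(stat -c '%a' "$1" 2>/dev/null)" = "600" ]
}

# Constructed sample of `ss -lnt` output, not captured from a real host.
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port      Peer Address:Port
LISTEN 0      511    0.0.0.0:80              0.0.0.0:*
LISTEN 0      50     [::ffff:127.0.0.1]:3000 *:*
LISTEN 0      50     *:3000                  *:*'

if [ "${1:-}" = "--host" ]; then
    # Real check on the server itself.
    ss -lnt | exposed_listeners 3000
    env_file_private /etc/metabase.env || echo "/etc/metabase.env is not mode 600"
else
    # Offline demo on the sample: prints *:3000
    printf '%s\n' "$SAMPLE_SS" | exposed_listeners 3000
fi
```

Any address printed for port 3000 means Metabase is reachable without going through Nginx; recheck MB_JETTY_HOST in /etc/metabase.env.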
========================================================
END OF SOP
========================================================