Introduction
In this tutorial, you will learn how to install and configure Supabase on Ubuntu 20.04. You will also learn how to secure your Supabase instance with secure secrets and a reverse proxy.
Supabase is a Firebase alternative that offers a PostgreSQL database, user authentication, storage, and a real-time API through a web interface. Supabase also has open-source API libraries that allow for easy interaction with other applications.
Prerequisites
Before you begin, you should:
- Deploy an Ubuntu 20.04 server with at least 2 GB of RAM.
- Create a non-root user with sudo privileges.
- Log in to your server as a non-root user.
- Ensure the server is fully updated.
- Open port 433 on your Rcs firewall or your ufw (if applicable).
You will also need a domain name that points to your server. This is because the SSL certificate generator Certbot/Let's Encrypt) does not offer SSL certificates for IP addresses. You will need to create a domain name that points to your server. It is also possible to use HTTP instead, but this is not recommended.
Installation
Nginx, Certbot, and Git
Install Nginx and Git.
$ sudo apt install nginx git
Uninstall any old versions of Certbot and Docker.
$ sudo apt remove certbot docker docker.io containerd runc
Update the snap installer.
$ sudo snap install core; sudo snap refresh core
Install Certbot using
snap
.$ sudo snap install --classic certbot
Run Certbot and follow the prompts to enter your domain name and redirect all traffic to HTTPS.
$ sudo certbot certonly --standalone
Take note of your certificate and private key paths when provided. It will be different depending on the domain used.
Certificate Path: /etc/letsencrypt/live/example.com/fullchain.pem Private Key Path: /etc/letsencrypt/live/example.com/privkey.pem
If you used a different SSL provider, ensure the certificate and private key files are stored somewhere on your system and that you know the full file path to them.
Docker
Install Docker using
snap
.$ sudo snap install docker
Clone the Supabase repository.
$ git clone --depth 1 https://github.com/supabase/supabase.git
Open the
docker
folder.$ cd supabase/docker
Copy the
.env.example
file to.env
.$ cp .env.example .env
Open the
.env
file in your text editor.$ nano .env
Open a strong password generator like Bitwarden in your browser, and generate a new password. It should contain more than 25 characters.
https://bitwarden.com/password-generator/
Replace the
POSTGRES_PASSWORD
value in the.env
file with the password you generated.POSTGRES_PASSWORD=<password>
Generate another password with more than 32 characters and no special characters. Replace the
JWT_SECRET
value in the.env
file with the newly generated password.JWT_SECRET=<new password>
Use your
JWT_SECRET
to generate anANON_KEY
on the Supabase website. Copy and paste yourJWT_SECRET
, switch the Preconfigured Payload type toANON_KEY
, press Generate JWT, and copy the Generated Token result into theANON_KEY
value in the.env
file.https://supabase.com/docs/guides/hosting/overview#api-keys ANON_KEY=<generated key>
Do the same for the
SERVICE_KEY
value while using the sameJWT_SECRET
. Paste it as theSERVICE_ROLE_KEY
value in the.env
file.SERVICE_ROLE_KEY=<generated key>
Close your text editor and save your changes by using Control + X, then Y, followed by Enter.
Navigate to the
volumes/api
folder and openkong.yml
in your text editor.$ cd volumes/api $ nano kong.yml
Under
consumers
, replace theanon
user'skey
with theANON_KEY
value from the.env
file.consumers: - username: anon keyauth_credentials: - key: [anon key]
Replace the
service_role
user'skey
with theSERVICE_ROLE_KEY
value from the.env
file.consumers: - username: anon keyauth_credentials: - key: [anon key] - username: service_role keyauth_credentials: - key: [service_role key]
Close your text editor again by using Control + X, then Y, followed by Enter.
Run Supabase by using
docker-compose
in detached mode. This may take 10-15 minutes.$ sudo docker-compose up -d
Check that Supabase is running by using
docker
. The status should beUp
.$ sudo docker ps STATUS Up x seconds/minutes
You have now successfully installed Supabase and have obtained a signed SSL certificate.
Securing Supabase with an Nginx Reverse Proxy
You can now use your SSL certificate and Nginx to secure your Supabase installation. Make sure to replace example.com
with your chosen domain name or IP address.
Remove the Nginx default configuration file.
$ sudo rm /etc/nginx/sites-enabled/default
Create and open the new configuration file in Nginx's
sites-available
directory in your text editor.$ sudo nano /etc/nginx/sites-available/supabase
Paste the following into the file and replace
example.com
with your domain name or IP address. Ensure that thessl_certificate
andssl_certificate_key
lines point to your SSL certificate.upstream supabase { server localhost:3000; } server { listen 443 ssl http2; server_name example.com; gzip on; ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem; ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem; ssl_session_cache builtin:1000 shared:SSL:10m; ssl_session_cache shared:MySSL:10m; ssl_protocols TLSv1 TLSv1.1 TLSv1.2; ssl_ciphers HIGH:!aNULL:!eNULL:!EXPORT:!CAMELLIA:!DES:!MD5:!PSK:!RC4; ssl_prefer_server_ciphers on; # REST API location ~ ^/rest/v1/(.*)$ { proxy_set_header Host $host; proxy_pass http://kong:8000; proxy_redirect off; } # Authentication location ~ ^/auth/v1/(.*)$ { proxy_set_header Host $host; proxy_pass http://kong:8000; proxy_redirect off; } # Realtime location ~ ^/realtime/v1/(.*)$ { proxy_redirect off; proxy_pass http://kong:8000; proxy_http_version 1.1; proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection $connection_upgrade; proxy_set_header Host $host; } }
This Nginx configuration will serve Supabase on port 443, and will use the SSL certificate and private key you generated earlier. It will also point the
/rest/v1/
,/auth/v1/
and/realtime/v1/
routes to the Kong API server.Exit your text editor and save changes by pressing Control + X, then Y, followed by Enter.
Create a link to the new configuration file in Nginx's
sites-enabled
directory.$ sudo ln -s /etc/nginx/sites-available/supabase /etc/nginx/sites-enabled/supabase.conf
Test the configuration file. If the test is successful, you will see the
syntax is ok
, and thetest is successful
messages.$ sudo nginx -t nginx: the configuration file /etc/nginx/nginx.conf syntax is ok nginx: configuration file /etc/nginx/nginx.conf test is successful
Reload Nginx to apply your changes.
$ sudo /etc/init.d/nginx reload
Finishing Steps
You should now navigate to your Supabase installation.
https://example.com
From there you can configure your database, authentication, and file storage.
Congratulations, you have successfully installed Supabase and secured it using an SSL certificate and an Nginx reverse proxy.