Fixed https://gist.github.com/arikfr/64c9ff8d2f2b703d4e44fe9e45a7730e

1. Connect to your Redash EC2 instance (use `ubuntu` as the username, rather than the `root` proposed by AWS):
```
ssh -i ~/Downloads/your-ec2-cert.pem ubuntu@YOU.R.IP.HERE.eu-west-1.compute.amazonaws.com
```
2. `sudo su`
3. `mkdir /opt/redash/nginx`
4. `mkdir /opt/redash/nginx/certs`
5. `mkdir /opt/redash/nginx/certs-data`
6. `nano /opt/redash/nginx/nginx.conf`, put this in there (replace your hostname):
```
upstream redash {
    server redash:5000;
}

server {
    listen 80;
    listen [::]:80;

    server_name example.redashapp.com;

    location ^~ /ping {
        proxy_set_header Host $http_host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $http_x_forwarded_proto;

        proxy_pass http://redash;
    }

    # Everything else is redirected to HTTPS
    location / {
        rewrite ^ https://$host$request_uri? permanent;
    }

    # Webroot used by certbot for the ACME HTTP challenge
    location ^~ /.well-known {
        allow all;
        root /data/letsencrypt/;
    }
}
```
7. `nano /opt/redash/docker-compose.yml`, edit the `nginx` section to look like this (most likely, you'll need to add port 443 and `volumes`):
```
  nginx:
    image: nginx:latest
    ports:
      - "80:80"
      - "443:443"
    depends_on:
      - server
    links:
      - server:redash
    volumes:
      - /opt/redash/nginx/nginx.conf:/etc/nginx/conf.d/default.conf
      - /opt/redash/nginx/certs:/etc/letsencrypt
      - /opt/redash/nginx/certs-data:/data/letsencrypt
    restart: always
```
8. `cd /opt/redash/`
9. `docker-compose up -d`
10. Generate certificates (put your domain instead of example.redashapp.com):
```
docker run -it --rm \
    -v /opt/redash/nginx/certs:/etc/letsencrypt \
    -v /opt/redash/nginx/certs-data:/data/letsencrypt \
    deliverous/certbot certonly \
    --webroot --webroot-path=/data/letsencrypt \
    -d example.redashapp.com
```
You should see something like this, but with your domain name:
```
Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/example.redashapp.com/fullchain.pem
```
11. Time to change the nginx config once again: `nano /opt/redash/nginx/nginx.conf`, *add* this section (replace your hostname at `server_name` and in the three occurrences in the `ssl_` options):
```
server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;

    server_name example.redashapp.com;

    add_header Strict-Transport-Security "max-age=31536000" always;

    ssl_session_cache shared:SSL:20m;
    ssl_session_timeout 10m;

    # TLS 1.0 and 1.1 are deprecated (RFC 8996); only TLS 1.2 and 1.3 are offered
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers on;
    ssl_ciphers "ECDH+AESGCM:ECDH+AES256:ECDH+AES128:!ADH:!AECDH:!MD5";

    ssl_stapling on;
    ssl_stapling_verify on;
    resolver 8.8.8.8 8.8.4.4;

    ssl_certificate /etc/letsencrypt/live/example.redashapp.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.redashapp.com/privkey.pem;
    ssl_trusted_certificate /etc/letsencrypt/live/example.redashapp.com/chain.pem;

    access_log /dev/stdout;
    error_log /dev/stderr info;

    # other configs

    location / {
        proxy_set_header Host $http_host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        # nginx terminates TLS here, so report the real scheme
        # instead of echoing a client-supplied header
        proxy_set_header X-Forwarded-Proto $scheme;

        proxy_pass http://redash;
    }
}
```
12. `docker-compose restart nginx`
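
A quick consistency check to run on the finished `nginx.conf` before the restart in step 12, as an added example that is not part of the original gist: it verifies that `server_name` and the three `ssl_` paths all name the same host, that the HSTS header is set, and that no protocol older than TLS 1.2 is enabled. The function name `check_redash_nginx` and the sample hostname `redash.example.org` are hypothetical; the check is line-based and assumes one directive per line.

```shell
#!/bin/sh
# Added example: line-based sanity check for the nginx.conf built in steps 6 and 11.
# check_redash_nginx is a hypothetical helper name, not part of Redash or nginx.
# Assumes one directive per line and no '#' inside quoted values.
check_redash_nginx() {  # $1 = path to nginx.conf, $2 = expected hostname
    awk -v host="$2" '
        function bad(msg) { print "FAIL: " msg; n++ }
        { sub(/#.*/, ""); gsub(/;/, " ") }   # strip comments and semicolons
        $1 == "server_name" {
            for (i = 2; i <= NF; i++)
                if ($i != host) bad("server_name is " $i ", expected " host)
        }
        $1 ~ /^ssl_(certificate|certificate_key|trusted_certificate)$/ {
            certs++
            if (index($2, "/live/" host "/") == 0)
                bad($1 " does not point at " host ": " $2)
        }
        $1 == "ssl_protocols" {
            for (i = 2; i <= NF; i++)
                if ($i != "TLSv1.2" && $i != "TLSv1.3")
                    bad("protocol older than TLS 1.2 enabled: " $i)
        }
        $1 == "add_header" && $2 == "Strict-Transport-Security" { hsts = 1 }
        END {
            if (certs != 3) bad("expected 3 ssl_ certificate paths, found " (certs + 0))
            if (!hsts) bad("Strict-Transport-Security header is missing")
            exit (n > 0)
        }
    ' "$1"
}

# Constructed sample: an HTTPS server block with one hostname left unreplaced.
sample=$(mktemp)
cat > "$sample" <<'EOF'
server {
    listen 443 ssl http2;
    server_name redash.example.org;
    add_header Strict-Transport-Security "max-age=31536000" always;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_certificate /etc/letsencrypt/live/redash.example.org/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/redash.example.org/privkey.pem;
    ssl_trusted_certificate /etc/letsencrypt/live/example.redashapp.com/chain.pem;
}
EOF
check_redash_nginx "$sample" redash.example.org || echo "fix the config before step 12"
rm -f "$sample"
```

On the real host, call it as `check_redash_nginx /opt/redash/nginx/nginx.conf your.hostname`; it returns non-zero and prints one `FAIL:` line per problem.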