Coolify

Coolify is an open-source and self-hostable platform that lets you deploy any service, in any language, to any server. It offers features like Git integration, SSL certificates, webhooks, API, terminal, collaboration, and more.

Pre-setup

Coolify runs as the root user, so we have to add our SSH key to that account. This assumes Ubuntu Server is already installed on the machine and SSH is configured as described here: Ubuntu Server Install and Setup

Set the root user's password.

sudo passwd

Switch to the root user

su root

Add your SSH public key to root's authorized_keys so you can connect as root (the absolute path is used because `su root` without `-` keeps the previous working directory)

nano /root/.ssh/authorized_keys

Apply the changes by reloading the SSH server

sudo systemctl reload ssh

Install Coolify

You can follow the official documentation here: Coolify - Installation

  1. Connect to root with SSH.
  2. Run the Coolify installation script with this command:
  curl -fsSL https://cdn.coollabs.io/coolify/install.sh | sudo bash
  3. After installation, the script will display your Coolify URL (e.g., http://203.0.113.1:8000). Visit this URL and you'll be redirected to a registration page to create your first admin account.
  4. If Coolify can't reach your server, add the public key found under Keys & Tokens > localhost's key to the root user's .ssh/authorized_keys.

Settings

  • Instance Timezone: America/Toronto
  • Instance's domain: <your_coolify_domain> (e.g., https://coolify.example.com)

Servers > localhost

  • Wildcard Domain: <your_wildcard_domain> (e.g., https://example.com)
  • Server Timezone: America/Toronto
  • Start Sentinel for basic metrics

Backup

To restore a backup, you can follow the Coolify guide here: Backup and Restore Your Coolify Instance

  • You can back up your instance locally or to an S3 bucket here: Settings > Backup

  • Keep a copy of the .env file found in /data/coolify/source/; it is needed to decrypt your data during restoration.

Access

  • You can add OAuth here: Settings > OAuth
  • You can create teams and add users to your instance in Teams

Proxy config

Traefik configuration for HTTPS only, using an origin certificate (see Coolify - full tls). Port 80 is not published, so only the https entrypoint is reachable from outside the container.

name: coolify-proxy
networks:
  coolify:
    external: true
services:
  traefik:
    container_name: coolify-proxy
    image: 'traefik:v3.1'
    restart: unless-stopped
    extra_hosts:
      - 'host.docker.internal:host-gateway'
    networks:
      - coolify
    ports:
      #- '80:80'
      - '443:443'
      #- '443:443/udp'
      #- '8080:8080'
    healthcheck:
      test: 'wget -qO- http://localhost:80/ping || exit 1'
      interval: 4s
      timeout: 2s
      retries: 5
    volumes:
      - '/var/run/docker.sock:/var/run/docker.sock:ro'
      - '/data/coolify/proxy:/traefik'
    command:
      - '--ping=true'
      - '--ping.entrypoint=http'
      - '--api.dashboard=true'
      - '--entrypoints.http.address=:80'
      - '--entrypoints.https.address=:443'
      - '--entrypoints.http.http.encodequerysemicolons=true'
      - '--entryPoints.http.http2.maxConcurrentStreams=250'
      - '--entrypoints.https.http.encodequerysemicolons=true'
      - '--entryPoints.https.http2.maxConcurrentStreams=250'
      - '--entrypoints.https.http3'
      - '--providers.file.directory=/traefik/dynamic/'
      - '--providers.file.watch=true'
      - '--certificatesresolvers.letsencrypt.acme.httpchallenge=false' # use origin cert
      #- '--certificatesresolvers.letsencrypt.acme.httpchallenge.entrypoint=http'
      #- '--certificatesresolvers.letsencrypt.acme.storage=/traefik/acme.json'
      #- '--api.insecure=false'
      - '--providers.docker=true'
      - '--providers.docker.exposedbydefault=false'
    labels:
      - traefik.enable=true
      - traefik.http.routers.traefik.entrypoints=https
      - traefik.http.routers.traefik.service=api@internal
      - traefik.http.services.traefik.loadbalancer.server.port=8080
      - coolify.managed=true
      - coolify.proxy=true

Proxy dynamic configs

Forward Auth configuration with Authentik and Traefik (not working through HTTPS only).

  • authentik-auth.yaml

    # middlewares live under the top-level "http" section of a Traefik dynamic file;
    # any other top-level key (such as "https") is ignored and the middleware never exists
    http:
      middlewares:
        authentik-auth:
          forwardAuth:
            address: 'http://authentik.<domain>.com/outpost.goauthentik.io/auth/traefik'
            trustForwardHeader: true
            authResponseHeaders:
              - X-authentik-username
              - X-authentik-groups
              - X-authentik-entitlements
              - X-authentik-email
              - X-authentik-name
              - X-authentik-uid
              - X-authentik-jwt
              - X-authentik-meta-jwks
              - X-authentik-meta-outpost
              - X-authentik-meta-provider
              - X-authentik-meta-app
              - X-authentik-meta-version


Configuration to use origin certificates. You will need to copy <domain>.cert and <domain>.key to the folder /data/coolify/proxy/certs/ on your server (mounted as /traefik/certs/ inside the proxy container).

  • cloudflare-origin-certs.yaml

    tls:
      certificates:
        - certFile: /traefik/certs/<domain>.cert
          keyFile: /traefik/certs/<domain>.key


Proxy TLS configuration

  • tls-config.yaml

    tls:
      options:
        default:
          # TLS 1.0 and 1.1 are deprecated (RFC 8996); VersionTLS12 is the usual minimum
          minVersion: VersionTLS11
          # reject connections whose SNI does not match a loaded certificate
          sniStrict: true
          curvePreferences:
            - CurveP256
            - CurveP384
            - CurveP521
          # this list applies to TLS 1.2 only; TLS 1.3 cipher suites are not configurable in Traefik
          cipherSuites:
            - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
            - TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
            - TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
            - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
            - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
            - TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305

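As an added check, not part of the original post or of Coolify, here is a small POSIX shell lint for the three dynamic config files above: it flags a top-level section Traefik ignores (for example `https:` instead of `http:`), a `minVersion` below TLS 1.2, and `certFile`/`keyFile` paths that do not exist on the host. It assumes the files live under /data/coolify/proxy/dynamic and that /data/coolify/proxy is the host side of the /traefik mount from the compose file.

```shell
#!/bin/sh
# Added lint for the Traefik dynamic config files (authentik-auth.yaml,
# cloudflare-origin-certs.yaml, tls-config.yaml); not part of the original post.
# Assumes host dir /data/coolify/proxy is mounted as /traefik in the proxy container.

# Only http, tcp, udp and tls are valid top-level sections of a dynamic file;
# anything else (e.g. "https:") is silently ignored and the middleware never exists.
check_top_keys() {
  bad=0
  for key in $(grep -E '^[A-Za-z]+:' "$1" | sed 's/:.*//'); do
    case "$key" in
      http|tcp|udp|tls) ;;
      *) echo "$1: unknown top-level section '$key' (expected http, tcp, udp or tls)"; bad=1 ;;
    esac
  done
  return $bad
}

# TLS 1.0 and 1.1 are deprecated (RFC 8996); flag a minVersion below TLS 1.2.
check_min_version() {
  if grep -Eq 'minVersion:[[:space:]]*VersionTLS1[01]' "$1"; then
    echo "$1: minVersion below TLS 1.2, use VersionTLS12 or VersionTLS13"
    return 1
  fi
  return 0
}

# Every certFile/keyFile is a container path; map it to the host mount ($2)
# and make sure the file is really there, otherwise the origin cert cannot be served.
check_cert_files() {
  bad=0
  for p in $(grep -E '(certFile|keyFile):' "$1" | sed 's/.*:[[:space:]]*//'); do
    host="$2${p#/traefik}"
    [ -f "$host" ] || { echo "$1: $p -> $host not found on host"; bad=1; }
  done
  return $bad
}

# lint_dir DYNAMIC_DIR [HOST_PROXY_DIR]: run all checks over every *.yaml file.
lint_dir() {
  rc=0
  for f in "$1"/*.yaml; do
    check_top_keys "$f" || rc=1
    check_min_version "$f" || rc=1
    check_cert_files "$f" "${2:-/data/coolify/proxy}" || rc=1
  done
  return $rc
}
```

Run it as `lint_dir /data/coolify/proxy/dynamic` on the server after editing the files; a non-zero exit means at least one of the three problems was found.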
This post is licensed under CC BY 4.0 by the author.