Self Hosting

Businesses and technical users may want more control over where their data is hosted, so we made it easy to self-host your own server.

All data is end-to-end encrypted, so only the account holder can access secrets using the primary password. If you are self-hosting, however, you are responsible for configuring TLS to protect the data in transit.

After installing the command line tools, create a folder to store account data, initialize the config file and start the server.

By default the server listens on all interfaces on port 5053; use the --bind option to change the bind address.

Configuration

Servers are permissionless, which means no sign-up is required to create an account; you are therefore responsible for protecting access to the server. Use the access control configuration to restrict which accounts can connect.

Transport Layer Security

Whilst the account data is secured using end-to-end encryption, protecting the server communication with SSL/TLS helps to prevent MitM and replay attacks; we strongly recommend enabling SSL/TLS using either Let's Encrypt or a certificate you own.

Let's Encrypt ACME

We make it easy to secure your self-hosted server with support for the Let's Encrypt ACME protocol. The validation mechanism used is tls-alpn-01, which allows serving ACME challenge responses and regular TLS traffic on the same port; this means your server must be running on the standard SSL port 443.

An example configuration for Let's Encrypt:

[storage]
path = "./accounts"

[net]
bind = "0.0.0.0:443"

[net.ssl.acme]
cache = "acme-cache"
domains = ["acme.example.com"]
email = ["[email protected]"]
production = true

Make sure you change the email address and domain name, and ensure the acme-cache folder exists. The DNS record for the domain name must resolve to a public IP address so that the ACME protocol can verify ownership of the domain.

Once the certificate has been issued you should see output like this in the server logs:

INFO sos_server::server: acme result=AccountCacheStore
INFO sos_server::server: acme result=DeployedNewCert
INFO sos_server::server: acme result=CertCacheStore

If the production flag is not set, you will get an error when attempting to connect to the server, because a staging certificate, which clients do not trust, will have been issued instead.

Once all the required changes have been made, check the connection, for example with curl:

curl -vL https://acme.example.com

Certificate

If you already have a certificate for the domain name hosting your server, you can configure the server to use it in the tls section:

[net.ssl.tls]
cert = "cert.pem"
key = "key.pem"

Access Control

The configuration supports access control with deny and allow sections that control which accounts are allowed to connect.

To restrict access to certain account addresses use an allow list:

[access]
allow = [
  "0x3ebe1c7c8e56a1e9b813073e30caf1a0cd8e7634"
]

Only the specific addresses listed are allowed to connect to the server. Alternatively, it is possible to explicitly deny certain account addresses:

[access]
deny = [
  "0x7ebe1c7c89e56a1e9b813073e30caf1a0cd8e5541"
]