Deployment Guide
How to deploy CodeRaft in production with HTTPS, domain configuration, and network hardening.
Deployment modes
Localhost (Development)
Access via http://localhost:3000. No TLS required. Suitable for evaluation and testing. All services communicate over the Docker internal network without encryption.
Domain (Production)
Access via https://your-domain.com. TLS termination at nginx with Let's Encrypt (auto) or custom certificate. Required for production — all credentials and tokens transit over HTTPS.
Production deployment
- Install the platform
  Linux / macOS:
  curl -fsSL https://install.coderaft.io | bash
  Windows (PowerShell as Administrator):
  irm https://install.coderaft.io/win | iex
- Activate your licence in the Setup Wizard at http://localhost:3000
- Create admin account — set your name, email and a strong password (min. 8 characters)
- Configure network in the Setup Wizard "Network & Access" step:
  - Select "Domain" mode
  - Enter your domain (e.g., security.company.com)
  - Choose TLS mode:
    - Let's Encrypt — automatic certificate issuance and renewal (requires public DNS + port 80)
    - Custom certificate — upload your own fullchain.pem and privkey.pem directly in the wizard
    - None — localhost development only (not recommended for production)
- DNS configuration — point your domain to the server's IP address (A record or CNAME)
- Firewall — open ports 80 (HTTP → HTTPS redirect) and 443 (HTTPS)
TLS / HTTPS
TLS is handled by the nginx reverse proxy container. Internal services communicate over plain HTTP within the isolated Docker network. All external traffic must use HTTPS in production.
Let's Encrypt (recommended)
The dashboard automatically obtains and renews certificates using certbot. This is configured during the Setup Wizard.
- Domain must resolve to the server (public DNS A/CNAME record)
- Port 80 must be accessible from the internet (HTTP-01 ACME challenge)
- Certificates auto-renew 30 days before expiration via a scheduled task
- Certificate files are stored in the /data/certs/ Docker volume
Custom certificate
For internal CAs, purchased certificates, or wildcard certs. You can import them in two ways:
Option 1: Via the Setup Wizard (recommended)
In the "Network & Access" step, select "Custom certificate" and upload your PEM files directly through the web interface. The wizard validates the certificate chain and key pair before applying.
Option 2: Manual file placement
Copy your certificate files to the data volume:
# Linux / macOS
cp fullchain.pem /data/coderaft/certs/fullchain.pem
cp privkey.pem /data/coderaft/certs/privkey.pem
chmod 600 /data/coderaft/certs/privkey.pem
# Windows (PowerShell)
Copy-Item fullchain.pem C:\coderaft\certs\fullchain.pem
Copy-Item privkey.pem C:\coderaft\certs\privkey.pem
Then restart the nginx container:
docker compose restart nginx
Certificate requirements
- fullchain.pem — full certificate chain (server cert + intermediate CAs), PEM format
- privkey.pem — RSA or ECDSA private key, PEM format, unencrypted
- Key size: RSA 2048+ or ECDSA P-256/P-384
- The certificate must match the configured domain name
- For wildcard certificates (*.company.com), the domain in the wizard must be a subdomain of the wildcard
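A pre-flight check for the certificate requirements above, added here as an example (it is not CodeRaft's code and not the wizard's own validation). Function names are this example's own; it assumes the openssl CLI is installed and applies the standard one-label wildcard rule when matching the certificate's DNS names against the domain.

```shell
# Added example, not CodeRaft's code; names are this example's own; needs the openssl CLI.

# The page requires an unencrypted key, so a passphrase-protected one is rejected.
key_is_encrypted() { grep -Eq 'BEGIN ENCRYPTED PRIVATE KEY|Proc-Type: 4,ENCRYPTED' "$1"; }

# Standard wildcard rule: "*" stands for exactly one left-most label, so
# *.company.com covers a.company.com but not company.com or a.b.company.com.
wildcard_covers() (
  pattern=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
  host=$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')
  case $pattern in
    '*.'*) suffix=${pattern#\*} ;;                 # e.g. ".company.com"
    *) [ "$pattern" = "$host" ]; return ;;         # no wildcard: exact match
  esac
  case $host in *"$suffix") label=${host%"$suffix"} ;; *) return 1 ;; esac
  case $label in ''|*.*) return 1 ;; esac
)

# Reads "openssl x509 -text" output on stdin; true if a DNS SAN covers domain $1.
san_covers() (
  set -f                                           # keep "*" in a SAN from globbing
  for san in $(tr ', ' '\n\n' | sed -n 's/^DNS://p'); do
    wildcard_covers "$san" "$1" && return 0
  done
  return 1
)

# The leaf certificate (first in fullchain.pem) must carry the key's public half.
pair_matches() (
  cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
  key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
  [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
)

# preflight FULLCHAIN PRIVKEY DOMAIN: report every requirement that is not met.
preflight() (
  rc=0; fail() { echo "FAIL: $1" >&2; rc=1; }
  text=$(openssl x509 -in "$1" -noout -text) || fail "cannot parse $1"
  key_is_encrypted "$2" && fail "private key is encrypted"
  pair_matches "$1" "$2" || fail "certificate and key do not match"
  [ "$(grep -c 'BEGIN CERTIFICATE' "$1")" -ge 2 ] || fail "no intermediate CA in chain file"
  bits=$(printf '%s\n' "$text" | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p')
  [ "$bits" = 256 ] || [ "$bits" = 384 ] || [ "${bits:-0}" -ge 2048 ] \
    || fail "key is not RSA 2048+ or ECDSA P-256/P-384"
  printf '%s\n' "$text" | san_covers "$3" || fail "no DNS SAN covers $3"  # CN-only certs fail
  return "$rc"
)

if [ "$#" -eq 3 ]; then preflight "$@"; exit; fi
```

Saved under any file name, it runs as: sh preflight.sh fullchain.pem privkey.pem security.company.com, before the files are copied into the certs directory.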
Nginx configuration
The platform manages nginx automatically. For reference, the generated configuration uses:
server {
    listen 443 ssl http2;
    server_name security.company.com;
    ssl_certificate /etc/nginx/certs/fullchain.pem;
    ssl_certificate_key /etc/nginx/certs/privkey.pem;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers HIGH:!aNULL:!MD5;
    # Security headers
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
    add_header X-Content-Type-Options nosniff always;
    add_header X-Frame-Options SAMEORIGIN always;
    add_header Referrer-Policy strict-origin-when-cross-origin always;
    location / {
        proxy_pass http://dashboard:3001;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_read_timeout 300s;
    }
}
server {
    listen 80;
    server_name security.company.com;
    return 301 https://$host$request_uri;
}
You should not need to edit this manually. The dashboard generates it from your network configuration.
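A check of a live response against the headers and the port-80 redirect in the configuration above, added here as an example (not CodeRaft's code). Function names are this example's own, and the functions expect raw response headers such as curl -sI prints.

```shell
# Added example, not CodeRaft's code; names are this example's own.
# Input on stdin is a raw response header block, e.g. from: curl -sI URL

# Print, sorted, each security header from the config that is absent or weaker.
missing_headers() {
  tr -d '\r' | awk '
    { i = index($0, ":"); if (!i) next            # skip status and blank lines
      v = tolower(substr($0, i + 1)); gsub(/^[ \t]+|[ \t]+$/, "", v)
      h[tolower(substr($0, 1, i - 1))] = v }
    END {
      want["x-content-type-options"] = "nosniff"
      want["x-frame-options"] = "sameorigin"
      want["referrer-policy"] = "strict-origin-when-cross-origin"
      for (k in want) if (h[k] != want[k]) print k
      hsts = h["strict-transport-security"]; age = hsts
      sub(/.*max-age=/, "", age)                  # numeric prefix is the lifetime
      if (hsts !~ /max-age=[0-9]/ || age + 0 < 31536000 || hsts !~ /includesubdomains/)
        print "strict-transport-security"
    }' | sort
}

# True if the response is a 301 whose Location is an https URL (the port-80 server block).
is_https_redirect() {
  tr -d '\r' | awk '
    NR == 1 && $2 == "301" { code = 1 }
    tolower($1) == "location:" && $2 ~ /^https:\/\// { loc = 1 }
    END { exit !(code && loc) }'
}

# Stand-alone use: pass the domain as the only argument (needs curl and network access).
if [ "$#" -eq 1 ]; then
  curl -sI "http://$1/" | is_https_redirect || echo "port 80 does not redirect to HTTPS"
  curl -sI "https://$1/" | missing_headers
fi
```

Check more than one path: nginx does not inherit server-level add_header directives into a location block that declares its own add_header.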
Architecture
         Client (browser)
                 │
                 ▼
      ┌─────────────────────┐
      │  nginx (TLS term.)  │  :443 / :3000
      │  + static frontend  │
      └──────────┬──────────┘
                 │  HTTP (internal Docker network)
     ┌───────────┼───────────┬───────────┐
     ▼           ▼           ▼           ▼
 dashboard  entraguard   ravenscan    redfox
               -api        -api        -api
   :3001       :8000       :8080       :8082
     │           │           │           │
     └───────────┴───────────┴───────────┘
                       │
           ┌───────────┼───────────┐
           ▼           ▼           ▼
       postgres      redis       neo4j
Data persistence
All data is stored in Docker volumes. Volumes persist across container restarts and updates.
- postgres_data — all database data (audits, findings, sessions, configs)
- dashboard_data — licence cache, network configuration
- neo4j_data — attack graph data (EntraGuard)
Updates
Re-run the installer to update to the latest version. All data (configs, audits, scans, sessions) is stored in Docker volumes and persists through updates.
Linux / macOS:
curl -fsSL https://install.coderaft.io | bash
Windows (PowerShell as Administrator):
irm https://install.coderaft.io/win | iex
Update behaviour
- Hotfix (patch version, e.g., 1.2.3 → 1.2.4) — containers are updated in-place. You are redirected to the dashboard immediately. No re-login required.
- Minor update (e.g., 1.2.x → 1.3.0) — may include database migrations. You are asked to re-login to verify your licence. Data persists.
- Major update (e.g., 1.x → 2.0) — re-login required. Read the release notes for breaking changes before updating.
postgres_data, neo4j_data, dashboard_data). These volumes are never deleted by the installer or update process. Licences are valid for a minimum of 1 year.
Support
For deployment assistance, contact [email protected]. Enterprise customers receive priority support with dedicated onboarding.