Production Setup
Security Checklist
Before exposing Relayly to the internet, complete this checklist:
- Run behind TLS (Caddy or nginx, see below)
- Bind admin UI to 127.0.0.1 (the default)
- Mount /data as a persistent Docker volume
- Back up /data/relayly.db and /data/server.noise.key
- Set log.level: warn in production to reduce noise
Caddy (Recommended)
Caddy handles automatic TLS via Let’s Encrypt:
relay.yourdomain.com {
    reverse_proxy localhost:8080
}
WebSocket connections are automatically proxied; no special configuration is needed.
nginx
server {
    listen 443 ssl;
    server_name relay.yourdomain.com;
    ssl_certificate /etc/letsencrypt/live/relay.yourdomain.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/relay.yourdomain.com/privkey.pem;
    location / {
        proxy_pass http://localhost:8080;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
    }
}
Firewall Rules
# Allow WebSocket relay port from anywhere
ufw allow 8080/tcp
# Admin UI: NEVER expose publicly, access via SSH tunnel only
# ssh -L 8081:localhost:8081 user@your-server
Monitoring
# Check relay status
./relayly status
# JSON output for monitoring scripts
./relayly status --format=json
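An added check for the admin UI rules above (bind to 127.0.0.1, never expose publicly), not part of Relayly itself: it reads ss -Hltn output and reports any non-loopback listener on a given port. The admin port 8081 is assumed from the SSH tunnel example, and the socket listings are constructed samples.

```shell
#!/bin/sh
# Added example, not shipped with Relayly.
# Assumption: the admin UI listens on 8081 (taken from the SSH tunnel example).

# audit_listeners PORT
# Reads `ss -Hltn` output on stdin (columns: State Recv-Q Send-Q Local Peer),
# prints every non-loopback local address listening on PORT,
# and returns 1 if at least one was found, 0 otherwise.
audit_listeners() {
    awk -v port="$1" '
        {
            addr = $4
            n = split(addr, parts, ":")
            if (parts[n] != port) next          # different port, ignore
            # Everything before the final ":PORT" is the bind address.
            host = substr(addr, 1, length(addr) - length(parts[n]) - 1)
            sub(/%.*$/, "", host)               # drop interface scope (%eth0)
            if (host ~ /^127\./ || host == "[::1]") next   # loopback is fine
            print addr                          # wildcard or routable address
            exposed = 1
        }
        END { exit (exposed ? 1 : 0) }
    '
}

# Constructed sample: relay on all interfaces, admin UI on loopback only.
SAMPLE_OK='LISTEN 0 4096 0.0.0.0:8080 0.0.0.0:*
LISTEN 0 4096 127.0.0.1:8081 0.0.0.0:*
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*'

# Constructed sample: admin UI misconfigured onto every interface.
SAMPLE_BAD='LISTEN 0 4096 0.0.0.0:8080 0.0.0.0:*
LISTEN 0 4096 *:8081 *:*
LISTEN 0 4096 [::]:8081 [::]:*'

# Offline demo on the constructed samples.
printf '%s\n' "$SAMPLE_OK" | audit_listeners 8081 \
    && echo "sample 1: admin UI is loopback-only"
printf '%s\n' "$SAMPLE_BAD" | audit_listeners 8081 >/dev/null \
    || echo "sample 2: admin UI is listening beyond loopback"

# On a live host:
#   ss -Hltn | audit_listeners 8081 || echo "ALERT: admin UI exposed"
```

An IPv4-mapped loopback address such as [::ffff:127.0.0.1] is reported as exposed; the check errs on the side of alerting.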