Install ALTCHA Sentinel

ALTCHA Sentinel is a self-hosted application distributed as an OCI-compatible container image. It can be deployed on any container runtime that supports the Open Container Initiative (OCI) standard, including platforms like Docker, AWS ECS or Azure App Service.

The default configuration is optimized for quick, production-ready deployments that are secure and require no external databases or services. For users seeking compliance and minimal technical overhead, deployment to Azure App Service is recommended.

What’s included?

The official container image of ALTCHA Sentinel includes everything you need to start using Sentinel with all its features without external services or databases:

• Sentinel server
• Sentinel front-end application
• SQLite-backed primary database
• Redis-compatible database with persistency
• Machine learning engine for advanced classification

Technical Requirements

To install ALTCHA Sentinel on your infrastructure, ensure you have the following:

• A container runtime compatible with the OCI standard and capable of running Linux-based containers on AMD64 or ARM64 architectures (e.g., Azure App Services, AWS ECS, Kubernetes, Docker, Docker Compose, Docker Swarm, Podman)
• Support for persistent storage volumes for storing database data
• An instance with at least 2 vCPUs (or CPU cores) and at least 2 GB of RAM

External Data Sources

While Sentinel is designed to be self-contained and independent of external dependencies, some frequently updated data must be sourced externally:

• IP Resolvers – Provides IP geolocation data
• Data Sources – Supplies IP and email blacklists (requires no additional configuration)

Supported Runtimes

While it is possible to run the provided container image on any OCI-compatible runtime, we recommend using one of the following officially supported environments:

• Azure App Services (recommended for beginners)
• AWS ECS
• Kubernetes
• Docker Swarm or Docker Compose

The deployment runtime must support persistent storage volumes, unless used in a multi-instance configuration.

Container Image

The official OCI-compatible container image is multi-arch and hosted on the following registries:

GitHub Container Registry:

ghcr.io/altcha-org/sentinel

AWS ECR:

public.ecr.aws/n6m6b4n8/altcha-org/sentinel

Tencent Cloud (China):

ccr.ccs.tencentyun.com/altcha-org/sentinel

Supported architectures:

• AMD64 (x86-64)
• ARM64 (AArch64)

The image automatically selects the correct architecture based on the host system. For production environments, it is recommended to use an explicit version tag rather than latest.

Exposed Ports

The container image exposes several ports. Only port 8080 should be accessible from the internet.

• 8080 — Main HTTP port for ALTCHA Sentinel

The following ports are for internal use only. Do not expose them publicly unless for debugging purposes:

• 6389 — Internal Redis-compatible database
• 4080 — Internal database HTTP API (protocol currently undocumented)
• 4001 and 4002 — RQLite protocols used for distributed clustering

HTTPS (TLS Encryption)

To enable TLS encryption (HTTPS), configure a load balancer or reverse proxy with TLS termination. If you use one of the pre-configured deployment options, TLS encryption is enabled automatically:

• Azure App Services: Deploys an internet-facing gateway with TLS termination. Custom domain names are supported. For CDN and caching capabilities, deploy Azure Front Door separately.
• AWS ECS: Deploys an internet-facing Application Load Balancer (ALB). Custom domain names are supported.

For other deployment methods, we recommend using bunny.net, a global CDN operated by an EU-based company. Alternatively, you can use services such as Cloudflare.

To enable TLS encryption directly in Sentinel, set the HTTP2_CERT and HTTP2_KEY environment variables. This will also enable the HTTP/2 protocol.

Volumes

The container requires a persistent storage volume for database data, which must be mounted to the /data directory:

volumes:
  - altcha_sentinel_data_volume:/data

Deployment Modes

ALTCHA Sentinel can be deployed in two modes: 1) single-instance or 2) multi-instance. The latter offers high-availability and fault-tolerance and is available only in the Enterprise plan.

	Single-instance	Multi-instance
Max. number of instances (nodes)	1	limit per license
High availability	No	Yes
Fault tolerance	No	Yes
Scaling	Vertical	Horizontal
Traffic	Low to moderate	High

Related

• Integration Checklist
• Performance Tuning
• Clustering