Docker Compose Deployment

This guide explains how to install Sentinel on a cloud VPS or bare-metal server using a production-ready setup.

While recommended deployment options like Azure App Services, AWS ECS, or Kubernetes offer high uptime, reliability, and strong security guarantees, their monthly infrastructure costs can add up quickly.

For budget-conscious deployments, the setup described below offers a secure, production-ready deployment with monthly infrastructure cost as low as €5.

Prerequisites

• A VPS or dedicated server (e.g. a cloud server from Hetzner)
• Ubuntu Server 24.04 installed

1. Create a Server

This guide uses Hetzner as the VPS provider. Hetzner Online GmbH is a German company offering affordable hosting with data centers in the EU and US.

If you already have a server or use a different provider, skip to Step 3 – Run the Installation Script.

To get started with Hetzner:

1. Visit hetzner.com
2. Register for their cloud services

Create a new server:

1. In the Hetzner Cloud Console, go to Servers
2. Click Add Server
3. Choose a location (e.g. Nuremberg)
4. Select Ubuntu 24.04 as the image
5. Choose a VPS type (e.g. Shared vCPU or Dedicated)
   For low-traffic deployments, CAX11 (Shared vCPU / Arm64) is sufficient
6. Add your SSH key
   See How to Create an SSH Key by DigitalOcean for help
7. Firewall and backups can be configured later
8. Click Create & Buy Now to confirm

2. SSH into the Server

Once the server is ready, connect to it using SSH:

ssh root@{SERVER_IP}

If you’re using a non-default SSH key location:

ssh -i ~/.ssh/my_key root@{SERVER_IP}

3. Run the Installation Script

Run the following command on the server to download and execute the installation script as root:

bash <(curl -s https://raw.githubusercontent.com/altcha-org/sentinel-install-scripts/main/install-ubuntu-24-04.sh)

This script is designed for a fresh Ubuntu 24.04 installation. It will:

• Update package repositories
• Install required packages
• Enable automatic security updates
• Start and enable Docker to ensure Sentinel runs after reboots
• Create a dedicated non-root user altcha with sudo privileges
• Configure UFW firewall (allowing SSH + port 8080)
• Install Fail2ban to protect against SSH brute-force attacks
• Create helper scripts in /home/altcha/altcha/

4. Start Sentinel

Switch to the altcha user:

su - altcha

Set a new password (default is altcha123, use this when asked for the “current password”)

Start Sentinel by running the start script:

cd ~/altcha
./start.sh

This command pulls the latest version of Sentinel and runs it on port 8080.

Verify it’s running:

curl http://localhost:8080/.live

You should receive a JSON response containing "status": "alive".

Management Scripts

Located in /home/altcha/altcha/:

• ./start.sh – Start ALTCHA Sentinel
• ./stop.sh – Stop ALTCHA Sentinel
• ./status.sh – Check status and recent logs
• ./update.sh – Update to the latest version
• ./logs.sh – View live logs

5. Set Up a Reverse Proxy

To use Sentinel in production, you must configure TLS termination (HTTPS). Accessing Sentinel’s application directly via server IP and HTTP will result in the error: Security Requirement Not Met.

Use a reverse proxy or CDN to provide HTTPS access.

Option 1 – Bunny.net CDN

Bunny.net is an affordable EU-based CDN that offers TLS termination and DDoS protection. You don’t need a custom domain — they provide a free *.b-cdn.net domain (you can add your own later).

To get started:

1. Sign up at bunny.net
2. After logging in, go to the CDN section and click Add Pull Zone
3. Set a Pull Zone Name
4. Set the Origin URL as your server IP with port 8080: http://{SERVER_IP}:8080
5. Click Add Pull Zone

You can skip WordPress or script installation suggestions — they’re not needed.

Note

To ensure the Sentinel application works correctly on bunny.net, cookies must be manually enabled. Go to Caching → General and disable the Strip response cookies option.

Option 2 – Hetzner Load Balancer

Using Hetzner’s Load Balancer requires a custom domain managed by Hetzner DNS.

1. In Hetzner Cloud Console, go to Load Balancers
2. Click Create Load Balancer
3. Choose the same region as your server
4. Choose a load balancer type (e.g. LB11)
5. Under Targets, add your server instance
6. Under Services:
   • Select protocol: HTTPS
   • Destination port: 8080
   • Click Add Certificates to configure TLS
7. Click Create & Buy Now

Other Options

Other ways to enable TLS termination:

• Cloudflare
• Nginx or Traefik reverse proxy
• Built-in Sentinel TLS support using HTTP2_CERT and HTTP2_KEY See ENV variables

6. Updating Sentinel

To update Sentinel to a newer version, edit the docker-compose.yml file located at /home/altcha/altcha/ and set the desired image tag:

docker-compose.yml

services:
  altcha_sentinel:
    image: ghcr.io/altcha-org/sentinel:{TAG}

Replace {TAG} with the version you want to use — for example: 1.2.3.

After saving the file, run the update script to pull the new image and restart Sentinel:

cd /home/altcha/altcha
./update.sh

7. Access the Application

Default credentials:

• Username: root
• Password: root

Access endpoints:

• Web Interface: http://localhost:8080
• API: http://localhost:8080/v1
• API Documentation: http://localhost:8080/v1/docs

Security Recommendations

By default, your server’s public IP allows direct access — bypassing your reverse proxy.

To restrict access:

Restrict by Host Header

Set the ALLOWED_HOSTS ENV variable in Sentinel to only allow requests with valid Host headers (e.g. your domain or CDN hostname).

Also make sure:

• Your proxy forwards the Host header
• 127.0.0.1 is added for health checks

Restrict by IP Address

If you know the IP ranges of your reverse proxy or CDN, you can whitelist only those IPs using your firewall and block all others.

Next Steps

• Follow the Integration Checklist to ensure a secure deployment.

For secure, mission-critical deployments, consider other methods of deployment:

• Azure App Services
• AWS ECS
• Kubernetes