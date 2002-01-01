Docker Compose Deployment

This guide explains how to install Sentinel on a cloud VPS or bare-metal server using a production-ready setup.

While recommended deployment options like Azure App Services, AWS ECS, or Kubernetes offer high uptime, reliability, and strong security guarantees, their monthly infrastructure costs can add up quickly.

For budget-conscious deployments, the setup described below offers a secure, production-ready deployment with monthly infrastructure cost as low as €5.

Prerequisites

A VPS or dedicated server (e.g. a cloud server from Hetzner)

Ubuntu Server 24.04 installed

1. Create a Server

This guide uses Hetzner as the VPS provider. Hetzner Online GmbH is a German company offering affordable hosting with data centers in the EU and US.

If you already have a server or use a different provider, skip to Step 3 – Run the Installation Script.

To get started with Hetzner:

Visit hetzner.com Register for their cloud services

Create a new server:

In the Hetzner Cloud Console, go to Servers Click Add Server Choose a location (e.g. Nuremberg) Select Ubuntu 24.04 as the image Choose a VPS type (e.g. Shared vCPU or Dedicated)

For low-traffic deployments, CAX11 (Shared vCPU / Arm64) is sufficient Add your SSH key

See How to Create an SSH Key by DigitalOcean for help Firewall and backups can be configured later Click Create & Buy Now to confirm

2. SSH into the Server

Once the server is ready, connect to it using SSH:

Terminal window ssh root@{SERVER_IP}

If you’re using a non-default SSH key location:

Terminal window ssh -i ~/.ssh/my_key root@{SERVER_IP}

3. Run the Installation Script

Run the following command on the server to download and execute the installation script as root :

Terminal window bash <( curl -s https://raw.githubusercontent.com/altcha-org/sentinel-install-scripts/main/install-ubuntu-24-04.sh )

This script is designed for a fresh Ubuntu 24.04 installation. It will:

Update package repositories

Install required packages

Enable automatic security updates

Start and enable Docker to ensure Sentinel runs after reboots

Create a dedicated non-root user altcha with sudo privileges

with sudo privileges Configure UFW firewall (allowing SSH + port 8080)

Install Fail2ban to protect against SSH brute-force attacks

Create helper scripts in /home/altcha/altcha/

4. Start Sentinel

Switch to the altcha user:

Terminal window su - altcha

Set a new password (default is altcha123 , use this when asked for the “current password”)

Start Sentinel by running the start script:

Terminal window cd ~/altcha ./start.sh

This command pulls the latest version of Sentinel and runs it on port 8080 .

Verify it’s running:

Terminal window curl http://localhost:8080/.live

You should receive a JSON response containing "status": "alive" .

Management Scripts

Located in /home/altcha/altcha/ :

./start.sh – Start ALTCHA Sentinel

– Start ALTCHA Sentinel ./stop.sh – Stop ALTCHA Sentinel

– Stop ALTCHA Sentinel ./status.sh – Check status and recent logs

– Check status and recent logs ./update.sh – Update to the latest version

– Update to the latest version ./logs.sh – View live logs

5. Set Up a Reverse Proxy

To use Sentinel in production, you must configure TLS termination (HTTPS). Accessing Sentinel’s application directly via server IP and HTTP will result in the error: Security Requirement Not Met.

Use a reverse proxy or CDN to provide HTTPS access.

Option 1 – Bunny.net CDN

Bunny.net is an affordable EU-based CDN that offers TLS termination and DDoS protection. You don’t need a custom domain — they provide a free *.b-cdn.net domain (you can add your own later).

To get started:

Sign up at bunny.net After logging in, go to the CDN section and click Add Pull Zone Set a Pull Zone Name Set the Origin URL as your server IP with port 8080 : http://{SERVER_IP}:8080 Click Add Pull Zone

You can skip WordPress or script installation suggestions — they’re not needed.

Note To ensure the Sentinel application works correctly on bunny.net, cookies must be manually enabled. Go to Caching → General and disable the Strip response cookies option.

Option 2 – Hetzner Load Balancer

Using Hetzner’s Load Balancer requires a custom domain managed by Hetzner DNS.

In Hetzner Cloud Console, go to Load Balancers Click Create Load Balancer Choose the same region as your server Choose a load balancer type (e.g. LB11) Under Targets, add your server instance Under Services: Select protocol: HTTPS

Destination port: 8080

Click Add Certificates to configure TLS Click Create & Buy Now

Other Options

Other ways to enable TLS termination:

Cloudflare

Nginx or Traefik reverse proxy

Built-in Sentinel TLS support using HTTP2_CERT and HTTP2_KEY See ENV variables

6. Updating Sentinel

To update Sentinel to a newer version, edit the docker-compose.yml file located at /home/altcha/altcha/ and set the desired image tag:

docker-compose.yml services : altcha_sentinel : image : ghcr.io/altcha-org/sentinel:{TAG}

Replace {TAG} with the version you want to use — for example: 1.2.3 .

After saving the file, run the update script to pull the new image and restart Sentinel:

Terminal window cd /home/altcha/altcha ./update.sh

7. Access the Application

Default credentials:

Username: root

Password: root

Access endpoints:

Security Recommendations

By default, your server’s public IP allows direct access — bypassing your reverse proxy.

To restrict access:

Restrict by Host Header

Set the ALLOWED_HOSTS ENV variable in Sentinel to only allow requests with valid Host headers (e.g. your domain or CDN hostname).

Also make sure:

Your proxy forwards the Host header

header 127.0.0.1 is added for health checks

Restrict by IP Address

If you know the IP ranges of your reverse proxy or CDN, you can whitelist only those IPs using your firewall and block all others.

Next Steps

Follow the Integration Checklist to ensure a secure deployment.

For secure, mission-critical deployments, consider other methods of deployment: