Deployment Guide
This guide covers deploying to Coolify on Hetzner servers.
Prerequisites
Section titled “Prerequisites”Complete the pre-deployment checklist before deploying.
Server Setup (Hetzner)
Section titled “Server Setup (Hetzner)”-
Create server in Hetzner Cloud:
- Ubuntu 22.04 or 24.04
- SSH keys configured
- Appropriate resources for your traffic
-
Configure firewall:
Port Source Purpose 80/443 Anywhere HTTP/HTTPS 22 Your IP SSH -
Run hardening script from coolifyservermanagement
-
Install Coolify proxy
Coolify Setup
Section titled “Coolify Setup”Create Environment
Section titled “Create Environment”Create separate environments for staging and production.
Add Database
Section titled “Add Database”- Create PostgreSQL database in Coolify
- For the name use the “project name” + “-db” for example “instance-studio-db”
- Copy the connection string
Add Application
Section titled “Add Application”- Select your Git repository
- Set build type to
docker - For the name use the “project name” for example “instance-studio”
Configuration:
| Setting | Value |
|---|---|
| Domain | Your production domain |
| Build | docker |
Environment Variables
Section titled “Environment Variables”Copy from .env.example and update:
PAYLOAD_SECRET=your-new-secure-secretDATABASE_URI=postgres://coolify:password@host:5432/coolifyNEXT_PUBLIC_SERVER_URL=https://yourdomain.comNEXT_PUBLIC_SITE_NAME="Your Project Name"Persistent Storage
Section titled “Persistent Storage”Volume Mount
Section titled “Volume Mount”Name: next
Source Path: leave empty
Destination Path: /app/.next/cache
Directory Mount
Section titled “Directory Mount”Source Directory: add /media to the end
Destination Directory: /app/media
Set permissions:
chown -R 1001:1001 mediachmod -R 755 mediaHealth Check
Section titled “Health Check”Enable at /healthcheck
Security Headers (HSTS) (OPTIONAL)
Section titled “Security Headers (HSTS) (OPTIONAL)”Coolify routes the app through Traefik. Define a security-headers middleware
via container labels (Application → Configuration → Labels) to send HSTS
and related hardening headers at the edge:
traefik.http.middlewares.security-headers.headers.stspreload=truetraefik.http.middlewares.security-headers.headers.stsSeconds=63072000traefik.http.middlewares.security-headers.headers.stsIncludeSubdomains=truetraefik.http.middlewares.security-headers.headers.contentTypeNosniff=truetraefik.http.middlewares.security-headers.headers.frameDeny=trueThen append security-headers to the middlewares list on every existing
router label — keep the middlewares already there (e.g. redirect-to-https):
traefik.http.routers.http-0-u135i35v2fora1wdylwegphv.middlewares=redirect-to-https,security-headersDNS Setup
Section titled “DNS Setup”| Type | Name | Value | TTL |
|---|---|---|---|
| A | @ | SERVER_IP | Auto |
| CNAME | www | yourdomain.com | Auto |
SSL certificates are automatically provisioned by Traefik.
Post-Deployment Checklist
Section titled “Post-Deployment Checklist”- Site loads at
https://yourdomain.com - Admin panel works at
/admin - Uploaded media displays correctly
- Media persists between deployments
- Health check returns 200
- Headers verified with web-check.xyz (HSTS, CSP, cross-origin)
Updating
Section titled “Updating”Push changes to Git. Coolify auto-deploys via webhook.
Rollback: Go to Coolify → deployments → click previous working version.
Troubleshooting
Section titled “Troubleshooting”| Issue | Solution |
|---|---|
| 502 Bad Gateway | Check app logs, env vars, database |
| Uploads fail | Remove --entrypoints.https.http3 from proxy |
| Build fails | Check TypeScript errors in logs |
| SSL issues | Verify DNS points to server |
Security
Section titled “Security”- SSH restricted to office IP
- Strong
PAYLOAD_SECRET - HSTS enabled
- Database backups configured