Skip to content

Deployment Guide

This guide covers deploying to Coolify on Hetzner servers.

Complete the pre-deployment checklist before deploying.

  1. Create server in Hetzner Cloud:

    • Ubuntu 22.04 or 24.04
    • SSH keys configured
    • Appropriate resources for your traffic
  2. Configure firewall:

    PortSourcePurpose
    80/443AnywhereHTTP/HTTPS
    22Your IPSSH
  3. Run hardening script from coolifyservermanagement

  4. Install Coolify proxy

Create separate environments for staging and production.

  1. Create PostgreSQL database in Coolify
  2. For the name use the “project name” + “-db” for example “instance-studio-db”
  3. Copy the connection string
  1. Select your Git repository
  2. Set build type to docker
  3. For the name use the “project name” for example “instance-studio”

Configuration:

SettingValue
DomainYour production domain
Builddocker

Copy from .env.example and update:

Terminal window
PAYLOAD_SECRET=your-new-secure-secret
DATABASE_URI=postgres://coolify:password@host:5432/coolify
NEXT_PUBLIC_SERVER_URL=https://yourdomain.com
NEXT_PUBLIC_SITE_NAME="Your Project Name"

Name: next
Source Path: leave empty
Destination Path: /app/.next/cache

Source Directory: add /media to the end
Destination Directory: /app/media

Set permissions:

Terminal window
chown -R 1001:1001 media
chmod -R 755 media

Enable at /healthcheck

Coolify routes the app through Traefik. Define a security-headers middleware via container labels (Application → ConfigurationLabels) to send HSTS and related hardening headers at the edge:

traefik.http.middlewares.security-headers.headers.stspreload=true
traefik.http.middlewares.security-headers.headers.stsSeconds=63072000
traefik.http.middlewares.security-headers.headers.stsIncludeSubdomains=true
traefik.http.middlewares.security-headers.headers.contentTypeNosniff=true
traefik.http.middlewares.security-headers.headers.frameDeny=true

Then append security-headers to the middlewares list on every existing router label — keep the middlewares already there (e.g. redirect-to-https):

traefik.http.routers.http-0-u135i35v2fora1wdylwegphv.middlewares=redirect-to-https,security-headers
TypeNameValueTTL
A@SERVER_IPAuto
CNAMEwwwyourdomain.comAuto

SSL certificates are automatically provisioned by Traefik.

  • Site loads at https://yourdomain.com
  • Admin panel works at /admin
  • Uploaded media displays correctly
  • Media persists between deployments
  • Health check returns 200
  • Headers verified with web-check.xyz (HSTS, CSP, cross-origin)

Push changes to Git. Coolify auto-deploys via webhook.

Rollback: Go to Coolify → deployments → click previous working version.

IssueSolution
502 Bad GatewayCheck app logs, env vars, database
Uploads failRemove --entrypoints.https.http3 from proxy
Build failsCheck TypeScript errors in logs
SSL issuesVerify DNS points to server
  • SSH restricted to office IP
  • Strong PAYLOAD_SECRET
  • HSTS enabled
  • Database backups configured