QueryGlow

Docker Deployment

The recommended way to run QueryGlow. The deploy.sh script auto-detects your server setup and configures SSL, authentication, and Safe Mode automatically.

Prerequisites

  • Docker installed

    Install: curl -fsSL https://get.docker.com | sh

  • User in docker group

    Run: sudo usermod -aG docker $USER, then log out and log in again

  • Linux server with 512MB+ RAM

    Ubuntu 20.04+, Debian 11+, or similar

  • Ports 80 and 443 open

    Required for Let's Encrypt SSL certificate generation

  • Domain pointing to your server

    DNS A record: db.yourcompany.com → your-server-ip

Auto-Detected Deployment Modes

The deploy script automatically detects your server configuration:

Standalone Mode

Fresh server, no existing nginx

→ Docker runs: QueryGlow + Nginx + Certbot

Integration Mode

Server already has nginx running

→ Docker runs: QueryGlow only (uses your nginx)

Method 1: Automated Script (Recommended)

The deploy.sh script handles everything: Docker configuration, Nginx reverse proxy, SSL certificates (Let's Encrypt), Basic Auth, and Safe Mode.

# 1. Clone the repository
git clone git@github.com:mxfschr/queryglow.git
cd queryglow

# 2. Run the deploy script
chmod +x deploy.sh
./deploy.sh

Why SSH (git@github.com) instead of HTTPS?

GitHub disabled password authentication in 2021. If you try HTTPS, you'll be prompted for a password, but your actual GitHub password will NOT work. SSH keys are the simplest solution.

❌ Getting "Permission denied (publickey)" error?

This means your SSH key isn't set up with GitHub. Here's how to fix it:

  1. Check if you have an SSH key: ls -la ~/.ssh/id_*.pub
  2. If no key exists, create one: ssh-keygen -t ed25519 -C "you@example.com"
  3. Copy your public key: cat ~/.ssh/id_ed25519.pub
  4. Add to GitHub: Go to github.com/settings/keys → New SSH key → Paste your key
  5. Test the connection: ssh -T git@github.com

🔐 Corporate network blocking SSH? Use HTTPS with a token

If your network blocks port 22 (SSH), you can use HTTPS with a Personal Access Token:

  1. Generate a token: Go to github.com/settings/tokens → Generate new token (classic) → Select repo scope → Generate
  2. Copy the token immediately (it's only shown once!)
  3. Clone using the token: git clone https://github.com/mxfschr/queryglow.git

    Username: your GitHub username

    Password: paste your token (NOT your GitHub password)

The script will prompt for:

  • Domain – e.g., db.yourcompany.com
  • Email – for SSL certificate notifications
  • Username – for Basic Auth login
  • Password – minimum 8 characters
  • AI API keys – optional (OpenAI, Anthropic, or Google)

What gets configured automatically:

  • HTTPS with Let's Encrypt
  • Nginx reverse proxy
  • Basic Auth (bcrypt, 10 rounds)
  • Safe Mode enabled
  • AES-256-GCM credential encryption
  • Search engine blocking
  • Security headers
  • Auto SSL renewal

Method 2: Manual Docker Compose

For local development or if you want to manage nginx/SSL yourself. This runs QueryGlow only—you handle the reverse proxy.

1. Create .env file

# Generate session secret (REQUIRED)
echo "SESSION_SECRET=$(openssl rand -hex 32)" > .env

# Optional: Add AI keys
echo "OPENAI_API_KEY=sk-..." >> .env

# Optional: Disable Safe Mode (not recommended)
# echo "QUERYGLOW_ALLOW_DESTRUCTIVE=true" >> .env

2. Start with Docker Compose

# Development (no SSL, port 3000 exposed)
docker compose up --build

# Production (requires existing nginx on host)
docker compose -f docker-compose.production.yml up -d --build

3. Verify it's running

curl http://localhost:3000/api/health
# Should return: {"status":"ok"}

Environment Variables

| Variable | Required | Description |
|---|---|---|
| SESSION_SECRET | Yes | Encryption key for stored credentials. Generate with openssl rand -hex 32 |
| QUERYGLOW_ALLOW_DESTRUCTIVE | No | false (default) = Safe Mode ON, blocks DROP/TRUNCATE/mass DELETE in Query Editor. true = Power Mode, all SQL allowed. |
| PORT | No | App port. Default: 3000 |
| OPENAI_API_KEY | No | For AI SQL generation (GPT-4o) |
| ANTHROPIC_API_KEY | No | For AI SQL generation (Claude) |
| GOOGLE_API_KEY | No | For AI SQL generation (Gemini) |

See Environment Variables for the complete reference.
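
A pre-start audit of the .env file built in Method 2, as an added example that is not part of QueryGlow or deploy.sh. It assumes SESSION_SECRET was generated with openssl rand -hex 32 as shown above, treats Power Mode as a finding, and expects the file to be readable by its owner only, since it holds the credential-encryption key; the function name audit_env is hypothetical.

```shell
#!/usr/bin/env bash
# Added example (not QueryGlow code): audit a .env file before starting the app.
# Prints one line per finding; returns 0 if clean, 1 otherwise.
audit_env() {
  local file="$1" rc=0 secret destructive mode

  [ -f "$file" ] || { echo "FAIL: $file not found"; return 1; }

  # If a key is repeated, inspect the last assignment (assumption).
  secret=$(grep -E '^SESSION_SECRET=' "$file" | tail -n 1 | cut -d= -f2-)
  destructive=$(grep -E '^QUERYGLOW_ALLOW_DESTRUCTIVE=' "$file" | tail -n 1 | cut -d= -f2-)

  # `openssl rand -hex 32` emits exactly 64 lowercase hex characters.
  if [ -z "$secret" ]; then
    echo "FAIL: SESSION_SECRET is missing or empty"; rc=1
  elif ! printf '%s' "$secret" | grep -Eq '^[0-9a-f]{64}$'; then
    echo "FAIL: SESSION_SECRET is not 64 hex characters"; rc=1
  fi

  # The page documents only the value true as turning Safe Mode off.
  if [ "$destructive" = "true" ]; then
    echo "FAIL: QUERYGLOW_ALLOW_DESTRUCTIVE=true (Safe Mode is off)"; rc=1
  fi

  # Owner-only access: no group or other permission bits (GNU stat, BSD fallback).
  mode=$(stat -c '%a' "$file" 2>/dev/null || stat -f '%Lp' "$file")
  case "$mode" in
    *00) ;;
    *) echo "FAIL: $file mode is $mode, expected 600 (chmod 600 $file)"; rc=1 ;;
  esac

  [ "$rc" -eq 0 ] && echo "OK: $file passed all checks"
  return "$rc"
}
```

Run it as audit_env .env from the repository directory before docker compose up.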

Common Commands

Standalone Mode (deploy.sh on fresh server)

# View logs
docker compose -f docker-compose.production.yml logs -f
# Restart
docker compose -f docker-compose.production.yml restart
# Update
git pull && docker compose -f docker-compose.production.yml up -d --build

Integration Mode (deploy.sh with existing nginx)

# View logs
docker logs queryglow -f
# Restart
docker restart queryglow
# Update
git pull && docker compose -f docker-compose.production.yml up -d --build queryglow

Security Notes

  • In production, QueryGlow binds to 127.0.0.1 only—not accessible from internet directly.
  • Always use the deploy.sh script for production to ensure SSL and authentication are configured.
  • Never expose port 3000 directly to the internet without a reverse proxy and authentication.
  • Back up your .env file—it contains the encryption key for stored passwords.
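
One way to confirm the loopback-only binding on a running host, as an added example that is not part of QueryGlow or deploy.sh. It assumes the default app port 3000 and the ss tool from iproute2; the function name exposed_listeners is hypothetical.

```shell
#!/usr/bin/env bash
# Added example (not QueryGlow code): flag TCP listeners on the app port
# that are reachable on a non-loopback address.
# Reads `ss -ltn` output on stdin, prints each exposed Local Address:Port,
# and returns 1 if any were found, 0 otherwise.
exposed_listeners() {
  local port="${1:-3000}"
  awk -v port="$port" '
    {
      addr = $4                          # Local Address:Port column
      n = split(addr, parts, ":")
      if (parts[n] != port) next         # other port, or the header row
      host = substr(addr, 1, length(addr) - length(parts[n]) - 1)
      # Loopback binds are expected: 127.0.0.0/8 and ::1 (ss prints [::1]).
      if (host ~ /^127\./ || host == "[::1]") next
      print addr                         # 0.0.0.0, *, [::] or a routable address
      found = 1
    }
    END { exit (found ? 1 : 0) }'
}

# Usage on the host:
#   ss -ltn | exposed_listeners 3000 && echo "port 3000 is loopback-only"
```

Any address it prints means the app port is listening beyond 127.0.0.1 and is reachable without the reverse proxy and Basic Auth unless a firewall blocks it.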