QueryGlow

Quick Start

Get QueryGlow running on your server in under 10 minutes. This guide covers production deployment with SSL and authentication.

Prerequisites

Before running the deploy script, ensure you have:

Linux server with Docker installed

Ubuntu 20.04+, Debian 11+, or similar. Minimum 512MB RAM.

Domain pointing to your server

e.g., db.yourcompany.com → your server IP

Ports 80 and 443 open

Required for SSL certificate generation and HTTPS.

Don't have Docker yet?

Install it first: curl -fsSL https://get.docker.com | sh

Then add your user to the docker group and logout/login: sudo usermod -aG docker $USER

Need detailed setup instructions? See full prerequisites guide →

1. Clone the Repository

Use the GitHub invite sent to your email after purchase.

git clone [email protected]:mxfschr/queryglow.git
cd queryglow

Why SSH ([email protected]) instead of HTTPS?

GitHub disabled password authentication in 2021. If you try HTTPS, you'll be prompted for a password, but your actual GitHub password will NOT work. SSH keys are the simplest solution.

❌ Getting "Permission denied (publickey)" error?

This means your SSH key isn't set up with GitHub. Here's how to fix it:

  1. Check if you have an SSH key:ls -la ~/.ssh/id_*.pub
  2. If no key exists, create one:ssh-keygen -t ed25519 -C "[email protected]"
  3. Copy your public key:cat ~/.ssh/id_ed25519.pub
  4. Add to GitHub: Go to github.com/settings/keys → New SSH key → Paste your key
  5. Test the connection:ssh -T [email protected]
🔐 Corporate network blocking SSH? Use HTTPS with a token

If your network blocks port 22 (SSH), you can use HTTPS with a Personal Access Token:

  1. Generate a token: Go to github.com/settings/tokens → Generate new token (classic) → Select repo scope → Generate
  2. Copy the token immediately (it's only shown once!)
  3. Clone using the token:git clone https://github.com/mxfschr/queryglow.git

    Username: your GitHub username

    Password: paste your token (NOT your GitHub password)

2. Run the Deploy Script

The script auto-detects your server setup and configures everything: Nginx reverse proxy, SSL certificates (Let's Encrypt), authentication, and the app container.

chmod +x deploy.sh
./deploy.sh

The script will ask for:

  • Domain — e.g., db.yourcompany.com
  • Email — for SSL certificate notifications
  • Username & Password — for Basic Auth login
  • AI API keys — optional, can be added later

What the script does:

  • Detects if you have existing nginx (Integration mode) or not (Standalone mode)
  • Finds an available port (3000, 3001, etc.)
  • Generates SSL certificate via Let's Encrypt
  • Creates encrypted credential storage (AES-256-GCM)
  • Enables Safe Mode by default (blocks DROP TABLE, TRUNCATE, etc.)

✓ Once complete, your app is live at https://your-domain.com

Alternative: Run Locally (Development)

For testing on your laptop without SSL or authentication:

# Create .env with a session secret
echo "SESSION_SECRET=$(openssl rand -hex 32)" > .env

# Start the container
docker compose up --build

Open http://localhost:3000 in your browser. No login required in local dev mode.

Note: Local dev mode has no authentication. For production, always use ./deploy.sh which sets up SSL and Basic Auth.

Security by Default

After deployment, QueryGlow has these protections enabled automatically:

  • Safe Mode ON — Blocks DROP TABLE, TRUNCATE, DELETE/UPDATE without WHERE in Query Editor
  • HTTPS enforced — All traffic encrypted via Let's Encrypt
  • Basic Auth — Login required for all access
  • Credentials encrypted — Database passwords stored with AES-256-GCM
  • Search engines blocked — Your instance won't appear in Google