Option A — Docker Compose (recommended)
Use docker/docker-compose.yml for a one-command production deployment. It includes:
| Service | Host port |
| ---------------------- | ------------- |
| server (Bun backend) | 3888 |
| api (Rust proxy) | 5060 |
| web-tenant | 5090 |
| web-admin | 5091 |
| postgres | internal only |
1. Prepare environment file
cd docker
./prepare.sh
This script creates docker/.env from docker/.env.example and fills required values such as BETTER_AUTH_SECRET, CRON_SECRET, RSA_PRIVATE_KEY, and RSA_PUBLIC_KEY.
If you prefer to configure everything manually, you can still run:
cp docker/.env.example docker/.env
Then review docker/.env. Required variables:
DATABASE_URL=postgresql://postgres:postgres@postgresql:5432/openproxy
BETTER_AUTH_SECRET=<random 32-byte base64>
BETTER_AUTH_URL=https://your-tenant-domain/api
# APP_DOMAIN is the apex domain (e.g. example.com; defaults to aiproxy.shop).
# It controls:
# - trusted origins generated for *.APP_DOMAIN
# - better-auth session cookie Domain (.APP_DOMAIN), so *.APP_DOMAIN
# subdomains share the same login session (production only)
APP_DOMAIN=
# CLIENT_ORIGIN is the public origin of the tenant web app (scheme + host,
# no trailing slash, e.g. https://app.example.com). Used to build payment
# notify/return URLs and email verification links. Defaults to
# https://app.${APP_DOMAIN} in production.
CLIENT_ORIGIN=
ADMIN_EMAILS=owner@example.com
RSA_PRIVATE_KEY=<generated with bun scripts/generateRSAKey.ts>
RSA_PUBLIC_KEY=<same generation>
REDIS_URL=redis://redis:6379
Also add email (RESEND or SMTP), OAuth, SMS/captcha, and payment variables as needed. For self-hosting, set ADMIN_EMAILS so the matching signup account is promoted to admin automatically.
2. Start
cd docker
docker compose up -d
3. Verify
curl http://localhost:5060/health # Rust proxy
curl http://localhost:3888/api/health # Bun server
4. Domain and reverse proxy
Bind domains with Nginx (or any reverse proxy):
server {
listen 80;
server_name api.example.com;
location / {
proxy_pass http://127.0.0.1:5060;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
}
}
server {
listen 80;
server_name app.example.com;
location / {
proxy_pass http://127.0.0.1:5090;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
}
}
For HTTPS, add ssl_certificate / ssl_certificate_key or use Certbot.
Option B — Manual deployment
PostgreSQL
Provision PostgreSQL 15+ and create a database. Run migrations:
cd apps/server
DATABASE_URL=postgres://... bun run migrate
apps/server (Bun)
cd apps/server
bun install
bun run start # or use pm2 / systemd
apps/api (Rust)
cd apps/api
cargo build --release
./target/release/api
For production process management use systemd or a container:
# /etc/systemd/system/openproxy-api.service
[Unit]
Description=OpenProxy Rust API
After=network.target
[Service]
EnvironmentFile=/etc/openproxy/api.env
ExecStart=/usr/local/bin/openproxy-api
Restart=always
[Install]
WantedBy=multi-user.target
apps/web (React)
cd apps/web
bun run build:tenant # outputs to dist/tenant
bun run build:admin # outputs to dist/admin
Serve the dist/ directories with Nginx or any static file host.
For scheduled job setup and endpoint usage, see Scheduled Jobs.
Production checklist
- [ ] Use HTTPS with valid certificates for all public domains
- [ ] Set
BETTER_AUTH_URLto the public frontend origin with/api, and setAPP_DOMAINso built-in trusted origins and cross-subdomain cookies match your deployment - [ ] Enable PostgreSQL backups (e.g. pg_dump cron or managed DB snapshot)
- [ ] Schedule
cleanupOrderandarchiveMonthlyUsage, and ensure each request uses the correctCRON_SECRET - [ ] Never log
RSA_PRIVATE_KEYor plaintext API keys - [ ] Use secrets management (e.g. Docker secrets, Vault) rather than plain
.envfiles in production - [ ] Configure resource limits (memory, CPU) for the Rust proxy container