Self Hosted Supabase Configuration

Overview

This guide helps you set up Supabase on your own server with GitHub login enabled for SFP tools.

Note: This documentation extends the official Supabase Self-Hosting with Docker guide. Some steps may become outdated as Supabase evolves - refer to the official documentation for the most current information.

What You'll Need

• A server with at least 8GB RAM and 25GB SSD storage (EC2 with Ubuntu preferred, as this guide uses apt commands)

• A domain name (like supabase.yourdomain.com)

• Basic command line knowledge

• For AWS EC2: Security Group with ports 80, 443 (for HTTPS), and 8000 (for direct access) open for inbound traffic

Quick Start

Step 1: Install Prerequisites

# Update system
sudo apt update && sudo apt upgrade -y

# Install Docker and Docker Compose
curl -fsSL https://get.docker.com -o get-docker.sh
sudo sh get-docker.sh
sudo usermod -aG docker $USER

# The get-docker.sh script might install docker-ce only and not the compose plugin
# Install Docker Compose plugin
sudo apt update && sudo apt install -y docker-compose-plugin

# Log out and back in, then continue

# Install Caddy (REQUIRED for production - provides automatic HTTPS/SSL)
# Caddy automatically obtains and renews SSL certificates from Let's Encrypt
sudo apt install -y debian-keyring debian-archive-keyring apt-transport-https
curl -1sLf 'https://dl.cloudsmith.io/public/caddy/stable/gpg.key' | sudo gpg --dearmor -o /usr/share/keyrings/caddy-stable-archive-keyring.gpg
curl -1sLf 'https://dl.cloudsmith.io/public/caddy/stable/debian.deb.txt' | sudo tee /etc/apt/sources.list.d/caddy-stable.list
sudo apt update && sudo apt install caddy

Step 2: Get Supabase

Step 3: Generate Your Keys

1. Generate a JWT secret:

1. Go to the JWT Generator in the official Supabase docs

2. Paste your JWT secret in the form and generate:

   • ANON_KEY

   • SERVICE_ROLE_KEY

Step 4: Configure Supabase

Edit the .env file and update these values:

Update the following values:

Save and exit (Ctrl+X, then Y, then Enter).

Step 5: Configure SSL with Caddy (Required for Production)

Why you need this: GitHub OAuth and secure authentication require HTTPS. Running without SSL exposes your credentials and tokens in plain text. Never run production without HTTPS.

If you installed Caddy in Step 1, configure it now. If not, go back and install it first.

Edit the existing /etc/caddy/Caddyfile:

Add this block at the END of the file (after any existing :80 block):

Your Caddyfile should now have both the default :80 block AND your new Supabase domain block.

Then reload Caddy:

Step 6: Set Up GitHub Login

1. Go to GitHub Settings → Developer settings → OAuth Apps → New OAuth App

2. Fill in:

   • Application name: Your Supabase

   • Homepage URL: https://supabase.yourdomain.com

   • Callback URL: https://supabase.yourdomain.com/auth/v1/callback

3. Create and save the Client ID and Secret

4. Add to your .env file:

Pre-flight Check (AWS EC2)

If using AWS EC2, ensure the required ports are open:

1. Go to EC2 Console → Your instance → Security tab

2. Check current Security Groups - if none or only default, you need to add one

3. Click "Actions" → "Security" → "Change security groups"

4. Either modify existing or create new security group with:

   • Inbound rule: HTTP, Port 80, Source 0.0.0.0/0 (for Let's Encrypt certificate validation)

   • Inbound rule: HTTPS, Port 443, Source 0.0.0.0/0 (for secure access via domain)

   • Inbound rule: Custom TCP, Port 8000, Source 0.0.0.0/0 (for direct Supabase access during setup)

   • Inbound rule: SSH, Port 22, Source: Your IP (for SSH access)

Step 7: Start Supabase

After configuration, pull and start services:

Wait for all services to start (about 30 seconds), then check their status:

All services should show status running (healthy).

Test if Supabase is running:

If you get a 401 Unauthorized response, your Supabase instance is running correctly (the 401 just means you need authentication, which is normal).

You can now access Supabase Studio at http://YOUR-PUBLIC-IP:8000 with the credentials you configured in Step 4 (DASHBOARD_USERNAME and DASHBOARD_PASSWORD).

Note: If you made configuration changes to the .env file after starting Supabase, restart the services for the changes to take effect:

Step 8: Connect SFP Server

On your SFP Server, use these settings:

Verify Everything Works

Maintenance

Start/Stop Supabase

Update Supabase

View Logs

Troubleshooting

Can't access Supabase from public IP?

• AWS EC2: Check Security Group - ensure port 8000 is open for inbound traffic

• Verify Docker is running: docker compose ps

• Check if port is listening: sudo netstat -tlnp | grep 8000

• Test locally first: curl http://localhost:8000/auth/v1/health

Can't login with GitHub?

• Check your GitHub OAuth app callback URL matches exactly

• Look at auth logs: docker compose logs -f auth

SSL not working?

• Make sure your domain points to your server's IP

• Check Caddy logs: sudo journalctl -u caddy -f

Out of memory?

• Your server needs at least 8GB RAM

• Check with: free -h

Security Checklist

Before going live:

• Changed all default passwords

• Set strong database password

• Enabled firewall (ports 22, 80, 443 only)

• Regular backups configured

Need Help?

• Supabase Discord

• Supabase GitHub Discussions

• SFP Documentation