Deployment Overview of H-UI VPN Server on Server

Prerequisites and Basic Requirements

The deployment of the H-UI VPN Server requires a specific operating system environment and root-level privileges. The following conditions must be met before proceeding:

  • Operating System: Ubuntu 22.04 (codename: jammy). The installation process will fail on other distributions or versions.
  • Privileges: Root access is required to install packages, configure systemd services, and manage Docker containers.
  • Architecture Support: The application supports x86_64 (mapped to amd64) and aarch64 (mapped to arm64) architectures.
  • Required Packages: The system must have curl and sqlite3 installed.
  • Timezone: The server timezone is configured to match the deployment variable h_ui_timezone.

File and Directory Structure

The application and its supporting components utilize the following directory structure on the server:

  • Application Binary: Located in the installation directory defined by h_ui_install_dir (default path not specified in source, typically /opt or similar). The binary is named h-ui.
  • Systemd Service File: Located at h_ui_service_file (path variable).
  • Nginx Configuration Directory: /root/nginx
  • Nginx Compose File: /root/nginx/compose.yml
  • Nginx User Configuration: /data/nginx/user_conf.d/
  • Nginx Environment File: /data/nginx/nginx-certbot.env
  • Database: An SQLite database file (.db) is generated automatically within the h_ui_install_dir directory.
  • SSL Certificates: Stored in the Docker volume nginx_secrets mounted at /etc/letsencrypt inside the container.

Application Installation Process

The H-UI VPN Server is installed as a native binary managed by systemd. The installation process involves downloading the latest release and configuring the service unit.

  1. Binary Download: The latest h-ui binary is downloaded from the GitHub repository jonssonyan/h-ui based on the server's architecture (amd64 or arm64).
  2. Service Unit Configuration:
    • The h-ui.service file is downloaded from the repository.
    • The ExecStart directive is modified to include the custom port defined by h_ui_port.
    • The Environment variable is set to TZ={{ h_ui_timezone }} to ensure correct time handling.
  3. Service Activation:
    • The systemd daemon is reloaded.
    • The h-ui service is enabled and started.
  4. Database Initialization: The application initializes an SQLite database upon the first start. The installation script waits for this file to appear before proceeding.
  5. Admin Account Setup:
    • The default sysadmin account is updated via SQL.
    • The username is changed to useradmin.
    • The password is set to the SHA-224 hash of the SSH password (ansible_ssh_pass).
    • The connection password (con_pass) is set to the string "root." followed by the SSH password.
    • The service is restarted to apply these changes.

Docker Containers and Their Deployment

A reverse proxy and SSL certificate management system is deployed using Docker Compose.

  • Compose File Location: /root/nginx/compose.yml
  • Deployment Command: docker compose up -d executed from the /root/nginx directory.
  • Container Details:
    • Image: jonasal/nginx-certbot:latest
    • Restart Policy: unless-stopped
    • Network Mode: host
    • Environment:
      • CERTBOT_EMAIL: Set to [email protected]
      • Loads additional environment variables from /data/nginx/nginx-certbot.env
    • Volumes:
      • nginx_secrets (external volume) mounted to /etc/letsencrypt
      • Host directory /data/nginx/user_conf.d mounted to /etc/nginx/user_conf.d

Proxy Servers

The Nginx container acts as a reverse proxy for the H-UI application.

  • Proxy Configuration: The proxy pass rule is dynamically injected into the Nginx configuration file located at /data/nginx/user_conf.d/{{ prefix }}{{ server_id }}.hostkey.in.conf.
  • Routing Rule:
    • The proxy_pass directive is set to http://127.0.0.1:8081.
    • This rule is inserted immediately after the location / { block.
  • SSL/TLS: Managed automatically by the nginx-certbot container using Let's Encrypt.
  • Custom Domains: Configuration files are stored in /data/nginx/user_conf.d/ and referenced by the Docker volume mount.

Databases

The application uses a local SQLite database for data persistence.

  • Database Type: SQLite
  • Location: The database file is created automatically within the h_ui_install_dir directory.
  • Access Method: The database is accessed directly by the h-ui binary.
  • Initial Configuration:
    • The account table is updated to set the username to useradmin.
    • The pass field stores the SHA-224 hash of the configured password.
    • The con_pass field stores the string root. concatenated with the SSH password.
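
The account setup described in "Admin Account Setup" and "Initial Configuration" ties the panel login to the SSH password: pass is an unsalted SHA-224 digest of it, and con_pass carries it in cleartext. The following audit check is an added example, not code from the H-UI project or the deployment scripts; the table and column names come from this page, while the sample schema, the sample passwords and the function names are assumptions constructed for illustration.

```python
import hashlib
import sqlite3


def derive_account_fields(password: str) -> tuple[str, str]:
    """Return (pass, con_pass) as described: SHA-224 hex digest and 'root.' + password."""
    digest = hashlib.sha224(password.encode("utf-8")).hexdigest()
    return digest, "root." + password


def set_admin_credentials(conn: sqlite3.Connection, password: str) -> None:
    """Mirror the documented SQL step: rename the default account and store both fields."""
    digest, con_pass = derive_account_fields(password)
    conn.execute(
        "UPDATE account SET username = 'useradmin', pass = ?, con_pass = ? "
        "WHERE username IN ('sysadmin', 'useradmin')",
        (digest, con_pass),
    )
    conn.commit()


def audit_account_table(conn: sqlite3.Connection, ssh_password: str) -> list[tuple[str, str]]:
    """List (username, issue) pairs for rows whose secrets still derive from the SSH password."""
    ssh_digest, _ = derive_account_fields(ssh_password)
    findings = []
    rows = conn.execute("SELECT username, pass, con_pass FROM account")
    for username, pass_hash, con_pass in rows:
        if pass_hash == ssh_digest:
            findings.append((username, "pass is the unsalted SHA-224 of the SSH password"))
        if ssh_password in (con_pass or ""):
            findings.append((username, "con_pass contains the SSH password in cleartext"))
    return findings


def build_sample_db() -> sqlite3.Connection:
    """Constructed in-memory stand-in for the h-ui database (schema is an assumption)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE account (username TEXT, pass TEXT, con_pass TEXT)")
    conn.execute("INSERT INTO account VALUES ('sysadmin', '', '')")
    return conn


if __name__ == "__main__":
    db = build_sample_db()
    set_admin_credentials(db, "constructed-ssh-password")
    for user, issue in audit_account_table(db, "constructed-ssh-password"):
        print(f"{user}: {issue}")
```

An empty result after the panel credentials have been changed to a value independent of the SSH password means neither field still exposes it.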

Starting, Stopping, and Updating

The H-UI application is managed as a native Linux service, while the proxy is managed via Docker Compose.

  • H-UI Service Management:
    • Start: systemctl start h-ui
    • Stop: systemctl stop h-ui
    • Restart: systemctl restart h-ui
    • Enable on Boot: systemctl enable h-ui
    • Status: systemctl status h-ui
  • Proxy Service Management:
    • Start/Update: docker compose up -d (run from /root/nginx)
    • Stop: docker compose down (run from /root/nginx)
    • Status: docker compose ps (run from /root/nginx)

Permission Settings

The following permissions are applied to ensure secure operation:

  • Nginx Directory: /root/nginx is owned by root:root with mode 0755.
  • Compose File: /root/nginx/compose.yml is owned by root:root with mode 0644.
  • H-UI Installation Directory: Owned by root:root with mode 0755.
  • H-UI Binary: Executable permissions are set to 0755.
  • Systemd Service File: Mode 0644.