Skip to main content

Installation

Prerequisites

To run a server:

  • A Linux server (or any Docker host) reachable from the internet, with a public IP.
  • A domain name you control, with the ability to add DNS records for it.
  • Either Docker (recommended, simplest) or a systemd-based Linux distro (for the Direct/bare-metal install path).
  • (Optional, for automated TLS) A Cloudflare account managing DNS for your domain, and an API token scoped to DNS-edit on that zone. Without this, raba falls back to a self-signed certificate (browsers will warn) or a manually obtained one.
  • Four categories of ports open on your firewall — not just :443. See Deployment → Ports for the full list and what each one is for; the short version is HTTPS/HTTP for visitors and the dashboard, a separate tunnel port for the CLI Client to connect to (not visitors), and a port range for TCP/UDP projects.

To use the CLI: nothing beyond the binary itself — no runtime dependency, it's a single static-ish executable. Linux, macOS (Intel and Apple Silicon), and Windows are all supported.

Automatic setup

curl -fsSL https://raw.githubusercontent.com/codad5/raba/master/install-server.sh | bash

This is a real interactive script, not a black box — here's exactly what it does, in order:

  1. Asks for your domain (e.g. tunnel.example.com) — required.
  2. Asks if you want automated TLS via Cloudflare DNS-01. If yes: your Cloudflare API token (DNS-edit scope only), your zone ID, a contact email for Let's Encrypt renewal-failure notices, and whether to use Let's Encrypt's staging environment (for testing — untrusted certs, much higher rate limits).
  3. Asks whether to allow public signup. The very first account on a fresh instance can always sign up regardless of this setting — it only affects who can join after that.
  4. Asks for your HTTPS/HTTP listener ports (default 7222/8080, non-privileged so nothing needs root). If you enter 443/80 instead — meaning this server is dedicated to raba alone — it warns you that nothing else can bind those ports afterward. If you keep the defaults, it asks which reverse proxy you're using (nginx, Caddy, or none) and generates the actual SNI-passthrough config for it, since something needs to forward :443 traffic to raba's real port in that case.
  5. Generates JWT_SECRET for you. Never prompted for — a user-supplied session secret is a footgun, so the script always generates a real one.
  6. Asks Docker or Direct, then does one of:
    • Docker: writes a self-contained docker-compose.yml, pulls the published image from GHCR, runs docker compose up -d.
    • Direct: downloads the Linux server binary from the latest GitHub release, installs it as a systemd service (raba.service, using AmbientCapabilities=CAP_NET_BIND_SERVICE so it can bind privileged ports without running as root), and starts it.
  7. Prints next steps — point your domain's DNS A/AAAA record at this server's public IP.

Re-running it later updates in place — it detects an existing install, offers to just pull the latest image (or re-download and restart the binary) using your existing config, without repeating any prompt or touching your JWT_SECRET.

Manual setup

Prefer to configure everything yourself, or don't want an interactive script touching your server at all? Both install paths above are just automation over things you can do by hand — see Deployment for the full manual Docker/systemd configuration, sharing :443/:80 with another service via a reverse proxy, and exactly when TLS certificates get issued and renewed.

Install the CLI

curl -fsSL https://raw.githubusercontent.com/codad5/raba/master/install.sh | sh

Windows (PowerShell):

irm https://raw.githubusercontent.com/codad5/raba/master/install.ps1 | iex

Both detect your OS/architecture, download the matching binary from the latest GitHub release, and install it — install.sh to ~/.local/bin (checking whether that's already on your PATH, and printing the fix if not). Already have it installed? raba update fetches and installs the latest release in place.