Installation
Prerequisites
To run a server:
- A Linux server (or any Docker host) reachable from the internet, with a public IP.
- A domain name you control, with the ability to add DNS records for it.
- Either Docker (recommended, simplest) or a systemd-based Linux distro (for the Direct/bare-metal install path).
- (Optional, for automated TLS) A Cloudflare account managing DNS for your domain, and an API token scoped to DNS-edit on that zone. Without this, raba falls back to a self-signed certificate (browsers will warn) or a manually obtained one.
- Four categories of ports open on your firewall — not just
:443. See Deployment → Ports for the full list and what each one is for; the short version is HTTPS/HTTP for visitors and the dashboard, a separate tunnel port for the CLI Client to connect to (not visitors), and a port range for TCP/UDP projects.
To use the CLI: nothing beyond the binary itself — no runtime dependency, it's a single static-ish executable. Linux, macOS (Intel and Apple Silicon), and Windows are all supported.
Automatic setup
curl -fsSL https://raw.githubusercontent.com/codad5/raba/master/install-server.sh | bash
This is a real interactive script, not a black box — here's exactly what it does, in order:
- Asks for your domain (e.g.
tunnel.example.com) — required. - Asks if you want automated TLS via Cloudflare DNS-01. If yes: your Cloudflare API token (DNS-edit scope only), your zone ID, a contact email for Let's Encrypt renewal-failure notices, and whether to use Let's Encrypt's staging environment (for testing — untrusted certs, much higher rate limits).
- Asks whether to allow public signup. The very first account on a fresh instance can always sign up regardless of this setting — it only affects who can join after that.
- Asks for your HTTPS/HTTP listener ports (default
7222/8080, non-privileged so nothing needs root). If you enter443/80instead — meaning this server is dedicated to raba alone — it warns you that nothing else can bind those ports afterward. If you keep the defaults, it asks which reverse proxy you're using (nginx, Caddy, or none) and generates the actual SNI-passthrough config for it, since something needs to forward:443traffic to raba's real port in that case. - Generates
JWT_SECRETfor you. Never prompted for — a user-supplied session secret is a footgun, so the script always generates a real one. - Asks Docker or Direct, then does one of:
- Docker: writes a self-contained
docker-compose.yml, pulls the published image from GHCR, runsdocker compose up -d. - Direct: downloads the Linux server binary from the latest GitHub release, installs it
as a systemd service (
raba.service, usingAmbientCapabilities=CAP_NET_BIND_SERVICEso it can bind privileged ports without running as root), and starts it.
- Docker: writes a self-contained
- Prints next steps — point your domain's DNS A/AAAA record at this server's public IP.
Re-running it later updates in place — it detects an existing install, offers to just pull
the latest image (or re-download and restart the binary) using your existing config, without
repeating any prompt or touching your JWT_SECRET.
Manual setup
Prefer to configure everything yourself, or don't want an interactive script touching your
server at all? Both install paths above are just automation over things you can do by hand —
see Deployment for the full manual Docker/systemd configuration,
sharing :443/:80 with another service via a reverse proxy, and exactly when TLS
certificates get issued and renewed.
Install the CLI
curl -fsSL https://raw.githubusercontent.com/codad5/raba/master/install.sh | sh
Windows (PowerShell):
irm https://raw.githubusercontent.com/codad5/raba/master/install.ps1 | iex
Both detect your OS/architecture, download the matching binary from the latest GitHub
release, and install it — install.sh to ~/.local/bin (checking whether that's already on
your PATH, and printing the fix if not). Already have it installed? raba update fetches
and installs the latest release in place.