
Going to Production

When deploying ClickStack in production, there are several additional considerations to ensure security, stability, and correct configuration.

Network and Port Security

By default, Docker Compose exposes ports on the host, making them accessible from outside the container - even if tools like ufw (Uncomplicated Firewall) are enabled. This behavior is due to Docker's use of its own networking stack, which can bypass host-level firewall rules unless explicitly configured.

Recommendation:

Only expose ports that are necessary for production use: typically the OTLP endpoints, API server, and frontend.

For example, remove or comment out unnecessary port mappings in your docker-compose.yml file:

Refer to the Docker networking documentation for details on isolating containers and hardening access.

Session Secret Configuration

In production, you must set a strong, random value for the EXPRESS_SESSION_SECRET environment variable to protect session data and prevent tampering.

Here's how to add it to your docker-compose.yml file for the app service:

You can generate a strong secret using openssl:

Avoid committing secrets to source control. In production, consider using environment variable management tools (e.g. Docker Secrets, HashiCorp Vault, or environment-specific CI/CD configs).
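
As an added example (not part of the ClickStack documentation), the following Python check applies the two recommendations above to a parsed docker-compose.yml: it flags port mappings published on all host interfaces and a missing or short EXPRESS_SESSION_SECRET on the app service. The service names, ports, sample secret and the 32-character minimum are assumptions made for illustration.

```python
# Constructed sample: a docker-compose.yml after YAML parsing. Service names,
# ports and the secret value are illustrative assumptions, not ClickStack defaults.
SAMPLE_COMPOSE = {
    "services": {
        "app": {
            "ports": ["8080:8080", "127.0.0.1:8000:8000"],
            "environment": {"EXPRESS_SESSION_SECRET": "changeme"},
        },
        "db": {"ports": ["27017:27017"]},
        "otel-collector": {"ports": [{"target": 4318, "published": 4318}]},
    }
}
ALL_INTERFACES = ("", "0.0.0.0", "::")


def host_ip(port):
    """Host IP a compose port entry binds to; '' means no IP was given."""
    if isinstance(port, dict):                    # long syntax
        return str(port.get("host_ip", ""))
    spec = str(port).split("/")[0]                # drop "/tcp" or "/udp"
    if spec.startswith("["):                      # bracketed IPv6 host address
        return spec[1:spec.index("]")]
    parts = spec.split(":")
    return parts[0] if len(parts) == 3 else ""    # IP:HOST_PORT:CONTAINER_PORT


def env_value(service, key):
    """Read one variable from either the mapping or the list form of environment."""
    env = service.get("environment") or {}
    if isinstance(env, list):                     # ["KEY=value", ...]
        env = dict(item.split("=", 1) for item in env if "=" in item)
    return env.get(key)


def audit(compose, app_service="app", min_len=32):
    """Return (service, finding) pairs for exposed ports and a weak session secret."""
    findings = []
    services = compose.get("services", {})
    for name, svc in services.items():
        for port in svc.get("ports", []):
            if host_ip(port) in ALL_INTERFACES:   # no loopback bind: reachable off-host
                findings.append((name, f"port {port!r} is published on all interfaces"))
    secret = env_value(services.get(app_service, {}), "EXPRESS_SESSION_SECRET")
    if secret is None:
        findings.append((app_service, "EXPRESS_SESSION_SECRET is not set"))
    elif not str(secret).startswith("$") and len(str(secret)) < min_len:
        findings.append((app_service, "EXPRESS_SESSION_SECRET is a short literal"))
    return findings
```

To audit a real file, pass the mapping returned by a YAML parser (for example PyYAML's yaml.safe_load) to audit(). Values written as ${VAR} references are skipped because they cannot be evaluated from the file alone.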

ClickHouse

For production deployments, we recommend using ClickHouse Cloud, which applies industry-standard security practices by default - including enhanced encryption, authentication and connectivity, and managed access controls.

User Permissions

The ClickHouse user for HyperDX only needs to be a readonly user with access to change the following settings:

  • max_rows_to_read (at least up to 1 million)
  • read_overflow_mode
  • cancel_http_readonly_queries_on_client_close
  • wait_end_of_query

By default, the default user in both OSS and ClickHouse Cloud has these permissions available, but we recommend you create a new user with these permissions.

Using ClickHouse Cloud

Create a service

Follow the getting started guide for ClickHouse Cloud to create a service.

Copy connection details

To find the connection details for HyperDX, navigate to the ClickHouse Cloud console and click the Connect button on the sidebar. Record the HTTP connection details, specifically the URL.

While you may use the default username and password shown in this step to connect HyperDX, we recommend creating a dedicated user (see below).

Create a user

We recommend you create a dedicated user for HyperDX. Run the following SQL commands in the Cloud SQL console:

Deploy HyperDX

Ensure HyperDX is deployed. The Helm, Docker Compose (modified to exclude ClickHouse) or HyperDX-only deployment models are preferred.

Create a user on initial login.

Connect to ClickHouse Cloud

Using the credentials created earlier, complete the connection details and click Create.

Self-managed security

If you are managing your own ClickHouse instance, it's essential to enable SSL/TLS, enforce authentication, and follow best practices for hardening access. See this blog post for context on real-world misconfigurations and how to avoid them.

ClickHouse OSS provides robust security features out of the box. However, these require configuration:

See also external authenticators and query complexity settings for managing users and ensuring query/resource limits.

MongoDB Guidelines

Follow the official MongoDB security checklist.