Self-hosting analytics on Amazon EC2 free tier

2024

8 min read

Plausible on Amazon EC2

If you ask why Plausible, while Google Analytics are free then this article is talk about it why use Plausible over Google Analytics, What makes Plausible a great Google Analytics alternative, pretty clear and have the points.

I was so tired of the costs incurred for maintaining backends for my website and the problems related to it.

I started to pay more attention to Open Source, I think it will solve financial problems and worry less and let my mind rest and think about other things in life.

So I chose Plausible, it is Open Source, but in essence it still costs quite a lot for monthly maintenance for subscribe packages, so I developed a solution to store it on AWS free tier to be completely free to use it and reduce expenses.

Amazon EC2 is a web service that lets you create virtual machines (known as instances) in the cloud. They’re also known as Cloud Server.

Other cloud servers also offer free-tier, but I’m going to use Amazon EC2 because I’ve already used Amazon S3 for my static documents. Sign in with your Amazon account to access the dashboard.

Follow these steps to create a new instance that we will use to set up Plausible.

  1. Select “Instances” from the sidebar
  2. Select “Launch Instances”
  3. Enable “Free-tier only” filter in the sidebar
  4. Choose Ubuntu Server 20.04 LTS (HVM) 64-bit (x86)
  5. Choose the free tier option in the list
  6. Select “Review and Launch” to complete the instance setup
  7. Save the PEM certificate somewhere safe You’ll be asked to name the PEM certificate.

I name the certificate as aws-ubuntu and save it in ~/.ssh directory. Keep the certificate safe because you will need it whenever you want to access the server. Before connecting to the instance you’ve just created, you need to set the inbound security rules to accept requests made to port 80 and 443. You can click on the running instance and select the Security tab under the instance summary. Next, click on the security groups and set the following inbound rules.

TypeProtocolPort rangeSource
HTTPTCP800.0.0.0/0
SSHTCP220.0.0.0/0
HTTPSTCP4430.0.0.0/0

You typically don’t want to manage your server as the root user, so we’ll start by creating a user account.

adduser stepham

Next, add your new user to the sudo group so it can run tasks as root.

usermod -aG sudo stepham

Next, copy the ssh keys from the root user to the new user so we can log in via ssh. We can use rsync to copy and change the ownership of the new files with a single command (you can see the Digitalocean post I got this trick from here). The -a flag is for archive mode, which you can read about from the rsync help screen.

rsync -a --chown stepham:stepham ~/.ssh /home/stepham

Next, open a new terminal and test your users login.

ssh tyler@IP_Server_Address

If this worked, close the root ssh session: we’re going to disable root login. With your non-root user, open the ssh daemon configuration with nano.

sudo nano /etc/ssh/sshd_config

Find the line with PermitRootLogin and set the value to no.

PermitRootLogin no

Save the file, then restart the ssh daemon so these changes take effect.

sudo systemctl restart ssh

I’m going to copy directly from their docs, so please feel free to reference the Docker Installation Guide and Docker Compose Installation Guide for the most up-to-date installation instructions.

First, remove any old versions of Docker:

sudo apt-get remove docker docker-engine docker.io containerd runc

Set up the Docker repository:

sudo apt-get update
sudo apt-get install \
    apt-transport-https \
    ca-certificates \
    curl \
    gnupg \
    lsb-release

Add Docker’s official GPG key:

curl -fsSL https://download.docker.com/linux/ubuntu/gpg | sudo gpg --dearmor -o /usr/share/keyrings/docker-archive-keyring.gpg

Add the Docker repository:

echo \
  "deb [arch=amd64 signed-by=/usr/share/keyrings/docker-archive-keyring.gpg] https://download.docker.com/linux/ubuntu \
  $(lsb_release -cs) stable" | sudo tee /etc/apt/sources.list.d/docker.list > /dev/null

Install Docker engine:

sudo apt-get update  
sudo apt-get install docker-ce docker-ce-cli containerd.io

Copy Docker Compose onto your machine:

sudo curl -L "https://github.com/docker/compose/releases/download/1.29.2/docker-compose-$(uname -s)-$(uname -m)" -o /usr/local/bin/docker-compose

Make Docker Compose executable:

sudo chmod +x /usr/local/bin/docker-compose

Add your user to the docker group so you don’t have to run Docker as root.

sudo usermod -aG docker stepham

Run the following command for the group change to take effect without having to log out and log back in:

exec su -l $USER

Like Docker, I’m copying from the Plausible Self-Hosting Guide. Please reference the official guide for the most up-to-date installation instructions.

To keep things simple, we’re going to install everything in our user’s home directory. From your home directory, run the following:

git clone https://github.com/plausible/hosting  
cd hosting

Next, we’ll set up the config inside plausible-conf.env.

The ADMIN_USER_EMAIL, ADMIN_USER_NAME and ADMIN_USER_PWD fields will be used to create the Plausible user the first time you run the containers. After you’ve started the containers for the first time, you need to set up SMPT to change the password, so choose a strong password while setting this up.

Run nano plausible-conf.env to set these fields.

Add DISABLE_REGISTRATION=true to plausible-conf.env file to prevent people signing up a new account on your self-hosted Plausible.

ADMIN_USER_EMAIL=talktodev@stepham.com
ADMIN_USER_NAME=stepham
ADMIN_USER_PWD=kmw6W4nkuV!GqC-mczCyARYZ  
DISABLE_REGISTRATION=true

Next, set the BASE_URL to the URL where you’d like to access the dashboard.

touch .env  
echo "BASE_URL=https://stats.stepham.com" >> .env  
echo "SECRET_KEY_BASE=$(openssl rand -base64 48)" >> .env

cat .env  
BASE_URL=https://stats.stepham.com
SECRET_KEY_BASE=As0fZsJlUpuFYSthRjT5Yflg/NlxkFKPRro72xMLXF8yInZ60s6xGGXYVqml+XN1

Start Docker Compose in detached mode:

docker-compose up -d

Plausible is now running, but we still have some extra steps before we can use it.

Set an A record on your domain’s DNS pointing to the server

How you’ll go about this will vary depending on your registrar or where your DNS is hosted, but make sure your domain is pointing to the server’s IP.

Run the following:

sudo apt update  
sudo apt install nginx

Next we’ll create an nginx configuration file for our site using nano.

sudo nano /etc/nginx/sites-available/stats.stepham.com

We’ll use the Plausible nginx example as a template:

server {
	# replace example.com with your domain name
	server_name stats.stepham.com;

	listen 80;
	listen [::]:80;

	location / {
		proxy_pass http://127.0.0.1:8000;
		proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
	}
}

Next, link the site config to the sites-enabled folder.

sudo ln /etc/nginx/sites-available/stats.stepham.com /etc/nginx/sites-enabled

Confirm that the configuration syntax is correct:

sudo nginx -t

Restart nginx:

sudo systemctl restart nginx

Certbot’s official docs recommend installing Certbot with snapd, but nginx recommends installing with apt. We’ll follow nginx’s Certbot installation instructions.

sudo apt-get update  
sudo apt-get install certbot  
sudo apt-get install python3-certbot-nginx

Create a certificate for your domain. The -d flags are for domains. In the example below, we’re creating a certificate for both the www and non-www versions of the domains. This is a good practice, but it isn’t required.

Make sure that your DNS has propagated before running this command:

sudo certbot --nginx -d stats.stepham.com -d stats.stepham.com

Next, we’ll protect the sever with ufw, short for Uncomplicated Firewall.

You can see your available apps with the following command:

sudo ufw app list

You should see the following returned:

Available applications:  
  Nginx Full  
  Nginx HTTP  
  Nginx HTTPS  
  OpenSSH

Add nginx and OpenSSH

sudo ufw allow OpenSSH  
sudo ufw allow "Nginx Full"

Next, enable the firewall. Be sure that you’ve allowed OpenSSH before running this command, or you may be unable to access this server in the future.

sudo ufw enable

Next, run sudo ufw status. You should see the following returned:

Status: active

To                         Action      From
--                         ------      ----
OpenSSH                    ALLOW       Anywhere
Nginx Full                 ALLOW       Anywhere
OpenSSH (v6)               ALLOW       Anywhere (v6)
Nginx Full (v6)            ALLOW       Anywhere (v6)
ROKHALLOWS
ROKHALLOWS
ROKHALLOWS
ROKHALLOWS
ROKHALLOWS
ROKHALLOWS
ROKHALLOWS
ROKHALLOWS
Superset: writing
Topics: creativity, knowhow
Year: 2024