Deployment strategies

    Minimal setup

    One of the best PocketBase feature is that it's completely portable. This mean that it doesn't require any external dependency and could be deployed by just uploading the executable on your server .

    Here is an example for starting a production HTTPS server (auto managed TLS with Let's Encrypt) on clean Ubuntu 22.04 installation:

    1. Upload the binary and anything else related to your remote server, for example using rsync:

      rsync -avz -e ssh /local/path/to/pocketbase root@YOUR_SERVER_IP:/root/pb
    2. Start a SSH session with your server:

      ssh root@YOUR_SERVER_IP
    3. Start the executable (the --https flag issues a Let's Encrypt certificate):

      [root@dev ~]$ /root/pb/pocketbase serve --http="yourdomain.com:80" --https="yourdomain.com:443"

      Notice that in the above example we are logged in as root which allow us to bind to the privileged 80 and 443 ports.
      For non-root users usually you'll need special privileges to be able to do that. You have several options depending on your OS - authbind, setcap, iptables, sysctl, etc. Here is an example using setcap:

      [myuser@dev ~]$ sudo setcap 'cap_net_bind_service=+ep' /root/pb/pocketbase
    Systemd service

    To allow your application to start on its own (or to restart in case the process get killed), you could create a Systemd service for it.

    Here is an example service file (usually created at /lib/systemd/system/pocketbase.service):

    [Unit] Description = pocketbase [Service] Type = simple User = root Group = root LimitNOFILE = 4096 Restart = always RestartSec = 5s StandardOutput = append:/root/pb/errors.log StandardError = append:/root/pb/errors.log ExecStart = /root/pb/pocketbase serve --http="yourdomain.com:80" --https="yourdomain.com:443" [Install] WantedBy = multi-user.target

    After that we just have to enable it and start the service using systemctl:

    [root@dev ~]$ systemctl enable pocketbase.service [root@dev ~]$ systemctl start pocketbase
    Using reverse proxy

    If you plan hosting multiple applications on a single server or need finer network controls (rate limiter, IPs whitelisting, etc.), you could always put PocketBase behind a reverse proxy such as NGINX or Apache. Here is a minimal NGINX sample configuration:

    server { listen 80; server_name example.com; client_max_body_size 10M; location / { # check http://nginx.org/en/docs/http/ngx_http_upstream_module.html#keepalive proxy_set_header Connection ''; proxy_http_version 1.1; proxy_read_timeout 360s; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $scheme; proxy_pass http://127.0.0.1:8090; } }
    Using Docker

    Some hosts (eg. fly.io) use Docker for deployments. PocketBase doesn't have an official Docker image yet, but you could use the below Dockerfile as an example:

    FROM alpine:latest ARG PB_VERSION=0.8.0 RUN apk add --no-cache \ unzip \ ca-certificates # download and unzip PocketBase ADD https://github.com/pocketbase/pocketbase/releases/download/v${PB_VERSION}/pocketbase_${PB_VERSION}_linux_amd64.zip /tmp/pb.zip RUN unzip /tmp/pb.zip -d /pb/ EXPOSE 8080 # start PocketBase CMD ["/pb/pocketbase", "serve", "--http=0.0.0.0:8080"]

    For a full example you could check the "Host for free on Fly.io" guide.

    Backup and Restore

    Another great PocketBase feature is how easy and simple it is to backup and restore.

    To backup your application, it is usually enough to just copy the pb_data directory (for transactional safety make sure that the application is not running). Or alternatively, you could also use the sqlite3 .backup command on the database file.

    To restore, as you may have already guessed, you just have to do the opposite - upload the pb_data backup directory to your server and restart the application.

    Recommendations

    highly recommended
    Use SMPT mail server

    By default, PocketBase uses the internal Unix sendmail command for sending emails.
    While it's OK for development, it's not very useful for production, because your emails most likely will get marked as spam or even fail to deliver.

    To avoid deliverability issues, consider using a local SMTP server or an external mail service like MailerSend, Sendinblue, SendGrid, Mailgun, AWS SES, etc.

    Once you've decided on a mail service, you could configure the PocketBase SMTP settings from the admin UI (Settings > Mail settings):

    SMTP settings screenshot
    optional
    Increase the open file descriptors limit

    The below instructions are for Linux but other operating systems have similar mechanism.

    Unix uses "file descriptors" also for network connections and most systems have a default limit of ~ 1024.
    If your application has a lot of concurrent realtime connections, it is possible that at some point you would get an error such as: Too many open files.

    One way to mitigate this is to check your current account resource limits by running ulimit -a and find the parameter you want to change. For example, if you want to increase the open files limit (-n), you could run ulimit -n 4096 before starting PocketBase.

    optional
    Enable settings encryption

    By default, PocketBase stores the applications settings in the database as plain JSON text, including the secret keys for the OAuth2 clients and the SMTP password.

    While this is not a security issue on its own (PocketBase applications live entirely on a single server and its expected only authorized users to have access to your server and application data), in some situations it may be a good idea to store the settings encrypted in case someone get their hands on your database file (eg. from an external stored backup).

    To store your PocketBase settings encrypted:

    1. Create a new environment variable and set a random 32 characters string as its value.
      eg. add export PB_ENCRYPTION_KEY="XQ0UAEG9kR5XpdPd7EO6qPMi7n5DiyPy" in your shell profile file
    2. Start the application with --encryptionEnv=YOUR_ENV_VAR flag.
      eg. pocketbase serve --encryptionEnv=PB_ENCRYPTION_KEY