Running a self-hosted Meilisearch project in production

    This tutorial will guide you through setting up a production-ready Meilisearch instance. These instructions use a DigitalOcean droplet running Debian, but should be compatible with any hosting service running a Linux distro.

    NOTE

    Meilisearch Cloud is the recommended way to run Meilisearch in production environments.

    Requirements

    TIP

    DigitalOcean has extensive documentation on how to use SSH to connect to a droplet.

    Step 1: Install Meilisearch

    Log into your server via SSH, update the list of available packages, and install curl:

    apt update
    apt install curl -y
    

    Using the latest version of a package is good security practice, especially in production environments.

    Next, use curl to download and run the Meilisearch command-line installer:

    # Install Meilisearch latest version from the script
    curl -L https://install.meilisearch.com | sh
    

    The Meilisearch installer is a set of scripts that ensure you will get the correct binary for your system.

    Next, you need to make the binary accessible from anywhere in your system. Move the binary file into /usr/local/bin:

    mv ./meilisearch /usr/local/bin/
    

    Meilisearch is now installed in your system, but it is not publicly accessible.

    Step 2: Create system user

    Running applications as root exposes you to unnecessary security risks. To prevent that, create a dedicated user for Meilisearch:

    useradd -d /var/lib/meilisearch -s /bin/false -m -r meilisearch
    

    Then give the new user ownership of the Meilisearch binary:

    chown meilisearch:meilisearch /usr/local/bin/meilisearch
    

    Step 3: Create a configuration file

    After installing Meilisearch and taking the first step towards keeping your data safe, you need to set up a basic configuration file.

    First, create the directories where Meilisearch will store its data:

    mkdir /var/lib/meilisearch/data /var/lib/meilisearch/dumps /var/lib/meilisearch/snapshots
    chown -R meilisearch:meilisearch /var/lib/meilisearch
    chmod 750 /var/lib/meilisearch
    

    In this tutorial, you're creating the directories in your droplet's local disk. If you are using additional block storage, create these directories there.

    Next, download the default configuration to /etc:

    curl https://raw.githubusercontent.com/meilisearch/meilisearch/latest/config.toml > /etc/meilisearch.toml
    

    Finally, update the following lines in the meilisearch.toml file so Meilisearch uses the directories you created earlier to store its data, replacing MASTER_KEY with a 16-byte string:

    env = "production"
    master_key = "MASTER_KEY"
    db_path = "/var/lib/meilisearch/data"
    dump_dir = "/var/lib/meilisearch/dumps"
    snapshot_dir = "/var/lib/meilisearch/snapshots"
    

    Remember to choose a safe master key and avoid exposing it in publicly accessible locations.

    You have now configured your Meilisearch instance.

    Step 4: Run Meilisearch as a service

    In Linux environments, a service is a process that can be launched when the operating system is booting and which will keep running in the background. If your program stops running for any reason, Linux will immediately restart the service, helping reduce downtime.

    4.1. Create a service file

    Service files are text files that tell your operating system how to run your program.

    Run this command to create a service file in /etc/systemd/system:

    cat << EOF > /etc/systemd/system/meilisearch.service
    [Unit]
    Description=Meilisearch
    After=systemd-user-sessions.service
    
    [Service]
    Type=simple
    WorkingDirectory=/var/lib/meilisearch
    ExecStart=/usr/local/bin/meilisearch --config-file-path /etc/meilisearch.toml
    User=meilisearch
    Group=meilisearch
    Restart=on-failure
    
    [Install]
    WantedBy=multi-user.target
    EOF
    

    4.2. Enable and start service

    With your service file now ready to go, activate the service using systemctl:

    systemctl enable meilisearch
    systemctl start meilisearch
    

    With systemctl enable, you're telling the operating system you want it to run at every boot. systemctl start then immediately starts the Meilisearch service.

    Ensure everything is working by checking the service status:

    systemctl status meilisearch
    

    You should see a message confirming your service is running:

    ● meilisearch.service - Meilisearch
       Loaded: loaded (/etc/systemd/system/meilisearch.service; enabled; vendor preset: enabled)
       Active: active (running) since Fri 2023-04-10 14:27:49 UTC; 1min 8s ago
     Main PID: 14960 (meilisearch)
    

    Step 5: Secure and finish your setup

    At this point, Meilisearch is installed and running. It is also protected from eventual crashes and system restarts.

    The next step is to make your instance publicly accessible.

    TIP

    If all the requests you send to Meilisearch are done by another application living in the same machine, you can safely skip this section.

    5.1. Creating a reverse proxy with Nginx

    A reverse proxy is an application that will handle every communication between the outside world and your application. In this tutorial, you will use Nginx as your reverse proxy to receive external HTTP requests and redirect them to Meilisearch.

    First, install Nginx on your machine:

    apt-get install nginx -y
    

    Next, delete the default configuration file:

    rm -f /etc/nginx/sites-enabled/default
    

    Nginx comes with a set of default settings, such as its default HTTP port, that might conflict with Meilisearch.

    Create a new configuration file specifying the reverse proxy settings:

    cat << EOF > /etc/nginx/sites-enabled/meilisearch
    server {
        listen 80 default_server;
        listen [::]:80 default_server;
        server_name _;
        location / {
            proxy_pass  http://localhost:7700;
        }
    }
    EOF
    

    Finally, enable the Nginx service:

    systemctl daemon-reload
    systemctl enable nginx
    systemctl restart nginx
    

    Your Meilisearch instance is now publicly available.

    5.2. Enable HTTPS

    The only remaining problem is that Meilisearch processes requests via HTTP without any additional security. This is a major security flaw that could result in an attacker accessing your data.

    This tutorial assumes you have a registered domain name, and you have correctly configured its DNS's A record to point to your DigitalOcean droplet's IP address. Consult the DigitalOcean DNS documentation for more information.

    Use certbot to configure enable HTTPS in your server.

    First, install the required packages on your system:

    sudo apt install certbot python3-certbot-nginx -y
    

    Next, run certbot:

    certbot --nginx
    

    Enter your email address, agree to the Terms and Conditions, and choose your domain. When prompted if you want to automatically redirect HTTP traffic, choose option 2: Redirect.

    Certbot will finish configuring Nginx. Once it is done, all traffic to your server will use HTTPS and you will have finished securing your Meilisearch instance.

    Your security certificate must be renewed every 90 days. Certbot schedules the renewal automatically. Run a test to verify this process is in place:

    sudo certbot renew --dry-run
    

    If this command returns no errors, you have successfully enabled HTTPS in your Nginx server.

    Conclusion

    You have followed the main steps to provide a safe and stable service. Your Meilisearch instance is now up and running in a safe and publicly accessible environment thanks to the combination of a reverse proxy, HTTPS, and Meilisearch's built-in security keys.