Running a self-hosted Meilisearch project in production

This tutorial will guide you through setting up a production-ready Meilisearch instance. These instructions use a DigitalOcean droplet running Debian, but should be compatible with any hosting service running a Linux distro.

• A DigitalOcean droplet running Debian 12
• An SSH key pair to connect to that machine

Log into your server via SSH, update the list of available packages, and install curl:

apt update
apt install curl -y

Using the latest version of a package is good security practice, especially in production environments.

Next, use curl to download and run the Meilisearch command-line installer:

# Install Meilisearch latest version from the script
curl -L https://install.meilisearch.com | sh

The Meilisearch installer is a set of scripts that ensure you will get the correct binary for your system.

Next, you need to make the binary accessible from anywhere in your system. Move the binary file into /usr/local/bin:

mv ./meilisearch /usr/local/bin/

Meilisearch is now installed in your system, but it is not publicly accessible.

Running applications as root exposes you to unnecessary security risks. To prevent that, create a dedicated user for Meilisearch:

useradd -d /var/lib/meilisearch -s /bin/false -m -r meilisearch

Then give the new user ownership of the Meilisearch binary:

chown meilisearch:meilisearch /usr/local/bin/meilisearch

After installing Meilisearch and taking the first step towards keeping your data safe, you need to set up a basic configuration file.

First, create the directories where Meilisearch will store its data:

mkdir /var/lib/meilisearch/data /var/lib/meilisearch/dumps /var/lib/meilisearch/snapshots
chown -R meilisearch:meilisearch /var/lib/meilisearch
chmod 750 /var/lib/meilisearch

In this tutorial, you're creating the directories in your droplet's local disk. If you are using additional block storage, create these directories there.

Next, download the default configuration to /etc:

curl https://raw.githubusercontent.com/meilisearch/meilisearch/latest/config.toml > /etc/meilisearch.toml

Finally, update the following lines in the meilisearch.toml file so Meilisearch uses the directories you created earlier to store its data, replacing MASTER_KEY with a 16-byte string:

env = "production"
master_key = "MASTER_KEY"
db_path = "/var/lib/meilisearch/data"
dump_dir = "/var/lib/meilisearch/dumps"
snapshot_dir = "/var/lib/meilisearch/snapshots"

Remember to choose a safe master key and avoid exposing it in publicly accessible locations.

You have now configured your Meilisearch instance.

In Linux environments, a service is a process that can be launched when the operating system is booting and which will keep running in the background. If your program stops running for any reason, Linux will immediately restart the service, helping reduce downtime.

Service files are text files that tell your operating system how to run your program.

Run this command to create a service file in /etc/systemd/system:

cat << EOF > /etc/systemd/system/meilisearch.service
[Unit]
Description=Meilisearch
After=systemd-user-sessions.service

[Service]
Type=simple
WorkingDirectory=/var/lib/meilisearch
ExecStart=/usr/local/bin/meilisearch --config-file-path /etc/meilisearch.toml
User=meilisearch
Group=meilisearch
Restart=on-failure

[Install]
WantedBy=multi-user.target
EOF

With your service file now ready to go, activate the service using systemctl:

systemctl enable meilisearch
systemctl start meilisearch

With systemctl enable, you're telling the operating system you want it to run at every boot. systemctl start then immediately starts the Meilisearch service.

Ensure everything is working by checking the service status:

systemctl status meilisearch

You should see a message confirming your service is running:

● meilisearch.service - Meilisearch
   Loaded: loaded (/etc/systemd/system/meilisearch.service; enabled; vendor preset: enabled)
   Active: active (running) since Fri 2023-04-10 14:27:49 UTC; 1min 8s ago
 Main PID: 14960 (meilisearch)

At this point, Meilisearch is installed and running. It is also protected from eventual crashes and system restarts.

The next step is to make your instance publicly accessible.

A reverse proxy is an application that will handle every communication between the outside world and your application. In this tutorial, you will use Nginx as your reverse proxy to receive external HTTP requests and redirect them to Meilisearch.

First, install Nginx on your machine:

apt-get install nginx -y

Next, delete the default configuration file:

rm -f /etc/nginx/sites-enabled/default

Nginx comes with a set of default settings, such as its default HTTP port, that might conflict with Meilisearch.

Create a new configuration file specifying the reverse proxy settings:

cat << EOF > /etc/nginx/sites-enabled/meilisearch
server {
    listen 80 default_server;
    listen [::]:80 default_server;
    server_name _;
    location / {
        proxy_pass  http://localhost:7700;
    }
}
EOF

Finally, enable the Nginx service:

systemctl daemon-reload
systemctl enable nginx
systemctl restart nginx

Your Meilisearch instance is now publicly available.

The only remaining problem is that Meilisearch processes requests via HTTP without any additional security. This is a major security flaw that could result in an attacker accessing your data.

This tutorial assumes you have a registered domain name, and you have correctly configured its DNS's A record to point to your DigitalOcean droplet's IP address. Consult the DigitalOcean DNS documentation for more information.

Use certbot to configure enable HTTPS in your server.

First, install the required packages on your system:

sudo apt install certbot python3-certbot-nginx -y

Next, run certbot:

certbot --nginx

Enter your email address, agree to the Terms and Conditions, and choose your domain. When prompted if you want to automatically redirect HTTP traffic, choose option 2: Redirect.

Certbot will finish configuring Nginx. Once it is done, all traffic to your server will use HTTPS and you will have finished securing your Meilisearch instance.

Your security certificate must be renewed every 90 days. Certbot schedules the renewal automatically. Run a test to verify this process is in place:

sudo certbot renew --dry-run

If this command returns no errors, you have successfully enabled HTTPS in your Nginx server.

You have followed the main steps to provide a safe and stable service. Your Meilisearch instance is now up and running in a safe and publicly accessible environment thanks to the combination of a reverse proxy, HTTPS, and Meilisearch's built-in security keys.