How to Self-Host Dify in 2026
A complete, hands-on guide to running Dify on your own VPS. From choosing a server to SSL certificates and ongoing maintenance — everything you need in one place.
What Is Self-Hosting Dify?
Dify is an open-source LLM application development platform that lets you build AI-powered apps, chatbots and RAG pipelines. Self-hosting means running Dify on your own server instead of using Dify Cloud.
You'd choose self-hosting over Dify Cloud for three main reasons:
- Cost — A Hetzner CX22 costs €3.79/mo vs $59/mo for Dify Cloud Pro. At team scale, savings are dramatic.
- Control — Full access to configuration, plugins, custom models, unlimited workspace members and no message credit limits.
- Data privacy — Your prompts, documents and conversation history never leave your own infrastructure. Critical for regulated industries.
The trade-off is that you're responsible for setup, updates and uptime. This guide makes that straightforward.
Server Requirements
Minimum
Recommended
OS: Ubuntu 22.04 LTS (recommended). Debian 11/12 also works.
Choose a Server
For most self-hosters, Hetzner CX22 (€3.79/mo, 2 vCPU, 4GB RAM, 40GB NVMe) is the best starting point. It comfortably runs Dify and all its services. European data centers make it ideal for GDPR compliance.
For beginners who want a simpler control panel, Hostinger VPS starts at $7.99/mo and includes more hand-holding. If you need 8GB RAM, their KVM 2 plan at $9.99/mo is excellent value.
Tip: Create the server with your SSH public key already added. This avoids password authentication entirely and is more secure.
Initial Server Setup
Connect to your server and run the initial setup:
# SSH into your server
ssh root@YOUR_SERVER_IP
# Update packages
apt update && apt upgrade -y
# Install essential tools
apt install -y curl wget git ufw
# Create a non-root user
adduser dify
usermod -aG sudo dify
# Copy SSH keys to new user
rsync --archive --chown=dify:dify ~/.ssh /home/dify
# Configure UFW firewall
ufw default deny incoming
ufw default allow outgoing
ufw allow 22/tcp comment 'SSH'
ufw allow 80/tcp comment 'HTTP'
ufw allow 443/tcp comment 'HTTPS'
ufw --force enable
ufw statusNow log out and reconnect as the dify user for the remaining steps.
Install Docker Engine
Install Docker using the official apt repository — don't use the snap version:
# Install prerequisites
sudo apt install -y ca-certificates curl gnupg lsb-release
# Add Docker's official GPG key
sudo install -m 0755 -d /etc/apt/keyrings
curl -fsSL https://download.docker.com/linux/ubuntu/gpg | \
sudo gpg --dearmor -o /etc/apt/keyrings/docker.gpg
sudo chmod a+r /etc/apt/keyrings/docker.gpg
# Add Docker apt repository
echo "deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/docker.gpg] \
https://download.docker.com/linux/ubuntu \
$(. /etc/os-release && echo "$VERSION_CODENAME") stable" | \
sudo tee /etc/apt/sources.list.d/docker.list > /dev/null
# Install Docker Engine
sudo apt update
sudo apt install -y docker-ce docker-ce-cli containerd.io
# Add your user to the docker group (no sudo needed)
sudo usermod -aG docker $USER
newgrp docker
# Verify installation
docker --versionInstall Docker Compose Plugin
The Docker Compose plugin is included in the package above. Verify it works:
# Check Docker Compose version (should be v2.x)
docker compose version
# If not installed, add it manually
sudo apt install -y docker-compose-pluginClone and Configure Dify
Clone the official Dify repository and configure your environment:
# Clone the repository
git clone https://github.com/langgenius/dify.git
cd dify/docker
# Create your .env file from the example
cp .env.example .env
# Generate a secure SECRET_KEY
openssl rand -base64 42
# Edit the .env file
nano .envKey settings to update in .env:
# REQUIRED: Set a strong random secret key
SECRET_KEY=your-generated-secret-key-here
# Set your domain (used in emails and links)
CONSOLE_URL=https://your-domain.com
APP_URL=https://your-domain.com
# Change default database password
DB_PASSWORD=your-strong-db-password
# Change default Redis password
REDIS_PASSWORD=your-strong-redis-password
# Optional: Add your OpenAI API key for quick start
OPENAI_API_KEY=sk-...Start Dify
Launch all Dify services with Docker Compose:
# Start all services in the background
docker compose up -d
# Check that all containers are running
docker compose ps
# Follow logs to watch startup (Ctrl+C to exit)
docker compose logs -fOnce all containers show healthy status (takes 1-2 minutes), visit http://YOUR_SERVER_IP to complete the admin setup wizard.
Configure SSL with Nginx
Dify's Docker stack includes its own Nginx on port 80. For SSL, we'll add a host-level Nginx as a reverse proxy in front of it. First, change Dify's port to avoid conflicts:
# In dify/docker/.env, change the Nginx port
EXPOSE_NGINX_PORT=8080
# Restart to apply
docker compose down && docker compose up -d
# Install host Nginx and Certbot
sudo apt install -y nginx certbot python3-certbot-nginx
# Create Nginx config for your domain
sudo nano /etc/nginx/sites-available/difyAdd this config (replace your-domain.com):
server {
listen 80;
server_name your-domain.com www.your-domain.com;
location / {
proxy_pass http://localhost:80;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_read_timeout 300s;
client_max_body_size 100M;
}
}# Enable and test
sudo ln -s /etc/nginx/sites-available/dify /etc/nginx/sites-enabled/
sudo nginx -t
sudo systemctl reload nginx
# Obtain SSL certificate (auto-configures Nginx for HTTPS)
sudo certbot --nginx -d your-domain.com -d www.your-domain.comMaintenance
Updating Dify — Dify releases updates frequently. Update with zero config changes:
cd ~/dify
git pull origin main
cd docker
docker compose pull
docker compose up -dBackup — Back up your PostgreSQL database and uploaded files:
# Backup database
docker compose exec db pg_dump -U postgres dify > backup_$(date +%Y%m%d).sql
# Backup uploaded files
tar -czf dify_storage_$(date +%Y%m%d).tar.gz ./volumes/app/storageMonitoring — Check resource usage:
# Container resource usage
docker stats
# Disk usage
df -h
docker system dfFrequently Asked Questions
Port conflict: something is already using port 80
Another service (often Apache) is occupying port 80. Either stop it (sudo systemctl stop apache2) or change Dify's Nginx port in .env by setting EXPOSE_NGINX_PORT=8080.
Container exits with out-of-memory error
Dify needs at least 4GB RAM. Check with free -h. If RAM is borderline, add a 4GB swap file: fallocate -l 4G /swapfile && chmod 600 /swapfile && mkswap /swapfile && swapon /swapfile.
Can't access the admin setup page
Check that all containers are running (docker compose ps) and that your firewall allows port 80 (sudo ufw status). The API container takes 30-60 seconds to be ready — wait for the healthy status.
Forgot the admin password
Reset it via the API container: docker compose exec api flask reset-password — follow the prompts to enter your email and new password.
How to update Dify without downtime?
Run docker compose pull to pre-pull new images, then docker compose up -d to apply. Docker Compose performs rolling restarts by default, so downtime is typically under 30 seconds. For zero-downtime updates, consider a load balancer in front of two Dify instances.