Self-Hosted Noxys

Deploy Noxys on your own infrastructure for maximum control, compliance, and data sovereignty.

Why Self-Host?

Data Sovereignty

Noxys Cloud is hosted in EU regions (AWS eu-west-1, Azure westeurope, GCP europe-west1), but some organizations require on-premise-only deployments.

Self-hosted benefits:

  • Zero US cloud presence
  • Data never leaves your data center
  • Comply with strict data residency laws (GDPR Article 44, EU AI Act)
  • Meet regulatory requirements for sensitive sectors (finance, healthcare, government)

Compliance & Audit

Keep Noxys entirely within your compliance scope:

  • EU AI Act: Full compliance when deployed in-house
  • GDPR: Data Processing Agreement not required (you are the controller)
  • NIS2: Meet critical infrastructure protection requirements
  • Industry regulations: HIPAA, PCI-DSS, SOX (with additional configuration)
  • Internal audits: Audit your own infrastructure without third-party involvement

Air-Gapped Environments

Noxys can run in fully isolated networks:

  • No external dependencies (except PostgreSQL, Redis, NATS)
  • Optional offline extension mode (local policy evaluation)
  • Manual update procedures
  • No telemetry or external API calls (configurable)

Performance & Latency

Self-hosted deployments reduce latency:

  • API calls don't cross the internet
  • Extension communicates with the local backend (milliseconds)
  • Policy evaluation happens in your network
  • Real-time dashboard updates within 1-2 seconds

Deployment Options

Option          Scale                      Effort     HA      Cost
Docker Compose  Dev / Small (<50 users)    30 min     No      Low
Kubernetes      Enterprise / Multi-region  4-8 hours  Yes     Medium
On-Premise      Regulated Industries       Manual     Custom  High

Architecture Overview

Self-hosted Noxys consists of:

┌─────────────────┐
│  Browser Ext.   │─────→ HTTPS
├─────────────────┤       Port 443
│      Users      │
└─────────────────┘

┌─────────────────────────────────────────┐
│       Your VPC / Private Network        │
├─────────────────────────────────────────┤
│ ┌────────────────────────────────────┐  │
│ │ Reverse Proxy (Nginx/Traefik)      │  │ Port 443
│ │ TLS Termination, Rate Limiting     │  │
│ └────────────────────────────────────┘  │
│                   ↓                     │
│ ┌────────────────────────────────────┐  │
│ │ Noxys API (Go)                     │  │ Port 8080
│ │ • Authentication (JWT)             │  │
│ │ • Policy Evaluation                │  │
│ │ • WebSocket (real-time updates)    │  │
│ └────────────────────────────────────┘  │
│                   ↓                     │
│ ┌─────────────────┬──────────┬────────┐ │
│ │ PostgreSQL      │ Redis    │ NATS   │ │
│ │ (Interactions,  │ (Cache)  │ (Ev.)  │ │
│ │  Policies)      │          │        │ │
│ └─────────────────┴──────────┴────────┘ │
│                                         │
│ ┌────────────────────────────────────┐  │
│ │ React Dashboard (Optional)         │  │ Port 3000
│ │ Admin UI for Policies, Audit Log   │  │
│ └────────────────────────────────────┘  │
└─────────────────────────────────────────┘

┌─────────────────────────────────────────┐
│          Optional Integrations          │
├─────────────────────────────────────────┤
│ • SIEM (Splunk, Elastic, Datadog)       │
│ • LDAP / Entra ID (SSO)                 │
│ • Webhook (Slack, Custom HTTP)          │
│ • Prometheus / Grafana (Monitoring)     │
└─────────────────────────────────────────┘

System Requirements

Minimum (Docker Compose, dev/testing)

  • OS: Linux (Ubuntu 20.04+), macOS, Windows WSL2
  • CPU: 2 cores
  • RAM: 4 GB
  • Storage: 20 GB (SSD recommended)
  • Docker: 20.10+, Docker Compose 2.0+
  • CPU: 4 cores
  • RAM: 8 GB
  • Storage: 100 GB SSD
  • Network: 100 Mbps, stable connection

Enterprise (Kubernetes, 1000+ users)

  • Kubernetes: v1.24+
  • CPU: 8+ cores per node (3+ nodes for HA)
  • RAM: 32 GB per node
  • Storage: 500+ GB, high-performance storage (NVMe)
  • Network: 1+ Gbps, low latency (<50ms between nodes)

Before You Start

Gather these prerequisites:

  1. SSL/TLS Certificate (required)

    • Self-signed (development) or
    • Corporate CA (production) or
    • Let's Encrypt (free, automatic renewal)
  2. Domain Name

    • Example: noxys.company.com
    • Must resolve to your deployment
  3. Database Backup Strategy

    • Backup location (local disk, S3, NFS)
    • Retention policy (30-90 days typical)
  4. Access Control

    • Restrict ports to internal networks (firewall rules)
    • VPN/bastion host for remote access
  5. Monitoring (optional but recommended)

    • Prometheus / Grafana for metrics
    • ELK / Loki for logs
    • Uptime monitoring (Datadog, New Relic)
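
An added example (not part of the Noxys documentation or product): a Python check to run from a machine outside the private network after deployment, confirming that only the reverse proxy on port 443 is reachable, as the architecture diagram and the Access Control prerequisite require. Ports 443, 8080 and 3000 come from the diagram; 5432, 6379 and 4222 are the upstream default ports of PostgreSQL, Redis and NATS and are assumptions about your configuration.

```python
import socket
import sys

# Expected reachability from OUTSIDE the private network.
# 443, 8080 and 3000 are taken from the architecture diagram; 5432, 6379 and
# 4222 are upstream defaults (assumption), so adjust them to your deployment.
EXPECTED = {
    443: ("reverse proxy (TLS)", True),
    8080: ("Noxys API", False),
    3000: ("React dashboard", False),
    5432: ("PostgreSQL", False),
    6379: ("Redis", False),
    4222: ("NATS", False),
}


def tcp_open(host, port, timeout=2.0):
    """Return True if a TCP connection to host:port succeeds."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused, timed out, unreachable, DNS failure
        return False


def audit_exposure(host, expected=EXPECTED, probe=tcp_open):
    """Compare actual reachability with the expected policy.

    Returns a list of (port, component, message) for every deviation;
    an empty list means the exposure matches the intended design.
    """
    findings = []
    for port, (name, should_be_open) in sorted(expected.items()):
        is_open = probe(host, port)
        if is_open and not should_be_open:
            findings.append((port, name, "EXPOSED: restrict to internal network"))
        elif not is_open and should_be_open:
            findings.append((port, name, "UNREACHABLE: extension cannot connect"))
    return findings


if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit("usage: exposure_check.py <your-noxys-hostname>")
    results = audit_exposure(sys.argv[1])
    for port, name, message in results:
        print(f"{sys.argv[1]}:{port} ({name}) {message}")
    sys.exit(1 if results else 0)
```

The non-zero exit status on any finding lets the check run from a scheduled job or a deployment pipeline.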

What You Own

When you self-host, you are responsible for:

Component                  Responsibility
Infrastructure             You (AWS, Azure, on-premise)
Compute, Storage, Network  You
Updates & Patches          You
Backups & DR               You
Monitoring & Alerting      You
SSL Certificates           You
High Availability          You (via Kubernetes)

Noxys provides:

  • Software updates (released monthly)
  • Security patches (within 48 hours of disclosure)
  • Documentation & guides
  • Technical support (based on plan)

Next Steps

  1. Choose your deployment: Docker Compose (fastest) or Kubernetes (production)
  2. Prepare your Configuration
  3. For fully isolated networks, read Air-Gapped Deployments
  4. Plan your Upgrade Strategy

Questions? Email support@noxys.eu or visit doc.noxys.cloud