
Self-Hosted Overview

Hawkra Self-Hosted is the full vulnerability management and penetration testing platform deployed entirely on your own infrastructure. Every feature available in the SaaS Premium tier is included out of the box, and you remain in control of your data.

Why Self-Host?

  • Data sovereignty -- data stays on your infrastructure, nothing leaves your network unless you configure it to do so
  • All features unlocked -- unlimited workspaces, TalonStrike, AI analysis, OSINT, reports, RBAC
  • Local LLM support -- connect to Ollama, llama.cpp, vLLM, or any OpenAI-compatible API instead of cloud providers

System Requirements

Hardware

| Component | Minimum | Recommended |
| --- | --- | --- |
| CPU | 2 cores | 4 cores |
| RAM | 4 GB | 8 GB |
| Disk | 48 GB | 64+ GB (depends on scan data volume) |

Operating System

Hawkra Self-Hosted runs on any Linux distribution that supports Docker. The following are tested and recommended:

  • Ubuntu 22.04 LTS or later
  • Debian 12 (Bookworm) or later
  • Fedora 39 or later

Networking

  • Port 80 (HTTP) -- ACME challenges and HTTP-to-HTTPS redirect
  • Port 443 (HTTPS) -- web interface and API
  • A domain name is optional but recommended for Let's Encrypt TLS. Without one, Caddy uses self-signed certificates.

Architecture

Hawkra Self-Hosted consists of six containerized services orchestrated with Docker Compose:

                   Internet / LAN
                          |
                     +---------+
                     |  Caddy  |  :80, :443
                     | (Proxy) |  Reverse proxy + automatic HTTPS
                     +----+----+
                          |
          +---------------+----------------+
          |               |                |
    +-----+------+  +-----+------+  +------+------+
    |  Frontend  |  |  Backend   |  |    Docs     |
    | (Next.js)  |  | (Rust/Axum)|  | (Docusaurus)|
    |   :3000    |  |   :3001    |  |    :3002    |
    +------------+  +-----+------+  +-------------+
                          |
                 +--------+--------+
                 |                 |
           +-----+------+   +------+-----+
           | PostgreSQL |   |   Redis    |
           |     16     |   |     7      |
           +------------+   +------------+

Service Descriptions

| Service | Image | Purpose |
| --- | --- | --- |
| PostgreSQL 16 | postgres:16-alpine | Primary application database. Stores all user accounts, workspaces, engagements, vulnerabilities, assets, and encrypted data. |
| Redis 7 | redis:7-alpine | In-memory cache and job queue. Used for session caching, rate limiting, and background task coordination. |
| Backend | ghcr.io/reconhawk/hawkra-backend | Rust/Axum API server. Handles all business logic, authentication, authorization, vulnerability management, and scanning operations. Runs with NET_RAW, NET_ADMIN, and NET_BIND_SERVICE capabilities to enable nmap network scanning. |
| Frontend | ghcr.io/reconhawk/hawkra-frontend | Next.js web application. Serves the browser-based user interface. Communicates with the backend exclusively through the Caddy reverse proxy. |
| Docs | ghcr.io/reconhawk/hawkra-docs | Docusaurus documentation site. Serves the self-hosted documentation and guides. |
| Caddy | caddy:2-alpine | Reverse proxy with automatic HTTPS. Routes /api/* requests to the backend and all other requests to the frontend. Handles TLS certificate provisioning (self-signed, custom, or Let's Encrypt). |

Data Flow

  1. All client traffic enters through Caddy on ports 80 and 443.
  2. Caddy terminates TLS and routes requests based on path:
    • /api/* requests are proxied to the backend on port 3001.
    • All other requests are proxied to the frontend on port 3000.
  3. The backend communicates directly with PostgreSQL and Redis over the internal Docker network. These services are not exposed to the host.
  4. The frontend is a server-rendered Next.js application. It does not connect to the database directly.
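One way to confirm on a running host that only Caddy's ports 80 and 443 are published, as an added example that is not part of the Hawkra distribution. The container names in the sample are constructed, and 5432 and 6379 are the default ports of the PostgreSQL and Redis images rather than values stated on this page.

```bash
# Added example: flag host-published ports other than 80 and 443.
# Input: NAME<TAB>PORTS lines, as printed by
#   docker ps --format '{{.Names}}\t{{.Ports}}'

# Print "NAME MAPPING" for every published port that is not 80 or 443.
unexpected_published_ports() {
  awk -F '\t' '
    { n = split($2, maps, ", ")
      for (i = 1; i <= n; i++) {
        if (index(maps[i], "->") == 0) continue   # exposed only, not published
        host = maps[i]; sub(/->.*/, "", host)     # e.g. 0.0.0.0:5432 or [::]:5432
        port = host;    sub(/.*:/, "", port)      # text after the last colon
        if (port != "80" && port != "443") print $1, maps[i]
      } }'
}

# Constructed sample (assumed container names): PostgreSQL has been published
# to the host by mistake, Redis and the backend are internal only.
SAMPLE=$(printf '%s\t%s\n' \
  hawkra-caddy-1    '0.0.0.0:80->80/tcp, 0.0.0.0:443->443/tcp, :::443->443/tcp' \
  hawkra-backend-1  '3001/tcp' \
  hawkra-postgres-1 '0.0.0.0:5432->5432/tcp' \
  hawkra-redis-1    '6379/tcp')

printf '%s\n' "$SAMPLE" | unexpected_published_ports
```

An empty result means nothing beyond the proxy is reachable from outside the internal Docker network.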

Security Headers

Caddy injects security headers on all responses, including:

  • Strict-Transport-Security with HSTS preload
  • X-Content-Type-Options: nosniff
  • X-Frame-Options: SAMEORIGIN
  • Referrer-Policy: strict-origin-when-cross-origin
  • Cross-Origin-Resource-Policy: same-origin
  • Cross-Origin-Opener-Policy: same-origin

The Server header is stripped from all responses.
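A check for the header set listed above, as an added example that is not part of the Hawkra distribution. It reads a raw header block such as the output of `curl -skI`; the function names and the sample response are constructed for illustration.

```bash
# Added example: audit a raw response-header block (e.g. `curl -skI` output)
# against the headers listed above. Helper names are illustrative.
# Print the trimmed value of header $2 in block $1 (name match ignores case).
header_value() {
  printf '%s\n' "$1" | tr -d '\r' | awk -v want="$2" '
    BEGIN { want = tolower(want) }
    { i = index($0, ":"); if (i == 0) next
      if (tolower(substr($0, 1, i - 1)) != want) next
      val = substr($0, i + 1); gsub(/^[ \t]+|[ \t]+$/, "", val)
      print val; exit }'
}
lower() { printf '%s' "$1" | tr '[:upper:]' '[:lower:]'; }

# Print one FAIL line per deviation; succeed only when there are none.
check_headers() {
  block="$1"; failures=0
  while IFS='|' read -r name expected; do
    actual=$(header_value "$block" "$name")
    if [ "$(lower "$actual")" != "$(lower "$expected")" ]; then
      echo "FAIL $name: expected '$expected', got '${actual:-<missing>}'"
      failures=$((failures + 1))
    fi
  done <<'EOF'
X-Content-Type-Options|nosniff
X-Frame-Options|SAMEORIGIN
Referrer-Policy|strict-origin-when-cross-origin
Cross-Origin-Resource-Policy|same-origin
Cross-Origin-Opener-Policy|same-origin
EOF
  # The page gives no exact HSTS value: require max-age plus the preload token.
  hsts=$(lower "$(header_value "$block" Strict-Transport-Security)")
  case "$hsts" in
    *max-age=*preload*|*preload*max-age=*) ;;
    *) echo "FAIL Strict-Transport-Security: got '${hsts:-<missing>}'"; failures=$((failures + 1)) ;;
  esac
  # Server is documented as stripped, so any value is a finding.
  srv=$(header_value "$block" Server)
  [ -z "$srv" ] || { echo "FAIL Server: present ('$srv')"; failures=$((failures + 1)); }
  [ "$failures" -eq 0 ]
}

# Constructed sample, not captured from a real instance.
SAMPLE_BAD='HTTP/2 200
strict-transport-security: max-age=31536000; includeSubDomains; preload
x-content-type-options: nosniff
x-frame-options: SAMEORIGIN
referrer-policy: strict-origin-when-cross-origin
cross-origin-resource-policy: same-origin
server: Caddy'
check_headers "$SAMPLE_BAD" || echo "deviations found"
```

Running it after an upgrade or a proxy configuration change catches a header that was dropped or a Server banner that reappeared.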

TLS Certificate Options

Caddy supports three TLS modes, selected automatically based on your configuration:

| Mode | When Used | Configuration |
| --- | --- | --- |
| Self-Signed | No custom certs, LETS_ENCRYPT not set | Default -- no configuration needed |
| Custom Certificates | cert.pem and key.pem found in /opt/hawkra/certs directory | Place certificate files before starting |
| Let's Encrypt | LETS_ENCRYPT=true in /opt/hawkra/.env | Requires a public domain pointing to the server and ports 80/443 open to the internet |

Docker Volumes

Hawkra uses named Docker volumes to persist data across container restarts and updates:

| Volume | Purpose | Critical |
| --- | --- | --- |
| postgres_data | PostgreSQL database files | Yes -- contains all application data |
| backend_config | Auto-generated encryption keys (JWT secret, master encryption key) | Yes -- loss means encrypted data is unrecoverable |
| file_storage | Uploaded files (reports, imports, attachments) | Yes |
| caddy_data | TLS certificates and Caddy state | No -- regenerated automatically |
| caddy_config | Caddy runtime configuration | No -- regenerated automatically |

Critical Backup Requirement

The backend_config volume contains auto-generated encryption keys. If this volume is lost, all encrypted data (credentials, sensitive findings, encrypted fields) becomes permanently unrecoverable. Back up this volume regularly and store backups securely.

Next Steps

Choose your preferred installation method:

After installation, proceed to Licensing to activate your instance.