Self-Hosted Overview

Hawkra Self-Hosted is the full vulnerability management and penetration testing platform deployed entirely on your own infrastructure. Every feature available in the SaaS Premium tier is included out of the box, and all data remains within your network at all times.

Why Self-Host?

Data Sovereignty

All vulnerability data, scan results, credentials, and reports stay on servers you control. Nothing is transmitted to external services. This makes Hawkra Self-Hosted suitable for environments that handle classified or regulated data where third-party cloud storage is not permitted.

All Premium Features Unlocked

A self-hosted license unlocks every feature in the platform without tier restrictions:

Unlimited workspaces and engagements
TalonStrike advanced active reconnaissance
AI-powered vulnerability analysis
Full OSINT toolkit (WHOIS, DNS, Shodan, HIBP integrations)
Customizable report generation with branding
Team collaboration with role-based access control
Threat intelligence dashboard

Local LLM Support

Self-hosted deployments can connect to a local LLM server (Ollama, llama.cpp, vLLM, or any OpenAI-compatible API) instead of cloud-based AI providers. This keeps AI interactions entirely on-premises with no data sent to external APIs.

No API Usage Limits

There are no rate limits on AI assistant messages or API calls beyond what your hardware can handle. Premium tier message quotas are bypassed entirely in self-hosted mode.

Compliance and Data Residency

Self-hosted deployment satisfies data residency requirements by keeping all data within your chosen jurisdiction. There is no dependency on external infrastructure for core platform functionality.

System Requirements

Hardware

Component	Minimum	Recommended
CPU	4 cores	8+ cores
RAM	8 GB	16 GB (required for TalonStrike)
Disk	50 GB	100+ GB (depends on scan data volume)

Operating System

Hawkra Self-Hosted runs on any Linux distribution that supports Docker. The following are tested and recommended:

Ubuntu 22.04 LTS or later
Debian 12 (Bookworm) or later
RHEL 9 / Rocky Linux 9 / AlmaLinux 9 or later
Fedora 39 or later

Software

Software	Minimum Version
Docker Engine	24.0+
Docker Compose	v2.0+ (included with `docker-compose-plugin`)

Networking

Port 80 (HTTP) -- used by Caddy for HTTP-to-HTTPS redirect and Let's Encrypt ACME challenges
Port 443 (HTTPS) -- the primary access point for the web interface and API
A domain name is optional but recommended for automatic TLS certificate provisioning via Let's Encrypt

info

If you do not have a domain name, you can use a hostname or IP address. Caddy will generate self-signed certificates automatically. Browsers will display a certificate warning that can be accepted.

Architecture

Hawkra Self-Hosted consists of five containerized services orchestrated with Docker Compose:

                    Internet / LAN
                         |
                    +---------+
                    |  Caddy  |  :80, :443
                    | (Proxy) |  Reverse proxy + automatic HTTPS
                    +----+----+
                         |
              +----------+----------+
              |                     |
        +-----+------+      +------+-----+
        |  Frontend  |      |  Backend   |
        |  (Next.js) |      | (Rust/Axum)|
        |   :3000    |      |   :3001    |
        +------------+      +-----+------+
                                  |
                       +----------+----------+
                       |                     |
                 +-----+------+       +------+-----+
                 | PostgreSQL |       |   Redis    |
                 |    16      |       |     7      |
                 +------------+       +------------+

Service Descriptions

Service	Image	Purpose
PostgreSQL 16	`postgres:16-alpine`	Primary application database. Stores all user accounts, workspaces, engagements, vulnerabilities, assets, and encrypted data.
Redis 7	`redis:7-alpine`	In-memory cache and job queue. Used for session caching, rate limiting, and background task coordination.
Backend	`ghcr.io/reconhawk/hawkra-backend`	Rust/Axum API server. Handles all business logic, authentication, authorization, vulnerability management, and scanning operations. Runs with `NET_RAW`, `NET_ADMIN`, and `NET_BIND_SERVICE` capabilities to enable nmap network scanning.
Frontend	`ghcr.io/reconhawk/hawkra-frontend`	Next.js web application. Serves the browser-based user interface. Communicates with the backend exclusively through the Caddy reverse proxy.
Caddy	`caddy:2-alpine`	Reverse proxy with automatic HTTPS. Routes `/api/*` requests to the backend and all other requests to the frontend. Handles TLS certificate provisioning (self-signed, custom, or Let's Encrypt).

Data Flow

All client traffic enters through Caddy on ports 80 and 443.
Caddy terminates TLS and routes requests based on path:
- /api/* requests are proxied to the backend on port 3001.
- All other requests are proxied to the frontend on port 3000.
The backend communicates directly with PostgreSQL and Redis over the internal Docker network. These services are not exposed to the host.
The frontend is a server-rendered Next.js application. It does not connect to the database directly.

Security Headers

Caddy injects security headers on all responses, including:

Strict-Transport-Security with HSTS preload
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
Referrer-Policy: strict-origin-when-cross-origin
Cross-Origin-Resource-Policy: same-origin
Cross-Origin-Opener-Policy: same-origin

The Server header is stripped from all responses.

Request Size Limits

Caddy enforces request body size limits at the proxy level:

Route	Max Body Size	Purpose
`/api/agent/connect`, `/api/agent/poll`	8 KB	Agent polling (small payloads only)
`/api/agent/tasks/*`	10 MB	Agent task results
All other `/api/*` routes	1000 MB	General API including file uploads

TLS Certificate Options

Caddy supports three TLS modes, selected automatically based on your configuration:

Mode	When Used	Configuration
Self-Signed	No custom certs, `LETS_ENCRYPT` not set	Default -- no configuration needed
Custom Certificates	`cert.pem` and `key.pem` found in `certs/` directory	Place certificate files before starting
Let's Encrypt	`LETS_ENCRYPT=true` in `.env`	Requires a public domain pointing to the server and ports 80/443 open to the internet

Docker Volumes

Hawkra uses named Docker volumes to persist data across container restarts and updates:

Volume	Purpose	Critical
`postgres_data`	PostgreSQL database files	Yes -- contains all application data
`backend_config`	Auto-generated encryption keys (JWT secret, master encryption key)	Yes -- loss means encrypted data is unrecoverable
`file_storage`	Uploaded files (reports, imports, attachments)	Yes
`caddy_data`	TLS certificates and Caddy state	No -- regenerated automatically
`caddy_config`	Caddy runtime configuration	No -- regenerated automatically

Critical Backup Requirement

The backend_config volume contains auto-generated encryption keys. If this volume is lost, all encrypted data (credentials, sensitive findings, encrypted fields) becomes permanently unrecoverable. Back up this volume regularly and store backups securely.

Next Steps

Choose your preferred installation method:

Automated Installation -- Single command to install and configure everything automatically.
Manual Installation -- Step-by-step guide with full control over every configuration option.

After installation, proceed to Licensing to activate your instance.

Why Self-Host?​

Data Sovereignty​

All Premium Features Unlocked​

Local LLM Support​

No API Usage Limits​

Compliance and Data Residency​

System Requirements​

Hardware​

Operating System​

Software​

Networking​

Architecture​

Service Descriptions​

Data Flow​

Security Headers​

Request Size Limits​

TLS Certificate Options​

Docker Volumes​

Next Steps​