> For the complete documentation index, see [llms.txt](https://docs.devolutions.net/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://docs.devolutions.net/server/knowledge-base/how-to-articles/devolutions-server-docker-deployment/advanced-docker-configuration-for-devolutions-server.md). # Advanced Docker configuration for Devolutions Server This article covers advanced configuration options for Devolutions Server's Docker deployment, including complete environment variable reference, certificate management, performance tuning, and security hardening. ### Environment variables reference #### Database connection variables | Variable | Required | Default | Description | | ----------------------------------- | -------- | ------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | `DATABASE_HOST` | Yes | — | SQL Server hostname. For non-standard ports, use `host,port` format (e.g., `sql.example.com,1433`). | | `AZURE_SQL_HOST` | Yes\* | — | Alias for `DATABASE_HOST` (Azure-specific naming). | | `DATABASE_NAME` | Yes | — | Devolutions Server database name. | | `AZURE_SQL_DATABASE` | Yes\* | — | Alias for `DATABASE_NAME`. | | `DATABASE_USERNAME` | Yes | — | SQL authentication username (use least-privilege account with db\_owner on Devolutions Server database). | | `AZURE_SQL_USERNAME` | Yes\* | — | Alias for `DATABASE_USERNAME`. | | `DATABASE_PASSWORD` | Yes | — | SQL authentication password (treat as secret, use Docker secrets or Azure Key Vault). | | `AZURE_SQL_PASSWORD` | Yes\* | — | Alias for `DATABASE_PASSWORD`. | | `DATABASE_PORT` | No | `1433` | SQL Server port (appended to host if not already specified in `DATABASE_HOST`). | | `AZURE_SQL_PORT` | No | `1433` | Alias for `DATABASE_PORT`. | | `DATABASE_ENCRYPT` | No | `false` | Set to `true` to encrypt the SQL Server connection (TLS). Required when the SQL Server enforces encryption. Read on every container start — pass it on every `docker run`. | | `DATABASE_TRUST_SERVER_CERTIFICATE` | No | false | Set to `true` to trust the SQL Server's certificate without validation. Use with `DATABASE_ENCRYPT=true` when the server presents a self-signed certificate (e.g. SQL Server 2022 in a container). | {% hint style="info" %} Variables marked with \* are aliases. Use either the standard or Azure-specific naming, not both. {% endhint %} #### Web server configuration | Variable | Required | Default | Description | | --------------------- | -------- | -------------------- | ----------------------------------------------------------------------------------- | | `HOSTNAME` | No | `localhost` | Server hostname (overridden by `WEBSITE_HOSTNAME` on Azure). | | `WEB_SCHEME` | No | `http` | Protocol: `http` or `https`. Set to `https` to enable TLS. | | `WEB_PORT` / `PORT` | No | `5000` | Port the container listens on. | | `EXTERNAL_WEB_SCHEME` | No | Mirrors `WEB_SCHEME` | External protocol when behind reverse proxy (e.g., `https` when proxy handles TLS). | | `EXTERNAL_WEB_PORT` | No | Mirrors `WEB_PORT` | External port when behind reverse proxy (e.g., `443` for standard HTTPS). | #### TLS certificate configuration | Variable | Required | Default | Description | | ---------------------- | -------- | ------- | ------------------------------------------------------------------------------------- | | `TLS_CERTIFICATE_FILE` | No\* | — | Path to mounted PEM certificate file (e.g., `/opt/devolutions/dvls/certs/server.pem`) | | `TLS_PRIVATE_KEY_FILE` | No\* | — | Path to mounted PEM private key file (e.g., `/opt/devolutions/dvls/certs/server.key`) | | `TLS_CERTIFICATE_B64` | No\* | — | Base64-encoded certificate content (written to `App_Data/server.pem`) | | `TLS_PRIVATE_KEY_B64` | No\* | — | Base64-encoded private key content (written to `App_Data/server.key`) | {% hint style="info" %} If `WEB_SCHEME=https` and no certificate is provided, a self-signed certificate is auto-generated (valid \~5 years, 2048-bit RSA). Use file mounts or base64 variables for production certificates. {% endhint %} #### Operating mode configuration {% hint style="info" %} `DVLS_INIT` and `DVLS_UPDATE_MODE` are mutually exclusive. Setting both to `true` will cause an error. {% endhint %} | Variable | Required | Default | Description | | ------------------ | -------- | ------------------ | ---------------------------------------------------------------------------------- | | `DVLS_INIT` | No | `false` | Set to `true` to run initialization mode (creates schema, admin user, then exits). | | `DVLS_UPDATE_MODE` | No | `false` | Set to `true` to run update mode (backs up, migrates database, then exits). | | `DVLS_BACKUP_PATH` | No | `/tmp/dvls-backup` | Backup location during updates (mount volume to persist backups). | #### Initialization mode variables These variables are only used during initialization (`DVLS_INIT=true`): | Variable | Required | Default | Description | | --------------------- | -------- | ------------------ | ------------------------------------------------------ | | `DVLS_ADMIN_USERNAME` | No | `dvls-admin` | Admin account username created during initialization. | | `DVLS_ADMIN_PASSWORD` | No | `dvls-admin` | Admin account password. MUST be changed in production! | | `DVLS_ADMIN_EMAIL` | No | `admin@` | Admin account email address | #### System configuration | Variable | Required | Default | Description | | ---------------------------- | -------- | ------------------------------------------ | ----------------------------------------------------------------------------------------------------- | | `DVLS_PATH` | No | `/opt/devolutions/dvls` | Installation root path (appsettings and App\_Data location). | | `DVLS_EXECUTABLE_PATH` | No | `/opt/devolutions/dvls/Devolutions.Server` | Devolutions Server executable path in runtime mode. | | `DVLS_TELEMETRY` | No | `true` | Enable/disable telemetry collection. | | `DVLS_ENCRYPTION_CONFIG_B64` | No | — | Base64-encoded encryption configuration (required for consistent encryption across scaled instances). | #### SSH Access Configuration | Variable | Required | Default | Description | | -------------- | -------- | --------- | ------------------------------------------------------------------------------------- | | `SSH_ENABLED` | No | `false` | Enable SSH daemon for debugging (auto-enabled on Azure unless explicitly disabled), | | `SSH_PORT` | No | `2222` | SSH listen port (publish with `-p 2222:2222`), | | `SSH_PASSWORD` | Yes\* | `Docker!` | Root password for SSH (REQUIRED if `SSH_ENABLED=true`, MUST be changed in production! | {% hint style="info" %} If `SSH_ENABLED=true` without `SSH_PASSWORD`, the container will refuse to start for security reasons. {% endhint %} #### Azure Web App variables These variables are automatically set by Azure App Service: | Variable | Set By | Description | | --------------------- | ------ | ----------------------------------------------------------------------------------------- | | `WEBSITE_HOSTNAME` | Azure | Overrides `HOSTNAME` (e.g., `dvls-prod.azurewebsites.net`) | | `WEBSITE_INSTANCE_ID` | Azure | Presence forces `EXTERNAL_WEB_SCHEME=https` and `EXTERNAL_WEB_PORT=443`, auto-enables SSH | ### TLS certificate configuration #### Auto-generated self-signed certificate When `WEB_SCHEME=https` without certificate variables, Devolutions Server generates a self-signed certificate (valid \~5 years, 2048-bit RSA, CN=hostname): {% tabs %} {% tab title="Windows" %} ```powershell docker run -d --name dvls-server ` -e DATABASE_HOST=your-sql-server ` -e DATABASE_NAME=dvls ` -e DATABASE_USERNAME=dvls_user ` -e DATABASE_PASSWORD='YourPassword!' ` -e HOSTNAME=localhost ` -e WEB_SCHEME=https ` -e PORT=5000 ` -p 5000:5000 ` devolutions/devolutions-server:release-2025.3 ``` {% endtab %} {% tab title="macOS" %} ```bash docker run -d --name dvls-server \ -e DATABASE_HOST=your-sql-server \ -e DATABASE_NAME=dvls \ -e DATABASE_USERNAME=dvls_user \ -e DATABASE_PASSWORD='YourPassword!' \ -e HOSTNAME=localhost \ -e WEB_SCHEME=https \ -e PORT=5000 \ -p 5000:5000 \ devolutions/devolutions-server:release-2025.3 ``` {% endtab %} {% tab title="Linux" %} ```bash docker run -d --name dvls-server \ -e DATABASE_HOST=your-sql-server \ -e DATABASE_NAME=dvls \ -e DATABASE_USERNAME=dvls_user \ -e DATABASE_PASSWORD='YourPassword!' \ -e HOSTNAME=localhost \ -e WEB_SCHEME=https \ -e PORT=5000 \ -p 5000:5000 \ devolutions/devolutions-server:release-2025.3 ``` {% endtab %} {% endtabs %} {% hint style="success" %} For development and testing only. Browsers will show security warnings. {% endhint %} #### Certificate files via volume mount Mount certificate files from the host: {% tabs %} {% tab title="Windows" %} ```powershell mkdir -p /host/certs cp /path/to/server.pem /host/certs/ cp /path/to/server.key /host/certs/ chmod 600 /host/certs/server.key docker run -d --name dvls-server ` -e DATABASE_HOST=your-sql-server ` -e DATABASE_NAME=dvls ` -e DATABASE_USERNAME=dvls_user ` -e DATABASE_PASSWORD='YourPassword!' ` -e HOSTNAME=devolutions-server.company.com ` -e WEB_SCHEME=https ` -e PORT=5000 ` -e TLS_CERTIFICATE_FILE=/opt/devolutions/dvls/certs/server.pem ` -e TLS_PRIVATE_KEY_FILE=/opt/devolutions/dvls/certs/server.key ` -p 5000:5000 ` -v /host/certs:/opt/devolutions/dvls/certs:ro ` devolutions/devolutions-server:release-20XX.X ``` {% endtab %} {% tab title="macOS" %} ```bash mkdir -p /host/certs cp /path/to/server.pem /host/certs/ cp /path/to/server.key /host/certs/ chmod 600 /host/certs/server.key docker run -d --name dvls-server \ -e DATABASE_HOST=your-sql-server \ -e DATABASE_NAME=dvls \ -e DATABASE_USERNAME=dvls_user \ -e DATABASE_PASSWORD='YourPassword!' \ -e HOSTNAME=devolutions-server.company.com \ -e WEB_SCHEME=https \ -e PORT=5000 \ -e TLS_CERTIFICATE_FILE=/opt/devolutions/dvls/certs/server.pem \ -e TLS_PRIVATE_KEY_FILE=/opt/devolutions/dvls/certs/server.key \ -p 5000:5000 \ -v /host/certs:/opt/devolutions/dvls/certs:ro \ devolutions/devolutions-server:release-20XX.X ``` {% endtab %} {% tab title="Linux" %} ```bash mkdir -p /host/certs cp /path/to/server.pem /host/certs/ cp /path/to/server.key /host/certs/ chmod 600 /host/certs/server.key docker run -d --name dvls-server \ -e DATABASE_HOST=your-sql-server \ -e DATABASE_NAME=dvls \ -e DATABASE_USERNAME=dvls_user \ -e DATABASE_PASSWORD='YourPassword!' \ -e HOSTNAME=devolutions-server.company.com \ -e WEB_SCHEME=https \ -e PORT=5000 \ -e TLS_CERTIFICATE_FILE=/opt/devolutions/dvls/certs/server.pem \ -e TLS_PRIVATE_KEY_FILE=/opt/devolutions/dvls/certs/server.key \ -p 5000:5000 \ -v /host/certs:/opt/devolutions/dvls/certs:ro \ devolutions/devolutions-server:release-20XX.X ``` {% endtab %} {% endtabs %} Certificate format requirements: * Certificate: PEM format (`.pem`, `.crt`) * Private key: PEM format (`.key`, `.pem`) * Chain: Include intermediate certificates in the certificate file Example certificate file with chain: ``` -----BEGIN CERTIFICATE----- -----END CERTIFICATE----- -----BEGIN CERTIFICATE----- -----END CERTIFICATE----- -----BEGIN CERTIFICATE----- -----END CERTIFICATE----- ``` #### Base64-encoded certificates Use base64-encoded certificates when working with secrets management systems (Azure Key Vault, Kubernetes Secrets): {% tabs %} {% tab title="Windows" %} ```powershell cat server.pem | base64 > server.pem.b64 cat server.key | base64 > server.key.b64 docker run -d --name dvls-server ` -e DATABASE_HOST=your-sql-server ` -e DATABASE_NAME=dvls ` -e DATABASE_USERNAME=dvls_user ` -e DATABASE_PASSWORD='YourPassword!' ` -e HOSTNAME=devolutions-server.company.com ` -e WEB_SCHEME=https ` -e PORT=5000 ` -e TLS_CERTIFICATE_B64="$(cat server.pem.b64)" ` -e TLS_PRIVATE_KEY_B64="$(cat server.key.b64)" ` -p 5000:5000 ` devolutions/devolutions-server:release-20XX.X ``` {% endtab %} {% tab title="macOS" %} ```bash cat server.pem | base64 > server.pem.b64 cat server.key | base64 > server.key.b64 docker run -d --name dvls-server \ -e DATABASE_HOST=your-sql-server \ -e DATABASE_NAME=dvls \ -e DATABASE_USERNAME=dvls_user \ -e DATABASE_PASSWORD='YourPassword!' \ -e HOSTNAME=devolutions-server.company.com \ -e WEB_SCHEME=https \ -e PORT=5000 \ -e TLS_CERTIFICATE_B64="$(cat server.pem.b64)" \ -e TLS_PRIVATE_KEY_B64="$(cat server.key.b64)" \ -p 5000:5000 \ devolutions/devolutions-server:release-20XX.X ``` {% endtab %} {% tab title="Linux" %} ```bash cat server.pem | base64 > server.pem.b64 cat server.key | base64 > server.key.b64 docker run -d --name dvls-server \ -e DATABASE_HOST=your-sql-server \ -e DATABASE_NAME=dvls \ -e DATABASE_USERNAME=dvls_user \ -e DATABASE_PASSWORD='YourPassword!' \ -e HOSTNAME=devolutions-server.company.com \ -e WEB_SCHEME=https \ -e PORT=5000 \ -e TLS_CERTIFICATE_B64="$(cat server.pem.b64)" \ -e TLS_PRIVATE_KEY_B64="$(cat server.key.b64)" \ -p 5000:5000 \ devolutions/devolutions-server:release-20XX.X ``` {% endtab %} {% endtabs %} Certificate and private key are written to `/opt/devolutions/dvls/App_Data/` and referenced in Devolutions Server configuration. ### Database Configuration #### Connection string format Devolutions Server constructs the SQL Server connection string from environment variables: ``` Encrypt=;TrustServerCertificate=; ``` #### Standard port (1433) {% tabs %} {% tab title="Windows" %} ``` -e DATABASE_HOST=sql.example.com ` -e DATABASE_PORT=1433 ``` Or omit `DATABASE_PORT` (defaults to 1433): ```powershell -e DATABASE_HOST=sql.example.com ``` {% endtab %} {% tab title="macOS" %} ``` -e DATABASE_HOST=sql.example.com \ -e DATABASE_PORT=1433 ``` Or omit `DATABASE_PORT` (defaults to 1433): ```bash -e DATABASE_HOST=sql.example.com ``` {% endtab %} {% tab title="Linux" %} ``` -e DATABASE_HOST=sql.example.com \ -e DATABASE_PORT=1433 ``` Or omit `DATABASE_PORT` (defaults to 1433): ```bash -e DATABASE_HOST=sql.example.com ``` {% endtab %} {% endtabs %} #### Non-standard port {% tabs %} {% tab title="Windows" %} **Option 1**: Include port in hostname: ```powershell -e DATABASE_HOST=sql.example.com,1435 ``` **Option 2**: Separate port variable: ```powershell -e DATABASE_HOST=sql.example.com ` -e DATABASE_PORT=1435 ``` {% endtab %} {% tab title="macOS" %} **Option 1**: Include port in hostname: ```bash -e DATABASE_HOST=sql.example.com,1435 ``` **Option 2**: Separate port variable: ```bash -e DATABASE_HOST=sql.example.com \ -e DATABASE_PORT=1435 ``` {% endtab %} {% tab title="Linux" %} **Option 1**: Include port in hostname: ```bash -e DATABASE_HOST=sql.example.com,1435 ``` **Option 2**: Separate port variable: ```bash -e DATABASE_HOST=sql.example.com \ -e DATABASE_PORT=1435 ``` {% endtab %} {% endtabs %} #### Azure SQL database {% tabs %} {% tab title="Windows" %} ```powershell -e AZURE_SQL_HOST=dvls-sql-server.database.windows.net ` -e AZURE_SQL_DATABASE=dvls ` -e AZURE_SQL_USERNAME=dvls_user@dvls-sql-server ` -e AZURE_SQL_PASSWORD='YourPassword!' ``` {% endtab %} {% tab title="macOS" %} ```bash -e AZURE_SQL_HOST=dvls-sql-server.database.windows.net \ -e AZURE_SQL_DATABASE=dvls \ -e AZURE_SQL_USERNAME=dvls_user@dvls-sql-server \ -e AZURE_SQL_PASSWORD='YourPassword!' ``` {% endtab %} {% tab title="Linux" %} ```bash -e AZURE_SQL_HOST=dvls-sql-server.database.windows.net \ -e AZURE_SQL_DATABASE=dvls \ -e AZURE_SQL_USERNAME=dvls_user@dvls-sql-server \ -e AZURE_SQL_PASSWORD='YourPassword!' ``` {% endtab %} {% endtabs %} #### Encrypted database connection (TLS) By default, Devolutions Server connects to SQL Server without TLS. If your SQL Server enforces encryption (for example SQL Server 2022, which requires TLS by default, or any instance with "Force Encryption" enabled), the connection will fail unless you enable encryption on the client side. {% hint style="warning" %} These variables are read on every container start, not just during initialization. The SQL connection string is regenerated from them on each boot, so pass them on every `docker run` — initialization, runtime, and update. Omitting them at runtime rewrites the connection string with encryption disabled and the connection will fail. {% endhint %} | Scenario | Required variables | | ------------------------------------------------------------------------------ | -------------------------------------------------------------------- | | SQL Server with a CA-trusted certificate | `DATABASE_ENCRYPT=true` | | SQL Server with a self-signed certificate (e.g. containerized SQL Server 2022) | `DATABASE_ENCRYPT=true` and `DATABASE_TRUST_SERVER_CERTIFICATE=true` | #### ```bash docker run -d --name dvls-server \ -e DATABASE_HOST=your-sql-server \ -e DATABASE_NAME=dvls \ -e DATABASE_USERNAME=dvls_user \ -e DATABASE_PASSWORD='YourPassword!' \ -e DATABASE_ENCRYPT=true \ -e DATABASE_TRUST_SERVER_CERTIFICATE=true \ -e HOSTNAME=localhost \ -e WEB_SCHEME=https \ -e PORT=5000 \ -e DVLS_ENCRYPTION_CONFIG_B64="$(cat /tmp/encryption.config.b64)" \ -p 5000:5000 \ devolutions/devolutions-server:release-20XX.X ``` {% hint style="warning" %} Setting `DATABASE_TRUST_SERVER_CERTIFICATE=true` disables certificate validation. Use it only with self-signed certificates in trusted networks; for production, install a CA-trusted certificate on SQL Server and set only `DATABASE_ENCRYPT=true`. {% endhint %} #### SQL Server Authentication vs Windows Authentication Devolutions Server Docker containers only support **SQL Server Authentication** (username/password). Windows Authentication (Integrated Security) is not supported in Linux containers. ### Reverse proxy configuration When Devolutions Server runs behind a reverse proxy, nginx ingress, or Azure App Service, configure external URL settings: {% tabs %} {% tab title="Windows" %} ```powershell docker run -d --name dvls-server ` -e DATABASE_HOST=your-sql-server ` -e DATABASE_NAME=dvls ` -e DATABASE_USERNAME=dvls_user ` -e DATABASE_PASSWORD='YourPassword!' ` -e HOSTNAME=devolutions-server.company.com ` -e WEB_SCHEME=http ` -e PORT=5000 ` -e EXTERNAL_WEB_SCHEME=https ` -e EXTERNAL_WEB_PORT=443 ` devolutions/devolutions-server:release-20XX.X ``` {% endtab %} {% tab title="macOS" %} ```bash docker run -d --name dvls-server \ -e DATABASE_HOST=your-sql-server \ -e DATABASE_NAME=dvls \ -e DATABASE_USERNAME=dvls_user \ -e DATABASE_PASSWORD='YourPassword!' \ -e HOSTNAME=devolutions-server.company.com \ -e WEB_SCHEME=http \ -e PORT=5000 \ -e EXTERNAL_WEB_SCHEME=https \ -e EXTERNAL_WEB_PORT=443 \ devolutions/devolutions-server:release-20XX.X ``` {% endtab %} {% tab title="Linux" %} ```bash docker run -d --name dvls-server \ -e DATABASE_HOST=your-sql-server \ -e DATABASE_NAME=dvls \ -e DATABASE_USERNAME=dvls_user \ -e DATABASE_PASSWORD='YourPassword!' \ -e HOSTNAME=devolutions-server.company.com \ -e WEB_SCHEME=http \ -e PORT=5000 \ -e EXTERNAL_WEB_SCHEME=https \ -e EXTERNAL_WEB_PORT=443 \ devolutions/devolutions-server:release-20XX.X ``` {% endtab %} {% endtabs %} Key settings: * `WEB_SCHEME=http` - Container uses HTTP * `EXTERNAL_WEB_SCHEME=https` - Public URL is HTTPS * `EXTERNAL_WEB_PORT=443` - Standard HTTPS port (omitted in URLs) * `HOSTNAME=devolutions-server.company.com` - Public hostname Devolutions Server generates URLs like `https://devolutions-server.company.com/` in the UI and API responses. ### Security hardening #### Secrets management {% hint style="danger" %} Do NOT hardcode passwords in docker run commands or compose files. {% endhint %} {% tabs %} {% tab title="Windows" %} **Docker Secrets (Swarm mode)** ```powershell echo "YourPassword!" | docker secret create dvls_db_password - docker service create ` --name dvls-server ` --secret dvls_db_password ` -e DATABASE_PASSWORD_FILE=/run/secrets/dvls_db_password ` ... ``` **Environment files** ```powershell # .env file (keep out of version control) DATABASE_PASSWORD=YourPassword! DVLS_ADMIN_PASSWORD=AdminPassword! docker run -d --name dvls-server ` --env-file .env ` -e DATABASE_HOST=your-sql-server ` ... ``` {% endtab %} {% tab title="macOS" %} **Docker Secrets (Swarm mode)** ```bash echo "YourPassword!" | docker secret create dvls_db_password - docker service create \ --name dvls-server \ --secret dvls_db_password \ -e DATABASE_PASSWORD_FILE=/run/secrets/dvls_db_password \ ... ``` **Environment files** ```bash # .env file (keep out of version control) DATABASE_PASSWORD=YourPassword! DVLS_ADMIN_PASSWORD=AdminPassword! docker run -d --name dvls-server \ --env-file .env \ -e DATABASE_HOST=your-sql-server \ ... ``` {% endtab %} {% tab title="Linux" %} **Docker Secrets (Swarm mode)** ```bash echo "YourPassword!" | docker secret create dvls_db_password - docker service create \ --name dvls-server \ --secret dvls_db_password \ -e DATABASE_PASSWORD_FILE=/run/secrets/dvls_db_password \ ... ``` **Environment files** ```bash # .env file (keep out of version control) DATABASE_PASSWORD=YourPassword! DVLS_ADMIN_PASSWORD=AdminPassword! docker run -d --name dvls-server \ --env-file .env \ -e DATABASE_HOST=your-sql-server \ ... ``` {% endtab %} {% endtabs %} **Azure Key Vault** Use ***Managed Identity*** to retrieve secrets from Key Vault at runtime. See [Devolutions Server deployment to Azure App Service using a container](https://docs.devolutions.net/server/kb/how-to-articles/devolutions-server-docker-deployment/azure-app-service-deployment/) for more details. #### Network isolation Use Docker networks to isolate Devolutions Server: {% tabs %} {% tab title="Windows" %} ```powershell docker network create dvls-network docker run -d --name dvls-server ` --network dvls-network ` -p 127.0.0.1:5000:5000 ` -e DATABASE_HOST=sql-server ` ... ``` {% endtab %} {% tab title="macOS" %} ```bash docker network create dvls-network docker run -d --name dvls-server \ --network dvls-network \ -p 127.0.0.1:5000:5000 \ -e DATABASE_HOST=sql-server \ ... ``` {% endtab %} {% tab title="Linux" %} ```bash docker network create dvls-network docker run -d --name dvls-server \ --network dvls-network \ -p 127.0.0.1:5000:5000 \ -e DATABASE_HOST=sql-server \ ... ``` {% endtab %} {% endtabs %} #### SSH access Disable SSH in production unless required for debugging: {% tabs %} {% tab title="Windows" %} ``` -e SSH_ENABLED=false ``` {% endtab %} {% tab title="macOS" %} ``` -e SSH_ENABLED=false ``` {% endtab %} {% tab title="Linux" %} ``` -e SSH_ENABLED=false ``` {% endtab %} {% endtabs %} If SSH is enabled: * Use strong passwords. * Change default password. * Restrict access with firewall rules. * Consider SSH key authentication (requires custom image). #### Version updates **Version tagging** * Images are tagged by release version (e.g., `release-2025.3`, `release-2026.1`) and by specific build (e.g., `2025.3.1.0`, `2025.3.2.0`). * No `latest` tag exists - always specify a version. * Minor/patch updates within the same release version are automatically included when pulling the release tag. * Database update mode is only required when changing major versions (e.g., `release-2025.3` → `release-2026.1`). {% hint style="info" %} Version 2026.1 is used for illustration; replace with the actual latest major version when updating. {% endhint %} {% tabs %} {% tab title="Windows" %} **Major version update** ```powershell docker pull devolutions/devolutions-server:release-2026.1 docker stop dvls-server # Run update mode to migrate database docker run --rm ` -e DATABASE_HOST=your-sql-server ` -e DATABASE_NAME=dvls ` -e DATABASE_USERNAME=dvls_user ` -e DATABASE_PASSWORD='YourPassword!' ` -e DVLS_UPDATE_MODE=true ` -e DVLS_BACKUP_PATH=/backup ` -e DVLS_ENCRYPTION_CONFIG_B64="$(cat /tmp/encryption.config.b64)" ` -v dvls-backups:/backup ` devolutions/devolutions-server:release-2026.1 docker rm dvls-server docker run -d --name dvls-server ` -e DATABASE_HOST=your-sql-server ` -e DATABASE_NAME=dvls ` -e DATABASE_USERNAME=dvls_user ` -e DATABASE_PASSWORD='YourPassword!' ` -e HOSTNAME=localhost ` -e WEB_SCHEME=https ` -e PORT=5000 ` -e DVLS_ENCRYPTION_CONFIG_B64="$(cat /tmp/encryption.config.b64)" ` -p 5000:5000 ` devolutions/devolutions-server:release-2026.1 ``` **Minor/patch update (e.g., 2025.3.1 to 2025.3.2)** ```powershell docker pull devolutions/devolutions-server:release-2025.3 docker stop dvls-server docker rm dvls-server docker run -d --name dvls-server ` -e DATABASE_HOST=your-sql-server ` -e DATABASE_NAME=dvls ` -e DATABASE_USERNAME=dvls_user ` -e DATABASE_PASSWORD='YourPassword!' ` -e HOSTNAME=localhost ` -e WEB_SCHEME=https ` -e PORT=5000 ` -e DVLS_ENCRYPTION_CONFIG_B64="$(cat /tmp/encryption.config.b64)" ` -p 5000:5000 ` devolutions/devolutions-server:release-2025.3 ``` {% endtab %} {% tab title="macOS" %} **Major version update** ```bash docker pull devolutions/devolutions-server:release-2026.1 docker stop dvls-server # Run update mode to migrate database docker run --rm \ -e DATABASE_HOST=your-sql-server \ -e DATABASE_NAME=dvls \ -e DATABASE_USERNAME=dvls_user \ -e DATABASE_PASSWORD='YourPassword!' \ -e DVLS_UPDATE_MODE=true \ -e DVLS_BACKUP_PATH=/backup \ -e DVLS_ENCRYPTION_CONFIG_B64="$(cat /tmp/encryption.config.b64)" \ -v dvls-backups:/backup \ devolutions/devolutions-server:release-2026.1 docker rm dvls-server docker run -d --name dvls-server \ -e DATABASE_HOST=your-sql-server \ -e DATABASE_NAME=dvls \ -e DATABASE_USERNAME=dvls_user \ -e DATABASE_PASSWORD='YourPassword!' \ -e HOSTNAME=localhost \ -e WEB_SCHEME=https \ -e PORT=5000 \ -e DVLS_ENCRYPTION_CONFIG_B64="$(cat /tmp/encryption.config.b64)" \ -p 5000:5000 \ devolutions/devolutions-server:release-2026.1 ``` **Minor/patch update (e.g., 2025.3.1 to 2025.3.2)** ```bash docker pull devolutions/devolutions-server:release-2025.3 docker stop dvls-server docker rm dvls-server docker run -d --name dvls-server \ -e DATABASE_HOST=your-sql-server \ -e DATABASE_NAME=dvls \ -e DATABASE_USERNAME=dvls_user \ -e DATABASE_PASSWORD='YourPassword!' \ -e HOSTNAME=localhost \ -e WEB_SCHEME=https \ -e PORT=5000 \ -e DVLS_ENCRYPTION_CONFIG_B64="$(cat /tmp/encryption.config.b64)" \ -p 5000:5000 \ devolutions/devolutions-server:release-2025.3 ``` {% endtab %} {% tab title="Linux" %} **Major version update** ```bash docker pull devolutions/devolutions-server:release-2026.1 docker stop dvls-server # Run update mode to migrate database docker run --rm \ -e DATABASE_HOST=your-sql-server \ -e DATABASE_NAME=dvls \ -e DATABASE_USERNAME=dvls_user \ -e DATABASE_PASSWORD='YourPassword!' \ -e DVLS_UPDATE_MODE=true \ -e DVLS_BACKUP_PATH=/backup \ -e DVLS_ENCRYPTION_CONFIG_B64="$(cat /tmp/encryption.config.b64)" \ -v dvls-backups:/backup \ devolutions/devolutions-server:release-2026.1 docker rm dvls-server docker run -d --name dvls-server \ -e DATABASE_HOST=your-sql-server \ -e DATABASE_NAME=dvls \ -e DATABASE_USERNAME=dvls_user \ -e DATABASE_PASSWORD='YourPassword!' \ -e HOSTNAME=localhost \ -e WEB_SCHEME=https \ -e PORT=5000 \ -e DVLS_ENCRYPTION_CONFIG_B64="$(cat /tmp/encryption.config.b64)" \ -p 5000:5000 \ devolutions/devolutions-server:release-2026.1 ``` **Minor/patch update (e.g., 2025.3.1 to 2025.3.2)** ```bash docker pull devolutions/devolutions-server:release-2025.3 docker stop dvls-server docker rm dvls-server docker run -d --name dvls-server \ -e DATABASE_HOST=your-sql-server \ -e DATABASE_NAME=dvls \ -e DATABASE_USERNAME=dvls_user \ -e DATABASE_PASSWORD='YourPassword!' \ -e HOSTNAME=localhost \ -e WEB_SCHEME=https \ -e PORT=5000 \ -e DVLS_ENCRYPTION_CONFIG_B64="$(cat /tmp/encryption.config.b64)" \ -p 5000:5000 \ devolutions/devolutions-server:release-2025.3 ``` {% endtab %} {% endtabs %} ### Security checklist Consult [Devolutions Server security hardening](https://docs.devolutions.net/server/getting-started/security-checklist/dvls-security-hardening/) for: * Administration accounts settings * Password policies * Multifactor authentication * IP restrictions * Audit logging * Encryption settings #### See also * [Devolutions Server deployment to Azure App Service using a container](https://docs.devolutions.net/server/kb/how-to-articles/devolutions-server-docker-deployment/azure-app-service-deployment/) * [Deploy Devolutions Server with Docker](https://docs.devolutions.net/server/kb/how-to-articles/devolutions-server-docker-deployment/) --- # Agent Instructions This documentation is published with GitBook. GitBook is the documentation platform designed so that both humans and AI agents can read, navigate, and reason over technical content effectively. Learn more at gitbook.com. ## Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://docs.devolutions.net/server/knowledge-base/how-to-articles/devolutions-server-docker-deployment/advanced-docker-configuration-for-devolutions-server.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.