Production Checklist
Checklist
Section titled “Checklist”Security
Section titled “Security”- Strong admin password — minimum 10 characters, use a password manager
- TLS enabled — always run behind a reverse proxy with HTTPS
- Trusted proxies configured — set
RUSTYFILE_TRUSTED_PROXIESto your proxy IPs so rate limiting uses real client IPs - CORS restricted — set
RUSTYFILE_CORS_ORIGINSto your domain (default issame-origin) - Secure cookies enabled —
RUSTYFILE_SECURE_COOKIE=true(default) requires HTTPS; set tofalseonly for local development - Blocked extensions reviewed —
RUSTYFILE_BLOCKED_UPLOAD_EXTENSIONSblocks dangerous file types by default (.php,.exe,.sh, etc.); customize if needed - API rate limit tuned —
RUSTYFILE_API_RATE_LIMIT(default 60/min per IP) protects search, thumbnail, and HLS endpoints
Storage
Section titled “Storage”- Root directory correct —
--rootpoints to the files you want to serve, not/or a system directory - Data directory persistent — database and caches survive restarts (named Docker volume or persistent path)
- Disk space — enough room for database, thumbnail cache, HLS cache, and TUS temp files
Operations
Section titled “Operations”- JSON logs — use
--log-format jsonfor structured log ingestion - Log level — set to
infoorwarn(notdebugin production) - Reverse proxy body limit — nginx
client_max_body_sizematches your upload needs - Health check — monitor
GET /api/healthfor{"status": "ok"} - Restart policy — Docker
restart: unless-stoppedor systemdRestart=on-failure
Optional
Section titled “Optional”- FFmpeg installed — required only if you need HLS video transcoding
- JWT expiry tuned — default 2 hours, adjust for your security needs
- Setup timeout — consider reducing
setup_timeout_minutesin sensitive environments
Systemd unit (non-Docker)
Section titled “Systemd unit (non-Docker)”[Unit]Description=RustyFile File BrowserAfter=network.target
[Service]Type=simpleUser=rustyfileExecStart=/usr/local/bin/rustyfile --root /srv/files --data-dir /var/lib/rustyfile --log-format jsonRestart=on-failureRestartSec=5
[Install]WantedBy=multi-user.targetsudo systemctl enable --now rustyfileMonitoring
Section titled “Monitoring”The health endpoint reports both service and database status:
curl http://localhost:8080/api/health# {"status": "ok", "db": "connected"}# {"status": "degraded", "db": "unreachable"}Use this with your monitoring tool (Uptime Kuma, Grafana, etc.) to alert on degraded status.