Securely self host ESPOCRM

  • jarvistucker
    Junior Member
    • Dec 2024
    • 1

    #1

    Securely self host ESPOCRM

    Hi Selfhosted community, for my small business, I want to securely self-host EspoCRM. I’ve self-hosted a few applications for fun, but this will be my first serious project. I will have customer data which I want backed up and secure. I have followed the installation steps on an EC2 micro server and the application is working fine, but I’m totally confused about security and backup.

    I’ve looked into DevSec hardening, but it has me confused and I don’t have the time to learn the nitty-gritty. For backup, I’m looking into Borg.

    I’d appreciate any recommendations the community has.
    Last edited by jarvistucker; 12-28-2024, 07:49 AM.
  • shalmaxb
    Senior Member
    • Mar 2015
    • 1850

    #2
    Hi,
    for your installation I recommend two-factor authentication, which is built into EspoCRM.

    For Backup:

    You need a working backup of your MySQL database.
    You must also back up the following folders:

    - data
    - custom
    - client/custom

    I always have at least two backups in two different locations and always keep the last three backups. One complete backup should be outside of your house/office, in a cloud for example.

    Change all passwords from time to time (FTP, MySQL and EspoCRM) and also test from time to time whether a backup is working.

    And never forget: there is no 100% security. But you can achieve perhaps 99%.

    If you consider Borg as your backup program, have a look into borgmatic as well: https://wiki.archlinux.org/title/Borgmatic


    • spooner.arthur
      Junior Member
      • Mar 2022
      • 9

      #3
      Hello,
      I also want a self-hosted / on-prem version of EspoCRM and I am searching for hardening options.
      - SSL
      - 2FA
      - Backup
      OK, that's default, I think.

      But I am thinking about a proxy server, like Caddy, HAProxy, ... or a tunnel solution, like Cloudflare, Pangolin, ...

      Or is that not necessary?
      Or is that an exaggeration?


      • ethancole53
        Junior Member
        • Feb 2026
        • 1

        #4
        Hey, really interesting thread! 😄 I’m also planning to self-host EspoCRM for a small project and security/backup is something I’m still figuring out. I agree with 2FA, SSL, and keeping multiple backups in different locations — seems like the basics we shouldn’t skip.

        I’m curious about the proxy/tunnel suggestions too. Do people here usually run something like Caddy or HAProxy in front of EspoCRM, or is it overkill for a small-scale setup? Would love to hear what has worked in practice, especially for keeping customer data secure without adding too much complexity.


        • SimpleSmarts
          Junior Member
          • Feb 2026
          • 3

          #5
          My use-case might be different, as I am a start-up business with only me as the user, but I found EspoCRM to be a great solution for self-hosting on my infrastructure, which is of the Small Office Home Office (SOHO) type.

          I am running EspoCRM as a Docker container on a Network Attached Storage (NAS). This isolates the EspoCRM instance, and the NAS provides automatic backups and snapshots of the CRM.
          I am using Ubiquiti networking (UDM Pro) for routing and switching, which comes with a built-in VPN server. Clients use their WiFiman app for connecting.
          I do have a reverse proxy using NGINX (also in a container) for SSL certificates for local access.

          I do not expose any of my infrastructure, meaning opening ports for port forwarding, for remote access.
          All remote users must use a VPN client to access it. I know it is inconvenient for users to have extra steps to connect, but looking at cyber news every day, I wouldn't expose personal data unless I had strong security processes and practices that are monitored daily.

          Hope this helps, and I would love to connect with others doing similar deployments.


          • spooner.arthur
            Junior Member
            • Mar 2022
            • 9

            #6
            I did some research on the web.
            Most people don't use a reverse proxy.

            The following is usually done:
            - SSH with key only
            - Root login
            - UFW active
            - Fail2Ban
            - SSL with HSTS
            - Security headers
            - MariaDB not publicly accessible
            - Regular updates
            - Automate backups
            - MFA for SSH

            Maybe it is enough
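            Two items on that list (key-only SSH without direct root login, and a database that is not publicly reachable) can be checked rather than assumed. The script below is an added example, not from the thread, that audits an sshd_config and a MariaDB/MySQL server config; file paths are arguments so it can run against sample files, and the real paths named in the comments are assumptions that vary by distribution.

```shell
#!/bin/sh
# Added example for the hardening checklist in post #6 (not from the thread): a
# read-only audit of sshd's password/root-login policy and of MariaDB's bind-address.
# Typical real inputs (assumed, distribution dependent): /etc/ssh/sshd_config and
# /etc/mysql/mariadb.conf.d/50-server.cnf. Include and Match directives are not
# followed; compare against `sshd -T` for the effective configuration.
set -eu

# Effective value of an sshd keyword: comments stripped, keyword matched case-
# insensitively, FIRST occurrence wins (sshd keeps the first value it reads).
sshd_value() {
    sed 's/#.*//' "$1" | awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" \
        'tolower($1) == key { print tolower($2); exit }'
}

# Returns 0 when the file enforces key-only login and no direct root password login.
audit_sshd() {
    ok=0
    pa="$(sshd_value "$1" PasswordAuthentication)"
    prl="$(sshd_value "$1" PermitRootLogin)"
    pka="$(sshd_value "$1" PubkeyAuthentication)"
    # OpenSSH defaults PasswordAuthentication to yes, so an unset value is weak.
    [ "$pa" = "no" ] || { echo "WEAK: PasswordAuthentication is '${pa:-yes (default)}'"; ok=1; }
    [ "$prl" = "no" ] || [ "$prl" = "prohibit-password" ] \
        || { echo "WEAK: PermitRootLogin is '${prl:-default}'"; ok=1; }
    [ -z "$pka" ] || [ "$pka" = "yes" ] || { echo "WEAK: PubkeyAuthentication disabled"; ok=1; }
    return $ok
}

# Returns 0 when bind-address under [mysqld]/[mariadb] is loopback only.
audit_db_bind() {
    addr="$(sed 's/#.*//' "$1" | awk -F= '
        /^\[/ { insec = ($0 ~ /^\[(mysqld|mariadb)\]/) }
        insec && $1 ~ /^[ \t]*bind-address[ \t]*$/ { gsub(/[ \t]/, "", $2); print $2; exit }')"
    case "$addr" in
        127.0.0.1|::1|localhost) return 0 ;;
        "") echo "WEAK: no bind-address set; the server default is to listen on all interfaces"; return 1 ;;
        *)  echo "WEAK: bind-address is $addr"; return 1 ;;
    esac
}

if [ $# -eq 2 ]; then
    audit_sshd "$1" && audit_db_bind "$2" && echo "OK: sshd and database checks passed"
fi
```

Usage: `audit.sh /etc/ssh/sshd_config /etc/mysql/mariadb.conf.d/50-server.cnf`; a non-zero exit means at least one WEAK line was printed.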


            • SimpleSmarts
              Junior Member
              • Feb 2026
              • 3

              #7
              Originally posted by spooner.arthur
              I did some research on the web.
              Most people don't use a reverse proxy.
              I would tend to agree. The reverse proxy is a nice-to-have to use https without getting a certificate error. I currently point the proxy to the EspoCRM instance over http anyway.


              • spooner.arthur
                Junior Member
                • Mar 2022
                • 9

                #8
                Ah, OK, but that means you're using a reverse proxy.
                VPN is also a solution, but not as comfortable because the tunnel connection is always required.


                • robbyslaughter
                  Junior Member
                  • Dec 2017
                  • 13

                  #9
                  I recommend locking down SSH access to only specific IPs. If you need to add one, you can use the control panel for your host.
