Why Self-Host Your Web Stack?
Cloud platforms (Vercel, Heroku, AWS, Firebase) promise simplicity but impose costs and constraints:
- Vendor Lock-In: Switching platforms requires rewriting auth, database queries, deployment scripts. Weeks of work.
- Scaling Costs: Each serverless function invocation costs money. A successful startup’s AWS bill can exceed revenue.
- Data Jurisdiction: Verify where your data actually lives. GDPR/CCPA/HIPAA audits may require self-hosted infrastructure in specific countries.
- Rate Limiting: PaaS platforms often forbid certain workloads (Bitcoin mining, ML training, bulk processing). You own the rules on self-hosted.
Self-hosting solves all four:
- Own the infrastructure → switch hosting providers without code changes
- Fixed monthly cost (~$10–50/month for a small startup) regardless of traffic
- Data stays in your chosen jurisdiction — proven compliance
- Run any workload — no restrictions
The Complete Self-Hosted Web Stack
┌───────────────────────────────────────────────────────────┐
│ Your VPS (Ubuntu 24.04) │
├───────────────────────────────────────────────────────────┤
│ │
│ ┌─────────────────────────────────────────────────────┐ │
│ │ Internet │ │
│ └──────────────────┬──────────────────────────────────┘ │
│ │ │
│ ┌──────────────────▼──────────────────┐ │
│ │ Nginx Reverse Proxy │ │
│ │ • HTTPS (Let's Encrypt) │ │
│ │ • Static file serving (React dist/) │ │
│ │ • Rate limiting │ │
│ │ • Security headers │ │
│ └──────────────────┬──────────────────┘ │
│ │ 127.0.0.1:3000 │
│ ┌──────────────────▼──────────────────┐ │
│ │ Fastify Backend (Node.js 22) │ │
│ │ • RESTful API routes │ │
│ │ • JWT authentication │ │
│ │ • Request validation │ │
│ │ • PostgreSQL queries │ │
│ └──────────────────┬──────────────────┘ │
│ (docker-internal-network) │
│ │ │
│ ┌──────────────────▼──────────────────┐ │
│ │ PostgreSQL Database │ │
│ │ • Persistent data storage │ │
│ │ • Automated backups │ │
│ │ • No ports exposed │ │
│ └──────────────────────────────────────┘ │
│ │
└───────────────────────────────────────────────────────────┘Every component is replaceable. Swap Fastify for Django/Flask, Nginx for Caddy, PostgreSQL for MySQL — the architecture remains identical.
🎯 Self-Hosted Architecture Decision Tree
Choose your deployment strategy based on your needs:
What are you deploying?
│
├─ Static site (HTML/CSS/JS)? → Nginx alone (simplest)
│ Example: marketing site, blog, documentation
│
├─ Single-page app (React/Vue)? → Nginx + storage account
│ Example: dashboard, internal tools
│
├─ Simple backend? → Nginx + simple API server
│ Example: form submission handler, webhook receiver
│
├─ Database-backed web app? → Full stack (Nginx + API + PostgreSQL)
│ Example: startup MVP, SaaS application, web service
│
└─ Complex microservices? → Kubernetes on self-hosted infrastructure
Example: high-traffic platform, multi-team projectThis guide covers “Database-backed web app” — the sweet spot for 90% of projects.
Complete Learning Path
1. Frontend: React without Vercel (1–2 hours)
Deploy your frontend as static files, served by Nginx.
- Deploy React Apps Without Vercel: Self-Hosted VPS Guide 2026
- Static build (Vite), Nginx configuration for React Router SPA, GitHub Actions CI/CD.
- Deploy on every push to main:
npm run build && rsync dist/ to VPS. - Cost: $0 beyond VPS hosting.
2. Reverse Proxy: HTTPS & Security Headers (1 hour)
Nginx handles HTTPS (Let’s Encrypt), redirects HTTP to HTTPS, adds security headers.
- Nginx Reverse Proxy Tutorial 2026
- Configuration for React SPA static serving + API proxying.
- Security headers (X-Frame-Options, X-Content-Type-Options, CSP).
- Rate limiting (prevent brute force, DDoS mitigation).
3. Backend: Fastify REST API (2–3 hours)
Write your business logic in Fastify, listen on 127.0.0.1:3000 (localhost only).
- Build a REST API with Fastify & Node.js 2026: Self-Hosted Guide
- Authentication (JWT tokens), validation (JSON Schema), PostgreSQL integration (Prisma ORM).
- Rate limiting, password hashing (Argon2), CORS configuration.
- Docker packaging for easy deployment.
4. Database: PostgreSQL Persistence (1–2 hours)
Set up PostgreSQL for persistent data, automate backups, monitor performance.
-
How to Install PostgreSQL 17 on Ubuntu 24.04 2026
- PostgreSQL installation, basic setup, connection from Fastify.
-
PostgreSQL Performance Tuning 2026 (optional)
- Optimize queries, create indices, monitor slow queries.
5. Orchestration: Docker Compose (1 hour)
Run all services (Nginx, Fastify, PostgreSQL) with one command.
- Docker Compose: Full Stack Setup 2026
- docker-compose.yml with all services: Nginx, Fastify, PostgreSQL.
- Health checks, restart policies, volume management.
- One
docker compose up -ddeploys your entire stack.
6. Network Security: Isolation & Firewall (1 hour)
Ensure PostgreSQL is never directly exposed, firewall rules protect the server.
- Docker Networking 2026: Network Isolation
- Internal networks: frontend (public) vs backend (internal) vs database (isolated).
- Tailscale VPN for remote access without opening ports.
- UFW firewall configuration: block all ports except 80/443.
7. Backups: 3-2-1 Strategy (30 mins)
Automated daily backups: 3 copies, 2 different media, 1 offsite.
- Docker Volumes Guide 2026
- Named volumes for PostgreSQL persistence.
- Backup scripts, encryption at rest (LUKS), automated systemd timers.
📊 Cost & Scaling Comparison
Small Startup (500 daily active users)
| Platform | Monthly Cost | Setup Time | Vendor Lock-In |
|---|---|---|---|
| Vercel + Firebase | $100–500 | 1 day | High (proprietary APIs) |
| AWS + RDS | $200–1000 | 3 days | High (AWS-specific services) |
| Self-Hosted (Hetzner CX22) | $10–15 | 2 days | None (portable code) |
Medium Startup (50K daily active users)
| Platform | Monthly Cost | Setup Time | Vendor Lock-In |
|---|---|---|---|
| Vercel + Firebase | $5,000–20,000 | 1 day | High |
| AWS + RDS | $5,000–15,000 | 3 days | High |
| Self-Hosted (Hetzner CX62) | $100–200 | 2 days | None |
The crossover point: ~1,000 daily active users. Beyond that, self-hosting saves $100,000s annually.
🔐 Sovereignty Guarantees
| Layer | Guarantee |
|---|---|
| Nginx | HTTPS certs are yours (Let’s Encrypt), no proxy logging to third parties |
| Fastify | Code runs on your server, no vendor access, full visibility into requests |
| PostgreSQL | Data stored on your disk, encrypted at rest (optional LUKS), no cloud backup by default |
| Docker | Container images built locally, no artifact registry required (optional) |
| Backups | Your choice: local NAS, AWS S3 (your account), IPFS, or tape offsite |
You control every layer. Audits reveal the complete stack.
Common Questions
Can I use this stack with a domain name?
Yes. Point your domain’s DNS to your VPS IP, use Let’s Encrypt certbot to generate HTTPS certificates (free), Nginx serves them automatically.
What if my VPS goes down?
Self-hosted infrastructure has no built-in redundancy. Solutions:
- Multi-region setup: Deploy identical stacks on 2–3 regions, use DNS failover (Route53, Cloudflare).
- Kubernetes: Orchestrate containers across multiple nodes for automatic failover.
- Simple backup: Automated nightly backups let you restore quickly on another VPS.
For 99.9% uptime, use multiple VPSs. For MVP (99% uptime acceptable), one VPS is fine.
How do I scale to millions of users?
The stack itself scales horizontally:
- Load Balancer: HAProxy/Nginx load balance traffic across multiple Fastify instances.
- Database Replication: PostgreSQL primary-replica setup for read scaling.
- Caching: Redis for session storage, query results.
- Multiple Servers: Distribute Nginx, Fastify, PostgreSQL across different machines.
The difference: you decide when and how to scale. Cloud platforms auto-scale but bill you heavily.
Is this secure?
Yes, if you follow these rules:
- Keep systems patched (Ubuntu unattended-upgrades)
- Use UFW firewall (default: block all, allow only 22/80/443)
- SSH key authentication (no password login)
- HTTPS everywhere (Let’s Encrypt, Nginx enforces)
- Input validation (Fastify JSON Schema)
- Rate limiting (prevent brute force)
Larger teams should add:
- Intrusion detection (fail2ban, Wazuh)
- Security headers (CSP, HSTS, X-Frame-Options)
- Secrets management (HashiCorp Vault)
- Monitoring (Prometheus, Grafana)
Sovereignty Audit Checklist
Use this checklist to verify your self-hosted web stack is truly sovereign:
Data Sovereignty
- User data stored in your own database (PostgreSQL, not Firebase/Supabase)
- Database runs on infrastructure you control — verify with
psql -U youruser -d yourdb -c "SELECT version();" - No analytics sent to third-party services (self-host Plausible, Umami, or Matomo)
- Backups stored on your infrastructure — test restore from your 3-2-1 backup
- No tracking cookies or third-party JavaScript — audit with browser DevTools
Operational Sovereignty
- No vendor lock-in — deployment is Docker-based and portable (switch VPS providers with zero code changes)
- All code is version-controlled (GitHub, Gitea, etc.) and auditable
- Deployment is declarative (Docker Compose, Terraform) — can redeploy from scratch
- CI/CD pipeline is self-hosted (GitHub Actions + rsync, or GitOps + ArgoCD)
- Cost is predictable (fixed monthly VPS) — no serverless scaling surprises
Security Sovereignty
- Network isolation: backend bound to 127.0.0.1, no direct internet access
- HTTPS enforced with Let’s Encrypt (free) — verify with
openssl s_client - Security headers configured (@fastify/helmet, nginx security headers)
- SQL injection protected (use parameterized queries, Prisma ORM)
- CORS and CSRF protections enabled
Compliance & Control
- Zero data sent to cloud vendors — audit with network monitoring (
tcpdump) - GDPR compliant (users can export/delete data, no third-party processing)
- You own the infrastructure (or have complete access via SSH)
- Encryption at rest for sensitive data (passwords, tokens, PII)
- Rate limiting prevents DDoS and abuse
Score: If you checked ≥12 boxes, your self-hosted stack is production-ready.
- Start small: Deploy React without Vercel — 15 minutes, static site on Nginx.
- Add a backend: Fastify REST API — 2 hours, full auth + DB integration.
- Compose it all: Docker Compose — one
docker compose up -ddeploys everything. - Secure it: Docker Networking — isolate services, protect data with network zones.
- Back it up: Volume Management — automate daily backups using systemd timers.
Your stack, your rules, your data. Build today.
Related Cluster Articles
- Deploy React Without Vercel 2026 — frontend only
- Fastify REST API: Self-Hosted Guide — backend API
- PostgreSQL 17 Installation 2026 — database
- Docker Compose Full Stack 2026 — orchestration
- Docker Networking 2026 — network isolation
- Docker Volumes Guide 2026 — persistent storage & backups
- Nginx Reverse Proxy 2026 — HTTPS & proxying
- Sovereign AI Agents Hub — local AI orchestration (complementary stack)
Further Reading
Infrastructure & DevOps
- Hetzner Cloud Documentation — affordable, reliable VPS provider
- Let’s Encrypt Documentation — free HTTPS certificates
- Ubuntu Server Guide — official Ubuntu documentation
- Docker Documentation — containerization framework
Application Development
- Fastify Official Docs — Node.js web framework
- React Official Docs — frontend library
- PostgreSQL Official Docs — database
- Prisma ORM Docs — type-safe database access
