-% Installation Guide
-**As of 2022, I recommend everyone to use Docker Hub images. Those are generated through a proper CI/CD pipeline which involves basic unit tests and static code analysis. This means you're less likely to receive a broken image. You get no such guarantees when using git master branch. You won't be able to easily rollback to an earlier image either.**
-Docker(-compose) is the only supported way to deploy tt-rss.
-### Static: uses pre-built images provided via Docker Hub ← recommended for users
-This seems to be a more commonly used pattern for Docker containers: images (including a snapshot of tt-rss source code) are built automatically on master branch updates and - if build succeeds - pushed to [Docker Hub](
-This is recommended for users.
-→ [Installation guide (static)]( )
-Updates are handled the usual way. Either run `docker-compose pull` etc. when appropriate or use something like [Watchtower]( to apply updates automatically.
-### Dynamic: uses git master branch ← for developers
-Use this if you want to always run latest tt-rss code and/or don't want to rely on Docker Hub. Also, using dynamic image makes more sense [for development](
-→ [Installation guide (dynamic)](
-Updates are applied automatically from git master branch on container restart.
-See also: [Host installation (not supported)](InstallationNotesHost).
+% Installation Guide
+The only supported way to run tt-rss is under Docker. You can use official images off Docker Hub (AMD64 only) or make your own if you're running another architecture or simply want to.
+See also: [Host installation (not supported)](InstallationNotesHost).
+This setup uses PostgreSQL and runs tt-rss using several containers as outlined below.
+## .env
+# Copy this file to .env before building the container.
+# Put any local modifications here.
+# Run under this UID/GID.
+# OWNER_UID=1000
+# OWNER_GID=1000
+# FPM settings.
+# ADMIN_USER_* settings are applied on every startup.
+# Set admin user password to this value. If not set, random password will be
+# generated if default password is being used, look for it in the 'app'
+# container logs.
+# Sets admin user access level to this value.
+# Valid values:
+# -2 - forbidden to login
+# -1 - readonly
+# 0 - default user
+# 10 - admin
+# Auto create another user (in addition to built-in admin) unless it
+# already exists.
+# Default database credentials.
+# You will likely need to set this to the correct value, see
+# for more information.
+# You can customize other config.php defines by setting overrides here.
+# See app/Dockerfile for complete list. Examples:
+# TTRSS_PLUGINS=auth_remote
+# etc, etc.
+# bind exposed port to by default in case reverse proxy is used.
+# if you plan to run the container standalone and need origin port exposed
+# use next HTTP_PORT definition (or remove "").
+## docker-compose.yml
+version: '3'
+ db:
+ image: postgres:15-alpine
+ restart: unless-stopped
+ environment:
+ volumes:
+ - db:/var/lib/postgresql/data
+ app:
+ image: cthulhoo/ttrss-fpm-pgsql-static:latest
+ build:
+ dockerfile: .docker/app/Dockerfile
+ context:
+ restart: unless-stopped
+ env_file:
+ - .env
+ volumes:
+ - app:/var/www/html
+ - ./config.d:/opt/tt-rss/config.d:ro
+ depends_on:
+ - db
+# optional, makes weekly backups of your install
+# backups:
+# image: cthulhoo/ttrss-fpm-pgsql-static:latest
+# restart: unless-stopped
+# env_file:
+# - .env
+# volumes:
+# - backups:/backups
+# - app:/var/www/html
+# depends_on:
+# - db
+# command: /opt/tt-rss/ -f
+ updater:
+ image: cthulhoo/ttrss-fpm-pgsql-static:latest
+ restart: unless-stopped
+ env_file:
+ - .env
+ volumes:
+ - app:/var/www/html
+ - ./config.d:/opt/tt-rss/config.d:ro
+ depends_on:
+ - app
+ command: /opt/tt-rss/
+ web-nginx:
+ image: cthulhoo/ttrss-web-nginx:latest
+ build:
+ dockerfile: .docker/web-nginx/Dockerfile
+ context:
+ restart: unless-stopped
+ env_file:
+ - .env
+ ports:
+ - ${HTTP_PORT}:80
+ volumes:
+ - app:/var/www/html:ro
+ depends_on:
+ - app
+ db:
+ app:
+ backups:
+## FAQ
+### I'm using docker-compose.override.yml and now I'm getting schema update (and other) strange issues
+Alternatively, you've changed something related to `/var/www/html/tt-rss` in `docker-compose.yml`.
+You screwed up your docker setup somehow, so tt-rss can't update itself to the persistent storage location on startup (this is just an example of one issue, there could be many others).
+Related threads:
+ -
+ -
+Either undo your changes or figure how to fix the problem you created and everything should work properly.
+### How do I make it run without /tt-rss/ in the URL, i.e. at website root?
+Set the following variables in `.env`:
+Don't forget to remove `/tt-rss/` from `TTRSS_SELF_URL_PATH`.
+### How do I apply configuration options?
+There are two sets of options you can change through the environment - options specific to tt-rss (those are prefixed with `TTRSS_`) and options affecting container behavior.
+#### Options specific to tt-rss
+For example, to set tt-rss global option `SELF_URL_PATH`, add the following to `.env`:
+Don't use quotes around values. Note the prefix (`TTRSS_`) before the value.
+Look [here]( for more information.
+#### Container options
+Some options, but not all, are mentioned in `.env-dist`. You can see all available options in the Dockerfile:
+- (static)
+- (dynamic)
+### How do I customize the YML without commiting my changes to git?
+You can use [docker-compose.override.yml]( For example, customize `db` to use a different postgres image:
+version: '3'
+ db:
+ image: postgres:13-alpine
+### I'm trying to run CLI tt-rss scripts inside the container and they complain about root
+(run in the compose script directory)
+docker-compose exec --user app app php8 /var/www/html/tt-rss/update.php --help
+# ^ ^
+# | |
+# | +- service (container) name
+# +----- run as user
+docker-compose exec app sudo -Eu app php8 /var/www/html/tt-rss/update.php --help
+docker exec -it <container_id> sudo -Eu app php8 /var/www/html/tt-rss/update.php --help
+Note: `sudo -E` is needed to keep environment variables.
+### How do I add plugins and themes?
+For official plugins, you can use plugin installer in `Preferences` &rarr; `Plugins`.
+By default, tt-rss code is stored on a persistent docker volume (``app``). You can find
+its location like this:
+docker volume inspect ttrss-docker_app | grep Mountpoint
+Alternatively, you can mount any host directory as ``/var/www/html`` by updating ``docker-compose.yml``, i.e.:
+ - app:/var/www/html
+Replace with:
+ - /opt/tt-rss:/var/www/html
+Copy and/or git clone any third party plugins into ``plugins.local`` as usual.
+### How do I use dynamic image for development?
+The idea is to map source code someplace more accessible than a docker volume. Example `docker-compose.override.yml`:
+version: '3'
+ app:
+ build:
+ context:
+ ./app
+ volumes:
+ - ./html:/var/www/html
+ env_file:
+ - .env
+ updater:
+ build:
+ context:
+ ./app
+ volumes:
+ - ./html:/var/www/html
+ env_file:
+ - .env
+ web-nginx:
+ build: ./web-nginx
+ volumes:
+ - ./html:/var/www/html
+ env_file:
+ - .env
+Then open `html/tt-rss` in your source code editor of choice. You can enable PHP debugging using `.env`:
+# defaults to host IP
+### I'm running into 502 errors and/or other connectivity issues
+First, check that all containers are running:
+$ docker-compose ps
+ Name Command State Ports
+ttrss-docker-demo_app_1_f49351cb24ed /bin/sh -c / Up 9000/tcp
+ttrss-docker-demo_backups_1_8d2aa404e31a / -f Up 9000/tcp
+ttrss-docker-demo_db_1_fc1a842fe245 postgres Up 5432/tcp
+ttrss-docker-demo_updater_1_b7fcc8f20419 / Up 9000/tcp
+ttrss-docker-demo_web-nginx_1_fcef07eb5c55 / ngin ... Up>80/tcp
+Then, ensure that frontend (`web-nginx` or `web`) container is up and can contact FPM (`app`) container:
+$ docker-compose exec web-nginx ping app
+PING app ( 56 data bytes
+64 bytes from seq=0 ttl=64 time=0.144 ms
+64 bytes from seq=1 ttl=64 time=0.128 ms
+64 bytes from seq=2 ttl=64 time=0.206 ms
+--- app ping statistics ---
+3 packets transmitted, 3 packets received, 0% packet loss
+round-trip min/avg/max = 0.128/0.159/0.206 ms
+Containers communicate via DNS names assigned by Docker based on service names defined in `docker-compose.yml`. This means that services (specifically, `app`) in the YML must not be renamed, and Docker DNS service should be functional.
+Similar issues may be also caused by Docker `iptables` functionality either being disabled or conflicting with `nftables`.
+### How do I put this container behind a reverse proxy?
+- Don't forget to pass `X-Forwarded-Proto` to the container if you're using HTTPS, otherwise tt-rss would generate plain HTTP URLs.
+- You will need to set ``SELF_URL_PATH`` to a correct (i.e. visible from the outside) value in the ``.env`` file.
+- Address and port correspond to `HTTP_PORT` in `.env`, default:
+##### Nginx:
+location /tt-rss/ {
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $remote_addr;
+ proxy_set_header X-Forwarded-Proto $scheme;
+ proxy_pass;
+ break;
+If you run into problems with global PHP-to-FPM handler taking priority over proxied location, define tt-rss location like this so it takes higher priority:
+location ^~ /tt-rss/ {
+ ....
+If you want to pass an entire nginx virtual host to tt-rss:
+server {
+ server_name;
+ ...
+ location / {
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $remote_addr;
+ proxy_set_header X-Forwarded-Proto $scheme;
+ proxy_pass;
+ break;
+ }
+Note that `proxy_pass` in this example points to container website root.
+##### Apache
+<IfModule mod_proxy.c>
+ <Location /tt-rss>
+ ProxyPreserveHost On
+ ProxyPass http://localhost:8280/tt-rss
+ ProxyPassReverse http://localhost:8280/tt-rss
+ RequestHeader set "X-Forwarded-Proto" expr=%{REQUEST_SCHEME}
+ </Location>
+ </IfModule>
+### I have internal web services tt-rss is complaining about (URL is invalid, loopback address, disallowed ports)
+Put your local services on the same docker network with tt-rss, then access them by service (= host) names, i.e. `http://rss-bridge/`.
+ rss-bridge:
+ default:
+ external:
+ name: ttrss-docker_default
+If your service uses a non-standard (i.e. not 80 or 443) port, make an internal reverse proxy sidecar container for it.
+See also:
+### Backup and restore
+If you have `backups` container enabled, stock configuration makes automatic backups (database, local plugins, etc.) once a week to a separate storage volume.
+Note that this container is included as a safety net for people who wouldn't bother with backups otherwise. If you value your data, you should invest your time into setting up something like [WAL-G]( instead.
+A process to restore the database from such backup would look like this:
+1. Enter `backups` container shell: `docker-compose exec backups /bin/sh`
+2. Inside the container, locate and choose the backup file: `ls -t /backups/*.sql.gz`
+3. Clear database (**THIS WOULD DELETE EVERYTHING IN THE DB**): `psql -h db -U $TTRSS_DB_USER $TTRSS_DB_NAME -e -c "drop schema public cascade; create schema public"`
+3. Restore the backup: `zcat /backups/ttrss-backup-yyyymmdd.sql.gz | psql -h db -U $TTRSS_DB_USER $TTRSS_DB_NAME`
+Alternatively, if you want to initiate backups from the host, you can use something like this:
+source .env
+docker-compose exec db /bin/bash \
+ && pg_dump -U $TTRSS_DB_USER $TTRSS_DB_NAME" \
+ | gzip -9 > backup.sql.gz
+### How do I use custom certificates?
+You need to mount custom certificates into the *app* and *updater* containers like this:
+ ....
+ ./ca1.crt:/usr/local/share/ca-certificates/ca1.crt:ro
+ ./ca2.crt:/usr/local/share/ca-certificates/ca2.crt:ro
+ ....
+Don't forget to restart the containers.
+See also: