Overview
This guide documents production deployment of the VAGUS relay server from
../relay-server using:
- Node.js runtime for the relay process.
systemdfor daemon lifecycle management.nginxas TLS terminator and reverse proxy.- Optional Redis persistence (recommended production mode).
Public URL: wss://relay.example.com
Health endpoint: https://relay.example.com/health
Code source: ../relay-server/src/server.js
Note: domain, paths, and port values in this guide are examples; replace with your environment.
Related: Server (Android App) for MCP runtime behavior and Node Client for client-side CLI usage.
Architecture
| Layer | Role | Port |
|---|---|---|
| nginx | TLS termination, HTTP/WebSocket proxy, public ingress. | 443 |
| Relay Node process | Pairing API + WSS routing + session logic. | 18087 (loopback) |
| Redis (optional) | Session/pair persistence across relay restarts. | 6379 |
Endpoints served by relay:
POST /pairPOST /revokeGET /healthWSS /connect/<session_token>?role=app|client
Prerequisites
- Ubuntu/Debian VPS with sudo access.
- Domain DNS
relay.example.compointing to the VPS. - Node 20+ installed at
/usr/bin/node. nginxandsystemdinstalled.- Optional: Redis available locally for persistence.
# one-time packages
sudo apt update
sudo apt install -y nginx redis-server certbot python3-certbot-nginx
Install Relay Server
1. Provision target directory
sudo mkdir -p
sudo chown -R $USER:$USER
2. Copy relay source
# from your repo host
cp -R ../relay-server/. /
3. Install dependencies
cd
npm install --omit=dev
Environment Configuration
Use .env.example as baseline. Key production settings:
| Variable | Recommended Production Value |
|---|---|
PORT | 18087 (bind on localhost behind nginx) |
TRUST_PROXY | true (required behind nginx) |
REQUIRE_REDIS | true |
REDIS_URL | |
REDIS_PREFIX | vagus:relay: (or tenant-specific) |
RELAY_BUILD | release identifier (example 2026.02.25) |
REQUIRE_ORIGIN | false unless strict browser-only flows are required |
MAX_MESSAGE_BYTES | 1048576 (1MB default) |
Example env file
sudo tee >/dev/null <<'EOF'
NODE_ENV=production
PORT=
TRUST_PROXY=true
RELAY_BUILD=2026.02.25
REQUIRE_REDIS=true
REDIS_URL=
REDIS_PREFIX=vagus:relay:
REQUIRE_ORIGIN=false
EOF
systemd Service (Daemon)
Service template is provided at
../relay-server/deploy/systemd/vagus-relay.service.
Install service
sudo cp /deploy/systemd/vagus-relay.service /etc/systemd/system/vagus-relay.service
# recommended: use env file instead of inline Environment lines
sudo sed -i 's|^# EnvironmentFile=|EnvironmentFile=|' /etc/systemd/system/vagus-relay.service
sudo systemctl daemon-reload
sudo systemctl enable vagus-relay
sudo systemctl restart vagus-relay
sudo systemctl status vagus-relay --no-pager
Logs
journalctl -u vagus-relay -f
Nginx + SSL
Nginx template is provided at
../relay-server/deploy/nginx/relay.example.com.conf.
1. Install nginx site config
sudo cp /deploy/nginx/relay.example.com.conf /.conf
sudo ln -sf /.conf /.conf
sudo nginx -t
sudo systemctl reload nginx
2. Issue SSL certificate (Let's Encrypt)
sudo certbot --nginx -d relay.example.com
sudo nginx -t
sudo systemctl reload nginx
3. Firewall (if UFW is enabled)
sudo ufw allow 80/tcp
sudo ufw allow 443/tcp
sudo ufw status
Relay listens on . Do not expose
Verification
Health endpoint
curl -sS https://relay.example.com/health | jq
Expected fields include:
status: "ok"mode: "multi-client"relay_buildpersistence: "redis"(if Redis configured)
Smoke test
cd
node scripts/smoke-test.js
Operations
Restart relay
sudo systemctl restart vagus-relay
Deploy update
cd
# sync updated source here
npm install --omit=dev
sudo systemctl restart vagus-relay
curl -sS https://relay.example.com/health
Zero-data guarantees
- Payloads are relayed in memory and not persisted by relay.
- Redis stores session metadata only (token/code/session state), not message bodies.
Troubleshooting
| Symptom | Check | Fix |
|---|---|---|
/health returns 502 |
systemctl status vagus-relay |
Start/restart service and inspect journal logs. |
| WSS handshake fails | nginx -t, cert validity, DNS |
Fix TLS config/cert and reload nginx. |
| Service exits on boot | journal logs for Redis error | Set REDIS_URL or disable REQUIRE_REDIS temporarily. |
| Pair requests rate limited | HTTP 429 on /pair |
Tune MAX_PAIR_REQUESTS_PER_WINDOW and RATE_LIMIT_WINDOW_MS. |
Security Checklist
- Run behind TLS only. Enforce HTTP-to-HTTPS redirect.
- Keep relay port private (loopback), expose only 443/80 via nginx.
- Use Redis persistence for restart safety and controlled session cleanup.
- Set
TRUST_PROXY=truewhen behind nginx for correct client IP rate limiting. - Set
RELAY_BUILDper release for traceable health diagnostics. - Review
ORIGIN_ALLOWLIST/REQUIRE_ORIGINonly if browser-origin restrictions are needed. - Monitor logs and alert on relay start failures, 5xx spikes, and pair abuse events.