Tianji on Ubuntu 24.04 on Azure User Guide
Overview
Tianji is an all in one, open source, self hosted insight hub. It brings website analytics, uptime and status monitoring, server telemetry and public status pages together under a single polished dashboard, so you can watch everything that matters about your sites and servers from one place instead of running several separate tools. The website analytics are privacy friendly and cookie free, the monitors probe HTTP, TCP and ping endpoints on a schedule and record uptime history, and the server telemetry accepts metrics pushed from a lightweight reporter, all rendered in real time over WebSockets.
The cloudimg image installs Tianji 1.32.16 and puts its Node.js server behind an nginx reverse proxy on port 80, with PostgreSQL for durable state. The appliance is secure by default: Tianji's own database migration ships a well known admin / admin account, and this image closes that hole. On the first boot of every instance a one shot service rotates the PostgreSQL password, generates a fresh signing secret and replaces the seeded administrator password with a unique random one written to a root only file, so no two deployments share a credential and the default admin / admin login no longer works. Open self registration is disabled, and a demo website and uptime monitor are seeded so the dashboard is a real workspace the moment you sign in.
What is included:
- Tianji 1.32.16 Node.js server (
/opt/tianji/src, entrypointdist/src/server/main.js) - PostgreSQL 16 for durable state (analytics, monitors, users)
tianji.servicerunning as thetianjiuser on127.0.0.1:12345nginx.servicereverse proxy on TCP 80, TLS ready, WebSocket awaretianji-firstboot.servicerotating the DB password, signing secret and admin password on first boot- A unified dashboard with website analytics, uptime monitors, server telemetry and status pages
- A seeded demo website and an uptime monitor so the dashboard is populated on first boot
- Ubuntu 24.04 LTS base, latest patches, unattended security upgrades enabled
- 24/7 cloudimg support, 24h response SLA
Prerequisites
An active Azure subscription, an SSH key, and a VNet with a subnet. Recommended VM size: Standard_B2s (2 vCPU, 4 GB RAM).
Step 1: Deploy from the Azure Portal
Search the Azure Marketplace for Tianji, choose the plan, and create the VM. In the networking step attach an NSG that allows inbound TCP 22 (SSH) and TCP 80 (the dashboard) from your client networks only. Put a TLS reverse proxy in front of port 80 for production. Tianji also listens on port 12345 (TCP and UDP) for its optional server telemetry reporter protocol; open 12345 in the NSG only if you push metrics from remote servers, and only to those hosts.
Step 2: Deploy from the Azure CLI
RG="tianji-prod"; LOCATION="eastus"; VM_NAME="tianji-01"
GALLERY_IMAGE_ID="/subscriptions/<sub-id>/resourceGroups/azure-cloudimg/providers/Microsoft.Compute/galleries/cloudimgGallery/images/tianji-ubuntu-24-04/versions/<version>"
SSH_KEY="$(cat ~/.ssh/id_rsa.pub)"
az group create --name "$RG" --location "$LOCATION"
az network vnet create -g "$RG" --name tj-vnet --address-prefix 10.108.0.0/16 --subnet-name tj-subnet --subnet-prefix 10.108.1.0/24
az network nsg create -g "$RG" --name tj-nsg
az network nsg rule create -g "$RG" --nsg-name tj-nsg --name allow-ssh --priority 100 \
--source-address-prefixes "<your-mgmt-cidr>" --destination-port-ranges 22 --access Allow --protocol Tcp
az network nsg rule create -g "$RG" --nsg-name tj-nsg --name allow-web --priority 110 \
--source-address-prefixes "<your-mgmt-cidr>" --destination-port-ranges 80 --access Allow --protocol Tcp
az vm create -g "$RG" --name "$VM_NAME" --image "$GALLERY_IMAGE_ID" \
--size Standard_B2s --storage-sku StandardSSD_LRS \
--admin-username azureuser --ssh-key-values "$SSH_KEY" \
--vnet-name tj-vnet --subnet tj-subnet --nsg tj-nsg --public-ip-sku Standard
Step 3: Connect via SSH
ssh azureuser@<vm-ip>
tianji.service, nginx.service and postgresql.service all start automatically on first boot, after tianji-firstboot.service has rotated the per instance secrets.
Step 4: Verify the Services
sudo systemctl is-active tianji nginx postgresql tianji-firstboot
sudo test -f /var/lib/cloudimg/tianji-firstboot.done && echo FIRSTBOOT_DONE
sudo ss -tlnp | grep -E ':80 |:12345 '
Expected output — all four units are active, first boot has completed, and nginx is bound to the public port 80 while the Tianji Node.js server listens on 12345:
active
active
active
active
FIRSTBOOT_DONE
LISTEN 0 511 0.0.0.0:80 0.0.0.0:* users:(("nginx",...))
LISTEN 0 511 *:12345 *:* users:(("node",...))

Step 5: Retrieve Your Admin Credentials
The administrator password is generated uniquely on this VM's first boot and written to a root only file. Read it, then keep it somewhere safe:
sudo cat /root/tianji-credentials.txt
grep ALLOW_REGISTER /etc/tianji/tianji.env
The file holds the dashboard URL, the admin user and its per instance password, and the PostgreSQL details. Open self registration is disabled (ALLOW_REGISTER=false), so the dashboard cannot be claimed by a visitor:
tianji.url=http://<vm-ip>/
tianji.admin.user=admin
tianji.admin.pass=<unique-per-instance-password>
tianji.db.name=tianji
tianji.db.user=tianji
tianji.db.pass=<unique-per-instance-password>
ALLOW_REGISTER=false

Step 6: Confirm There Is No Default Login
Tianji's database migration ships a default admin / admin account. This image rotates that password on first boot, so the default no longer authenticates. Prove it: a login with your per instance password succeeds, while the default admin / admin is rejected:
ADMIN_PASS=$(sudo grep '^tianji.admin.pass=' /root/tianji-credentials.txt | cut -d= -f2-)
curl -s http://127.0.0.1:12345/health
curl -s -o /dev/null -w 'per-VM login -> HTTP %{http_code}\n' -m 10 -X POST http://127.0.0.1:12345/open/login \
-H 'Content-Type: application/json' -d "{\"username\":\"admin\",\"password\":\"$ADMIN_PASS\"}"
curl -s -o /dev/null -w 'admin/admin -> HTTP %{http_code}\n' -m 10 -X POST http://127.0.0.1:12345/open/login \
-H 'Content-Type: application/json' -d '{"username":"admin","password":"admin"}'
The health endpoint reports the running version, the per instance password returns HTTP 200 (a token is issued), and the default admin / admin returns a non 200 rejection:
{"status":"healthy","version":"1.32.16","timestamp":"...","duration":0,"checks":{}}
per-VM login -> HTTP 200
admin/admin -> HTTP 500

Step 7: Sign in to the Dashboard
Open the dashboard in a browser at http://<vm-ip>/ and sign in as admin with the password from Step 5:
open http://<vm-ip>/

Step 8: Explore Website Analytics
After signing in you land on the Website Overview. The image seeds a demo website so the workspace is populated. The left sidebar lists every Tianji capability, and each website shows its recent event count:

Open a website to see its analytics dashboard: views, visitors, bounce rate and average visit time, with a time range selector and a visitor trend chart. Add your own site (Step 11) and the charts fill in as real events arrive:

Step 9: Watch Uptime with Monitors
The Monitor section runs scheduled HTTP, TCP and ping checks and records uptime history. The image seeds a demo monitor that watches the Tianji service itself, so you can see a live monitor with response times and an uptime percentage immediately:

Step 10: Server Components
node -v
node -e "console.log('Tianji '+require('/opt/tianji/src/package.json').version)"
ls -1 /opt/tianji/src/src/server/dist/src/server/main.js /etc/tianji/tianji.env /usr/local/sbin/tianji-firstboot.sh
The Node.js runtime, the pinned Tianji version, the seeded demo website and monitor, and the installed component paths:
v22.23.1
Tianji 1.32.16
/etc/tianji/tianji.env
/opt/tianji/src/src/server/dist/src/server/main.js
/usr/local/sbin/tianji-firstboot.sh

Step 11: Add a Website to Track
To collect analytics for your own site, add it in the dashboard under Website, then copy the tracking script Tianji generates for it and paste it into your site's <head>. Tianji records page views and visitors with no cookies. You can also add monitors under Monitor and register servers under Servers to push host metrics.
Step 12: Managing the Service
sudo systemctl status tianji.service --no-pager | head -n 8
sudo journalctl -u tianji.service --no-pager -n 15
The service is managed by systemd with automatic restart on failure. It is hardened with NoNewPrivileges, ProtectSystem=full and ProtectHome, and reads its per instance secrets from /etc/tianji/tianji.env.
Step 13: Configuration
Tianji is configured through the environment file /etc/tianji/tianji.env, which the first boot service writes with per instance values. Useful keys:
| Setting | Meaning | Image default |
|---|---|---|
DATABASE_URL |
PostgreSQL connection string | per instance rotated password |
JWT_SECRET |
Signs login tokens | per instance random value |
ALLOW_REGISTER |
Open self registration | false |
ALLOW_OPENAPI |
Enable the /open REST API |
true |
PORT |
Server listen port | 12345 |
After editing the file, apply changes with sudo systemctl restart tianji.service.
Step 14: Add TLS (Optional)
For production, terminate TLS at nginx. Point a DNS record at the VM, then use the packaged nginx with a certificate from Let's Encrypt:
sudo apt-get install -y certbot python3-certbot-nginx
sudo certbot --nginx -d <your-domain>
certbot installs the certificate, rewrites the nginx server block to listen on 443 and sets up automatic renewal.
Step 15: Security Recommendations
- Restrict the NSG so ports 80 and 22 only reach trusted networks, and keep 12345 closed unless you push remote server telemetry.
- Terminate TLS at nginx (Step 14) so the dashboard and API travel encrypted.
- Change the admin password from the dashboard after first sign in if you prefer your own, and add named users instead of sharing the admin account.
- Keep open registration off (
ALLOW_REGISTER=false) unless you deliberately want public sign ups. - Back up PostgreSQL with
pg_dumpif you need your analytics and uptime history to survive a rebuild. - Patch the OS monthly with
sudo apt-get update && sudo apt-get upgrade; unattended security upgrades are already enabled.
Step 16: Support and Licensing
Tianji is licensed under the Apache License 2.0 — no per CPU or per user fee. cloudimg provides commercial support separately.
- Email: support@cloudimg.co.uk
- Website: www.cloudimg.co.uk
- Support hours: 24/7, 24h response SLA
Deploy on Azure
Launch Tianji on Ubuntu 24.04 with 24/7 support from cloudimg.
View on Marketplace
Need Help?
Our support team is available 24/7. support@cloudimg.co.uk