Observability Azure

Tianji on Ubuntu 24.04 on Azure User Guide

| Product: Tianji on Ubuntu 24.04 LTS on Azure

Overview

Tianji is an all in one, open source, self hosted insight hub. It brings website analytics, uptime and status monitoring, server telemetry and public status pages together under a single polished dashboard, so you can watch everything that matters about your sites and servers from one place instead of running several separate tools. The website analytics are privacy friendly and cookie free, the monitors probe HTTP, TCP and ping endpoints on a schedule and record uptime history, and the server telemetry accepts metrics pushed from a lightweight reporter, all rendered in real time over WebSockets.

The cloudimg image installs Tianji 1.32.16 and puts its Node.js server behind an nginx reverse proxy on port 80, with PostgreSQL for durable state. The appliance is secure by default: Tianji's own database migration ships a well known admin / admin account, and this image closes that hole. On the first boot of every instance a one shot service rotates the PostgreSQL password, generates a fresh signing secret and replaces the seeded administrator password with a unique random one written to a root only file, so no two deployments share a credential and the default admin / admin login no longer works. Open self registration is disabled, and a demo website and uptime monitor are seeded so the dashboard is a real workspace the moment you sign in.

What is included:

  • Tianji 1.32.16 Node.js server (/opt/tianji/src, entrypoint dist/src/server/main.js)
  • PostgreSQL 16 for durable state (analytics, monitors, users)
  • tianji.service running as the tianji user on 127.0.0.1:12345
  • nginx.service reverse proxy on TCP 80, TLS ready, WebSocket aware
  • tianji-firstboot.service rotating the DB password, signing secret and admin password on first boot
  • A unified dashboard with website analytics, uptime monitors, server telemetry and status pages
  • A seeded demo website and an uptime monitor so the dashboard is populated on first boot
  • Ubuntu 24.04 LTS base, latest patches, unattended security upgrades enabled
  • 24/7 cloudimg support, 24h response SLA

Prerequisites

An active Azure subscription, an SSH key, and a VNet with a subnet. Recommended VM size: Standard_B2s (2 vCPU, 4 GB RAM).

Step 1: Deploy from the Azure Portal

Search the Azure Marketplace for Tianji, choose the plan, and create the VM. In the networking step attach an NSG that allows inbound TCP 22 (SSH) and TCP 80 (the dashboard) from your client networks only. Put a TLS reverse proxy in front of port 80 for production. Tianji also listens on port 12345 (TCP and UDP) for its optional server telemetry reporter protocol; open 12345 in the NSG only if you push metrics from remote servers, and only to those hosts.

Step 2: Deploy from the Azure CLI

RG="tianji-prod"; LOCATION="eastus"; VM_NAME="tianji-01"
GALLERY_IMAGE_ID="/subscriptions/<sub-id>/resourceGroups/azure-cloudimg/providers/Microsoft.Compute/galleries/cloudimgGallery/images/tianji-ubuntu-24-04/versions/<version>"
SSH_KEY="$(cat ~/.ssh/id_rsa.pub)"
az group create --name "$RG" --location "$LOCATION"
az network vnet create -g "$RG" --name tj-vnet --address-prefix 10.108.0.0/16 --subnet-name tj-subnet --subnet-prefix 10.108.1.0/24
az network nsg create -g "$RG" --name tj-nsg
az network nsg rule create -g "$RG" --nsg-name tj-nsg --name allow-ssh --priority 100 \
  --source-address-prefixes "<your-mgmt-cidr>" --destination-port-ranges 22 --access Allow --protocol Tcp
az network nsg rule create -g "$RG" --nsg-name tj-nsg --name allow-web --priority 110 \
  --source-address-prefixes "<your-mgmt-cidr>" --destination-port-ranges 80 --access Allow --protocol Tcp
az vm create -g "$RG" --name "$VM_NAME" --image "$GALLERY_IMAGE_ID" \
  --size Standard_B2s --storage-sku StandardSSD_LRS \
  --admin-username azureuser --ssh-key-values "$SSH_KEY" \
  --vnet-name tj-vnet --subnet tj-subnet --nsg tj-nsg --public-ip-sku Standard

Step 3: Connect via SSH

ssh azureuser@<vm-ip>

tianji.service, nginx.service and postgresql.service all start automatically on first boot, after tianji-firstboot.service has rotated the per instance secrets.

Step 4: Verify the Services

sudo systemctl is-active tianji nginx postgresql tianji-firstboot
sudo test -f /var/lib/cloudimg/tianji-firstboot.done && echo FIRSTBOOT_DONE
sudo ss -tlnp | grep -E ':80 |:12345 '

Expected output — all four units are active, first boot has completed, and nginx is bound to the public port 80 while the Tianji Node.js server listens on 12345:

active
active
active
active
FIRSTBOOT_DONE
LISTEN 0 511  0.0.0.0:80    0.0.0.0:*  users:(("nginx",...))
LISTEN 0 511  *:12345       *:*        users:(("node",...))

Tianji, nginx, PostgreSQL and the firstboot service all active, first boot complete, with nginx bound to public port 80 and the Node.js server on 12345

Step 5: Retrieve Your Admin Credentials

The administrator password is generated uniquely on this VM's first boot and written to a root only file. Read it, then keep it somewhere safe:

sudo cat /root/tianji-credentials.txt
grep ALLOW_REGISTER /etc/tianji/tianji.env

The file holds the dashboard URL, the admin user and its per instance password, and the PostgreSQL details. Open self registration is disabled (ALLOW_REGISTER=false), so the dashboard cannot be claimed by a visitor:

tianji.url=http://<vm-ip>/
tianji.admin.user=admin
tianji.admin.pass=<unique-per-instance-password>
tianji.db.name=tianji
tianji.db.user=tianji
tianji.db.pass=<unique-per-instance-password>
ALLOW_REGISTER=false

The per VM Tianji credentials file with the admin and database passwords masked, and open registration disabled in the environment file

Step 6: Confirm There Is No Default Login

Tianji's database migration ships a default admin / admin account. This image rotates that password on first boot, so the default no longer authenticates. Prove it: a login with your per instance password succeeds, while the default admin / admin is rejected:

ADMIN_PASS=$(sudo grep '^tianji.admin.pass=' /root/tianji-credentials.txt | cut -d= -f2-)
curl -s http://127.0.0.1:12345/health
curl -s -o /dev/null -w 'per-VM login  -> HTTP %{http_code}\n' -m 10 -X POST http://127.0.0.1:12345/open/login \
  -H 'Content-Type: application/json' -d "{\"username\":\"admin\",\"password\":\"$ADMIN_PASS\"}"
curl -s -o /dev/null -w 'admin/admin   -> HTTP %{http_code}\n' -m 10 -X POST http://127.0.0.1:12345/open/login \
  -H 'Content-Type: application/json' -d '{"username":"admin","password":"admin"}'

The health endpoint reports the running version, the per instance password returns HTTP 200 (a token is issued), and the default admin / admin returns a non 200 rejection:

{"status":"healthy","version":"1.32.16","timestamp":"...","duration":0,"checks":{}}
per-VM login  -> HTTP 200
admin/admin   -> HTTP 500

The health endpoint reporting version 1.32.16, the default admin/admin login rejected, and the credential round-trip helper confirming a real login succeeds while every default credential is rejected

Step 7: Sign in to the Dashboard

Open the dashboard in a browser at http://<vm-ip>/ and sign in as admin with the password from Step 5:

open http://<vm-ip>/

The Tianji sign in page with the username and password fields and the Login button

Step 8: Explore Website Analytics

After signing in you land on the Website Overview. The image seeds a demo website so the workspace is populated. The left sidebar lists every Tianji capability, and each website shows its recent event count:

The Tianji dashboard Website Overview showing the seeded Demo Site and the full feature sidebar, signed in as admin

Open a website to see its analytics dashboard: views, visitors, bounce rate and average visit time, with a time range selector and a visitor trend chart. Add your own site (Step 11) and the charts fill in as real events arrive:

The Demo Site analytics dashboard showing Views, Visitors, Bounce Rate and Average Visit Time metric tiles with a time range selector

Step 9: Watch Uptime with Monitors

The Monitor section runs scheduled HTTP, TCP and ping checks and records uptime history. The image seeds a demo monitor that watches the Tianji service itself, so you can see a live monitor with response times and an uptime percentage immediately:

The Tianji Service Health monitor showing an UP status, current and average response times, 100 percent uptime over 24 hours and 30 days, and a response time chart

Step 10: Server Components

node -v
node -e "console.log('Tianji '+require('/opt/tianji/src/package.json').version)"
ls -1 /opt/tianji/src/src/server/dist/src/server/main.js /etc/tianji/tianji.env /usr/local/sbin/tianji-firstboot.sh

The Node.js runtime, the pinned Tianji version, the seeded demo website and monitor, and the installed component paths:

v22.23.1
Tianji 1.32.16
/etc/tianji/tianji.env
/opt/tianji/src/src/server/dist/src/server/main.js
/usr/local/sbin/tianji-firstboot.sh

The Node.js version, the pinned Tianji 1.32.16 version, the seeded demo website and monitor counts, and the installed Tianji component paths

Step 11: Add a Website to Track

To collect analytics for your own site, add it in the dashboard under Website, then copy the tracking script Tianji generates for it and paste it into your site's <head>. Tianji records page views and visitors with no cookies. You can also add monitors under Monitor and register servers under Servers to push host metrics.

Step 12: Managing the Service

sudo systemctl status tianji.service --no-pager | head -n 8
sudo journalctl -u tianji.service --no-pager -n 15

The service is managed by systemd with automatic restart on failure. It is hardened with NoNewPrivileges, ProtectSystem=full and ProtectHome, and reads its per instance secrets from /etc/tianji/tianji.env.

Step 13: Configuration

Tianji is configured through the environment file /etc/tianji/tianji.env, which the first boot service writes with per instance values. Useful keys:

Setting Meaning Image default
DATABASE_URL PostgreSQL connection string per instance rotated password
JWT_SECRET Signs login tokens per instance random value
ALLOW_REGISTER Open self registration false
ALLOW_OPENAPI Enable the /open REST API true
PORT Server listen port 12345

After editing the file, apply changes with sudo systemctl restart tianji.service.

Step 14: Add TLS (Optional)

For production, terminate TLS at nginx. Point a DNS record at the VM, then use the packaged nginx with a certificate from Let's Encrypt:

sudo apt-get install -y certbot python3-certbot-nginx
sudo certbot --nginx -d <your-domain>

certbot installs the certificate, rewrites the nginx server block to listen on 443 and sets up automatic renewal.

Step 15: Security Recommendations

  • Restrict the NSG so ports 80 and 22 only reach trusted networks, and keep 12345 closed unless you push remote server telemetry.
  • Terminate TLS at nginx (Step 14) so the dashboard and API travel encrypted.
  • Change the admin password from the dashboard after first sign in if you prefer your own, and add named users instead of sharing the admin account.
  • Keep open registration off (ALLOW_REGISTER=false) unless you deliberately want public sign ups.
  • Back up PostgreSQL with pg_dump if you need your analytics and uptime history to survive a rebuild.
  • Patch the OS monthly with sudo apt-get update && sudo apt-get upgrade; unattended security upgrades are already enabled.

Step 16: Support and Licensing

Tianji is licensed under the Apache License 2.0 — no per CPU or per user fee. cloudimg provides commercial support separately.

  • Email: support@cloudimg.co.uk
  • Website: www.cloudimg.co.uk
  • Support hours: 24/7, 24h response SLA

Deploy on Azure

Launch Tianji on Ubuntu 24.04 with 24/7 support from cloudimg.

View on Marketplace

Need Help?

Our support team is available 24/7. support@cloudimg.co.uk