Verdaccio on AWS User Guide
Overview
Verdaccio is a lightweight open-source private npm registry and proxy built on Node.js. It lets teams publish private packages, cache packages from the public npm registry, and control access with simple htpasswd authentication - without standing up a heavyweight artifact server. The cloudimg image installs Verdaccio on Node.js LTS, runs it as a systemd service behind an nginx reverse proxy on port 80, stores the registry configuration, package storage and the htpasswd auth database on a dedicated data volume, and generates a unique admin account on the first boot of every instance. Backed by 24/7 cloudimg support.
What is included:
- Verdaccio on Node.js LTS, installed globally
- The web UI and npm registry published on port 80 via nginx (with WebSocket upgrade and a 1 GiB body limit for large tarball publishes)
- An uplink to the public npm registry so any package not published locally is proxied and cached
- A dedicated data volume at
/var/lib/verdacciofor config, package storage and the htpasswd auth database - A unique admin account generated on first boot, written to a root-only credentials file
verdaccio.service+nginx.serviceas systemd units, enabled and active- 24/7 cloudimg support
Prerequisites
An Amazon Web Services account where you can launch EC2 instances, an EC2 key pair in the target Region, and a VPC + subnet. m5.large is a good starting point. Security group inbound: allow 22/tcp from your management network and 80/tcp for the registry and web UI (front with TLS for public exposure - see Enabling HTTPS).
Step 1: Launch the Instance from the AWS Marketplace
Sign in to the AWS Management Console, open the EC2 service, and select Launch instance. Under Application and OS Images choose AWS Marketplace AMIs and search for Verdaccio by cloudimg. Select the cloudimg listing and choose Select, then Continue on the subscription summary. Pick your instance type and EC2 key pair, and under Network settings select a security group that allows inbound ports 22 and 80 as described above. Select Launch instance.
Step 2: Launch the Instance from the AWS CLI
aws ec2 run-instances \
--image-id <ami-id> \
--instance-type m5.large \
--key-name <key-name> \
--subnet-id <subnet-id> \
--security-group-ids <security-group-id> \
--tag-specifications 'ResourceType=instance,Tags=[{Key=Name,Value=verdaccio-01}]'
Step 3: Connect to your Instance
The SSH login user depends on the operating system of the AMI variant you launched:
| AMI variant | SSH login user |
|---|---|
| Verdaccio on Ubuntu 24.04 | ubuntu |
ssh -i <path-to-key>.pem ubuntu@<instance-public-ip>
Step 4: Confirm the services are running
systemctl is-active verdaccio.service nginx.service
Both report active. On first boot Verdaccio generates a unique admin account and writes the htpasswd auth database.
Step 5: Retrieve your admin credentials
The admin password is generated uniquely on the first boot of your instance and written to a root-only file:
sudo cat /root/verdaccio-credentials.txt
This file contains verdaccio.admin.user (admin) and verdaccio.admin.pass. Store the password somewhere safe.
Step 6: Check the health endpoint
Verdaccio exposes a liveness endpoint (returns 200):
curl -s -o /dev/null -w '%{http_code}\n' http://localhost/-/ping
Step 7: Open the web UI
Browse to http://<instance-public-ip>/ and sign in with admin and the password from Step 5.

Use the sign-in dialog in the top-right of the UI to authenticate with your admin account:

The web UI shows installation and login help for each package once you have published one, and the empty-registry welcome until then:

Once signed in, the UI shows you are authenticated and the published package list:

Step 8: Confirm your credentials authenticate
Every package on the registry requires authentication. Confirm the generated admin credentials work by requesting a package with HTTP Basic auth - a valid login returns 200, a missing or wrong password returns 401:
curl -s -o /dev/null -w '%{http_code}\n' -u 'admin:<VERDACCIO_ADMIN_PASSWORD>' http://localhost/lodash
The npm login command (Step 9) performs the same authentication for the npm CLI and stores a token in your ~/.npmrc.
Step 9: Point npm at your registry
From a developer machine, point npm at the registry and log in (user admin, the password from Step 5):
npm set registry http://<instance-public-ip>/
npm login --registry http://<instance-public-ip>/
Install packages as usual - anything not published privately is proxied and cached from the public npm registry:
npm install lodash
Step 10: Publish a private package
In a package directory, publish to your registry:
npm publish --registry http://<instance-public-ip>/
The package and its tarball are stored on the dedicated data volume and appear in the web UI. Use a scope (e.g. @yourorg/pkg) to keep private packages separate from public ones.
Step 11: Confirm storage lives on the dedicated volume
The configuration, package storage and htpasswd auth database are stored on the dedicated data volume so they survive OS changes and can be resized independently:
findmnt /var/lib/verdaccio
The mount is backed by a separate EBS data volume captured into the image and provisioned on every instance.
Enabling HTTPS
The nginx reverse proxy terminates plain HTTP on port 80. For public exposure, put a certificate in front of it - add a DNS name for the instance and install certbot, or use the companion cloudimg nginx-ssl-certbot image as a TLS reverse proxy. Keep Verdaccio bound to loopback (127.0.0.1:4873) so the only public surface is the TLS-terminated proxy. Set url_prefix and the public URL in /var/lib/verdaccio/config.yaml if you serve under a path, then restart Verdaccio. Add 443/tcp to your security group inbound rules.
Maintenance
- Backups: snapshot the
/var/lib/verdacciodata volume to back up the configuration, package storage and auth database. - Users: add or update accounts with
sudo htpasswd /var/lib/verdaccio/htpasswd <username>and restart Verdaccio. - Service:
sudo systemctl restart verdaccioafter configuration changes; logs viajournalctl -u verdaccio. - Security patches: unattended-upgrades remains enabled so the OS continues to receive security updates automatically.
Support
cloudimg provides 24/7 expert support for this image. Contact support@cloudimg.co.uk.