Skip to content
Greffon
Tutorial

Self-Host Umami with Greffon

Most analytics tools pay for themselves by selling what they learn about your visitors. Umami does not collect that in the first place, and self-hosting keeps the data on a box you own.

GLGreffon Labs5 min read
~/blog/self-host-umami

Web analytics has a quiet cost: the tool that measures your traffic usually keeps a copy of it, and often pairs your visitors with cookies and a profile they carry across the web. Umami takes the other path. It is cookie-free, it does not build cross-site profiles, and when you host it yourself the numbers sit on a machine you own rather than an account you rent. Greffon takes the fiddly parts of standing it up off your plate.

Why own your analytics

Umami is a lightweight, privacy-focused alternative to Google Analytics. It counts page views, referrers, countries, and devices without setting cookies and without the consent-banner overhead that follows tools which do. The dashboard is clean and fast, and the data behind it never leaves your greffer.

That is the real shift in self-hosting it. With a hosted analytics service, your visitors' activity is data the provider holds too. Grafting Umami onto a greffer means the visit logs, the dashboards, and the database all live on your hardware, under your control, and they are not anyone else's to mine.

Graft it from the catalog

On a greffer you do not hand-write a compose file, provision a database, or wire a reverse proxy. Pick Umami from the catalog and graft it onto your greffer. The app ships with its database alongside it, and Greffon issues the certificate and routes the app, so it comes up reachable over HTTPS from the first start. The signing secret Umami uses for session tokens is generated by the platform when you create the instance, so there is nothing to paste in by hand.

Change the default login

Umami ships with a fixed default account so you can get in on the first load. That convenience is also the first thing you must close off.

Change the default password immediately
The first login uses username admin and password umami. These are the same on every Umami install, so anyone who can reach your dashboard knows them. Log in once, go to settings, and change the password before you point a real site at it.

Add the tracking script

Once you are in, add a website in the Umami dashboard and it gives you a small tracking snippet, a single <script> tag. Drop that into the pages you want to measure and views start showing up. The script is light and loads from your own greffer, so the sites you track are not calling out to a third-party analytics host.

Because the script is served from your greffer, the site you are tracking needs to be able to reach it. If your greffer is on your home network and the site lives on the public internet, see the next section on reaching it from anywhere.

Reaching it, and your data

Umami is an HTTP app, so reaching it from outside your network is straightforward. The simplest option is tunnel mode: a greffer connects outbound to the manager's tunnel and serves its apps without opening a single inbound port, which is the answer for a box behind NAT or CGNAT with no public IP. If you would rather expose the greffer directly, port forwarding plus dynamic DNS still works. Either way the dashboard and the tracking script stay reachable over HTTPS.

The data itself is the part worth a plan. Your analytics history lives in Umami's database on the greffer, and unlike a hosted service there is no provider keeping a copy for you. Greffon handles TLS and routing today, and native one-click backups are coming in M2. Until then, bring your own backup tool (restic or borgbackup are the usual choices), back up the database volume on a schedule, and store a copy off the greffer.

Decide how long you keep visit data
Self-hosting Umami means you, not a vendor, decide retention. Keeping less history is both a privacy posture and a smaller backup. If you only ever look at the last few months, there is no reason to carry years of rows.

Keep it always-on

Analytics only counts what it is up to see. If the greffer is asleep when a visitor arrives, that visit is gone, there is no catching up later. Run Umami on an always-on greffer such as a small VPS, a mini-PC, or a free Oracle Cloud box, rather than a laptop that sleeps at night. The Oracle walkthrough is a good place to get a greffer running before you graft Umami onto it.

FAQ

Is Umami really cookie-free?
Yes. Umami does not set cookies and does not build cross-site visitor profiles. That is why most self-hosters run it without a cookie consent banner, though you should still confirm your own legal obligations for your audience.
Is it a drop-in replacement for Google Analytics?
For the common case of page views, referrers, countries, devices, and per-page traffic, yes. It is deliberately lighter, so if you depend on deep ad-attribution or audience-profiling features you will notice those are not the point of Umami.
What is the admin login on first start?
Username admin, password umami, the same on every install. Change the password the moment you log in, before you track a real site, since anyone who reaches your dashboard knows the default.
Where does my visitor data go?
Into Umami's database on your greffer, and nowhere else. There is no provider copy, which is the upside and also why you should set up your own backups of the database volume.
GL
Greffon Labs
We build Greffon, the simplest way to turn any machine into a server you own.

Ready to turn on your greffer?

Install in minutes. Deploy each app in seconds. Your server, your apps.

Read the docs