Skip to content

Run A Relay

Run your own nostr relay!


In order to have a resilient decentralized nostr network there needs to be a good distribution of relays. Avoiding the caveat of too many large (centralized) relays, many of unknown architecture and availability. It is not too difficult to run your own private relay at home or on an inexpensive cloud provider.

Digital Ocean $200 Credit

The following is based on the unofficial strfry docker repo:

Install Requirements

(In this example we're assuming your host is running Ubuntu 22.04 but should work with most Debian based OSs)

On your cloud server or home server be sure to install Docker.

Now install docker-compose:

curl -SL -o /usr/local/bin/docker-compose

Make executable:

sudo chmod +x /usr/local/bin/docker-compose

Point DNS to IP of Relay

In your DNS registrar or hosting control panel add an A record for to your instance public IP. You can alternatively use dynamic DNS if hosting from home. If using from home I recommend using a free CloudFlare account to proxy DNS to your home IP to obfuscate it. There are many videos and howtos on this.

Create docker-compose.yml

Make a docker-compose.yml file with contents below:

    image: relayable/strfry:latest
    restart: unless-stopped
      - /local/path/to/strfry-data/etc:/etc/
      - /local/path/to/strfry-data/strfry-db:/app/strfry-db
      - /local/path/to/strfry-data/plugins:/app/plugins
      - "7777:7777"

Add whitelist.js Plugin to Lock Down Relay

** Another approach to strfry policies option. **

Add the following to you plugins directory:

#!/usr/bin/env node

const whiteList = {
    '003ba9b2c5bd8afeed41a4ce362a8b7fc3ab59c25b6a1359cae9093f296dac01': true,

const rl = require('readline').createInterface({
  input: process.stdin,
  output: process.stdout,
  terminal: false

rl.on('line', (line) => {
    let req = JSON.parse(line);

    if (req.type === 'lookback') { 
        return; // do nothing

    if (req.type !== 'new') {
        console.error("unexpected request type"); // will appear in strfry logs

    let res = { id: }; // must echo the event's id

    if (whiteList[req.event.pubkey]) {
        res.action = 'accept';
    } else {
        res.action = 'reject';
        res.msg = 'blocked: not on white-list';


Change the hex public key (003ba9b2c5bd8afeed41a4ce362a8b7fc3ab59c25b6a1359cae9093f296dac01) to yours and add others you want to allow to use the relay.

Make it executable:

sudo chmod +x whitelist.js

Create your strfry.conf in your /etc directory from above docker-compose.yml

## Default strfry config for relayable/strfry Docker

# Directory that contains the strfry LMDB database (restart required)
db = "./strfry-db/"

dbParams {
    # Maximum number of threads/processes that can simultaneously have LMDB transactions open (restart required)
    maxreaders = 256

    # Size of mmap() to use when loading LMDB (default is 10TB, does *not* correspond to disk-space used) (restart required)
    mapsize = 10995116277760

relay {
    # Interface to listen on. Use to listen on all interfaces (restart required)
    bind = ""

    # Port to open for the nostr websocket protocol (restart required)
    port = 7777

    # Set OS-limit on maximum number of open files/sockets (if 0, don't attempt to set) (restart required)
    nofiles = 1000000

    # HTTP header that contains the client's real IP, before reverse proxying (ie x-real-ip) (MUST be all lower-case)
    realIpHeader = ""

    info {
        # NIP-11: Name of this server. Short/descriptive (< 30 characters)
        name = "strfry docker test"

        # NIP-11: Detailed information about relay, free-form
        description = "This is a strfry instance."

        # NIP-11: Administrative nostr pubkey, for contact purposes
        pubkey = "unset"

        # NIP-11: Alternative administrative contact (email, website, etc)
        contact = "unset"

    # Maximum accepted incoming websocket frame size (should be larger than max event and yesstr msg) (restart required)
    maxWebsocketPayloadSize = 131072

    # Websocket-level PING message frequency (should be less than any reverse proxy idle timeouts) (restart required)
    autoPingSeconds = 55

    # If TCP keep-alive should be enabled (detect dropped connections to upstream reverse proxy)
    enableTcpKeepalive = false

    # How much uninterrupted CPU time a REQ query should get during its DB scan
    queryTimesliceBudgetMicroseconds = 10000

    # Maximum records that can be returned per filter
    maxFilterLimit = 500

    # Maximum number of subscriptions (concurrent REQs) a connection can have open at any time
    maxSubsPerConnection = 20

    writePolicy {
        # If non-empty, path to an executable script that implements the writePolicy plugin logic
        plugin = "./plugins/whitelist.js"

        # Number of seconds to search backwards for lookback events when starting the writePolicy plugin (0 for no lookback)
        lookbackSeconds = 0

    compression {
        # Use permessage-deflate compression if supported by client. Reduces bandwidth, but slight increase in CPU (restart required)
        enabled = true

        # Maintain a sliding window buffer for each connection. Improves compression, but uses more memory (restart required)
        slidingWindow = true

    logging {
        # Dump all incoming messages
        dumpInAll = false

        # Dump all incoming EVENT messages
        dumpInEvents = false

        # Dump all incoming REQ/CLOSE messages
        dumpInReqs = false

        # Log performance metrics for initial REQ database scans
        dbScanPerf = false

    numThreads {
        # Ingester threads: route incoming requests, validate events/sigs (restart required)
        ingester = 3

        # reqWorker threads: Handle initial DB scan for events (restart required)
        reqWorker = 3

        # reqMonitor threads: Handle filtering of new events (restart required)
        reqMonitor = 3

        # yesstr threads: Experimental yesstr protocol (restart required)
        yesstr = 1

events {
    # Maximum size of normalised JSON, in bytes
    maxEventSize = 65536

    # Events newer than this will be rejected
    rejectEventsNewerThanSeconds = 900

    # Events older than this will be rejected
    rejectEventsOlderThanSeconds = 94608000

    # Ephemeral events older than this will be rejected
    rejectEphemeralEventsOlderThanSeconds = 60

    # Ephemeral events will be deleted from the DB when older than this
    ephemeralEventsLifetimeSeconds = 300

    # Maximum number of tags allowed
    maxNumTags = 2000

    # Maximum size for tag values, in bytes
    maxTagValSize = 1024

Under the info section can add name, description, pubkey, and contact to fit your relay.

If using below nginx config you can change bind back to to make it more secure. Change any other settings you feel confident you need to alter.

Start your container with docker-compose to test working from directory with the docker-compose.yml file: sudo docker-compose up

This will start container in terminal. Once you are happy configuration is working can start as a daemon: sudo docker-compose up -d

Add Nginx Reverse Proxy and SSL

Install nginx on your relay: sudo apt-get update && sudo apt-get install nginx certbot python3-certbot-nginx

Remove default config: sudo rm -rf /etc/nginx/sites-available/default

Create new default config: sudo nano /etc/nginx/sites-available/default Add new reverse proxy config:

        location / {
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header Host $host;
            proxy_http_version 1.1;
            proxy_read_timeout 300s;
            proxy_connect_timeout 300s;
            proxy_send_timeout 300s;
            send_timeout 300s;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection "upgrade";

Change to your DNS name.

Restart nginx: sudo systemctl restart nginx

Add LetsEncrypt SSL Certificate

Use certbot to create new SSL and install it with nginx-plugin (replace with your DNS name): sudo certbot --nginx -d

Restart nginx again: sudo systemctl restart nginx

If no errors then good to go!

Testing and Usage

You can now install something like nostril to test your relay. Just use a testing nostr account you add to whitelist.js to test with. Or add relay to your client.

nostril --envelope --sec <your sec hex key> --content "docker container is working and whitelisting!" | websocat ws://localhost:7777

Using Other strfry Commands

See container name or ID: sudo docker ps

Enter container to get bash access: sudo docker exec -it <container> /bin/bash

This will show you have entered the running container. You can now run any strfry commands needed. See strfry readme for more.

bash-5.1# ./strfry --help

Congrats you now have a working strfry nostr relay!