ThreatGet can be deployed on any server, Windows or Linux. We will demonstrate deployment using as an example Ubuntu LTS.


One first needs to install Docker and Docker Compose on the server. The setup of Docker is described here. The setup of Docker Compose is described here.

The next step is to log in to the docker repository of AIT.

sudo docker login

The username and password have been supplied to you by AIT.

Finally, we need a folder for the database backups:

sudo mkdir -p /var/backups/postgres

Setting up a docker configuration

Create a folder name threatget. The folder can be anywhere. We assume it to be in your home directory for this manual. In that folder create a file docker-compose.yml with he following content:

version: '3'

    image: postgres:10
    restart: always
        - POSTGRES_DB=threatget
        - POSTGRES_USER=threatget
        - data:/var/lib/postgresql/data
      - db
    restart: always
      - "80:8080"

      - db
    image: postgres:10
      - /var/backups/postgres:/var/backups
    command: /bin/bash -c  'pg_dump --dbname=postgresql://threatget:${DATABASE_PASSWORD}@db:5432/threatget -F c -f /var/backups/${HOST}-$$(date +%F_%H-%M-%S).dump'


and also create a config file called .env. Note the dot (.) in the beginning.

# User Config

The THREATGET_VERSION should contain the latest threatget release. AIT will notify you when new releases are available.
The HOST should be the hostname the server will later be available under. PROTOCOL specifies the protocol the server is available under. We will discuss HTTPS setup below.
The DATABASE_PASSWORD should be changed to a random password. It is only used for the two docker instance to communicate securely.
The INITIAL_ADMIN_PASSWORD specifies the password of the admin user on the web interface. This setting only takes effect on first start. Aftewards the admin password can be changed in the web interface.
The INITIAL_LICENSE_KEY is the license key you received from AIT. This setting only takes effect on first start. Aftewards the license key can be changed in the web interface.

Proxy Server

ThreatGet needs to establish outgoing connections to for license verification and updates of elements and rules. If outgoing connections require a proxy server it can be configured as follows:

        - HTTPS_PROXY_PORT=8888
        - HTTPS_PIN_CERT=MIIDsjCCApqgAwI...pxpX/Ic=
        - HTTPS_IGNORE_CERTS=false

ThreatGet respects environment variables HTTPS_PROXY_HOST and HTTPS_PROXY_PORT to specific the proxy server and port.

Further some proxy servers open TLS connections and reencrypt the connection using their own root certificate. The variable HTTPS_PIN_CERT can be used to supply the root certificate. ThreatGet will then only accept this certificate as a root certificate. The value of the variable is a base64 encoded DER certificate without newline. This can be obtained using cat rootCA.cer| base64 -w 0, where rootCA.cer is a DER encoded certifacte. A PAM encoded certificate can be encoded to DER using openssl x509 -in rootCA.pem -outform DER -out rootCA.cer. If a root certificate cannot be specified it is possible to completely disable certificate checking by specifying HTTPS_IGNORE_CERTS=true. Note that HTTPS_IGNORE_CERTS is ignored when HTTPS_PIN_CERT is set. HTTPS_IGNORE_CERTS is dangerous as it allows the connection to be manipulated by a man-in-the-middle attack. Setting HTTPS_IGNORE_CERTS is not recommended.

Starting and stopping the containers

The containers can be started using

cd ~/threatget
sudo docker-compose up -d

The containers can be stopped using

cd ~/threatget
sudo docker-compose down


It is best practice to make a backup of the database as often as possible, at least daily.

The database backup can be initiated as root using cd /home/username/docker; docker-compose start backup. Subsequently the backup is stored in /var/backups/postgres. From there it should be copied off the machine to a secure backup location.


This operation will erase all content of the database. Please create a backup before initiating a restore.

Make sure that the db container is up and running, but the threatget container is stopped.

cd ~/threatget
sudo docker-compose start db
sudo docker-compose stop threatget

Then we are ready to restore the database. The file with the backup on the host machine in this example is /var/backups/postgres/

sudo docker-compose exec -T db pg_restore -C -c -F c -d postgres -U threatget < /var/backups/postgres/

Then we can start the threatget container again.

sudo docker-compose start threatget

SSL connectivity

To allow access to the website via SSL you will need a certificate for the desired domain. SSL certificates are sold by certification authorities. If the website is reachable from the Internet (as opposed to being firewalled) Let's Encrypt can be used to obtain a free certificate.

The recommended setup is to have the ThreatGet administration interface only available from the company network and use a commercial certificate.

To this end the following lines in the docker-compose.yml file above need to be adjusted:

      - "80:8080"


      - "8080:8080"

As well as adjusting PROTOCOL=http to PROTOCOL=https in the .env file.

After that the containers need to be restarted:

cd ~/threatget
sudo docker-compose down
sudo docker-compose up -d

Reverse proxy

Any reverse proxy that can terminate SSL is suitable. We will demonstrate the configuration using apache2. Apache2 can be installed using

sudo apt-get install apache2
sudo a2enmod proxy_http ssl rewrite

We will then create a file /etc/apache2/sites-available/threatget.conf with the following content. Note that /etc/ssl/certificate.pem and /etc/ssl/privkey.pem are provided by your SSL certificate vendor and must be installed prior. Also the hostname needs to be adjusted to your domain name.

<VirtualHost *:80>

RewriteEngine on
RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]

<VirtualHost *:443>

ProxyPass "/"  "http://localhost:8080/"
ProxyPassReverse "/"  "http://localhost:8080/"

SSLCertificateFile /etc/ssl/certificate.pem
SSLCertificateKeyFile /etc/ssl/privkey.pem

SSLEngine on

# Intermediate configuration, tweak to your needs
SSLProtocol             all -SSLv2 -SSLv3
SSLHonorCipherOrder     on
SSLCompression          off

SSLOptions +StrictRequire

Finally you can enable the site and reload the apache config:

sudo a2ensite threatget
sudo systemctl reload apache2

Your ThreatGet instance will subsequently be available under https and http requests are automatically redirected to https.