Self-hosted error tracking with GlitchTip
What you get: a lightweight, Sentry-compatible error tracker (GlitchTip) in a Proxmox container — your apps’ existing Sentry SDKs point at it unchanged — with the dashboard locked behind SSO (Authentik) while error ingestion and the REST API still work. GlitchTip is the sweet spot: far lighter than self-hosted Sentry (~16 GB of services) and fully Sentry-SDK-compatible.
The one gotcha that matters: if you naïvely put “the whole thing” behind your auth proxy, error ingestion silently breaks — SDKs authenticate by DSN and can’t follow a login redirect. The fix is split routing. That’s the meat of this guide.
1. The container + stack
Unprivileged Docker LXC (Debian, nesting=1,keyctl=1), ~2 cores / 4 GB / 24 GB is plenty. Stack is three small
services:
# /opt/glitchtip/docker-compose.yml (from github.com/GlitchTip/glitchtip — web + worker + postgres + redis)
# key env in /opt/glitchtip/.env (gitignored):
SECRET_KEY=<random>
POSTGRES_PASSWORD=<random>
GLITCHTIP_DOMAIN=https://glitchtip.example.com
ENABLE_OPEN_USER_REGISTRATION=false # you're gating with SSO; don't allow self-signup
docker compose up -d
docker compose run --rm web ./manage.py createsuperuser # your admin account
Add a local DNS record for glitchtip.example.com → your reverse proxy.
2. Split routing — the important part
GlitchTip serves three things on one host, and they need different access rules. Put these routers in your proxy (Traefik example; the same logic applies to nginx/Caddy). Order by priority — most specific first.
| Router | Match | Middleware | Why |
|---|---|---|---|
| Ingest (prio 200) | PathRegexp(^/api/[0-9]+/(envelope|store|security|minidump|unreal)/) | lan-only only | SDKs POST events here with a DSN; they cannot follow a 302 to a login page. Must bypass auth. |
| REST API (prio 150) | PathPrefix(/api/0/) | lan-only only | Headless/CI clients (source-map upload) + scripts auth with a Bearer token, not a browser session. |
| Dashboard (prio 100) | / (everything else) | lan-only + Authentik forward-auth | The human UI — gate it behind SSO, admin-only. |
Why it works: the browser UI is protected by SSO, but the two API surfaces authenticate themselves (DSN / Bearer token), so they skip the auth proxy. Verify:
curl -I https://glitchtip.example.com/ # -> 302 to Authentik (gated) ✓
curl -X POST https://glitchtip.example.com/api/1/envelope/ # -> 4xx FROM GlitchTip, not a 302 (reached the app) ✓
curl https://glitchtip.example.com/api/0/ # -> 401 (needs a token), not a redirect ✓
curl -H "Authorization: Bearer <token>" https://glitchtip.example.com/api/0/ # -> 200 ✓
If your /api/1/envelope/ test returns a 302, your ingest route is still behind the auth gate — fix the priority/
match so ingest is lan-only only.
3. Wire up an app + upload source maps
- In GlitchTip, create an org/project, grab the DSN, and point your app’s Sentry SDK at it (self-hosted URL). That alone gives you errors.
- For readable stack traces on a JS/Next.js app, upload source maps with a GlitchTip auth token (least-
privilege scopes:
project:read, project:releases, event:read, org:read). For@sentry/nextjsself-hosted:
Because uploads hitSENTRY_URL=https://glitchtip.example.com/ SENTRY_ORG=<your-org> SENTRY_PROJECT=<your-project> SENTRY_AUTH_TOKEN=<the token>/api/0/(the token-bypass route), a LAN build can push directly — no browser login.
Gotchas recap
- Split routing is mandatory — ingest (
/api/N/envelope|store|...) and the REST API (/api/0/) must bypass your SSO proxy; only the dashboard (/) is gated. Miss this and errors silently stop arriving. - Disable open registration when you gate with SSO (
ENABLE_OPEN_USER_REGISTRATION=false) so nobody self-signs-up past the gate. - LAN-only for a homelab — GlitchTip holds your app internals; don’t expose it publicly unless you add a public ingest route deliberately.
- Least-privilege API tokens — a source-map/CI token only needs read + releases, not admin.
Written from a working deployment: GlitchTip in an unprivileged Docker LXC on Proxmox, dashboard behind Authentik
forward-auth (admin-only), with dedicated lan-only bypass routers for the ingest firehose and the /api/0/ REST
API. Adjust IPs/domain to your setup.
Written by James Brooks — I run ThatNerdKnows (IT support + websites for small businesses). This is the deep end; if you’d rather just have it handled, that’s the day job.