Self-Hosted CRM: Run Your Own CRM Server
Running your own CRM server is a practical choice for businesses that want data ownership without vendor lock-in. The process is straightforward with modern tools like Docker, and any team comfortable managing a Linux server can maintain a production CRM deployment reliably. Here is how to approach each stage.
Step 1: Choose Your Hosting Infrastructure
Your hosting choice affects cost, performance, control, and operational complexity. There are three main approaches, each with clear trade-offs.
VPS (Virtual Private Server) is the most popular option for small and mid-sized CRM deployments. Providers like DigitalOcean, Hetzner, Linode, and Vultr offer virtual servers starting at $5 to $20 per month. For a CRM serving 5 to 20 users, a VPS with 2 CPU cores, 4 GB RAM, and 80 GB SSD storage is sufficient. Hetzner's European data centers are popular for GDPR-compliant deployments, offering strong hardware at competitive prices. A VPS gives you root access, dedicated resources, and full control over the software stack, while the provider handles the underlying hardware, network, and power infrastructure.
Cloud instances from AWS (EC2), Google Cloud (Compute Engine), or Azure provide the same virtual server capabilities with added features like auto-scaling, managed databases, and snapshot backups. Cloud instances make sense when you already operate in one of these ecosystems and want your CRM on the same network as your other services. The cost is typically higher than a VPS for equivalent resources, but the management tooling and integration options can justify the premium for larger deployments.
Bare metal or on-premises servers provide maximum control and predictable performance. For organizations with existing server infrastructure, data center space, and IT staff, adding a CRM server to the existing fleet may be the most cost-effective option. This approach is common in regulated industries like healthcare or finance where data must remain on infrastructure the organization physically controls. The trade-off is full responsibility for hardware maintenance, redundancy, and disaster recovery.
For most businesses starting with self-hosted CRM, a VPS from a reputable provider offers the best balance of cost, control, and simplicity. You can always migrate to a larger instance or different provider later. The CRM data is portable because you control the database.
Step 2: Provision and Secure the Server
Start with a fresh installation of Ubuntu 22.04 LTS or Debian 12, the two most widely supported Linux distributions for CRM hosting. Both have long-term support cycles, extensive package repositories, and comprehensive documentation.
Immediately after provisioning, perform the basic security hardening that every internet-facing server requires. Create a non-root user account with sudo privileges and disable root SSH login. Configure SSH key-based authentication and disable password authentication entirely. Install and enable UFW (Uncomplicated Firewall) or iptables, allowing only ports 22 (SSH), 80 (HTTP), and 443 (HTTPS). Enable automatic security updates with the unattended-upgrades package, which is available on both Ubuntu and Debian. Install fail2ban to automatically block IP addresses that attempt brute-force SSH access.
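The SSH part of this hardening can be verified rather than assumed. The script below is an added example, not part of the original guide: it checks the effective configuration printed by sshd -T, which also reflects drop-in files under /etc/ssh/sshd_config.d/. The function name and the sample input are constructed for illustration.

```sh
#!/bin/sh
# Added example: compare the effective sshd settings with the hardening steps.
# Input is the output of `sshd -T` (lowercase keyword, space, value).

audit_sshd() {
  awk '
    BEGIN {
      want["permitrootlogin"] = "no"
      want["passwordauthentication"] = "no"
      want["kbdinteractiveauthentication"] = "no"   # PAM prompts can still accept passwords
      want["pubkeyauthentication"] = "yes"
      n = split("permitrootlogin passwordauthentication kbdinteractiveauthentication pubkeyauthentication", order, " ")
    }
    # sshd -T prints each keyword once; keep the first value defensively.
    ($1 in want) && !($1 in seen) { seen[$1] = $2 }
    END {
      bad = 0
      for (i = 1; i <= n; i++) {
        k = order[i]
        if (!(k in seen)) { print "MISSING " k; bad = 1 }
        else if (seen[k] != want[k]) { print "FAIL " k "=" seen[k] " (want " want[k] ")"; bad = 1 }
      }
      exit bad
    }'
}

# Constructed sample: password logins are off, but root may still log in with a key.
SAMPLE_SSHD_T='port 22
permitrootlogin without-password
pubkeyauthentication yes
passwordauthentication no
kbdinteractiveauthentication no'

# On a real host: sudo sshd -T | audit_sshd
printf '%s\n' "$SAMPLE_SSHD_T" | audit_sshd || echo "hardening incomplete"
```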
If you plan to use Docker for your CRM deployment (recommended), install Docker Engine and Docker Compose. The official Docker installation script handles repository setup and package installation on both Ubuntu and Debian. Add your non-root user to the docker group so you can run Docker commands without sudo. Membership in the docker group is equivalent to root access on the host, so grant it only to accounts you would also trust with sudo.
If you plan a traditional LAMP installation instead of Docker, install Apache or Nginx, PHP 8.1+ with required extensions (mysql, gd, curl, mbstring, xml, zip, imap), and MySQL or MariaDB. Configure the web server with appropriate virtual host settings and PHP-FPM for performance.
Step 3: Install the CRM Application
Docker Compose is the recommended deployment method for all three major open source CRMs. It packages the application, database, and supporting services into isolated containers that are reproducible and easy to upgrade.
For SuiteCRM, the official Bitnami Docker image provides a pre-configured stack. Create a docker-compose.yml that defines the SuiteCRM application container and a MariaDB database container. Map a persistent volume for the database data and the SuiteCRM upload directory. Set environment variables for the database credentials and the initial admin account. Run docker compose up -d and access the web interface to complete the setup wizard.
For EspoCRM, the official Docker image is available on Docker Hub. The docker-compose.yml defines the EspoCRM application, a MySQL database, and optionally a daemon container for scheduled jobs. Mount persistent volumes for the database and the EspoCRM data directory. Configure environment variables for database connection and SMTP settings. Start the containers and access the web installer to complete configuration.
For Twenty, the official docker-compose.yml from the Twenty repository defines the application server, PostgreSQL database, and Redis cache. Configure the environment file with your server URL, database credentials, and email settings. Twenty generates encryption keys during first startup. Pull the images and start the stack with docker compose up -d. The application is immediately accessible on the configured port.
For detailed, command-by-command installation instructions, see our dedicated Docker CRM installation guide.
Step 4: Configure TLS and Domain
Every production CRM must run behind HTTPS. Customer data transmitted over unencrypted connections is vulnerable to interception, and modern browsers display security warnings on HTTP pages that will undermine user confidence.
Point your chosen domain or subdomain (such as crm.yourdomain.com) to your server's IP address by creating an A record in your DNS provider. Install Nginx as a reverse proxy in front of your Docker-based CRM. Configure Nginx to proxy requests to the CRM application's internal port. Use Certbot with the Let's Encrypt integration to obtain and auto-renew a free TLS certificate. Certbot's Nginx plugin can configure the TLS settings and redirect HTTP to HTTPS automatically.
Verify the TLS configuration by accessing your CRM at the HTTPS URL and confirming the browser shows a valid certificate. Use an SSL testing tool like SSL Labs to verify that the configuration meets current security standards. Configure HSTS (HTTP Strict Transport Security) headers to ensure browsers always use HTTPS for your CRM domain.
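Docker publishes ports by writing its own iptables rules, so a container port published on all interfaces stays reachable from the internet even when UFW allows only 22, 80, and 443. The check below is an added example, not from the original guide, that flags such ports in docker ps output so that only Nginx faces the network; the function name, container names, and sample listing are constructed.

```sh
#!/bin/sh
# Added example: list container ports published on every interface.
# Input: lines of "<name><TAB><ports>", as printed by
#   docker ps --format "{{.Names}}$(printf '\t'){{.Ports}}"

wildcard_publishes() {
  awk -F '\t' '{
    n = split($2, maps, ", *")
    for (i = 1; i <= n; i++) {
      m = maps[i]
      if (m !~ /->/) continue             # "3306/tcp": exposed only, not published
      host = m; sub(/->.*/, "", host)     # "0.0.0.0:8080", ":::8080" or "[::]:8080"
      port = host; sub(/.*:/, "", port)
      addr = substr(host, 1, length(host) - length(port) - 1)
      if (addr == "0.0.0.0" || addr == "::" || addr == "[::]")
        print $1, port
    }
  }' | sort -u
}

# Constructed sample: the app is bound to loopback for Nginx, the database is not.
SAMPLE_PS=$(printf '%s\t%s\n' \
  crm-app   '127.0.0.1:8080->8080/tcp' \
  crm-db    '0.0.0.0:3306->3306/tcp, :::3306->3306/tcp' \
  crm-cache '6379/tcp')

printf '%s\n' "$SAMPLE_PS" | wildcard_publishes    # prints: crm-db 3306
```

Any line this prints is a service that bypasses the reverse proxy; bind it to 127.0.0.1 in the compose file or drop the port mapping.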
Step 5: Set Up Backups and Monitoring
Your CRM database contains critical business data that cannot be recreated. A reliable backup strategy is not optional for any production deployment.
For Docker deployments, create a backup script that dumps the database to a SQL file, compresses it, and copies it to a remote location. For MySQL/MariaDB (SuiteCRM and EspoCRM), use mysqldump executed inside the database container. For PostgreSQL (Twenty), use pg_dump. Schedule the backup script with cron to run daily at a time when CRM usage is lowest, typically early morning.
Store backups in at least two separate locations. A local backup on the same server protects against accidental data deletion. A remote backup on a different server, S3 bucket, or Backblaze B2 account protects against server failure. Retain daily backups for 14 days, weekly backups for 8 weeks, and monthly backups for 12 months. This rotation provides multiple recovery points without consuming excessive storage.
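The retention schedule above, together with the in-container dump from the previous paragraph, as an added example that is not part of the original guide. It assumes dumps named crm-YYYY-MM-DD.sql.gz, a compose service called db with MARIADB_ROOT_PASSWORD set, GNU date, Sunday's dump as the weekly copy and the dump from the 1st as the monthly copy; all function names are illustrative.

```sh
#!/bin/sh
# Added example. Assumptions: dumps are named crm-YYYY-MM-DD.sql.gz, the
# compose service is "db" with MARIADB_ROOT_PASSWORD set, GNU date is present.

# keep_backup DATE TODAY: succeeds if DATE falls in a retention tier.
keep_backup() {
  kb_age=$(( ( $(date -u -d "$2" +%s) - $(date -u -d "$1" +%s) ) / 86400 ))
  [ "$kb_age" -lt 14 ] && return 0                                        # daily, 14 days
  [ "$(date -u -d "$1" +%u)" = 7 ] && [ "$kb_age" -lt 56 ] && return 0    # Sundays, 8 weeks
  [ "$(date -u -d "$1" +%d)" = 01 ] && [ "$kb_age" -le 365 ] && return 0  # 1st of month, ~12 months
  return 1
}

# prune_candidates TODAY: file names on stdin, prints the ones to delete.
prune_candidates() {
  while IFS= read -r pc_f; do
    case $pc_f in
      crm-[0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9].sql.gz) ;;
      *) continue ;;                      # not one of our dumps: leave it alone
    esac
    pc_d=${pc_f#crm-}; pc_d=${pc_d%.sql.gz}
    date -u -d "$pc_d" +%s >/dev/null 2>&1 || continue   # impossible date: skip
    keep_backup "$pc_d" "$1" || printf '%s\n' "$pc_f"
  done
}

# dump_db DIR: dump inside the container; keep the archive only if the dump succeeded.
dump_db() (
  umask 077                               # dumps hold every customer record
  dd_tmp="$1/.crm-dump.$$"
  docker compose exec -T db sh -c \
    'exec mysqldump --single-transaction --all-databases -uroot -p"$MARIADB_ROOT_PASSWORD"' \
    > "$dd_tmp" && [ -s "$dd_tmp" ] || { rm -f "$dd_tmp"; exit 1; }
  gzip -c "$dd_tmp" > "$1/crm-$(date -u +%F).sql.gz" && rm -f "$dd_tmp"
)

# Constructed listing, evaluated as if today were 2024-06-30:
printf '%s\n' crm-2024-06-20.sql.gz crm-2024-06-16.sql.gz crm-2024-06-12.sql.gz \
  crm-2024-05-01.sql.gz crm-2024-04-28.sql.gz notes.txt | prune_candidates 2024-06-30
```

Review the printed names before passing them to rm, and run the same pruning against the remote copy so both locations follow one schedule.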
Test your backups regularly. A backup you have never restored is a backup you cannot trust. At minimum, perform a full restore test quarterly by spinning up a temporary server, loading the backup, and verifying that the CRM application works correctly with the restored data.
Set up uptime monitoring with a free service like Uptime Kuma (self-hosted), UptimeRobot, or Hetrix Tools. Configure alerts by email or SMS so you know within minutes if the CRM becomes unreachable. Monitor disk space, CPU usage, and memory consumption to catch resource exhaustion before it causes downtime.
Step 6: Harden for Production Use
With the CRM running and accessible, several additional measures prepare it for reliable production use.
Enable two-factor authentication for all CRM user accounts, especially administrator accounts. SuiteCRM supports TOTP (Time-based One-Time Password) through built-in settings. EspoCRM supports two-factor authentication via the admin panel. Twenty supports TOTP through its security settings. This single measure prevents the most common account compromise vector: password reuse and credential stuffing attacks.
Configure role-based access control to limit what each user can see and do. Sales representatives should see their own deals and contacts but not system administration. Managers should see team-wide data but not necessarily modify system configuration. Administrators should be the only users with access to settings, user management, and data exports. The principle of least privilege reduces both the impact of account compromise and the risk of accidental data modifications.
Set up log rotation to prevent application and web server logs from filling the disk. Configure logrotate to compress and rotate CRM application logs, Nginx access and error logs, and Docker container logs. For Docker specifically, configure the json-file logging driver with max-size and max-file options in the daemon.json to prevent uncontrolled log growth.
Establish an update schedule. Monitor the CRM project's release channels for security patches and version updates. Apply security patches promptly, ideally within a week of release. Plan major version upgrades for quarterly maintenance windows, testing the upgrade on a staging copy before applying it to production. Subscribe to the project's security mailing list or GitHub release notifications to stay informed about critical updates.
Configure email integration with SMTP settings for outgoing mail (notifications, password resets, workflow emails) and IMAP settings for incoming email capture. Use a dedicated SMTP service like Amazon SES, Mailgun, or your existing email provider rather than running a local mail server, which adds significant operational complexity and deliverability challenges.
Cost Comparison: Self-Hosted vs SaaS CRM
For a team of 25 users, the annual cost comparison illustrates why self-hosting is compelling. Salesforce Enterprise Edition at $165 per user per month costs $49,500 annually. HubSpot Sales Hub Professional at $100 per user per month runs $30,000. A self-hosted CRM on a $40/month VPS with Docker costs $480 per year for hosting, plus the value of internal time for maintenance. Even accounting for initial setup effort and ongoing administration, the self-hosted option typically costs 90 percent less over a three-year period.
The hidden cost of self-hosting is time. Someone on your team needs to maintain the server, apply updates, manage backups, and troubleshoot issues. For organizations with IT staff, this is a marginal addition to existing responsibilities. For organizations without technical staff, managed hosting from the CRM vendor (SuiteCRM, EspoCRM, or Twenty all offer hosted plans) provides a middle ground that is still significantly cheaper than proprietary SaaS pricing.
Self-hosting a CRM is accessible to any team comfortable with basic Linux server management. Docker Compose deployment, Let's Encrypt TLS, and automated backups handle the core operational requirements. The investment in setup and maintenance pays for itself many times over compared to per-seat SaaS pricing, while giving you complete control over your customer data.