Skip to content
James Brooks // thatnerdknows
all writing
// writing

Self-hosted error tracking with GlitchTip

June 12, 2026 · #glitchtip #proxmox #authentik #self-hosting

What you get: a lightweight, Sentry-compatible error tracker (GlitchTip) in a Proxmox container — your apps’ existing Sentry SDKs point at it unchanged — with the dashboard locked behind SSO (Authentik) while error ingestion and the REST API still work. GlitchTip is the sweet spot: far lighter than self-hosted Sentry (~16 GB of services) and fully Sentry-SDK-compatible.

The one gotcha that matters: if you naïvely put “the whole thing” behind your auth proxy, error ingestion silently breaks — SDKs authenticate by DSN and can’t follow a login redirect. The fix is split routing. That’s the meat of this guide.


1. The container + stack

Unprivileged Docker LXC (Debian, nesting=1,keyctl=1), ~2 cores / 4 GB / 24 GB is plenty. Stack is three small services:

# /opt/glitchtip/docker-compose.yml  (from github.com/GlitchTip/glitchtip — web + worker + postgres + redis)
# key env in /opt/glitchtip/.env (gitignored):
SECRET_KEY=<random>
POSTGRES_PASSWORD=<random>
GLITCHTIP_DOMAIN=https://glitchtip.example.com
ENABLE_OPEN_USER_REGISTRATION=false          # you're gating with SSO; don't allow self-signup
docker compose up -d
docker compose run --rm web ./manage.py createsuperuser   # your admin account

Add a local DNS record for glitchtip.example.com → your reverse proxy.

2. Split routing — the important part

GlitchTip serves three things on one host, and they need different access rules. Put these routers in your proxy (Traefik example; the same logic applies to nginx/Caddy). Order by priority — most specific first.

RouterMatchMiddlewareWhy
Ingest (prio 200)PathRegexp(^/api/[0-9]+/(envelope|store|security|minidump|unreal)/)lan-only onlySDKs POST events here with a DSN; they cannot follow a 302 to a login page. Must bypass auth.
REST API (prio 150)PathPrefix(/api/0/)lan-only onlyHeadless/CI clients (source-map upload) + scripts auth with a Bearer token, not a browser session.
Dashboard (prio 100)/ (everything else)lan-only + Authentik forward-authThe human UI — gate it behind SSO, admin-only.

Why it works: the browser UI is protected by SSO, but the two API surfaces authenticate themselves (DSN / Bearer token), so they skip the auth proxy. Verify:

curl -I https://glitchtip.example.com/                       # -> 302 to Authentik (gated) ✓
curl -X POST https://glitchtip.example.com/api/1/envelope/   # -> 4xx FROM GlitchTip, not a 302 (reached the app) ✓
curl https://glitchtip.example.com/api/0/                     # -> 401 (needs a token), not a redirect ✓
curl -H "Authorization: Bearer <token>" https://glitchtip.example.com/api/0/   # -> 200 ✓

If your /api/1/envelope/ test returns a 302, your ingest route is still behind the auth gate — fix the priority/ match so ingest is lan-only only.

3. Wire up an app + upload source maps

  • In GlitchTip, create an org/project, grab the DSN, and point your app’s Sentry SDK at it (self-hosted URL). That alone gives you errors.
  • For readable stack traces on a JS/Next.js app, upload source maps with a GlitchTip auth token (least- privilege scopes: project:read, project:releases, event:read, org:read). For @sentry/nextjs self-hosted:
    SENTRY_URL=https://glitchtip.example.com/
    SENTRY_ORG=<your-org>   SENTRY_PROJECT=<your-project>
    SENTRY_AUTH_TOKEN=<the token>
    Because uploads hit /api/0/ (the token-bypass route), a LAN build can push directly — no browser login.

Gotchas recap

  1. Split routing is mandatory — ingest (/api/N/envelope|store|...) and the REST API (/api/0/) must bypass your SSO proxy; only the dashboard (/) is gated. Miss this and errors silently stop arriving.
  2. Disable open registration when you gate with SSO (ENABLE_OPEN_USER_REGISTRATION=false) so nobody self-signs-up past the gate.
  3. LAN-only for a homelab — GlitchTip holds your app internals; don’t expose it publicly unless you add a public ingest route deliberately.
  4. Least-privilege API tokens — a source-map/CI token only needs read + releases, not admin.

Written from a working deployment: GlitchTip in an unprivileged Docker LXC on Proxmox, dashboard behind Authentik forward-auth (admin-only), with dedicated lan-only bypass routers for the ingest firehose and the /api/0/ REST API. Adjust IPs/domain to your setup.


Written by James Brooks — I run ThatNerdKnows (IT support + websites for small businesses). This is the deep end; if you’d rather just have it handled, that’s the day job.