1. Architecture
Once your dedicated DQE One Standalone server instance is up and running, you can launch and expose the backend application from your virtual machine.
This document describes an example configuration to set up the Standalone backend server instance on a Windows Server 2022 virtual machine. Docker Compose runs inside WSL2 (Windows Subsystem for Linux 2) because Docker CE on Windows Server cannot run Linux containers natively. This document does not cover the full security layer of your own environment.
The backend application is deployed with Docker Compose. NGINX runs as a container and is exposed over HTTPS.
Recommended architecture
Internet
|
HTTPS:443
|
NGINX (container)
|
http://dqeone:8000
|
DQE One Standalone backend
Security measures
- Protocols and ports: expose the application publicly through HTTPS on port 443. The Docker application itself listens on port 8000 and remains behind NGINX on the internal Docker network.
- IP filtering: depending on your architecture, restrict inbound access to trusted IP addresses only.
- SSL certificate: if the VM is directly exposed to the internet, it must have a DNS entry and an associated SSL certificate.
Recommendation
In this section, we describe the list of components required to install the DQE One Standalone instance on a Windows Server VM.
- Server type: Windows Server 2022 (64-bit).
- Container runtime: Docker CE running inside WSL2 (Ubuntu) — required because Docker CE on Windows Server cannot run Linux containers natively.
Hardware requirements:
| Component | Minimum | Recommended |
|---|---|---|
| CPU | 1 vCPU | 2 vCPUs |
| RAM | 3 GB | 5 GB |
| Disk | 10 GB SSD | 30 GB SSD |
| Network | 100 Mbit/s | 1 Gbit/s |
Composition and services
The stack is composed of Docker images orchestrated via Docker Compose. Each service runs as a container. Services communicate with each other via their service name on the internal Docker network.
2. Installation
All installation steps are performed on the Windows Server VM. Steps marked [PowerShell] must be run in PowerShell as Administrator. Steps marked [WSL2] must be run in the Ubuntu WSL2 terminal.
2.1. Prerequisites
Connect to the Windows Server VM using one of the available connection options (RDP, Azure Bastion, etc.) and open PowerShell as Administrator.
Create the application directory structure from PowerShell:
New-Item -ItemType Directory -Path "C:\dqe-standalone"
New-Item -ItemType Directory -Path "C:\dqe-standalone\nginxconf"
New-Item -ItemType Directory -Path "C:\dqe-standalone\ssl"
WSL2 installation [PowerShell]
Enable the required Windows features:
dism.exe /online /enable-feature /featurename:Microsoft-Windows-Subsystem-Linux /all /norestart
dism.exe /online /enable-feature /featurename:VirtualMachinePlatform /all /norestart
Enable-WindowsOptionalFeature -Online -FeatureName Containers -All -NoRestart
/!\ Reboot required — Restart the VM after enabling these features before continuing.
After reboot, open PowerShell as Administrator and install Ubuntu:
wsl --set-default-version 2
wsl --install -d Ubuntu
A terminal opens asking you to create a Unix username and password. Complete the setup before continuing.
Docker & Docker Compose installation [WSL2]
Open the Ubuntu WSL2 terminal and run:
curl -fsSL https://get.docker.com | sudo sh
Note: The script detects WSL and recommends Docker Desktop — ignore the message and wait 20 seconds for the installation to continue automatically. Docker Compose is included in this installation.
Add your user to the docker group and start the service:
sudo usermod -aG docker $USER
sudo service docker start
Close and reopen the WSL2 terminal, then verify:
docker --version
docker compose version
Note: The Docker service must be started manually each time the WSL2 session opens: sudo service docker start
NGINX configuration [PowerShell]
NGINX runs as a container — there is no host-level installation. You only need to create the configuration file. Open it in Notepad from PowerShell:
notepad C:\dqe-standalone\nginxconf\default.conf
Paste the following content and save:
server {
    listen 443 ssl;
    server_name myserver.example.com;
    ssl_certificate /etc/nginx/ssl/[MY_CERTIFICATE].pem;
    ssl_certificate_key /etc/nginx/ssl/[MY_PRIVATE_KEY].key;
    ssl_protocols TLSv1.2 TLSv1.3;
    location / {
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header Host $host;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "Upgrade";
        proxy_http_version 1.1;
        proxy_set_header X-Forwarded-Host $host;
        proxy_set_header X-Forwarded-Server $host;
        proxy_set_header Cookie $http_cookie;
        proxy_set_header Referer $http_referer;
        proxy_pass http://dqeone:8000;
    }
    access_log /var/log/nginx/dqeone-standalone.log;
    error_log /var/log/nginx/dqeone-standalone-error.log error;
}
Note: Unlike the Linux installation where NGINX runs on the host and proxies to http://127.0.0.1:8000, in Docker Compose services communicate via their service name — the proxy target is http://dqeone:8000.
Place the SSL certificate and private key files in C:\dqe-standalone\ssl\ before starting the containers.
2.2. Docker Compose file
Create the file C:\dqe-standalone\docker-compose.yml with the following content using Notepad:
notepad C:\dqe-standalone\docker-compose.yml
services:
  redis:
    container_name: redis
    image: dqeone.azurecr.io/dqe-one-redis:v1.0
    hostname: redis
    logging:
      driver: none
    ports:
      - "6379:6379"
    volumes:
      - redis_data:/data
    networks:
      - standalone-net
  rabbitmq:
    image: dqeone.azurecr.io/dqe-one-rabbitmq:v1.0
    container_name: rabbitmq
    hostname: rabbitmq
    logging:
      driver: none
    depends_on:
      - redis
    environment:
      RABBITMQ_DEFAULT_PASS: guest
      RABBITMQ_DEFAULT_USER: guest
      RABBITMQ_DEFAULT_VHOST: admin
    volumes:
      - rabbitmq_data:/var/lib/rabbitmq/
      - rabbitmq_log:/var/log/rabbitmq/
    ports:
      - "15672:15672"
    networks:
      - standalone-net
  nginx:
    image: nginx:latest
    platform: linux/amd64
    container_name: nginx
    restart: always
    ports:
      - "443:443"
    volumes:
      - /mnt/c/dqe-standalone/nginxconf:/etc/nginx/conf.d:ro
      - /mnt/c/dqe-standalone/ssl:/etc/nginx/ssl:ro
    depends_on:
      - dqeone
    networks:
      - standalone-net
  dqeone:
    container_name: dqeone
    image: dqeone.azurecr.io/standalone:v1.4.0
    hostname: dqeone
    expose:
      - "8000"
    ports:
      - "8000:8000"
    depends_on:
      - redis
      - rabbitmq
      - postgres
    environment:
      - SFAPIVERSION=v65.0
      - CREATE_SUPERUSER=true
      - RUN_COLLECTSTATIC=false
      - DQE_ONE_SERVER_ADMIN_USER=<admin_user>
      - DQE_ONE_SERVER_ADMIN_PASSWORD=<admin_password>
      - DQE_CLIENT_LICENCE=<client_licence>
      - WEBSITE_HOSTNAME=https://<your-domain>
      - SECRET_ENCRYPTION_KEY=<secret_encryption_key>
      - WAIT_HOSTS=redis:6379
      - WAIT_HOSTS_TIMEOUT=300
      - WAIT_SLEEP_INTERVAL=5
      - WAIT_HOST_CONNECT_TIMEOUT=30
      - REDIS_URL=redis://redis:6379
      - PORT=8000
      - DEBUG=false
      - DB_USER=dqeone
      - DB_PASSWORD=<database_password>
      - DB_NAME=dqeone
      - DB_HOST=postgres
      - DB_VOLUME_PATH=./db/
      - DB_MAX_CAPACITY=8000000000
      - AUTHORIZED_SFTP_HOSTS=<authorized_sftp_hosts>
    command:
      - "bash"
      - "./entrypoint.sh"
    networks:
      - standalone-net
  postgres:
    container_name: postgres
    image: dqeone.azurecr.io/dqe-one-postgres:v1.0
    logging:
      driver: none
    environment:
      POSTGRES_USER: dqeone
      POSTGRES_PASSWORD: <database_password>
      POSTGRES_DB: dqeone
    expose:
      - "5432"
    ports:
      - "5432:5432"
    volumes:
      - postgres_data:/var/lib/postgresql/data
    networks:
      - standalone-net
volumes:
  rabbitmq_data:
  rabbitmq_log:
  redis_data:
  postgres_data:
networks:
  standalone-net:
    driver: bridge
Important: replace all placeholder values between
<...> with the values provided or generated for the customer
installation.
Important: use the image versions provided by DQE. Do not
replace them with the latest tag, as some images may not be
published with this tag.
Key points:
- All data volumes (redis_data, rabbitmq_data, rabbitmq_log, postgres_data) are Docker named volumes stored in the WSL2 Linux filesystem. Bind mounts to the Windows NTFS filesystem are not used because NTFS does not support the chown operations required by these containers.
- The NGINX config and SSL certificates are mounted from /mnt/c/dqe-standalone/nginxconf and /mnt/c/dqe-standalone/ssl — the Windows folders accessible via WSL2.
- platform: linux/amd64 is specified on the NGINX image to force Docker (running in WSL2 on a Windows host) to pull the Linux version.
- Security note: do not publish real customer credentials, licence keys, encryption keys, registry passwords, or database passwords in the documentation.
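The architecture section exposes only NGINX on 443, while the compose file above also publishes 6379, 15672, 8000 and 5432 on the host. The following audit is an added example, not DQE's code: it walks the JSON printed by `docker compose config --format json` and lists every setting that widens exposure. The `audit` function and the reduced `SAMPLE` are hypothetical and constructed from the values on this page.

```python
import json
import sys

PUBLIC_OK = {("nginx", "443")}        # the only listener the architecture exposes
LOOPBACK = {"127.0.0.1", "::1"}

# Constructed sample in the shape printed by `docker compose config --format json`,
# reduced to the fields read below; values mirror the compose file on this page.
SAMPLE = {"services": {
    "redis": {"logging": {"driver": "none"},
              "ports": [{"target": 6379, "published": "6379"}]},
    "rabbitmq": {"logging": {"driver": "none"},
                 "environment": {"RABBITMQ_DEFAULT_USER": "guest",
                                 "RABBITMQ_DEFAULT_PASS": "guest"},
                 "ports": [{"target": 15672, "published": "15672"}]},
    "nginx": {"ports": [{"target": 443, "published": "443"}]},
    "dqeone": {"ports": [{"target": 8000, "published": "8000"}]},
    "postgres": {"logging": {"driver": "none"},
                 "ports": [{"target": 5432, "published": "5432"}]},
}}


def audit(config):
    """Return (service, issue) pairs for settings that widen exposure."""
    findings = []
    for name, svc in sorted(config.get("services", {}).items()):
        for port in svc.get("ports") or []:
            published = port.get("published")
            if published is None:
                continue                       # container-only port, not on the host
            host_ip = port.get("host_ip", "0.0.0.0")   # Docker binds all interfaces by default
            if host_ip in LOOPBACK or (name, str(published)) in PUBLIC_OK:
                continue
            findings.append((name, f"port {published} published on {host_ip}"))
        env = svc.get("environment") or {}
        if env.get("RABBITMQ_DEFAULT_PASS") == "guest":
            findings.append((name, "default guest/guest broker credentials"))
        if (svc.get("logging") or {}).get("driver") == "none":
            findings.append((name, "logging driver none: container logs are discarded"))
    return findings


if __name__ == "__main__":
    # Pipe real output in, or run from a terminal to audit the constructed sample.
    cfg = SAMPLE if sys.stdin.isatty() else json.load(sys.stdin)
    for service, issue in audit(cfg):
        print(f"{service}: {issue}")
```

A port mapping written as "127.0.0.1:8000:8000" passes the audit and still allows the local curl check in section 3.4. Services with the logging driver set to none return nothing from docker compose logs.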
Environment variables
The dqeone service requires several environment variables to
configure the Standalone backend.
| Variable | Example value | Description |
|---|---|---|
| SFAPIVERSION | v65.0 | Salesforce API version used by the application when communicating with Salesforce. |
| CREATE_SUPERUSER | true | Creates the initial administrator account during the first startup. |
| RUN_COLLECTSTATIC | false | Executes the Django collectstatic command during startup. Set to false unless explicitly required. |
| DQE_ONE_SERVER_ADMIN_USER | <admin_user> | Username of the initial administrator account. |
| DQE_ONE_SERVER_ADMIN_PASSWORD | <admin_password> | Password of the initial administrator account. Choose a strong password and keep it confidential. |
| DQE_CLIENT_LICENCE | <client_licence> | Customer licence key provided by DQE. |
| WEBSITE_HOSTNAME | https://standalone.example.com | Public HTTPS URL of the Standalone instance. This value must match the DNS name and NGINX configuration. |
| SECRET_ENCRYPTION_KEY | <secret_encryption_key> | Secret key used to encrypt sensitive information stored by the application. Generate a unique key for each installation and never change it after deployment. |
| WAIT_HOSTS | redis:6379 | List of dependent services that must be reachable before the application starts. |
| WAIT_HOSTS_TIMEOUT | 300 | Maximum waiting time, in seconds, for dependent services to become available. |
| WAIT_SLEEP_INTERVAL | 5 | Delay, in seconds, between two availability checks. |
| WAIT_HOST_CONNECT_TIMEOUT | 30 | Timeout, in seconds, for each connection attempt to a dependent service. |
| REDIS_URL | redis://redis:6379 | Redis connection URL used by the application. |
| PORT | 8000 | Internal listening port of the application. |
| DEBUG | false | Enables or disables debug mode. This value must be set to false in production. |
| DB_USER | dqeone | PostgreSQL database username used by the application. |
| DB_PASSWORD | <database_password> | PostgreSQL database password used by the application. It must match POSTGRES_PASSWORD in the postgres service. |
| DB_NAME | dqeone | PostgreSQL database name used by the application. It must match POSTGRES_DB in the postgres service. |
| DB_HOST | postgres | Hostname of the PostgreSQL service defined in the Docker Compose file. |
| DB_VOLUME_PATH | ./db/ | Path used by the application for database-related storage. |
| DB_MAX_CAPACITY | 8000000000 | Maximum database capacity, expressed in bytes. |
| AUTHORIZED_SFTP_HOSTS | depot-1.dqe-software.net | Comma-separated list of SFTP hosts authorized by the application for secure file exchanges. |
Important: the SECRET_ENCRYPTION_KEY must be
generated once and kept for the lifetime of the deployment. Changing this
value after the application has been initialized may prevent previously
encrypted data from being decrypted.
To generate a compatible encryption key, run from the WSL2 terminal:
python3 -c "from cryptography.fernet import Fernet; print(Fernet.generate_key().decode())"
If the cryptography module is not installed, install it first:
sudo apt install python3-cryptography
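The rules stated in the table and notes above (placeholders replaced, a Fernet-format key, database values that match the postgres service, DEBUG off) can be checked before the first start. This is an added example, not DQE's code: `preflight`, `fernet_key_ok` and the sample values are hypothetical, and the two environment blocks are assumed to be passed as dictionaries.

```python
import base64
import re

PLACEHOLDER = re.compile(r"<[^<>\s]+>")   # e.g. <admin_password>, https://<your-domain>


def fernet_key_ok(value):
    """A Fernet key is 32 bytes, URL-safe base64 encoded."""
    try:
        return len(base64.urlsafe_b64decode(value.encode("ascii"))) == 32
    except (ValueError, UnicodeEncodeError):
        return False


def preflight(app_env, db_env):
    """Check the dqeone and postgres environment blocks before first start."""
    problems = []
    for scope, env in (("dqeone", app_env), ("postgres", db_env)):
        for key, value in env.items():
            if PLACEHOLDER.search(value):
                problems.append(f"{scope}.{key}: placeholder not replaced")
    key = app_env.get("SECRET_ENCRYPTION_KEY", "")
    if not PLACEHOLDER.search(key) and not fernet_key_ok(key):
        problems.append("dqeone.SECRET_ENCRYPTION_KEY: not a valid Fernet key")
    # The page requires these pairs to be identical across the two services.
    for app_key, db_key in (("DB_PASSWORD", "POSTGRES_PASSWORD"),
                            ("DB_NAME", "POSTGRES_DB")):
        if app_env.get(app_key) != db_env.get(db_key):
            problems.append(f"dqeone.{app_key} does not match postgres.{db_key}")
    if app_env.get("DEBUG", "").lower() != "false":
        problems.append("dqeone.DEBUG: must be false in production")
    return problems


# Constructed values for illustration only; never deploy them.
SAMPLE_KEY = base64.urlsafe_b64encode(bytes(range(32))).decode()
APP_ENV = {"SECRET_ENCRYPTION_KEY": SAMPLE_KEY, "DEBUG": "false",
           "DB_PASSWORD": "<database_password>", "DB_NAME": "dqeone",
           "WEBSITE_HOSTNAME": "https://standalone.example.com"}
DB_ENV = {"POSTGRES_PASSWORD": "constructed-example-only", "POSTGRES_DB": "dqeone"}

if __name__ == "__main__":
    for problem in preflight(APP_ENV, DB_ENV):
        print(problem)
```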
2.3. Validate the Docker Compose file [WSL2]
Navigate to the application directory and validate the configuration:
cd /mnt/c/dqe-standalone
docker compose config
If Docker Compose returns an error such as:
yaml: found character that cannot start any token
check the indentation of the file. YAML only supports spaces. Tabs or invisible characters may generate this error. The issue may also be located on the line before the one indicated in the error message.
Note: when editing the file in Notepad, ensure that tabs are not inserted. Using a code editor such as Visual Studio Code is recommended to avoid invisible character issues.
3. Launcher
The DQE Docker images are provided through an Azure Container Registry managed by DQE. All commands in this section are run from the Ubuntu WSL2 terminal.
3.1. Connecting to the DQE Azure Container Registry [WSL2]
Start the Docker service and authenticate to the DQE registry:
sudo service docker start
docker login dqeone.azurecr.io
Username: <Login provided by DQE>
Password: <Password provided by DQE>
A successful login displays: Login Succeeded
If Docker returns an unauthorized error while pulling an image, verify that all images use the Azure Container Registry provided by DQE. Customer installations should not reference development registries such as dqeonedev.azurecr.io.
3.2. Download the images [WSL2]
Navigate to the application directory and pull the images:
cd /mnt/c/dqe-standalone
docker compose pull
3.3. Start the services [WSL2]
docker compose up -d
Verify that every container is running:
docker compose ps
Expected services — all should show status running:
- dqeone
- redis
- rabbitmq
- postgres
- nginx
/!\ Important: if any container shows status exited or restarting, check its logs: docker compose logs <service-name>
3.4. Verify the installation [WSL2]
curl -I http://localhost:8000
A response similar to the following confirms that the application is running:
HTTP/1.1 301 Moved Permanently
Once NGINX is running, the application should be accessible through the public HTTPS endpoint:
https://<your-domain>
4. Troubleshooting
YAML parsing error
yaml: found character that cannot start any token
Possible causes:
- Tab character inserted by Notepad
- Invalid indentation
- Invisible character
Solution:
- Replace tabs with spaces.
- Validate the file using docker compose config from the WSL2 terminal.
- Check the line before the one indicated by the error message.
- Use a code editor (Visual Studio Code) instead of Notepad to avoid tab insertion.
Unauthorized while pulling images
unauthorized: authentication required
Verify that:
- you successfully authenticated using docker login dqeone.azurecr.io;
- all images reference the DQE production registry dqeone.azurecr.io;
- the image versions match those provided by DQE.
Cannot access the application remotely
Verify that:
- the Docker containers are running;
- the NGINX container is running;
- port 443 is allowed by the Windows Server firewall;
- the SSL certificate is correctly placed in C:\dqe-standalone\ssl\;
- the DNS entry points to the VM or gateway exposing the service.
Docker service not started [WSL2]
Cannot connect to the Docker daemon at unix:///var/run/docker.sock
The Docker service must be started manually each time the WSL2 session opens. Run:
sudo service docker start