Excalidraw on AlmaLinux 9
(Docker + Nginx + SSL)
Excalidraw is an open-source virtual whiteboard and diagramming application built for fast, intuitive visual collaboration. It allows users to create hand-drawn–style diagrams, flowcharts, wireframes, system designs, and sketches directly in the browser, with a strong emphasis on simplicity, speed, and privacy.
Unlike many commercial whiteboard platforms, Excalidraw can be fully self-hosted, giving you complete control over access, availability, and data. This makes it an excellent choice for engineering teams, educators, designers, and organizations that want collaborative whiteboarding without depending on third-party SaaS services.
Running Excalidraw on AlmaLinux 9, a RHEL-compatible, enterprise-grade Linux distribution, provides long-term stability, predictable updates, and strong security defaults. Combined with Docker, Nginx, and HTTPS (SSL), AlmaLinux 9 offers a production-ready foundation for hosting Excalidraw securely and reliably.
Architecture Overview
| Layer | Component | Role |
|---|---|---|
| OS | AlmaLinux 9 | Enterprise-grade, RHEL-compatible Linux base |
| Container Runtime | Docker / Docker Compose | Runs the Excalidraw application |
| Application | Excalidraw (React) | Whiteboard UI and collaboration logic |
| Reverse Proxy | Nginx | HTTPS termination, routing, compression |
| TLS | Let’s Encrypt / PKI | Encrypted web access |
| Clients | Web browsers | Create and collaborate on diagrams |
Excalidraw is stateless by design, which makes it easy to deploy, update, back up, and scale.
Why Use Excalidraw?
- Extremely simple and intuitive UI – no learning curve
- Hand-drawn style diagrams – ideal for brainstorming and planning
- Fully self-hosted – no external SaaS dependencies
- Privacy-friendly – drawings stay on your own server
- Real-time collaboration – share links and work together instantly
- Multiple export options – PNG, SVG, and Excalidraw JSON
- Open-source & actively maintained
- Very lightweight – minimal CPU and memory usage
Excalidraw is designed to help teams think visually without friction.
Excalidraw vs Other Whiteboard Tools
| Feature / Capability | Excalidraw | Miro | FigJam | Draw.io |
|---|---|---|---|---|
| Hosting | Self-hosted | Cloud only | Cloud only | Cloud / Self |
| Open-source | ✅ Yes | ❌ No | ❌ No | ❌ Partial |
| Real-time collaboration | ✅ Yes | ✅ Yes | ✅ Yes | ❌ Limited |
| Privacy control | Full | Vendor-controlled | Vendor-controlled | Partial |
| Ease of use | Very high | Medium | Medium | Medium |
| Cost | Free | Paid | Paid | Free / Paid |
Excalidraw is ideal when speed, simplicity, and privacy matter more than enterprise-heavy features.
Security & Best Practices on AlmaLinux 9
- Run Excalidraw behind Nginx with HTTPS enabled.
- Bind the Excalidraw container to 127.0.0.1 and expose it only via Nginx.
- Use Let’s Encrypt SSL certificates with automatic renewal.
- Enable SELinux enforcing mode and configure Docker volume labels correctly.
- Configure firewalld to allow only ports 80 and 443.
- Regularly update:
  - AlmaLinux system packages
  - Docker engine and images
  - Excalidraw container
- Add basic rate limiting in Nginx if publicly accessible.
- Protect access with authentication if used internally (optional).
- Monitor container health and logs.
Typical Use Cases
- System architecture diagrams for DevOps and engineering teams
- Flowcharts and technical documentation
- Brainstorming and planning sessions
- UI wireframes and early design sketches
- Education and remote teaching
- Internal collaboration and planning tools
Deploying Excalidraw on AlmaLinux 9 with Docker, Nginx, and SSL gives you a fast, private, and enterprise-ready self-hosted whiteboard solution — perfect for visual thinking, technical planning, and team collaboration without SaaS lock-in.
Step 1: Create a Server Instance on Shape.Host
To self-host Excalidraw, you need a VPS with root access.
Log in to https://shape.host
Click Create → Instance

Choose a data center location close to your users

Select a plan with at least:
- 1–2 CPU cores
- 2 GB RAM
- 20 GB SSD storage
Choose AlmaLinux 9 (64-bit) as the operating system

Create the instance and wait for provisioning

Copy the public IP address of the server

Step 2: Connect to the AlmaLinux 9 Server
From Linux, macOS, or Windows:
ssh root@YOUR_SERVER_IP
This opens a secure shell session and gives you full administrative access.
Step 3: Update the System
dnf update
- Updates all installed packages
- Applies security patches and bug fixes
- Ensures compatibility with Docker and Nginx

Step 4: Install Docker Engine
dnf install dnf-utils device-mapper-persistent-data lvm2 curl
These packages are required to:
- Manage external repositories
- Support Docker storage drivers
- Download installation files securely

dnf config-manager --add-repo https://download.docker.com/linux/centos/docker-ce.repo
- Adds the official Docker repository compatible with AlmaLinux 9
dnf install docker-ce docker-ce-cli containerd.io docker-buildx-plugin docker-compose-plugin
- Installs Docker Engine
- Installs Docker CLI
- Installs container runtime (containerd)
- Installs Docker Compose v2 plugin

systemctl enable docker
- Ensures Docker starts automatically on boot
systemctl start docker
- Starts the Docker service immediately
docker --version
- Verifies Docker installation
docker compose version
- Confirms Docker Compose is available
Step 5: Create the Excalidraw Project Directory
mkdir -p /opt/excalidraw
- Creates a dedicated directory for Excalidraw
- Keeps application data organized under /opt
cd /opt/excalidraw
- Switches to the Excalidraw working directory

Step 6: Create Docker Compose Configuration
nano docker-compose.yml
Paste the following content:
```yaml
services:
  excalidraw:
    image: excalidraw/excalidraw:latest
    container_name: excalidraw
    restart: unless-stopped
    ports:
      - "127.0.0.1:5000:80"
```
What this configuration does
- Uses the official Excalidraw Docker image
- Runs Excalidraw inside a single container
- Exposes port 5000 only on localhost (security best practice)
- Automatically restarts the container if it stops or the server reboots

Step 7: Start Excalidraw
docker compose up -d
- Pulls the Excalidraw image (if not already present)
- Starts the container in detached (background) mode

docker ps
- Lists running containers
- Confirms that Excalidraw is running
curl -I http://127.0.0.1:5000
- Sends a test HTTP request to the container
- A 200 OK or 302 response confirms Excalidraw is accessible locally

Step 8: Install and Enable Nginx
dnf install nginx
- Installs the Nginx web server

systemctl enable nginx
- Configures Nginx to start automatically on boot
systemctl start nginx
- Starts the Nginx service
Nginx will act as a reverse proxy, exposing Excalidraw to the internet.

Step 9: Configure Nginx Reverse Proxy
nano /etc/nginx/conf.d/excalidraw.conf
Paste:
```nginx
server {
    listen 80;
    server_name draw.example.com;

    location / {
        proxy_pass http://127.0.0.1:5000;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
```
Why this configuration is required
- Listens for incoming HTTP traffic on port 80
- Forwards requests to Excalidraw running inside Docker
- Enables WebSocket support, required by Excalidraw
- Preserves real client IP and protocol headers

Step 10: Test and Reload Nginx
nginx -t
- Tests Nginx configuration for syntax errors
systemctl reload nginx
- Applies the new configuration without downtime
Step 11: Configure SELinux for Nginx (Important)
setsebool -P httpd_can_network_connect 1
- Allows Nginx (httpd) to connect to network services
- Required on AlmaLinux due to SELinux enforcement
- Without this, Nginx cannot proxy requests to Docker containers

Step 12: Enable SSL with Let’s Encrypt
dnf install certbot python3-certbot-nginx
- Installs Certbot and Nginx integration plugin

certbot --nginx -d almalinux-tutorials.shape.host
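Replace almalinux-tutorials.shape.host with your real domain (for example, yourdomain.com). It must match the server_name configured in Step 9 so that Certbot can find the server block to update.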
Certbot will:
- Issue a free SSL certificate
- Automatically configure HTTPS in Nginx
- Enable automatic certificate renewal

Step 13: Access Excalidraw
Open your browser:
https://draw.example.com
You now have:
- A self-hosted Excalidraw instance
- Running in Docker
- Protected by HTTPS
- Fully functional on AlmaLinux 9
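
A post-deployment check for the loopback binding from Step 6 and the port allow-list from the best-practices section, as an added example that is not part of the original tutorial. It parses `ss -ltnH` output and reports any listener reachable from other hosts on a port outside the allow-list; the allow-list (22, 80, 443), the function names and the sample socket tables are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original tutorial): flag TCP listeners that
# other hosts can reach on ports outside an allow-list. Docker publishes
# ports with its own packet-filter rules, so a firewalld allow-list alone
# does not cover a container port published on 0.0.0.0.

# Assumption: SSH on 22 plus the 80/443 from the best-practices list.
ALLOWED_PORTS="22 80 443"

# Reads `ss -ltnH` output on stdin, prints each unexpected local address.
unexpected_listeners() {
    awk -v allowed="$ALLOWED_PORTS" '
        BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        $1 == "LISTEN" {
            addr = $4
            port = addr; sub(/.*:/, "", port)        # text after the last colon
            host = addr; sub(/:[^:]*$/, "", host)    # text before it
            sub(/%.*/, "", host)                     # drop scope, e.g. %lo
            if (host ~ /^127\./ || host == "[::1]") next   # loopback only
            if (port in ok) next                            # intended exposure
            print addr
        }'
}

# Constructed sample: the tutorial's layout (container on 127.0.0.1:5000).
sample_hardened() {
    cat <<'EOF'
LISTEN 0 128  0.0.0.0:22     0.0.0.0:*
LISTEN 0 511  0.0.0.0:80     0.0.0.0:*
LISTEN 0 511  0.0.0.0:443    0.0.0.0:*
LISTEN 0 4096 127.0.0.1:5000 0.0.0.0:*
EOF
}

# Constructed sample: what `ports: - "5000:80"` would produce instead.
sample_exposed() {
    cat <<'EOF'
LISTEN 0 128  0.0.0.0:22   0.0.0.0:*
LISTEN 0 511  0.0.0.0:80   0.0.0.0:*
LISTEN 0 4096 0.0.0.0:5000 0.0.0.0:*
LISTEN 0 4096 [::]:5000    [::]:*
EOF
}

# On the server: sh audit.sh --live   (exits non-zero if anything is found)
if [ "${1:-}" = "--live" ]; then
    found=$(ss -ltnH | unexpected_listeners)
    [ -z "$found" ] || { printf '%s\n' "$found"; exit 1; }
fi
```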

You have successfully installed Excalidraw on AlmaLinux 9 using Docker, exposed it through Nginx, configured SELinux correctly, and secured it with Let’s Encrypt SSL. This setup is lightweight, secure, and ideal for personal use, teams, or internal documentation and collaboration.
For reliable hosting of self-hosted tools with full root access, performance, and scalability, Shape.Host Cloud VPS provides a solid foundation for modern server deployments.