
Typesense - Hardened Search Engine

by Lynxroute

Typesense - CIS Level 1 hardened search engine on Ubuntu 24.04 LTS with SBOM and CIS Report.

What is Typesense

Typesense is a fast, typo-tolerant open-source search engine written in C++ - a single-binary alternative to Algolia and a more developer-friendly alternative to Elasticsearch for the search-as-a-feature use case. It serves a REST API on port 8108 over indexed documents with sub-50ms query latency, built-in typo correction, faceting, filtering, sorting, synonym handling, geo search, vector search (HNSW), and federated multi-collection queries. Operators get an instant-search JavaScript client, dashboard UI, and import tooling for JSON/JSONL/CSV. Documents and search indexes are persisted to RocksDB on the local filesystem with snapshotting and follower replication for HA setups. GPL-3.0 license - drop-in for any application that today calls Algolia or Elasticsearch, with no per-query fees and no vendor lock-in.

Why self-host Typesense

Self-hosting keeps your index, document content, and query traffic inside your own tenant - no per-query SaaS fees, no third-party access to what your users search for, no data leaving your region. Ideal for teams with data residency requirements (GDPR, HIPAA, ISO 27001), search over confidential content, and product teams that need predictable latency and full control over ranking.

What this VM image adds

Security hardening:

  • Unique Admin API key generated per instance - 64-character random key written at first boot, never the same on two deployments; stored in /root/typesense-credentials.txt readable only by root
  • API authentication enforced - all REST requests rejected with 401 without the X-TYPESENSE-API-KEY header
  • Typesense runs as non-root - dedicated typesense system user, no shell, locked home directory
  • Storage owned by typesense user - 0750 permissions on /var/lib/typesense, UMask=0027 enforced via systemd
  • Config not world-readable - /etc/typesense/typesense-server.ini at 0640, fixes upstream issue #2703
  • CVE scan - every image is scanned for vulnerabilities with Trivy before release
  • UFW firewall - only ports 8108 (REST) and 22 (SSH) open; everything else blocked
  • fail2ban - SSH brute-force protection
  • AppArmor - mandatory access control

OS hardening (CIS Level 1):

  • CIS Level 1 hardened - CIS Ubuntu 24.04 LTS Level 1 Benchmark via ansible-lockdown
  • auditd - system call auditing for critical paths
  • SSH hardening - PasswordAuthentication disabled, key-only access
  • Kernel hardening - SYN cookies, ASLR, rp_filter, TCP BBR
  • /tmp as tmpfs - nosuid, nodev, noexec
  • Azure IMDS endpoints - egress rules pre-configured (169.254.169.254, 168.63.129.16)

Compliance artifacts (inside the VM):

  • SBOM - CycloneDX 1.6 at /etc/lynxroute/sbom.json with SHA-256 hash of the Typesense binary and NTIA-compliant supplier metadata for every component
  • CIS Conformance Report - OpenSCAP HTML at /etc/lynxroute/cis-report.html
  • Tailored CIS profile - /usr/share/doc/lynxroute/CIS_TAILORED_PROFILE.md
  • Server credentials file - /root/typesense-credentials.txt with public IP, REST URL, health URL, and the per-instance Admin API key

Developer-ready out of the box:

  • typesense Python client pre-installed - import in your scripts without extra setup
  • Quickstart example - /usr/local/share/typesense-examples/quickstart.py runs create/upsert/typo-tolerant search/delete
  • Real public IP in MOTD - SSH banner shows the actual REST endpoint URL each login
  • Official client SDKs - JavaScript, PHP, Ruby, Go, Java, Python from upstream

Quick Start

  1. Deploy VM from Azure Marketplace (Standard_D2s_v3 or larger recommended)
  2. Open NSG: TCP 8108 from your client networks - SSH 22 from your management IPs only
  3. SSH: ssh -i key.pem <username>@<PUBLIC_IP> (default username: azureuser)
  4. Read connection details: sudo cat /root/typesense-credentials.txt
  5. Test the API: curl http://127.0.0.1:8108/health
  6. Run the quickstart: sudo python3 /usr/local/share/typesense-examples/quickstart.py

The Admin API key is unique per VM and is your only authentication credential - keep /root/typesense-credentials.txt readable by root only. For production, restrict port 8108 to trusted client networks in the NSG and create scoped search-only keys via the REST API.
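As an added example of that last step (my own code, not part of this listing or of Typesense), using only the Python standard library: build the POST /keys body for a search-only key restricted to one collection, and derive a scoped search key from it that pins a filter_by, so a browser or mobile client holding only the scoped key cannot widen its own results or ever sees the admin key. The BASE_URL, the placeholder admin key and the collection name are assumptions; only create_key touches the network, and the HMAC framing follows the construction Typesense documents for its official clients.

```python
import base64
import hashlib
import hmac
import json
import urllib.request

BASE_URL = "http://127.0.0.1:8108"              # assumed: local REST endpoint
ADMIN_KEY = "<ADMIN_KEY_FROM_CREDENTIALS_FILE>"  # placeholder: read from /root/typesense-credentials.txt

def search_only_key_request(collections, description, expires_at=None):
    """Body for POST /keys: documents:search only, limited to the named collections,
    optionally expiring (unix timestamp) so a leaked key stops working on its own."""
    body = {"description": description,
            "actions": ["documents:search"],
            "collections": list(collections)}
    if expires_at is not None:
        body["expires_at"] = expires_at
    return body

def create_key(body):
    """Send the body to the REST API with the admin key (network call; run on the VM)."""
    req = urllib.request.Request(
        f"{BASE_URL}/keys", data=json.dumps(body).encode("utf-8"), method="POST",
        headers={"X-TYPESENSE-API-KEY": ADMIN_KEY, "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)  # the new key's "value" is returned only here - store it

def scoped_search_key(search_key, params):
    """base64( b64(HMAC-SHA256(search_key, params_json)) + search_key[:4] + params_json ).
    The server checks the HMAC and forces the embedded params, so the holder cannot
    drop the tenant filter or raise limits; the parent key never leaves the backend."""
    params_json = json.dumps(params)
    mac = hmac.new(search_key.encode("utf-8"), params_json.encode("utf-8"), hashlib.sha256).digest()
    raw = base64.b64encode(mac).decode("ascii") + search_key[:4] + params_json
    return base64.b64encode(raw.encode("utf-8")).decode("ascii")

def decode_scoped_key(scoped):
    """Split into (digest, key prefix, params_json); b64 of a 32-byte digest is 44 chars."""
    raw = base64.b64decode(scoped).decode("utf-8")
    return raw[:44], raw[44:48], raw[48:]

def verify_scoped_key(scoped, search_key):
    """Recompute the HMAC with the parent search-only key; constant-time compare."""
    digest, prefix, params_json = decode_scoped_key(scoped)
    if prefix != search_key[:4]:
        return False
    mac = hmac.new(search_key.encode("utf-8"), params_json.encode("utf-8"), hashlib.sha256).digest()
    return hmac.compare_digest(digest, base64.b64encode(mac).decode("ascii"))

if __name__ == "__main__":
    parent = create_key(search_only_key_request(["products"], "tenant 42 frontend"))["value"]
    print(scoped_search_key(parent, {"filter_by": "tenant_id:=42", "expires_at": 1800000000}))
```

Hand the scoped key to the client and keep the parent search-only key server-side; rotating the parent invalidates every scoped key derived from it.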