Apache Superset on Single VPS: Reference Deployment Pattern
Table of Contents
- Introduction
- Prerequisites and Environment
- Step-by-Step Installation
- Configuring Gunicorn and Nginx
- Networking, Firewall, and Domain Setup
- Storage, Configuration, and Secrets Management
- Autoscaling Considerations for a Single VPS
- Operational Habits That Keep Superset Healthy
- Security Hardening and Compliance Readiness
- Next Steps: Production-Readiness and How PADISO Helps
Introduction
Apache Superset has become the go-to open-source business intelligence layer for data-savvy teams that refuse to pay per-seat license fees. It plugs into virtually any modern data warehouse, offers a rich drag-and-drop interface, and exposes a REST API that engineering teams can embed directly into their products. Yet most production deployment guides assume you are orchestrating Kubernetes, running a multi-node cluster, or inheriting someone else’s Docker Compose file. For many mid-market brands and scaling startups, a single well-tuned VPS is the right starting point—it keeps costs predictable, simplifies the compliance footprint, and still handles hundreds of dashboards with tens of millions of rows when configured properly.
This reference deployment pattern is the outcome of dozens of real-world engagements where PADISO’s platform engineering teams in San Francisco, New York, and Toronto stood up Superset as the analytics backbone for private-equity roll-ups, mid-market SaaS operators, and growth-stage startups. It is built for operators who need to ship a production-grade BI layer fast—typically within a single sprint—while keeping the door open to horizontal scaling later. We will walk through networking, storage, secrets, autoscaling considerations, and the operational habits that prevent Saturday-morning outage calls. By the end, you will have a repeatable pattern that can pass a SOC 2 or ISO 27001 audit-readiness review when combined with PADISO’s security audit and Vanta‑powered preparation.
Prerequisites and Environment
You need a Linux VPS with at least 4 vCPUs and 8 GB of RAM for a starter deployment that serves 20–50 internal users. Ubuntu 22.04 LTS is our default because of its long support window and broad community documentation, though the same pattern works on Debian or RHEL 9 with minor adjustments. A domain name pointed at your VPS and ports 80/443 open are required for SSL via Let’s Encrypt. You will also need a separate PostgreSQL instance—Superset uses it for its metadata database—and a Redis instance for caching and Celery task queues. All three services can initially run on the same VPS, which is the pattern we describe here.
When your team spans regulated industries—platform development in Boston for biotech, platform development in Houston for healthcare, or platform development in Atlanta for fintech—the single-VPS footprint simplifies the boundary for HIPAA, PCI, or GxP assessment. We still recommend a dedicated VPS for the database layer at scale, but starting collocated helps you learn the service without committing to a multi-node topology too early.
Step-by-Step Installation
Base OS and System Dependencies
SSH into your VPS and update the package index. Install the essential system packages: Python 3.10 or later, pip, build-essential, libssl-dev, and the development headers for PostgreSQL and Cyrus SASL so that the database drivers compile cleanly. On Ubuntu:
sudo apt update && sudo apt upgrade -y
sudo apt install -y python3-pip python3-dev python3-venv build-essential libssl-dev libffi-dev libpq-dev libsasl2-dev libldap2-dev
If you prefer a more opinionated stack, the official Apache Superset one-click VPS installation guide on Ubuntu covers a similar dependency baseline and includes PostgreSQL setup, Redis caching, and Gunicorn configuration. We recommend reviewing it alongside this pattern for alternative configuration choices.
Python Virtual Environment Setup
Run Superset inside a dedicated Python virtual environment to avoid conflicts with system packages. Create a directory for Superset, then build and activate the venv:
mkdir -p /opt/superset && cd /opt/superset
python3 -m venv venv
source venv/bin/activate
Keep the virtual environment path consistent; it will be referenced in your systemd service file later.
Installing Superset and Database Drivers
With the venv active, upgrade pip and install Apache Superset along with the PostgreSQL driver (psycopg2-binary or the source-distributed psycopg2), Redis, and the database connectors you plan to connect to (clickhouse-connect, pymysql, sqlalchemy-bigquery, etc.). We recommend pinning superset to the latest stable release.
pip install --upgrade pip setuptools wheel
pip install 'apache-superset[postgres,celery,redis]' psycopg2-binary
# add extras as needed, e.g., 'apache-superset[clickhouse,mysql]'
If you are on RHEL 9, the OneUptime deployment guide walks through a very similar sequence—PostgreSQL, Python venv, and Superset bootstrapping—and confirms that the dependency resolution behaves identically across Red Hat and Debian-based distributions.
Initializing Superset and Creating the Admin User
Before starting any service, set a few mandatory environment variables that control the cryptographic secret and database connection. We expose these via a dedicated configuration file; see the Secrets section below. For now, in the terminal:
export SUPERSET_SECRET_KEY='your-strong-random-key-here'
export SUPERSET_CONFIG_PATH='/opt/superset/superset_config.py'
Create a minimal superset_config.py:
# /opt/superset/superset_config.py
SECRET_KEY = 'your-strong-random-key-here'
SQLALCHEMY_DATABASE_URI = 'postgresql://superset:password@localhost:5432/superset'
DATA_CACHE_CONFIG = {
'CACHE_TYPE': 'RedisCache',
'CACHE_DEFAULT_TIMEOUT': 300,
'CACHE_KEY_PREFIX': 'superset_results_',
'CACHE_REDIS_URL': 'redis://localhost:6379/0'
}
Now initialize the database and create an admin account:
superset db upgrade
superset fab create-admin
superset init
For a detailed walkthrough of this exact step—including directory structure, venv creation, and dependency installation—the Complete Guide to Deploying Apache Superset with Gunicorn and Nginx on Ubuntu from the community provides a complementary perspective with screenshots and troubleshooting tips.
Configuring Gunicorn and Nginx
Gunicorn and Systemd Service
Superset’s built-in Flask development server is not suitable for production. We use Gunicorn with asynchronous workers. Create a systemd unit file so the process starts on boot and restarts after failures:
# /etc/systemd/system/superset.service
[Unit]
Description=Apache Superset Gunicorn daemon
After=network.target postgresql.service redis-server.service
[Service]
User=superset
Group=superset
WorkingDirectory=/opt/superset
Environment="PATH=/opt/superset/venv/bin"
Environment="SUPERSET_CONFIG_PATH=/opt/superset/superset_config.py"
ExecStart=/opt/superset/venv/bin/gunicorn \
--workers 4 --worker-class sync \
--timeout 120 --bind 0.0.0.0:8088 \
--log-level info \
superset.app:create_app()
Restart=always
[Install]
WantedBy=multi-user.target
Start and enable the service:
sudo systemctl daemon-reload
sudo systemctl enable --now superset
Nginx Reverse Proxy and SSL
Install Nginx, obtain a certificate from Let’s Encrypt, and configure it to proxy traffic to Gunicorn. The Nginx configuration should enforce HTTPS and set proper headers:
server {
listen 80;
server_name superset.yourdomain.com;
return 301 https://$host$request_uri;
}
server {
listen 443 ssl;
server_name superset.yourdomain.com;
ssl_certificate /etc/letsencrypt/live/superset.yourdomain.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/superset.yourdomain.com/privkey.pem;
location / {
proxy_pass http://127.0.0.1:8088;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
}
}
Restart Nginx and test.
Networking, Firewall, and Domain Setup
Use ufw (Uncomplicated Firewall) to restrict access. Allow only SSH (port 22, ideally from a bastion IP), HTTP, and HTTPS:
sudo ufw allow 22/tcp
sudo ufw allow 80/tcp
sudo ufw allow 443/tcp
sudo ufw enable
When PADISO deploys this pattern for private-equity portfolios that require strict network segmentation—common in Canberra’s defence and public-sector projects or Washington D.C.’s FedRAMP-aware environments—we add a VPC and a VPN-only management plane so that the VPS never exposes the Superset UI to the public internet. For a mid-market brand starting with a single internal-analytics use case, the firewall rules above are sufficient.
Storage, Configuration, and Secrets Management
A single VPS means your configuration files, database, and cache all live on one disk. Plan for at least 200 GB of SSD storage if you expect Superset to cache query results; the metadata database itself stays small (under 10 GB for most teams) but Redis and the file system cache can grow quickly.
Secrets—such as SECRET_KEY, database passwords, and third‑party API tokens—must never be hardcoded in superset_config.py. Instead, source them from environment variables or a small HashiCorp Vault deployment. In our pattern, superset_config.py reads from the environment:
import os
SECRET_KEY = os.environ.get('SUPERSET_SECRET_KEY')
SQLALCHEMY_DATABASE_URI = os.environ.get('SQLALCHEMY_DATABASE_URI')
Then provide those environment variables via the systemd unit file Environment= lines, or use a small env file that is readable only by the superset user. When PADISO’s platform development team in Los Angeles sets up analytics backends for DTC e-commerce brands, we integrate with AWS Secrets Manager or HashiCorp Vault to rotate secrets automatically and provide an audit trail—an approach that directly supports SOC 2 compliance when combined with PADISO’s Security Audit readiness service.
Autoscaling Considerations for a Single VPS
A single VPS can handle surprising load. With 4 vCPUs and 8 GB RAM, Superset comfortably serves 50 concurrent dashboard viewers, provided heavy queries are run through Celery workers rather than the Gunicorn web workers. The reference deployment configures Redis as both the Celery message broker and the result backend, so you can add additional VPS instances as Celery workers later without altering the web server layer.
For now, add a Celery worker to your systemd suite:
# /etc/systemd/system/superset-worker.service
[Unit]
Description=Apache Superset Celery worker
After=network.target redis-server.service
[Service]
User=superset
Group=superset
WorkingDirectory=/opt/superset
Environment="PATH=/opt/superset/venv/bin"
Environment="SUPERSET_CONFIG_PATH=/opt/superset/superset_config.py"
ExecStart=/opt/superset/venv/bin/celery --app=superset.tasks.celery_app:app worker --loglevel=INFO --concurrency=4
Restart=always
[Install]
WantedBy=multi-user.target
When a mid-market company in Seattle sees dashboard load times creeping above two seconds during Monday-morning sprints, we look at the Celery queue length before adding more VPS resources. Often, the bottleneck is slow queries against the underlying data lake, not Superset itself. In those cases, PADISO’s AI & Agents Automation practice helps teams implement query caching layers and pre-aggregate materialized views that reduce warehouse cost by 40–60% without a scale-out event.
Operational Habits That Keep Superset Healthy
Production Superset needs monitoring, backups, and a clear upgrade runbook.
- Monitoring: Export Gunicorn and Celery metrics to Prometheus using the
prometheus_flask_exporterandcelery-exporter. Dashboard the request rate, errors, and p99 latency. A simplehealthcheckendpoint can be called by your load balancer or uptime monitor. - Backups: The metadata database (PostgreSQL) is the critical asset; without it, you lose every dashboard definition. Automate nightly
pg_dumpbackups to an S3 bucket or another VPS region. Also back up thesuperset_config.pyand the Redis dump file if you rely on cached query results. - Upgrades: Pin your Superset version in a
requirements.txtand test upgrades in a staging environment. Use thesuperset db upgradecommand to apply schema migrations. Never run migration commands while Gunicorn workers are live. - Logs: Ship logs to a centralized location (Loki, CloudWatch, or Graylog) and alert on repeated 500 errors.
When PADISO’s platform development team in Brisbane deploys Superset for logistics companies that run 24/7 fleet dashboards, we add a second VPS in a warm-standby configuration with streaming replication of the PostgreSQL database. For most mid-market brands, a single VPS with solid backups and a tested restore process is the right balance of cost and reliability.
Security Hardening and Compliance Readiness
Deploying Superset on a single VPS does not mean you skip security fundamentals. The following measures get you to a posture that can pass a SOC 2 or ISO 27001 review when documented properly:
- Disable self-registration and enforce OAuth2/OIDC authentication against your identity provider (Google Workspace, Azure AD, Okta). This removes shared credentials.
- Enable row-level security via Superset’s dataset-level permission filters so that finance dashboards never leak to the sales team.
- Restrict the Superset metadata database to listen on localhost only and enforce strong password authentication in PostgreSQL.
- Turn on HTTPS with strong cipher suites and add HTTP security headers via Nginx (
HSTS,X-Content-Type-Options, etc.). - Integrate vulnerability scanning into your CI/CD pipeline; Superset releases security patches periodically, and you must be ready to apply them within your SLA.
PADISO’s Security Audit service uses Vanta to automate evidence collection and transform a 12-week audit process into a continuous readiness state. Our platform development team in Sydney has walked several financial-services clients through exactly this journey, moving from a single‑VPS Superset deployment to a fully SOC 2 Type II–audited environment in under two quarters.
Next Steps: Production-Readiness and How PADISO Helps
You now have a reference pattern for running Apache Superset on a single VPS that respects networking, secrets, autoscaling, and operational discipline. The immediate next step is to fork this pattern and run it against your own data sources. Load a few dashboards, observe memory usage under concurrency, and then harden the configuration based on your organization’s risk appetite.
When you outgrow the single VPS—or when your board asks for an AI‑powered data strategy—PADISO steps in at the fractional CTO level. Our Venture Architecture & Transformation practice has helped private‑equity firms consolidate tech stacks across 15‑company roll‑ups, lift portfolio EBITDA by integrating Superset as a shared analytics layer, and re‑platform legacy BI on hyperscaler clouds (AWS, Azure, Google Cloud) in under 90 days. The team behind this reference pattern designed it while shipping production analytics for brands across Perth’s mining sector, Los Angeles media, and Gold Coast tourism operators—all of whom needed embedded BI without a per-seat tax.
To get started, book a platform development call or explore our case studies to see real EBITDA lifts, time-to-ship reductions, and audit-pass results. If you are a private‑equity operating partner evaluating a roll‑up, ask us about our portfolio value-creation playbook—we routinely compress tech due diligence and post‑close integration into 100‑day plans that make the numbers work.