Deploy Gophish (with persistent storage)
Gophish phishing simulation platform with persistent data storage
Deploy and Host Gophish on Railway
Gophish is an open-source phishing simulation platform for security awareness training. Deploy with persistent storage, automatic CSRF configuration, and secure defaults. Perfect for IT security teams running phishing training campaigns.
Quick Start
- Click "Deploy on Railway" button
- Configure two ports (see Detailed Setup Guide below):
  - Generate domain on port 80 for phishing campaigns
  - Add TCP Proxy on port 3333 for admin access
- Redeploy twice to apply configuration
- Get admin password from deployment logs
- Access admin interface at your TCP proxy address
→ See Detailed Setup Guide below for step-by-step instructions
About Hosting Gophish
This template deploys Gophish with persistent SQLite storage on Railway. The deployment automatically configures CSRF protection using your Railway domain, manages volume persistence for campaign data, and generates secure admin credentials on first start. Railway handles HTTPS termination, scaling, and infrastructure management while you focus on creating effective security training campaigns. Data persists across redeployments via Railway volumes.
Common Use Cases
- Security Awareness Training - Run phishing simulations to train employees on identifying malicious emails
- Compliance Testing - Fulfill regulatory requirements for security awareness programs
- Red Team Operations - Test organizational security posture with realistic phishing campaigns
- Educational Demonstrations - Teach cybersecurity concepts in academic or workshop settings
- Penetration Testing - Simulate social engineering attacks as part of security assessments
Dependencies for Gophish Hosting
- Railway Account - Free tier supported
- Custom Domain (optional) - Use Railway-provided domain or bring your own
- SMTP Provider - Gmail, Google Workspace, SendGrid, or any SMTP service for sending emails
Deployment Dependencies
- Official Gophish Docker Image - Latest version automatically pulled
- Gophish Documentation - Official guides and API reference
- Google App Passwords - For Gmail/Workspace SMTP setup
- Full Template Documentation - Detailed setup guide, troubleshooting, and best practices
Implementation Details
Port Configuration: This deployment uses two separate ports:
- Port 80 - Phishing server for campaign landing pages (generate Railway domain here)
- Port 3333 - Admin interface (accessible via TCP proxy)
CSRF Protection: The template dynamically configures trusted_origins from Railway's RAILWAY_PUBLIC_DOMAIN environment variable to prevent "Forbidden - referer invalid" errors.
Persistent Storage: Campaign data, users, and templates are stored in /opt/gophish/data via Railway volume.
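One way the CSRF and storage settings described above could be rendered into Gophish's config.json at container start, as an added example that is not the template's own code. It assumes trusted_origins entries are bare host names and that the database file is named gophish.db; the function names are hypothetical.

```python
import json
import re

# Accept a bare DNS host name only. A scheme, port, path or wildcard in
# RAILWAY_PUBLIC_DOMAIN must never end up in the CSRF trusted list.
HOST_RE = re.compile(
    r"^(?=.{1,253}$)([a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$"
)

VOLUME = "/opt/gophish/data"  # volume mount path given on this page
DB_FILE = "gophish.db"        # assumption: database file name inside the volume


def trusted_origin(env):
    """Return the validated host from RAILWAY_PUBLIC_DOMAIN, or None if unset."""
    raw = env.get("RAILWAY_PUBLIC_DOMAIN", "").strip().lower()
    if not raw:
        return None  # no domain generated yet (first deploy)
    if not HOST_RE.match(raw):
        raise ValueError(f"refusing to trust malformed origin: {raw!r}")
    return raw


def render_config(base, env):
    """Return a copy of a Gophish config dict adjusted for this deployment."""
    cfg = json.loads(json.dumps(base))  # deep copy, input stays untouched
    origin = trusted_origin(env)
    admin = cfg.setdefault("admin_server", {})
    # Fail closed: with no domain, trust nothing extra rather than a placeholder.
    admin["trusted_origins"] = [origin] if origin else []
    cfg["db_path"] = f"{VOLUME}/{DB_FILE}"
    return cfg


# Constructed sample: a trimmed config.json with the keys this example touches.
SAMPLE = {
    "admin_server": {"listen_url": "0.0.0.0:3333", "trusted_origins": []},
    "phish_server": {"listen_url": "0.0.0.0:80"},
    "db_name": "sqlite3",
    "db_path": "gophish.db",
}

if __name__ == "__main__":
    env = {"RAILWAY_PUBLIC_DOMAIN": "your-app.up.railway.app"}
    print(json.dumps(render_config(SAMPLE, env), indent=2))
```

Before the domain exists the rendered list is empty, and a value carrying a scheme or wildcard is rejected instead of being trusted.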
Two-Redeploy Requirement: After domain generation, trigger two redeployments so that the configuration is applied correctly.
Setup Guide
Step 1: Deploy to Railway
Click the "Deploy on Railway" button and wait for initial deployment to complete. Railway will automatically configure a volume at /opt/gophish/data.
Step 2: Configure Networking (TWO Ports Required)
Port 80 - Public Domain for Campaigns:
- Go to your service in Railway
- Click Settings > Networking
- Click Generate Domain
- Enter port: 80
- Click Generate
- You'll get: https://your-app.up.railway.app
- ✅ Save this URL - use it in your phishing campaigns
Port 3333 - TCP Proxy for Admin:
- In the same Networking section, click "Add TCP Proxy"
- Railway will show a port configuration with :3333
- Click on the :3333 box to see your unique proxy address
- You'll get something like: shinkansen.proxy.rlwy.net:17008 (yours will be different!)
- ✅ Save this address - use it to access admin interface
Step 3: Redeploy Twice
Railway needs two redeployments to apply configuration properly:
First Redeploy:
- Go to Settings tab
- Trigger a redeploy (edit any variable or use redeploy option)
- Wait for deployment to complete
Second Redeploy (Critical!):
- Go to Deployments tab
- Right-click on the latest deployment
- Click Redeploy
- Wait for deployment to complete
Step 4: Get Your Admin Password
After the second redeploy, check your deployment logs:
- Go to Deployments tab
- Click on the latest deployment
- Look for these lines in the logs:
=================================
FIRST START - NEW DATABASE
Admin credentials will appear in next logs
Username: admin
=================================
Please login with the username admin and the password [RANDOM_PASSWORD]
- Copy the password immediately - it only appears once!
Note: If you see EXISTING DATABASE DETECTED instead, you need to delete the volume and redeploy (see troubleshooting in full documentation).
Step 5: Access Admin Interface
- Open your browser
- Go to the TCP proxy address from Step 2 (e.g., http://shinkansen.proxy.rlwy.net:17008)
- Login with:
  - Username: admin
  - Password: (from logs in Step 4)
Step 6: Secure Your Account
Immediately after first login:
- Go to Settings (gear icon) > Account Settings
- Change your password to something secure
- Click Update Account
Your setup is now complete! All future redeployments will preserve your data.
Step 7: Start Creating Campaigns
Use your campaign URL from Step 2 (the https://your-app.up.railway.app domain) when creating phishing campaigns in Gophish.
For SMTP configuration and campaign creation, see the full documentation.
Why Deploy Gophish on Railway?
Railway is a singular platform to deploy your infrastructure stack. Railway will host your infrastructure so you don't have to deal with configuration, while allowing you to vertically and horizontally scale it.
By deploying Gophish on Railway, you get:
- Zero-config persistence with automatic volume mounting
- Instant HTTPS with Railway-managed certificates
- Automatic domain generation without DNS configuration
- Simple scaling as your training campaigns grow
- Cost-effective hosting with Railway's free tier for testing
Host your security training infrastructure alongside your servers, databases, and applications on Railway.
Need Help? Check the full documentation for troubleshooting, SMTP setup, and best practices.
Template Content
railway-gophish-persistent-storage
mcmxcii-ldn/railway-gophish-persistent-storage