Coolify vs Dokploy: Which Self-Hosted PaaS for Your VPS?
A security-aware comparison of Coolify and Dokploy with real resource numbers, licensing analysis, and a decision framework based on your VPS size and use case.
Coolify and Dokploy both promise a Heroku-like experience on your own server. Both handle git-push deployments, automatic SSL, and database provisioning. But they differ sharply in resource overhead, security history, licensing terms, and architecture. This guide breaks down where each one fits and when you should skip both entirely.
What does a self-hosted PaaS do that Docker Compose does not?
A self-hosted PaaS adds a web dashboard, automatic SSL certificate management, git-push deployments, database provisioning through a UI, and deployment rollbacks on top of Docker. It replaces the manual work of writing Compose files, configuring a reverse proxy, and setting up Let's Encrypt.
If you already have a working docker-compose.yml and a reverse proxy like Traefik or Caddy, a PaaS may add overhead without adding value. PaaS tools make sense when you deploy multiple apps frequently, want a dashboard for non-terminal users, or need one-click marketplace installs.
The trade-off is always resource overhead. Both Coolify and Dokploy run their own containers (web UI, database, proxy, workers) that consume RAM and CPU before your first app is deployed.
Traefik vs Caddy vs Nginx: Docker Reverse Proxy Compared
How much RAM do Coolify and Dokploy use on a VPS?
Coolify's platform overhead runs 500MB to 1.2GB RAM at idle, depending on whether monitoring is enabled. Dokploy uses approximately 350MB at idle. On a 4GB VPS, this difference determines how many apps you can actually run.
Here is what remains for your applications after each platform takes its share:
| VPS RAM | Coolify overhead | Available for apps | Dokploy overhead | Available for apps | No PaaS (Compose + Traefik) |
|---|---|---|---|---|---|
| 4 GB | ~750MB-1.2GB | 2.8-3.2 GB | ~350MB | 3.6 GB | ~3.8 GB |
| 8 GB | ~750MB-1.2GB | 6.8-7.2 GB | ~350MB | 7.6 GB | ~7.8 GB |
| 16 GB | ~750MB-1.2GB | 14.8-15.2 GB | ~350MB | 15.6 GB | ~15.8 GB |
CPU usage follows a similar pattern. Dokploy idles at 0.8-1.5% CPU. Coolify idles at 5-7%, spiking to 25% when its built-in metrics collection runs. On a 4-core VPS, that Coolify baseline equals half a core doing nothing useful.
These numbers come from multiple independent benchmarks. Your mileage will vary based on the number of deployed services, enabled features, and whether you run Coolify's monitoring stack.
Docker Compose Resource Limits, Healthchecks, and Restart Policies
Coolify: features and trade-offs
Coolify (v4.0.0-beta.468 as of March 2026) is the more mature project with 51,000+ GitHub stars. It provides a full-featured deployment platform with a large one-click application marketplace (280+ services).
What Coolify does well:
- One-click marketplace. Deploy databases, monitoring stacks, CMS platforms, and more from a catalog. Useful for indie hackers who want Plausible, Umami, or Ghost running in minutes.
- Multi-server management. Connect multiple VPS instances to a single Coolify dashboard. Each server is managed independently (no clustering).
- Cloudflare Tunnel integration. Built-in support for exposing services through Cloudflare without opening ports.
- Notification channels. Discord, Telegram, Slack, and email alerts for deployment events.
- Full Apache 2.0 license. No feature restrictions based on licensing. Everything in the repository is open source.
Where Coolify falls short:
- Resource appetite. The 500MB-1.2GB RAM overhead is significant on smaller VPS instances. Enabling metrics makes it worse.
- Complex architecture. Coolify runs multiple containers (Laravel app, PostgreSQL, Redis, Soketi websocket server, workers). More moving parts means more potential failure points.
- Security track record. See the next section.
What security vulnerabilities has Coolify had?
In January 2026, researchers disclosed 11 security vulnerabilities in Coolify. Three carried CVSS 10.0 scores, the maximum possible severity. This is the most significant security event in the self-hosted PaaS space to date.
The vulnerabilities came from two independent research efforts:
First batch (patched in v4.0.0-beta.374):
- CVE-2025-22612 (CVSS 10.0): Any authenticated user could retrieve private keys in plaintext, enabling remote code execution on managed servers.
- CVE-2025-22609 (CVSS 10.0): Any authenticated user could attach existing private keys to their own server configuration, then execute arbitrary commands on victim servers through the Terminal feature.
- CVE-2025-22611 (CVSS 9.9): Privilege escalation to full administrative control.
Second batch (discovered by Aikido Security, 7 CVEs including):
- CVE-2025-64419: Command injection via Docker Compose configuration.
- CVE-2025-64424: Command injection via Git configuration.
- CVE-2025-64420: Root SSH key exposure to low-privileged users.
Censys reported approximately 52,000 exposed Coolify instances at the time of disclosure. Most were in Germany (15,000), the US (9,800), and France (8,000).
All vulnerabilities have been patched. If you run Coolify, update to at least v4.0.0-beta.374 and restrict dashboard access to trusted networks. Do not expose the Coolify UI to the public internet without IP allowlisting or a VPN.
What this means for your decision: Coolify's architecture is more complex, which increases attack surface. The vulnerabilities were in core functionality (database backups, SSH key management, Docker Compose handling), not edge-case features. Dokploy's simpler architecture has not had comparable disclosures, though absence of known CVEs does not prove absence of vulnerabilities.
Dokploy: features and trade-offs
Dokploy (v0.28.8 as of March 2026) is the newer project with 31,000+ GitHub stars and the fastest growth rate in the self-hosted PaaS space.
What Dokploy does well:
- Low resource footprint. ~350MB RAM and <1% CPU at idle. On a 4GB VPS, this leaves meaningfully more headroom for actual workloads.
- Docker-native architecture. Dokploy works with Docker Compose natively. If you already have Compose files, Dokploy deploys them as-is rather than wrapping them in its own abstraction.
- Docker Swarm multi-server. Native Swarm integration for clustering across nodes with automatic load balancing. This is true orchestration, not just managing independent servers from one dashboard.
- Traefik integration. Ships with Traefik for routing and automatic SSL. Supports Traefik v3.5.0 as of v0.25.0.
- REST API and CLI. First-class CI/CD integration for automated deployments.
Where Dokploy falls short:
- Smaller app marketplace. Fewer one-click templates compared to Coolify's 280+ catalog.
- Younger project. Less battle-tested in production. Fewer community resources and tutorials available.
- Licensing complexity. See below.
What are the licensing differences between Coolify and Dokploy?
Coolify uses a straightforward Apache 2.0 license for its entire codebase. You can use, modify, and distribute it commercially without restrictions.
Dokploy's licensing is more complicated. The core codebase uses Apache 2.0, but content under /proprietary directories falls under a separate proprietary license. Commercial distribution of Dokploy is restricted without a separate agreement from Dokploy Technology, Inc.
The community has raised concerns about this mixed model. The Dokploy team has acknowledged the confusion and announced plans to move to a clearer open-core or dual-licensing model with a "Dokploy Source Available License."
What this means for you:
- Personal projects and internal tooling: Both are fine. The licensing distinction rarely matters if you are deploying your own apps on your own server.
- Building a hosting business: Coolify's Apache 2.0 gives you clear legal ground. Dokploy's terms prohibit commercial distribution without a separate agreement.
- Contributing code: Both accept contributions, but code contributed to Dokploy's proprietary directories may be governed by different terms.
If licensing clarity matters to your organization, Coolify is the safer choice today.
Side-by-side comparison
| Feature | Coolify | Dokploy |
|---|---|---|
| Idle RAM | 500MB-1.2GB | ~350MB |
| Idle CPU | 5-7% | 0.8-1.5% |
| Deployment sources | Git (GitHub, GitLab, Bitbucket), Docker images, Compose | Git (GitHub, GitLab, Bitbucket, Gitea, more), Docker images, Compose |
| One-click apps | 280+ marketplace | Smaller catalog |
| SSL automation | Let's Encrypt via built-in proxy | Let's Encrypt via Traefik |
| Database support | PostgreSQL, MySQL, MariaDB, MongoDB, Redis, ClickHouse, KeyDB | PostgreSQL, MySQL, MariaDB, MongoDB, Redis |
| Scheduled backups | Yes, with S3-compatible destinations | Yes, external storage |
| Multi-server | Dashboard manages independent servers | Docker Swarm clustering with load balancing |
| Monitoring | Built-in (high CPU cost) | Built-in with Gotify integration |
| Notifications | Discord, Telegram, Slack, email | Discord, Telegram, Slack, email |
| License | Apache 2.0 (full) | Apache 2.0 + proprietary directories |
| Known CVEs (2025-2026) | 11 (3x CVSS 10.0) | None publicly disclosed |
| GitHub stars | 51,000+ | 31,000+ |
| Current version | v4.0.0-beta.468 | v0.28.8 |
Does Dokploy support multi-server deployments?
Yes. Dokploy uses Docker Swarm natively for multi-server deployments. You add worker nodes to the Swarm, and Dokploy handles service scheduling, load balancing, and networking across nodes automatically.
Coolify also supports multi-server setups, but the architecture is different. Coolify manages each server independently from a central dashboard. There is no clustering or automatic load balancing between servers. You configure routing manually with Nginx or Traefik.
For teams scaling beyond a single VPS, Dokploy's Swarm integration is operationally simpler. You get automatic failover and load distribution without additional configuration. Coolify's approach gives you more control but requires more manual work.
Which self-hosted PaaS is better for a small 4GB VPS?
On a 4GB VPS, Dokploy is the better choice. Its ~350MB overhead leaves 3.6GB for your applications. Coolify's 750MB-1.2GB overhead leaves only 2.8-3.2GB, which gets tight once you run a database and two or three application containers.
Here is a decision framework based on your situation:
Use Dokploy when:
- Your VPS has 4-8GB RAM and every megabyte matters
- You already work with Docker Compose and want to keep that workflow
- You need real multi-server clustering with Docker Swarm
- You want the lowest possible idle resource consumption
- You are deploying your own apps (not running a hosting business)
Use Coolify when:
- Your VPS has 8GB+ RAM and the overhead is negligible
- You want the 280+ one-click application marketplace
- You need Cloudflare Tunnel integration
- You care about full Apache 2.0 licensing with no proprietary components
- You have a team that benefits from the organizational model (Teams > Projects > Environments)
Use neither (Docker Compose + reverse proxy) when:
- You run 1-3 apps that rarely change
- You already have working Compose files
- You are comfortable with the terminal and do not need a web UI
- You want the absolute minimum resource overhead
- Your VPS has 2-4GB RAM and cannot spare anything for a platform layer
Docker in Production on a VPS: What Breaks and How to Fix It
When should you skip a PaaS and use Docker Compose instead?
If your stack is a single docker-compose.yml with a web app, a database, and maybe a cache, you do not need a PaaS. A reverse proxy like Traefik or Caddy handles SSL automatically. Watchtower or a cron job handles image updates. That is three containers instead of the 6-10 that Coolify or Dokploy run internally.
The PaaS value proposition kicks in when:
- You deploy new services weekly or more often
- Multiple people need to trigger deployments without SSH access
- You manage more than one server from a single interface
- You want database provisioning and backup scheduling through a UI
If none of those apply, a PaaS adds complexity and resource overhead for little benefit. Start with Docker Compose and add a PaaS later if you outgrow the manual workflow.
Traefik vs Caddy vs Nginx: Docker Reverse Proxy Compared
What about CapRover, Dokku, and Kamal?
These are worth mentioning but serve different niches:
- CapRover (14,000+ stars) uses Docker Swarm and has been around since 2017. Development has slowed. Resource usage is moderate (~300-400MB RAM). Limited Docker Compose support makes it less flexible for complex stacks.
- Dokku is the closest to a true Heroku clone with buildpack support. Single-server only. Best for developers who want
git pushdeploys and nothing else. - Kamal takes a fundamentally different approach: it runs on your laptop or CI runner, not on the server. Zero server-side overhead. Requires comfort with YAML configuration and handles deployment only (no database provisioning UI, no dashboard). Built by the Rails team at 37signals.
None of these match Coolify or Dokploy for the combination of web UI, database management, and multi-app deployment on a VPS.
The bottom line
Dokploy wins on resource efficiency, Docker-native workflow, and multi-server clustering. Coolify wins on marketplace breadth, licensing clarity, and feature depth. Both carry trade-offs that matter.
If security weighs heavily in your decision, Coolify's 11 CVEs in January 2026 are a data point, not a disqualifier. The vulnerabilities were patched. But the pattern (command injection in core features, private key exposure) reflects architectural complexity that simpler tools avoid. Keep Coolify updated and never expose its dashboard to the public internet.
If you are starting fresh on a small VPS, start with Dokploy. If you need the marketplace or care about license purity, go with Coolify on a larger instance. If your deployment workflow is already working with Compose and a reverse proxy, skip both.
Self-Host Apps on a VPS: Architecture, RAM Usage, and What to Deploy First
Ready to try it yourself?
Deploy your self-hosted apps on a VPS with full control. →