doable-server — Features Overview
A privacy-first analytics and SEO gateway for self-hosted sites.
doable-server is one binary that does three things well: it serves your sites as a reverse proxy, it measures the traffic respectfully, and it tells you what the numbers mean. Cookie consent, IP minimization, nightly AI analysis, and Google Search Console all live in the same dashboard.
Last updated for v2.9.2.
Three pillars
1. Analytics — respectful by default
Server-side analytics from the proxy plus an optional 5 KB JS tracker.
Built-in GDPR consent banner, proxy IPs pseudonymized to /24 by default
and zero-fetched when consent is declined. DNT: 1 is honored as a
fallback.
- Browser-side: doable-tracker (JS) —
~3.4 KB gzipped, consent-aware,doable('revoke')to opt out. - Server-side: doable-sdk (Python) — batched, backend-friendly.
- Retention you control: access logs 90 d, daily analytics 2 y, consent logs 7 y (all config vars).
2. AI Insights — on your own hardware
Daily Ollama-powered analysis, cache-first dashboard reads, deterministic significant-finding alerts to route/project owners.
- Runs nightly at 04:00 (
doable-ai-insightsPM2 process). - History preserved per
(source, timeframe)for 365 d. - Owner emails (English + Swedish) fire when traffic drops <70 %, spikes
200 %, error rate crosses 1 %→5 %, P95 doubles past 500 ms, or a new 100-hit AI bot / scraper appears.
- Per-user opt-out at
/dashboard/settings. - Data never leaves the server — no cloud LLM calls.
3. Search — native GSC integration
Google Search Console data daily, right next to your traffic. No OAuth dance — users add one service-account email to their GSC property.
- Clicks / impressions / CTR / avg. position KPIs, top queries, top pages, device + country breakdowns.
- Sync runs at 04:00 (
doable-gsc-syncPM2 process, isolated from AI Insights so one failure doesn't starve the other). - After 3 consecutive failures, the integration flips to
error, the dashboard flags it, and adoable_gsc_sync_failedemail goes to owners.
What makes it different
| Capability | doable-server | GA4 | Matomo | Plausible | Ahrefs |
|---|---|---|---|---|---|
| Self-hosted | ✅ | ❌ | ✅ | ◑ (hosted default) | ❌ |
| Built-in consent banner | ✅ | ❌ (needs CMP) | ◑ (plugin) | ◑ (cookie-less) | — |
| Privacy-minimized proxy logs | ✅ IP truncation, DNT honored |
❌ | ◑ (configurable) | ✅ | — |
| AI-powered insights | ✅ local Ollama | ❌ | ❌ | ❌ | ◑ cloud-only |
| Google Search Console integration | ✅ service-account | ✅ (via Looker) | ◑ (plugin) | ◑ (hosted) | ✅ (SEO tool) |
| Reverse proxy / site hosting | ✅ | ❌ | ❌ | ❌ | ❌ |
| Tracker size | 5 KB | ~50 KB | ~25 KB | 1 KB | — |
| Raw event data stays on your box | ✅ | ❌ | ✅ | depends | — |
Ahrefs and SEMrush are SEO tools (not analytics); they are complementary rather than alternatives. The comparison above is accurate as of v2.9.2 and will drift — treat it as a point-in-time snapshot, not a commitment.
Deployment modes
Tracker-only — for any existing site
Create a tracking project, copy the embed snippet, drop it into your site. Ideal when doable-server doesn't proxy your traffic but you still want the dashboard, consent banner, AI analysis, and GSC in one place.
See Quickstart — Add analytics to an existing site.
Full proxy mode — for managed sites
Add a route, configure Apache, point DNS. Visitor traffic is proxied through doable-server and logged server-side; the JS tracker is optional. Gives you server-side IP pseudonymization, per-route auth, JWT injection, path blocking, and health monitoring.
See Quickstart — Host a site through doable-server.
GSC attach
Works on either mode. One email-paste per property, no OAuth.
See Quickstart — Connect Google Search Console.
Getting started
Three paths, each five steps or fewer:
- Add analytics to an existing external site → Quickstart § 1
- Host a site through doable-server → Quickstart § 2
- Connect Google Search Console → Quickstart § 3
Once you're in, the admin Integrations overview is the single place to see which resources have which capabilities enabled and spot anything that needs attention.
Privacy posture
| Concern | Default | Opt-out / override |
|---|---|---|
| Proxy IP logging | Truncated to /24 |
PROXY_IP_TRUNCATE=false |
| Visitor consent (browser) | Banner shown if the tracking project requires it | doable('revoke') from JS |
| Visitor consent (proxy log) | Declined / DNT → no detailed logging | Route.require_consent_proxy column |
| AI analysis | Runs locally, data stays on the server | AI_INSIGHTS_ENABLED=false or per-user opt-out |
| GSC data | Aggregate only (no per-visitor info) | Disconnect removes data after 30 d retention |
| Retention — access logs | 90 days | ACCESS_LOG_RETENTION_DAYS |
| Retention — daily analytics | 730 days | ANALYTICS_RETENTION_DAYS |
| Retention — consent logs | 2555 days (7 y, audit trail) | CONSENT_LOG_RETENTION_DAYS |
| Retention — AI insight runs | 365 days | AI_INSIGHTS_RETENTION_DAYS |
| Retention — GSC daily tables | 730 days | GSC_RETENTION_DAYS |
See the GDPR compliance notes for the full privacy story, including the subject-access-request flow.
Roadmap (directional, not committed)
- User-facing self-service for GSC and AI Insights — today the GSC connect wizard is admin-only; bringing it to the user dashboard closes the "one-email setup, no OAuth" promise for non-admin site owners.
- Per-resource AI Insights toggle — enable/disable nightly analysis on specific routes or tracking projects, not just globally.
- Interactive onboarding tour — a guided tour on top of the existing first-run checklist.
- Branded email design — unified branding across all owner-alert emails (insights, GSC failures, consent confirmations).
- A11y audit — dedicated review with testing.
Where to go next
- Quickstart — three onboarding paths, each ≤ 5 steps.
- GDPR compliance notes — what we store, how long, and what your visitors can request.
- About — the product thesis, in one page.