This guide is the final part of a miniseries on how to easily set up a fully functioning FoundryVTT on your Raspberry Pi.
By now we already have FoundryVTT working in our home environment. Now we’re going to up our game: we’ll use Nginx as our reverse-proxy server, and Cloudflare and Certbot to secure the connection to our FoundryVTT.
Hope this guide helps!
Ok, so we’re freshly logged in to our Raspberry Pi.
I’ve got this habit of checking if everything is up to date:
sudo apt update && sudo apt upgrade
Fine, so what we’ll try to accomplish here is installing Nginx as a reverse proxy and pointing traffic to our Foundry server.
Then we will do a little bit of configuration of FoundryVTT itself, and we will use Certbot together with Nginx and Cloudflare to secure connections to our server with SSL.
The first thing we need to do is install Nginx on our Raspberry Pi.
sudo apt install nginx
Once it’s installed, we’ll create a configuration file for our domain, in my case helping.ninja.
By convention, name the file after your domain, like this:
sudo vim /etc/nginx/sites-available/helping.ninja.conf #use your domain
And put something like this inside:
# HTTP -> HTTPS
server {
    listen 80;
    listen [::]:80; # this thing in brackets is there for ipv6 addresses
    server_name *.yourdomain.com yourdomain.com;
    return 301 https://$host$request_uri;
}

# foundry
server {
    # Enter your fully qualified domain name or leave blank
    server_name yourfoundry.yourdomain.com;

    # Listen on port 443; Certbot takes care of the SSL configuration in a later step
    listen 443;

    # Sets the Max Upload size to 300 MB
    client_max_body_size 300M;
    default_type application/octet-stream;

    # Proxy Requests to Foundry VTT
    location / {
        # Set proxy headers
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;

        # These are important to support WebSockets
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "Upgrade";

        # Make sure to set your Foundry VTT port number
        proxy_pass http://localhost:30000;
    }
}
And that’s basically enough for now. You don’t need to understand everything in it. Just make sure to look through it and replace yourfoundry and yourdomain with your actual domain or subdomain names.
Save the file and exit the editor.
Once this is done, let’s head to the FoundryVTT options file:
sudo nano ~/share/foundrydata/Config/options.json
and change these lines:
"hostname": "foundry.yourdomain.tld",
"proxySSL": true,
"proxyPort": 443,
One thing to mention before we proceed: you need to have ports 80 (for HTTP) and 443 (for HTTPS) forwarded to your Raspberry Pi in your home network setup, so that requests from the outside internet can reach it.
But there are so many possible network configurations I won’t even try to dig into it here – try to figure it out on your own, ask a tech-savvy friend or drop a “call for help” here in the comments section. Maybe I or someone else would be able to point you in the right direction.
So now let’s get to Cloudflare, which I use as a DNS provider. Its DNS service is free and secure. Add your domain there or use your favorite DNS provider, but for the sake of this tutorial I’ll assume that you are using Cloudflare as I am.
Create your domain there or open one you already have there.
Go into the domain configuration. I’ll assume your DNS is already pointing to your home and Raspberry Pi.
What we need here is a token that we will use to edit the DNS zone in Cloudflare.
Scroll a little bit down and click “Get your API token”.
Hit Create Token and use a template named Edit zone DNS.
Check the permissions. They need to be Zone -> DNS -> Edit, and the token should be limited to this domain: “include > specific zone > yourdomain.com”.
If you want more security you can specify from which IP addresses this token can be used.
Hit “Continue to the summary”.
Don’t forget to copy your token somewhere safe so we can use it later on.
As a next step, we’re going to create a .secrets folder in our home directory:
mkdir ~/.secrets
cd ~/.secrets
mkdir certbot
cd certbot
and here we’re going to create the file cloudflare.ini, in which we will save our Cloudflare API token.
nano cloudflare.ini
and paste your token here:
# of course replace this string with your actual API token from Cloudflare
dns_cloudflare_api_token = 0123456789abcdef0123456789abcdef01234567
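Assuming the usual default umask of 022, the mkdir and nano steps above leave both the directory and cloudflare.ini readable by every local user, and Certbot’s Cloudflare plugin warns about unsafe permissions on such a credentials file. The following added example (not part of the original guide; the function names are made up here) restricts both to the owner and audits the result:

```shell
# Added example (not from the original guide): restrict and audit the token file.

# Print the six group/other permission characters of a path, e.g. "r--r--".
group_other_bits() { ls -ld "$1" | cut -c5-10; }

# Succeed only if neither group nor others have any access to the path.
is_private() { [ "$(group_other_bits "$1")" = "------" ]; }

# Owner-only access: 700 on the directory, 600 on the credentials file.
harden_secret() { chmod 700 "$1" && chmod 600 "$2"; }

# Print one WARN line per problem; return non-zero if any is found.
audit_secret() {
    dir=$1; file=$2; rc=0
    is_private "$dir"  || { echo "WARN: $dir is accessible to group/others"; rc=1; }
    is_private "$file" || { echo "WARN: $file is accessible to group/others"; rc=1; }
    grep -Eq '^dns_cloudflare_api_token[[:space:]]*=[[:space:]]*[^[:space:]#]' "$file" ||
        { echo "WARN: no dns_cloudflare_api_token value in $file"; rc=1; }
    return $rc
}

# Usage with the paths from this guide:
#   harden_secret ~/.secrets/certbot ~/.secrets/certbot/cloudflare.ini
#   audit_secret  ~/.secrets/certbot ~/.secrets/certbot/cloudflare.ini
```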
The next thing we’re going to do is install Certbot. To do that we need to install snapd, a software packaging system developed by Canonical.
sudo apt install snapd
Now we’re going to use snap to install the core package
sudo snap install core
sudo snap refresh core # this command updates core
Install Certbot itself
sudo snap install --classic certbot
Create a symbolic link to the Certbot binary so we can call it directly
sudo ln -s /snap/bin/certbot /usr/bin/certbot
Run this command to acknowledge that the installed plugin will have the same classic containment as the Certbot snap
sudo snap set certbot trust-plugin-with-root=ok
Don’t forget to enable your site in Nginx configuration
sudo ln -s /etc/nginx/sites-available/yourdomain.tld.conf /etc/nginx/sites-enabled/yourdomain.tld.conf
And of course, we want to make our life simpler – so we want to enable Certbot to work directly with Cloudflare DNS service.
We’re going to install one more plugin
sudo snap install certbot-dns-cloudflare
We are ready to make Certbot take care of our Nginx’s HTTPS or SSL configuration.
sudo certbot -i nginx --dns-cloudflare --dns-cloudflare-credentials ~/.secrets/certbot/cloudflare.ini -d "yourdomain.tld" -d "*.yourdomain.tld"
Great. If you see the Congratulations message, you have successfully enabled HTTPS on your Foundry server.
You can check what happened automatically:
sudo nano /etc/nginx/sites-enabled/helping.ninja.conf
Everything that was touched by Certbot has this “# managed by Certbot” message at the end of the line. You can go through it if you want to.
To be on the safe side, let’s check that the Nginx configuration file is OK.
sudo nginx -t
If everything is OK, reload your Nginx configuration
sudo service nginx reload
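nginx -t only checks syntax, so a site file whose “listen 443;” never received the ssl parameter passes it and then answers plain HTTP on port 443. The added example below (not from the original guide; the function names and the constructed sample are assumptions) checks the file for the directives this tutorial relies on:

```shell
# Added example (not from the original guide): lint the site file after Certbot ran.

# Drop comments so "# managed by Certbot" markers do not affect matching.
strip_comments() { sed 's/#.*$//' "$1"; }

# Count "listen" directives on port 443 that lack the "ssl" parameter.
plain_443_listeners() {
    strip_comments "$1" | awk '$1 == "listen" {
        p = 0; s = 0
        for (i = 2; i <= NF; i++) {
            f = $i; sub(/;$/, "", f)
            if (f == "443" || f ~ /:443$/) p = 1
            if (f == "ssl") s = 1
        }
        if (p && !s) n++
    } END { print n + 0 }'
}

# Print one FAIL line per problem; return non-zero if any check fails.
check_site() {
    conf=$1; rc=0
    [ "$(plain_443_listeners "$conf")" -eq 0 ] ||
        { echo "FAIL: listen 443 without ssl (plain HTTP on the HTTPS port)"; rc=1; }
    for d in ssl_certificate ssl_certificate_key; do
        strip_comments "$conf" | grep -Eq "^[[:space:]]*$d[[:space:]]+[^;]+;" ||
            { echo "FAIL: missing $d"; rc=1; }
    done
    strip_comments "$conf" | grep -Eq 'return[[:space:]]+301[[:space:]]+https://' ||
        { echo "FAIL: no HTTP to HTTPS redirect"; rc=1; }
    strip_comments "$conf" | grep -Eq 'proxy_set_header[[:space:]]+Upgrade[[:space:]]' ||
        { echo "FAIL: WebSocket Upgrade header is not proxied"; rc=1; }
    return $rc
}

# Constructed sample of a TLS-enabled site file; EXAMPLE paths are placeholders.
sample_after() { cat <<'EOF'
server { listen 80; return 301 https://$host$request_uri; }
server {
    server_name yourfoundry.yourdomain.com;
    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/EXAMPLE/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/EXAMPLE/privkey.pem; # managed by Certbot
    location / { proxy_set_header Upgrade $http_upgrade; proxy_pass http://localhost:30000; }
}
EOF
}

# Usage: check_site /etc/nginx/sites-enabled/yourdomain.tld.conf
```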
One thing to say before we get to our grand finale is that if you’re trying to connect to Foundry from inside your home network – you need to set up your DNS right and point your domain to your Raspberry Pi in your home network.
I’ve done this on my home router. I’ve set my subdomain dnd.helping.ninja to point to the correct IP address of my Raspberry Pi.
I can’t go any deeper into this because there are almost endless ways your home network could be set up and there are a plethora of devices you might be using. It’s simply impossible for me to cover every scenario here.
The simple but crude way around this is to edit the “hosts” file on your current computer.
If you’re clueless about how to do it, I’ll post some links in the description below, or, you know, just Google it.
That’s it, let’s head to our browser and put in the domain name. In my case dnd.helping.ninja.
You see it was redirected to HTTPS, and the padlock icon in the address bar of your browser means your webpage is using a new certificate verified by the Let’s Encrypt authority.
That’s exactly what we were shooting for in this tutorial.
That’s it for today.
Hope it helped!