FoundryVTT


security? yes, please!


The Problem

Since last year I've been hosting a FoundryVTT instance for our regular DnD sessions. In FoundryVTT you have the option to set up an individual username and password for each member.

[Image: foundry_login]

As I know my way around the IT world relatively well, I knew the passwords would be relatively easy to guess if the players had to choose them themselves. So I set a site-wide password with nginx and a .htpasswd file.

The Setup

Locate your nginx configuration file under /etc/nginx/sites-available/domain.com and add a new block for location /join:

location /join {
    proxy_pass http://127.0.0.1:30000;

    # Defines the HTTP protocol version for proxying;
    # by default it is set to 1.0.
    # For WebSockets and keepalive connections you need to use version 1.1.
    proxy_http_version 1.1;

    # Sets conditions under which the response will not be taken from a cache.
    proxy_cache_bypass $http_upgrade;

    # These header fields are required if your application is using WebSockets.
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection "upgrade";

    # The $host variable contains, in this order of precedence:
    # the hostname from the request line, the hostname from the Host request
    # header field, or the server name matching the request.
    proxy_set_header Host $host;

    # Forwards the real visitor remote IP address to the proxied server.
    proxy_set_header X-Real-IP $remote_addr;

    # A list containing the IP addresses of every server the client has been proxied through.
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

    # Tells the proxied server which scheme (http or https) the client used.
    proxy_set_header X-Forwarded-Proto $scheme;

    # Defines the original host requested by the client.
    proxy_set_header X-Forwarded-Host $host;

    # Defines the original port requested by the client.
    proxy_set_header X-Forwarded-Port $server_port;

    ### CHANGE ME ###

    # HTTP basic authentication for this location block only; requests to
    # paths outside /join are not covered by these two directives.
    auth_basic           "Member Area";
    auth_basic_user_file /home/YOUR_USERNAME/foundryvtt_server/htpasswd/.htpasswd;
}

Set the path in auth_basic_user_file /home/YOUR_USERNAME/foundryvtt_server/htpasswd/.htpasswd; to your own path, then generate a .htpasswd file with sudo htpasswd -c $HOME/foundryvtt_server/htpasswd/.htpasswd USERNAME, where USERNAME can be anything you want (-c creates the file and overwrites it if it already exists, so leave it out when adding further users later). Make sure you generate the file in the exact location that is set in the nginx config file.

Restart nginx with $ sudo systemctl restart nginx and open your website.

The Result

The website prompts you to authenticate.

[Image: foundry_login2]

The Troubleshooting

If you are getting an Error 500 or Error 403, check your nginx error.log:
$ sudo tail -f /var/log/nginx/error.log

The most common errors are either permission denied or nginx being unable to find the .htpasswd file. There are several options for fixing these errors:

$ sudo chmod 644 /home/USERNAME/foundryvtt_server/htpasswd/.htpasswd
$ sudo chmod 755 /home/USERNAME
$ sudo chmod 755 /home/USERNAME/foundryvtt_server
$ sudo chmod 755 /home/USERNAME/foundryvtt_server/htpasswd
$ sudo chown -R www-data:www-data /home/USERNAME/foundryvtt_server/htpasswd/.htpasswd

As a server admin you should know what those commands do, how to use them and which dangers come with typing them into your CLI.
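As an added example that is not part of the original post, the following POSIX shell script automates the check behind the troubleshooting above: it walks from the .htpasswd file up towards the filesystem root and reports any file that is not world-readable or directory that is not world-searchable, which are exactly the conditions the chmod 644 and chmod 755 commands establish for the nginx worker user. The function name check_htpasswd_path and its optional second argument (the directory at which to stop walking) are names chosen for this example, not nginx or FoundryVTT features. The script only reads permissions and changes nothing; a file readable solely by the worker user (for instance after the chown to www-data) would also work for nginx but is not what this script tests.

```shell
#!/bin/sh
# Added example (not from the original post): verify that an unprivileged
# nginx worker such as www-data can reach an auth_basic_user_file.
# Every ancestor directory needs the "other" execute (search) bit and the
# file itself needs the "other" read bit, matching the chmod 755 / chmod 644
# fixes in the post. check_htpasswd_path and STOP_DIR are names chosen here.

# Ten-character mode string such as "drwxr-xr-x"; works with any ls variant.
mode_string() {
    ls -ld "$1" | cut -c1-10
}

# check_htpasswd_path FILE [STOP_DIR]
# Prints each offending path and returns 1 if anything blocks access,
# 0 if the path is usable. Directories at or above STOP_DIR (default /)
# are not inspected.
check_htpasswd_path() {
    file="$1"
    stop="${2:-/}"
    rc=0

    if [ ! -f "$file" ]; then
        echo "missing: $file (nginx will log 'No such file or directory')"
        return 1
    fi

    # character 8 of the mode string is the "other" read bit
    case "$(mode_string "$file")" in
        ???????r*) ;;
        *) echo "not world-readable: $file (try: chmod 644 $file)"; rc=1 ;;
    esac

    # character 10 is the "other" execute bit; "t" means sticky plus execute
    dir=$(dirname "$file")
    while [ "$dir" != "$stop" ] && [ "$dir" != "/" ]; do
        case "$(mode_string "$dir")" in
            ?????????[xt]) ;;
            *) echo "not world-searchable: $dir (try: chmod 755 $dir)"; rc=1 ;;
        esac
        dir=$(dirname "$dir")
    done
    return "$rc"
}

# When run as a script with a path argument, check it and exit with the result.
if [ "$#" -gt 0 ]; then
    check_htpasswd_path "$@"
fi
```

Run it as sh check_htpasswd.sh /home/YOUR_USERNAME/foundryvtt_server/htpasswd/.htpasswd, apply the chmod commands it suggests, and validate the configuration with sudo nginx -t before restarting nginx so a typo in the location block does not take the site down.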

Enjoy your newly protected FoundryVTT instance.