<pclass="last">You are reading an old version of the Evennia documentation. <ahref="https://www.evennia.com/docs/latest/index.html">The latest version is here</a></p>.
<h1>Configuring NGINX for Evennia with SSL<aclass="headerlink"href="#configuring-nginx-for-evennia-with-ssl"title="Permalink to this headline">¶</a></h1>
<p><aclass="reference external"href="https://nginx.org/en/">Nginx</a> is a proxy server; you can put it between Evennia and the outside world to serve your game over encrypted connections. Another alternative is <aclass="reference internal"href="Config-HAProxy.html"><spanclass="doc std std-doc">HAProxy</span></a>.</p>
<blockquote>
<div><p>This is NOT a full set-up guide! It assumes you know how to get your own <codeclass="docutils literal notranslate"><spanclass="pre">Letsencrypt</span></code> certificates, that you already have nginx installed, and that you are familiar with Nginx configuration files. <strong>If you don’t already use nginx,</strong> you are probably better off using the <aclass="reference internal"href="Config-HAProxy.html"><spanclass="doc std std-doc">guide for using HAProxy</span></a> instead.</p>
</div></blockquote>
<sectionid="ssl-on-the-website-and-websocket">
<h2>SSL on the website and websocket<aclass="headerlink"href="#ssl-on-the-website-and-websocket"title="Permalink to this headline">¶</a></h2>
<p>Both the website and the websocket should be accessed through your normal HTTPS port, so they should be defined together.</p>
<p>For nginx, here is an example configuration, using Evennia’s default ports:</p>
<p>This proxies the websocket connection through the <codeclass="docutils literal notranslate"><spanclass="pre">/ws</span></code> location, and the root location to the website.</p>
<p>For Evennia, here is an example settings configuration that would go with the above nginx configuration, to go in your production server’s <codeclass="docutils literal notranslate"><spanclass="pre">server/conf/secret_settings.py</span></code></p>
<blockquote>
<div><p>The <codeclass="docutils literal notranslate"><spanclass="pre">secret_settings.py</span></code> file is not included in <codeclass="docutils literal notranslate"><spanclass="pre">git</span></code> commits and is to be used for secret stuff. Putting your production-only settings in this file allows you to continue using default access points for local development, making your life easier.</p>
<p>This makes sure that evennia uses the correct URI for websocket connections. Setting <codeclass="docutils literal notranslate"><spanclass="pre">LOCKDOWN_MODE</span></code> on will also prevents any external connections directly to Evennia’s ports, limiting it to connections through the nginx proxies.</p>
</section>
<sectionid="telnet-ssl">
<h2>Telnet SSL<aclass="headerlink"href="#telnet-ssl"title="Permalink to this headline">¶</a></h2>
<blockquote>
<div><p>This will proxy ALL telnet access through nginx! If you want players to connect directly to Evennia’s telnet ports instead of going through nginx, leave <codeclass="docutils literal notranslate"><spanclass="pre">LOCKDOWN_MODE</span></code> off and use a different SSL implementation, such as activating Evennia’s internal telnet SSL port (see <codeclass="docutils literal notranslate"><spanclass="pre">settings.SSL_ENABLED</span></code> and <codeclass="docutils literal notranslate"><spanclass="pre">settings.SSL_PORTS</span></code> in <aclass="reference internal"href="Settings-Default.html"><spanclass="doc std std-doc">default settings file</span></a>).</p>
</div></blockquote>
<p>If you’ve only used nginx for websites, telnet is slightly more complicated. You need to set up stream parameters in your primary configuration file - e.g. <codeclass="docutils literal notranslate"><spanclass="pre">/etc/nginx/nginx.conf</span></code> - which default installations typically will not include.</p>
<p>We chose to parallel the <codeclass="docutils literal notranslate"><spanclass="pre">http</span></code> structure for <codeclass="docutils literal notranslate"><spanclass="pre">stream</span></code>, adding conf files to <codeclass="docutils literal notranslate"><spanclass="pre">streams-available</span></code> and having them symlinked in <codeclass="docutils literal notranslate"><spanclass="pre">streams-enabled</span></code>, the same as other sites.</p>
<p>An example configuration file for the telnet connection - using an arbitrary external port of <codeclass="docutils literal notranslate"><spanclass="pre">4040</span></code> - would then be:</p>
<p>Players can now connect with telnet+SSL to your server at <codeclass="docutils literal notranslate"><spanclass="pre">example.com:4040</span></code> - but <em>not</em> to the internal connection of <codeclass="docutils literal notranslate"><spanclass="pre">4000</span></code>.</p>
<blockquote>
<div><p><em><strong>IMPORTANT: With this configuration, the default front page will be WRONG.</strong></em> You will need to change the <codeclass="docutils literal notranslate"><spanclass="pre">index.html</span></code> template and update the telnet section (NOT the telnet ssl section!) to display the correct information.</p>
</div></blockquote>
</section>
<sectionid="dont-forget">
<h2>Don’t Forget!<aclass="headerlink"href="#dont-forget"title="Permalink to this headline">¶</a></h2>
<p><codeclass="docutils literal notranslate"><spanclass="pre">certbot</span></code> will automatically renew your certificates for you, but nginx won’t see them without reloading. Make sure to set up a monthly cron job to reload your nginx service to avoid service interruptions due to expired certificates.</p>
<pclass="last">You are reading an old version of the Evennia documentation. <ahref="https://www.evennia.com/docs/latest/index.html">The latest version is here</a></p>.
