HAProxy Config (Optional)¶
Making Evennia, HTTPS and Secure Websockets play nicely together¶
This we can do by installing a proxy between Evennia and the outgoing ports of your server. Essentially, Evennia will think it’s only running locally (on localhost, IP 127.0.0.1) - the proxy will transparently map that to the “real” outgoing ports and handle HTTPS/WSS for us.
Evennia <-> (inside-visible IP/ports) <-> Proxy <-> (outside-visible IP/ports) <-> Internet
Here we will use HAProxy, an open-source proxy that is easy to set up and use. We will also be using LetsEncrypt, especially the excellent helper-program Certbot which pretty much automates the whole certificate setup process for us.
Before starting you also need the following:
(optional) The host name of your game (like
myawesomegame.com). This is something you must previously have purchased from a domain registrar and set up with DNS to point to the IP of your server.
If you don’t have a domain name or haven’t set it up yet, you must at least know the IP of your server. Find this with
ifconfigor similar from inside the server. If you use a hosting service like DigitalOcean you can also find the droplet’s IP address in the control panel.
You must open port 80 in your firewall. This is used by Certbot below to auto-renew certificates. So you can’t really run another webserver alongside this setup without tweaking.
You must open port 443 (HTTPS) in your firewall.
You must open port 4002 (the default Websocket port) in your firewall.
Certificates guarantee that you are you. Easiest is to get this with Letsencrypt and the Certbot program. Certbot has a lot of install instructions for various operating systems. Here’s for Debian/Ubuntu:
sudo apt install certbot
Make sure to stop Evennia and that no port-80 using service is running, then
sudo certbot certonly --standalone
You will get some questions you need to answer, such as an email to send certificate errors to and
the host name (or IP, supposedly) to use with this certificate. After this, the certificates will
end up in
/etc/letsencrypt/live/<your-host-or-ip>/*pem (example from Ubuntu). The critical files
for our purposes are
Certbot sets up a cron-job/systemd job to regularly renew the certificate. To check this works, try
sudo certbot renew --dry-run
The certificate is only valid for 3 months at a time, so make sure this test works (it requires port 80 to be open). Look up Certbot’s page for more help.
We are not quite done. HAProxy expects these two files to be one file.
sudo cp /etc/letsencrypt/live/<your-host-or-ip>/privkey.pem /etc/letsencrypt/live/<your-host-or- ip>/<yourhostname>.pem sudo bash -c "cat /etc/letsencrypt/live/<your-host-or-ip>/fullchain.pem >> /etc/letsencrypt/live/<your-host-or-ip>/<yourhostname>.pem"
This will create a new
.pem file by concatenating the two files together. The
file (or whatever you named it) is what we will use when the the HAProxy config file (below) asks
Installing and configuring HAProxy¶
Installing HaProxy is usually as simple as:
# Debian derivatives (Ubuntu, Mint etc) sudo apt install haproxy # Redhat derivatives (dnf instead of yum for very recent Fedora distros) sudo yum install haproxy
Configuration of HAProxy is done in a single file. Put this wherever you like, for example in your game dir; name it something like haproxy.conf.
Here is an example tested on Centos7 and Ubuntu. Make sure to change the file to put in your own values.
# base stuff to set up haproxy global log /dev/log local0 chroot /var/lib/haproxy maxconn 4000 user haproxy tune.ssl.default-dh-param 2048 ## uncomment this when everything works # daemon defaults mode http option forwardfor # Evennia Specifics listen evennia-https-website bind <ip-address-or-hostname>:<public-SSL-port--probably-443> ssl no-sslv3 no-tlsv10 crt /etc/letsencrypt/live/<your-host-or-ip>/<yourhostname>.pem server localhost 127.0.0.1:<evennia-web-port-probably-4001> timeout client 10m timeout server 10m timeout connect 5m listen evennia-secure-websocket bind <ip-address-or-hostname>:<wss-port--probably-4002> ssl no-sslv3 no-tlsv10 crt /etc/letsencrypt/live/<your-host-or-ip>/<yourhostname>.pem server localhost 127.0.0.1:<WEBSOCKET_CLIENT_PORT-probably-4002> timeout client 10m timeout server 10m timeout connect 5m
Putting it all together¶
Get back to the Evennia game dir and edit mygame/server/conf/settings.py. Add:
WEBSERVER_INTERFACES = ['127.0.0.1'] WEBSOCKET_CLIENT_INTERFACE = '127.0.0.1'
Make sure to reboot (stop + start) evennia completely:
Finally you start the proxy:
sudo haproxy -f /path/to/the/above/config_file.cfg
Make sure you can connect to your game from your browser and that you end up with an
and can use the websocket webclient.
Once everything works you may want to start the proxy automatically and in the background. Stop the
Ctrl-C and uncomment the line
# daemon in the config file, then start the proxy again
it will now start in the bacground.
You may also want to have the proxy start automatically; this you can do with
cron, the inbuilt
Linux mechanism for running things at specific times.
sudo crontab -e
Choose your editor and add a new line at the end of the crontab file that opens:
@reboot haproxy -f /path/to/the/above/config_file.cfg
Save the file and haproxy should start up automatically when you reboot the server.