Reverse proxy + TLS
The one-paste installer brings the panel up on plaintext :8080. Before you point users at it, put
a reverse proxy in front of it that terminates TLS.
Pick one. Replace <domain> with your real domain throughout.
Caddy is the simplest option — it obtains Let’s Encrypt certificates automatically the first time it serves a domain. No certbot, no manual renewal.
Install Caddy via your distro’s package manager, then replace /etc/caddy/Caddyfile with:
    <domain> {
        encode gzip zstd
        request_body {
            max_size 100MB
        }
        reverse_proxy 127.0.0.1:8080 {
            header_up Host {host}
            # {remote_host} is the client IP only; {remote} would also carry the source port
            header_up X-Real-IP {remote_host}
        }
    }

Reload:

    sudo systemctl reload caddy

That’s it — Caddy requests and installs the certificate on first request.
nginx

Issue a Let’s Encrypt certificate first:

    sudo apt install -y certbot   # or: sudo dnf install -y certbot
    sudo systemctl stop nginx
    sudo certbot certonly --standalone -d <domain>
    sudo systemctl start nginx

Then drop this config into /etc/nginx/sites-available/evodactyl.conf:
    server {
        listen 80;
        server_name <domain>;
        return 301 https://$server_name$request_uri;
    }

    server {
        listen 443 ssl http2;
        server_name <domain>;

        ssl_certificate     /etc/letsencrypt/live/<domain>/fullchain.pem;
        ssl_certificate_key /etc/letsencrypt/live/<domain>/privkey.pem;
        ssl_protocols       TLSv1.2 TLSv1.3;

        client_max_body_size 100m;
        client_body_timeout  120s;

        add_header X-Content-Type-Options nosniff;
        add_header X-Frame-Options DENY;
        add_header Referrer-Policy same-origin;

        location / {
            proxy_pass http://127.0.0.1:8080;
            proxy_http_version 1.1;
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection "upgrade";
            proxy_read_timeout 300s;
        }
    }

Enable and reload:
    sudo ln -s /etc/nginx/sites-available/evodactyl.conf /etc/nginx/sites-enabled/
    sudo nginx -t
    sudo systemctl reload nginx

Certbot installs a systemd timer that auto-renews every 12 hours. Add a deploy hook at /etc/letsencrypt/renewal-hooks/deploy/reload-nginx.sh so nginx picks up the new cert:

    #!/bin/sh
    systemctl reload nginx

Make it executable:

    sudo chmod +x /etc/letsencrypt/renewal-hooks/deploy/reload-nginx.sh

Apache

Issue a Let’s Encrypt certificate with certbot standalone first (same flow as the nginx tab), then enable the required modules and drop this vhost in:
    <VirtualHost *:80>
        ServerName <domain>
        Redirect permanent / https://<domain>/
    </VirtualHost>

    <VirtualHost *:443>
        ServerName <domain>

        SSLEngine on
        SSLCertificateFile    /etc/letsencrypt/live/<domain>/fullchain.pem
        SSLCertificateKeyFile /etc/letsencrypt/live/<domain>/privkey.pem

        ProxyPreserveHost On
        ProxyPass        / http://127.0.0.1:8080/
        ProxyPassReverse / http://127.0.0.1:8080/
        RequestHeader set X-Forwarded-Proto "https"

        # Websocket upgrade for the server console.
        RewriteEngine on
        RewriteCond %{HTTP:Upgrade} websocket [NC]
        RewriteCond %{HTTP:Connection} upgrade [NC]
        RewriteRule ^/?(.*) "ws://127.0.0.1:8080/$1" [P,L]
    </VirtualHost>

    sudo a2enmod proxy proxy_http proxy_wstunnel rewrite ssl headers
    sudo a2ensite evodactyl
    sudo systemctl reload apache2

Verify
    curl -fsSL https://<domain>/api/health
    # {"status":"ok"}

If you get {"status":"ok"} over HTTPS, you are done with the panel install. Next you need a Wings
node so the panel has somewhere to run game servers.
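
Beyond the health check, three things are worth confirming after any of the proxy setups above: port 80 redirects to HTTPS, the headers from the nginx config reach the client, and the plaintext :8080 listener is not reachable around the proxy. The script below is an added example, not part of the original page or the panel's own tooling; the function names are hypothetical, and whether the panel binds :8080 to loopback only is an assumption to confirm, not something this page states.

```shell
#!/bin/sh
# Added example, not part of the panel's installer. Each function reads command
# output on stdin, so it works on live output or on saved text:
#   curl -sI http://<domain>/  | redirects_to_https && echo "redirect ok"
#   curl -sI https://<domain>/ | missing_headers
#   ss -ltnH                   | exposed_panel_listeners

# Succeed if the response is a permanent redirect to an https:// URL.
# nginx and Apache above answer 301; Caddy's automatic redirect answers 308.
redirects_to_https() {
    resp=$(tr -d '\r' | tr '[:upper:]' '[:lower:]')
    printf '%s\n' "$resp" | head -n 1 | grep -Eq ' 30[18]( |$)' &&
        printf '%s\n' "$resp" | grep -q '^location: https://'
}

# Print the name of each header from the nginx config above that is missing
# or carries a different value. The Caddy and Apache configs on this page do
# not add these headers, so unless the panel sets them itself, expect all
# three names there.
missing_headers() {
    resp=$(tr -d '\r' | tr '[:upper:]' '[:lower:]' | sed 's/[[:space:]]*$//')
    for want in 'x-content-type-options: nosniff' \
                'x-frame-options: deny' \
                'referrer-policy: same-origin'; do
        printf '%s\n' "$resp" | grep -qxF "$want" || printf '%s\n' "${want%%:*}"
    done
}

# Print every local address where port 8080 listens on something other than
# loopback, which would let clients reach the plaintext panel around the proxy
# and supply their own X-Real-IP / X-Forwarded-For values.
exposed_panel_listeners() {
    awk '$4 ~ /:8080$/ && $4 !~ /^(127\.|\[::1\])/ { print $4 }'
}

# Constructed sample input (not captured from a real host).
printf '%s\n' 'LISTEN 0 511 127.0.0.1:8080 0.0.0.0:*' \
              'LISTEN 0 4096 0.0.0.0:8080 0.0.0.0:*' | exposed_panel_listeners
```

Any address printed by `exposed_panel_listeners` means the panel should be rebound to 127.0.0.1 or port 8080 firewalled before users are pointed at the domain.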