Nginx¶
If you do not want to expose pokemongo-map to the web directly or you want to place it under a prefix, follow this guide:
Assuming the following:
- You are running pokemongo-map on the default port 5000
- You’ve already made your machine available externally (for example, port forwarding)
Install nginx (I’m not walking you through that, google will assist) - http://nginx.org/en/linux_packages.html
In /etc/nginx/nginx.conf add the following before the last
}
include conf.d/pokemongo-map.conf;
Create a file /etc/nginx/conf.d/pokemongo-map.conf and place the following in it:
server { location /go/ { proxy_pass http://127.0.0.1:5000/; } }
You can now access it by http://yourip/go
Add a free SSL Certificate to your site:¶
https://certbot.eff.org/#debianjessie-nginx
For webroot configuration, simplest for this use, do the following:
- Edit your
/etc/nginx/conf.d/pokemongo-map.conf
- Add the following location block:
location /.well-known/acme-challenge { default_type "text/plain"; root /var/www/certbot; }
- Edit your
Create the root folder above
mkdir /var/www/certbot
Set your permissions for the folder
Run
certbot certonly -w /var/www/certbot -d yourdomain.something.com
Certificates last for 3 Months and can be renewed by running
certbot renew
Example Config¶
server {
listen 80;
server_name PokeMaps.yourdomain.com;
location /.well-known/acme-challenge {
default_type "text/plain";
root /var/www/certbot;
}
# Forces all other requests to HTTPS
location / {
return 301 https://$host$request_uri;
}
}
server {
listen 443 ssl http2;
server_name PokeMaps.yourdomain.com;
location /go/ {
proxy_pass http://127.0.0.1:5000/;
proxy_redirect off;
}
}
Adding simple httpd Authentication.¶
This will guide you through setting up simple HTTP Authentication using nginx and reverse proxy protocols. These instructions are written for someone using a Debian/Ubuntu VPS. Your enviroment may have slightly different requirements, however the concepts as a whole should still stand. This guide assumes you have nginx installed and running, and a conf.d/*.conf
file created, such as /etc/nginx/conf.d/pokemongo-map.conf
, as the example above provides, and that you’re running your service on port 5000, and want it to be accessable at http://your_ip/go/, although it supports other ports and locations.
*
denotes a wildcard, and will be used to stand for your site’s *.conf
file, please do not literally type sudo nano /etc/nginx/conf.d/*.conf
.
Create a .htpasswd file inside
/etc/nginx/
. Some suggested methods to create a .htpasswd file are below.Linux users can use the apache2-tools package to create the files.-First, get the apache2-utils package
sudo apt-get install apache2-utils
-Then run the htpasswd command
sudo htpasswd -c /etc/nginx/.htpasswd exampleuser
This will prompt you for a new password for user exampleuser. Remove the
-c
tag for additional entries to the file. Opening the file with a text exitor such as nano should show one line for each user, with an encrypted password following, in the format of user:pass.Manual generation of the file can be done using tools such as: http://www.htaccesstools.com/htpasswd-generator/. After manually generating the file, please place it in
/etc/nginx/
, or wherever your distro installsnginx.conf
and the rest of your config files.
Open your
*.conf
file with a text editor, with a command such assudo nano /etc/nginx/conf.d/pokemongo-map.conf
. Add the following two lines underneath the domain path.auth_basic "Restricted"; auth_basic_user_file /etc/nginx/.htpasswd;
If your
*.conf
file matches the example provided above, you should have the following.server { location /go/ { auth_basic "Restricted"; auth_basic_user_file /etc/nginx/.htpasswd; proxy_pass http://127.0.0.1:5000/; } }
Now, we’re going to go ahead and fill out the
*.conf
file with the rest of the information to make our service work, and shore up our nginx config, by appending the following between the authentication block and proxy_pass.proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto http; proxy_set_header Host $http_host; proxy_redirect off;
Here is a fully completed example
*.conf
, with working httpd authentication. Notice, this example does not use SSL / 443, although the method can be adapted to it!upstream pokemonmap{ server 127.0.0.1:5000 fail_timeout=0 } server { listen 80; server_name [sub.domain.com] [your_ip]; location /go/ { auth_basic "Restricted"; auth_basic_user_file /etc/nginx/.htpasswd; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto http; proxy_set_header Host $http_host; proxy_redirect off; proxy_pass http://[your_ip]:5000; break; } }
Test your nginx configuration using the command
sudo nginx -t
. If this returns a positive result, restart the nginx service usingsudo service nginx restart
.Verify your configuration is working by loading http://your_ip/go/ or http://sub.your.domain/go/, or however else you have it set in your
*.conf
. Please verify it’s working before proceeding to step 5, or it will be much harder to troubleshoot!Troubleshooting:
I can’t reach my server at http://your_ip/go/!
Check http://your_ip:5000/. If you cannot see it there, your issue lies with your server, not with nginx! If you can see it there, but cannot see it at http://your_ip/go/, your issue lies with nginx. Please check your config files to make sure they are pointing at the right places, and that your
sudo nginx -t
checks out.nginx -t doesn’t check out.
Check the error messages for which line is creating the error, and work your way backwards from there. Many times it’s just a missed
;
or}
.
Finally, we’re going to modify our runserver.py command to operate with the
-H 127.0.0.1
flag, only allowing our webapp to be accessable from Localhost. As nginx is running on the local system, nginx will still be able to fetch the webapp, and serve it, through the proxy and authentication, to remote users, but remote users will not be able to connect directly to the webapp itself. If your runserver command ispython runserver.py -u user -p pass -k key -l "my,coords" -st 10 -P 5000
You are going to want to update it to the following:
python runserver.py -u user -p pass -k key -l "my,coords" -st 10 -P 5000 -H 127.0.0.1
From there, we’re going to want to check and see that you can get to your server, albeit through authentication, at http://your_ip/go/, and that you cannot get to your server at http://your_ip/go:5000/. If that works, you’re all set up!