Overview
Foundry Virtual Tabletop supports use of Secure Sockets Layer (SSL) connections in order to provide encrypted connections for users. The primary reason to configure SSL for Foundry VTT is to allow users to enable A/V Integration for Foundry VTT. For security reasons, browsers (such as Chrome or Firefox) will not let a website capture your camera and microphone unless that connection is secure, which means Foundry VTT needs to be accessed using https:// rather than http://.
Requirements
Configuring SSL is an advanced feature of Foundry VTT and requires technical configuration.
While it is not a difficult process to configure SSL for Foundry VTT, it does require an elevated level of technical knowledge in order to understand and troubleshoot some errors that may occur in the process. This article assumes you have familiarity with Port Forwarding, firewall configuration, and the use of the command-line tools for your operating system.
This process requires:
- A domain name or Dynamic DNS service (if using CA Signed Certificates)
- Installation of some software utilities (free)
- Administrator access to your operating system
Preparing a Dynamic DNS (DDNS)
If you are hosting Foundry VTT on a home computer or a server without a domain name, the use of a Dynamic DNS service can provide a domain name for your server that will update to point at your computer whenever your IP address changes. Use of a domain name for SSL certificates, while not required, are highly beneficial as it requires the certificate to change less frequently than one which points at a bare IP address that may commonly change. There are a number of different DDNS providers out there which offer their services for free or for a range of prices. If you have already configured a domain name or Dynamic DNS provider and are confident that it is currently updating your domain name correctly, you can skip this section.
While we won't go into extreme detail on the configuration process for a DDNS provider, for the purposes of this article we will assume usage of Duck DNS". Duck DNS offers a variety of pieces of software to provide them with updates of your IP address and keep your dynamic domain name linked, so this article will focus mostly on the general practice of how these softwares work rather than giving specific steps for setup.
The basic process for configuring Duck DNS is the same regardless of which Operating System you are using:
- Sign up for an account at Duck DNS
- From your account menu, choose and activate a domain name
- Locate your Duck DNS "Token" so you can easily reference it later, this token is used to allow your Dynamic DNS software to notify Duck DNS of any IP address changes
- From the Duck DNS Install page, choose your operating system and follow the steps to configure and install a Duck DNS client, it will likely prompt you for your Token
- Ensure that the Duck DNS client remains running whenever you wish users to be able to access your computer via the new dynamic domain name you chose in step 2
Configuring SSL
The most common reason users want to set up SSL configuration is in order to enable HTTPS support in Foundry VTT, you will need an SSL certificate. Certificates are most often generated as .pem files or as .cert and .keyfiles. There are two options for generating SSL certificates:
- CA Signed Certificates
- SSL certificates signed by a Certificate Authority (CA) provide an extra layer of verification and are considered genuine by all browsers, but often require the user to renew them regularly (most often: 90 days). CA Signed Certificates are legitimate and valid, but require you to have a domain name associated with your IP address that can be verified by a number of testing methods. Use of a CA Certificate saves your users a lot of manual configuration for access, but means you have to do the work instead.
- Self-Signed Certificates
- Self-Signed certificates are generated by you, and are normally only used for testing purposes. Using self-signed certificates require your users to manually accept the certificate, and many browsers will report self-signed certificates as not secure. Use of a Self-Signed Certificate offloads some of the work for configuration to your users, as they may have to configure their browser to allow acceptance of self-signed certificates from unverified hosts.
For a variety of reasons, it is recommended to use an SSL certificate generated by a trusted Certificate Authority wherever possible.
Obtaining a CA Signed Certificate
Most hosting providers offer them for a nominal fee or include them with your hosting package, so if you are hosting Foundry VTT via a remote-hosted server there is a reasonably good chance you can simply acquire the certificate.pem and privkey.pem files from your hosting provider, place them in your FVTT Config directory, and point Foundry VTT's configuration to them per Part 3 of this process as listed below.
Before you begin, be sure you have:
- A Domain name
- A Port Forwarding rule configured to direct traffic on port 80 and 443 to the computer on which you are hosting FVTT
- Any firewall software you are using configured to allow traffic on port 80 and 443
- Administrator permissions for your computer
This guide now primarily recommends the use of Caddy as a reverse-proxy server that also automates the creation of CA Signed Certificates for SSL, as a cross-platform option that works reliably. Those wishing to use Certbot for SSL certificates on Linux or Mac can skip this section.
Caddy is a reverse proxy that can be configured to stand between Foundry VTT and the outside world, maintaining your SSL certificates for your Foundry VTT instance. We have a separate Caddy Proxy Server configuration guide which provides a more detailed walkthrough of the process of configuring Caddy. This guide will take you through the process of installing caddy before directing you to that configuration guide for setup.
Caddy offers an optional plugin that can be used to update your DuckDNS Dynamic Domain Name if you followed that section above. This must be enabled during the download process if it's an option you wish to use.
Note: This guide will not cover setting Caddy to automatically start up when your computer runs, and will expect that you will always launch Caddy before running Foundry VTT.
- Visit the Caddy Download Page and select the platform that most fits your operating system. Optional: If you wish to include the DuckDNS plugin for dynamic domain name configuration, scroll down until you see
caddy-dns/duckdnsand click it to select it. - Click the download button and save Caddy's executable to the folder where you will be running the program.
- Caddy uses a 'caddyfile' which contains its configuration directives, you can download our example caddyfile here, and save it to the location where you stored the Caddy executable.
- Unzip the caddyfile in the same location and edit it using the text editor of your choice, it can be edited by any plain text editor.
- Replace the placeholder text
MYFOUNDRYDOMAINNAME.duckdns.orgwith your actual domain name, if you have changed any other settings in your Foundry VTT installation (such as port number) you will need to change that as well, but if not, the other directives should be sufficient. - A note: Caddy is a command-line tool and must be run from a Terminal or from Windows Command Prompt or Powershell, so you will need to open a terminal to the location where you saved the file in order to execute it.
- Run the command
caddy run examplecaddyfile, note that if you renamed the examplecaddyfile to a different filename, you would need to use that file name instead. - Once Caddy is running, you will see it go through the process to acquire an SSL certificate before settling to a line that says "Serving initial configuration", your Caddy server is now ready.
Once you have configured Caddy, there are some changes to the Foundry Virtual Tabletop configuration you will also want to apply. Set the following options in your Foundry VTT{userData}/Config/options.json file which will instruct Foundry VTT that the server is running with a proxy server in front of it on port 443.
"hostname": "YOURHOSTNAMEHERE.duckdns.org",
"routePrefix": null,
"sslCert": null,
"sslKey": null,
"port": 30000,
"proxyPort": 443,
"proxySSL": true
Once these changes are made, you can start your Foundry VTT server and users should be able to access it by simply typing your domain name (which should now also appear in your invitation links). Whenever you launch Foundry VTT in the future you will need to remember to run caddy first, unless you take some steps to make caddy start automatically.
Using Certbot as an Alternative
If you are self-hosting there is a process for using the Certbot software (provided generously by Let's Encrypt and the Electronic Frontier Foundation Electronic Frontier Foundation) which will allow you to generate legitimate certificates through their verification process. Certbot is 100% free and can be configured for most Linux distributions and for macOS, but there is no viable client for Windows.
Note: CA Signed Certificates will typically last for 90-days before requiring renewal, and if using CertBot the EFF will email you a notification warning you of the pending expiration. If you are renewing your certificate, skip directly to the step 3!
- Using Terminal, install the Homebrew Package Manager using the command:
/bin/bash -c "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/HEAD/install.sh)" - Still using Terminal, use Homebrew to install the latest version of Certbot:
brew install certbot - From Terminal, type:
certbot certonly --standalone -d YOURDOMAINNAMEHERE(if you are renewing your existing certificates, usecertbot renewinstead) - Wait for verification to complete (if it fails, please ensure you have port-forwarded TCP port 80 and TCP port 443 and opened those ports on any firewall you may have enabled)
- Once it has completed it will place a set of .pem files in /etc/letsencrypt/live/YOURDOMAINHERE/
- Copy the "fullchain.pem" and "privkey.pem" into theConfigfolder located inside your Foundry VTT User Data Folder (default location:~/FoundryVTT/Library/Application Support/FoundryVTT/Config/)
- Launch Foundry VTT and from the Setup menu, click the Configuration tab and change the following settings:
Port: 443
SSL Certificate: fullchain.pem
SSL Key: privkey.pem - Press "Save Changes", this will cause Foundry VTT to shut down.
- Relaunch Foundry VTT and it should now be using HTTPS.
- Using any terminal emulator or bash shell, Install Certbot using one of the appropriate command for your distribution:
Arch-based:sudo pacman -S certbot
Debian-based:sudo apt install certbot
Fedora:sudo dnf install certbot - For additional OS instructions, or installing via Snap, please view: https://certbot.eff.org/docs/install.html#operating-system-packages
- FromTerminal, type:
certbot certonly --standalone -d YOURDOMAINNAMEHERE(if you are renewing your existing certificates, usecertbot renewinstead) - Wait for verification to complete (if it fails, please ensure you have port-forwarded TCP port 80 and TCP port 443 and opened those ports on any firewall you may have enabled)
- Once it has completed it will place a set of .pem files in/etc/letsencrypt/live/YOURDOMAINHERE/
- Copy the "fullchain.pem" and "privkey.pem" into theConfigfolder located inside your Foundry VTT User Data Folder (default location:~/.local/share/FoundryVTT/Config/)
- Launch Foundry VTT and from the Setup menu, click the Configuration tab and change the following settings:
Port: 443
SSL Certificate: fullchain.pem
SSL Key: privkey.pem - Press "Save Changes", this will cause Foundry VTT to shut down.
- Relaunch Foundry VTT and it should now be using HTTPS.
Creating a Self-Signed Certificate
While creating your own SSL certificate can be easier to achieve, it does not guarantee security because it does not efficiently protect the data being transferred and potentially malicious third parties could still intercept and access the data. It is however still more secure than not having an SSL certificate and simply using http://
When using a self-signed certificate, your browser will warn your users that they are entering an unsecured site when they visit it for the first time and periodically after that. Users may need to used advanced configuration to allow their browsers to accept self-signed certificates, and will need to click on the "Advanced" button and then "Proceed" after reloading the site to accept the certificate. Here are some links which explain methods of creating a self-signed certificates for different platforms:
-
Online Tool : https://selfsigned.org/
-
Windows: https://medium.com/the-new-control-plane/generating-self-signed-certificates-on-windows-7812a600c2d8
-
Linux: https://linuxize.com/post/creating-a-self-signed-ssl-certificate/
-
macOS: https://support.apple.com/guide/keychain-access/create-self-signed-certificates-kyca8916/mac
When creating a self-signed certificate, you can simply list the server name as localhost.
Using an Existing Certificate
To configure Foundry VTT to use the certificate you have created, you need to copy the certificate and the private key to your FVTT's Config directory, after which you can enter the file names in the SSL Cert and SSL Key fields on the Foundry VTT Setup menu. This can also be configured by directly editing the options.json file located in the Config folder. For example, suppose you have generated a SSL certificate file named localhost.cert and a SSL key file named localhost.key - you would place these files inside your Config folder and reference them within the options.json file as follows:
...
"sslCert": "localhost.cert",
"sslKey": "localhost.key",
...Using a Reverse Proxy
If you configured your Foundry VTT to operate behind a reverse proxy provided by Apache, Caddy, or Nginx then all you need to do to have FVTT support https is to change one key within the options.jsonfile as follows:
...
"ProxySSL": true,
...
Once this configuration change has been made, Foundry VTT will operate using the SSL provided by your reverse proxy rather than requiring its own configuration and nothing further needs to be changed.