HTTPS

If you have a webpage served over HTTPS (i.e. using TLS), all resources it uses must be served over HTTPS as well. It is not easy for a plugin to support HTTPS and the data that gets sent is not sensitive, so you should use plain HTTP if you do not need TLS. There are a couple situations we can distinguish:

• Without domain name: It is not possible to set up TLS in this situation, simply because the TLS certificate is tied to a hostname / domain.
• With your own domain, with web hosting and access to the server configuration: Reverse proxy.
• With your own domain and access to its DNS settings (also services like Wix, Squarespace): In-plugin HTTPS.

If you serve everything with the internal web server, there is nothing that requires HTTPS, so you may as well leave it plain HTTP.

Reverse proxy

If you have your own hosting (regardless of if you use it for WebStats), you can set up a reverse proxy. The following is an example Nginx configuration (thanks to @coco0305 for the example in this issue):

location /stats.json {
    proxy_pass http://ip:port/stats.json;
}

location /online.json {
    proxy_pass http://ip:port/online.json;
}

location /tables.json {
    proxy_pass http://ip:port/tables.json;
}

You need to configure the index.html so that it reads from this proxy. Also explicitly specify to use HTTPS in the host field:

const stats = new WebStats({
    // required:
    ...
    host: "https://yourdomain.com/path/to/reverseproxy",
    // optional:
    ...
})

If you are using the internal web server of the plugin, you can place this index.html at plugins/WebStats/web/index.html (create the web/ folder if it does not already exist). Note that this file now does not get updated when you update the plugin, so you need to take care of that manually (index.html does not change every update, don't worry).

In-plugin HTTPS

Since version 1.9, it is possible for WebStats to serve its content over HTTPS. Be warned, though, that this method is still quite a hassle and requires maintenance multiple times a year; you should only use this when you have no other option. Make sure to read all steps before starting!

Upcoming version 1.11 will likely contain a more automated way of achieving this.

1. Setting up a subdomain
   In your domain's DNS settings, add a subdomain with an A record pointing to your Minecraft server's IP.
2. Getting a certificate
   You need to get a TLS certificate for the subdomain. One way to get one is from Let's Encrypt via certbot using DNS validation:

   sudo certbot certonly --manual --preferred-challenges dns
   

3. Combine the keys into a PKCS12 file
   Once you have fullchain.pem and privkey.pem files, you need to combine them into a PKCS12 file with a command like the following: (make sure to change the paths to the files)

   sudo openssl pkcs12 -export -out webstats.p12 -in /etc/letsencrypt/live/your.sub.domain/fullchain.pem -inkey /etc/letsencrypt/live/your.sub.domain/privkey.pem -name webstats
   

4. Upload the p12 file
   Place the p12 file from the previous step in plugins/WebStats/.
5. Update config file
   In config.yml, uncomment the http section and enter the name of the p12 file and its password.

You have now set up HTTPS within the plugin. You yourself are responsible for renewing the certificate! WebStats cannot do that for you. When renewing the certificate, you need to re-do steps 2, 3 and 4 each time and reload WebStats afterwards using /webstats reload.