Pterodactyl Panel Install

Documentation designed for Ubuntu 20.04

Getting Started

Installing Dependencies

To ensure a smooth and proper software installation t­he following needs to be installed on your Ubuntu 20.04 Byteania system. When installing, ensure you’re currently logged in as the root user, or a user with sudo (superuser) permission. Otherwise, you will not be able to install software onto the system. Copy each command below and paste it into your Linux Shell (SSH).

apt -y install software-properties-common curl apt-transport-https ca-certificates gnupg
LC_ALL=C.UTF-8 add-apt-repository -y ppa:ondrej/php
add-apt-repository -y ppa:chris-lea/redis-server
curl -sS https://downloads.mariadb.com/MariaDB/mariadb_repo_setup | sudo bash
apt update
apt-add-repository universe
apt -y install php8.0 php8.0-{cli,gd,mysql,pdo,mbstring,tokenizer,bcmath,xml,fpm,curl,zip} mariadb-server nginx tar unzip git redis-server certbot
curl -sS https://getcomposer.org/installer | sudo php -- --install-dir=/usr/local/bin --filename=composer
apt update && apt upgrade -y

Pterodactyl also requires a series of DNS records to be created, should you want your panel on a domain of yours. Login to your DNS manager (i.e., Cloudflare, GoDaddy, Namecheap, etc). and move to the DNS management page. From here, you'll need to create an "A" record:

Photo: Cloudflare DNS Manager Screen

• The name can be anything, we recommend using "panel" or "pterodactyl".
• The IPv4 address needs to be the IPv4 address of your Byteania server.
• If you're not using Cloudflare as a DNS manager, you will not see the Proxy option. Simply ignore this. 

Now that all required dependencies have been installed, we can continue to the panel installation.

Installing Pterodactyl Panel

The Pterodactyl Panel is the web server where servers and users can easily be managed. Pterodactyl is a two-part system, the first being the panel, and the second being “wings”. Wings are the bit of software that creates the servers/containers and will be installed once the panel-sided installation is complete.

Filesystem Preparation

      The following commands need to be executed:

	mkdir -p /var/www/pterodactyl
	cd /var/www/pterodactyl
	curl -Lo panel.tar.gz 	 
        https://github.com/pterodactyl/panel/releases/latest/download/panel.tar.gz
	tar -xzvf panel.tar.gz 
	chmod -R 755 storage/* bootstrap/cache/

Database Configuration

We need to create the database and database user for the panel. To do so we’ll enter the local MySQL server as the root user. Type "mysql -u root -p" to enter MariaDB. Since we had just installed MySQL, there is no password required (simply hit enter when prompted for a password).

	CREATE USER 'pterodactyl'@'127.0.0.1' IDENTIFIED BY 'yourPassword'; 
	CREATE DATABASE panel; 
	GRANT ALL PRIVILEGES ON panel.* TO 'pterodactyl'@'127.0.0.1' WITH GRANT OPTION; 
	FLUSH PRIVILEGES;
	exit

Be sure to replace “yourPassword” with a strong secure password.

Filesystem Preparation Continued

Now that the database side of the setup is complete, we can now move on to the final few steps in the setup process.

	cp .env.example .env
	composer install --no-dev --optimize-autoloader

If you’re asked if you want to continue the Composer run as root/superuser, type “y”.

	php artisan key:generate --force

Now we need to do the environment setup for the panel. Each command below will prompt you for several data entries, such as the database configuration details and mailing setup.

	php artisan p:environment:setup 

• Enter your email address when prompted for “Egg Author Email”.
• Enter your desired panel URL such as https://panel.example.com (include https://)
• Enter your server (or local) time zone such as “America/Chicago”.
• Enter “redis” for Cache Driver.
• Enter “redis” for Session Driver.
• Enter “redis” for Queue Driver.
• Enter “yes” to Enable UI based Settings Editor.
• Press ENTER on all Redis Entries (Host, Password, and Port).

	php artisan p:environment:database

Enter the database credentials created in setup above.

	php artisan p:environment:mail

Select panel mail driver and enter SMTP credentials. If you do not want/need mailing features right away, you can select “mail” and press ENTER for all options. Mailing is not required for panel functionality, however, the setup step must be completed!

	php artisan migrate --seed --force
	php artisan p:user:make
	chown -R www-data:www-data /var/www/pterodactyl/*

Crontab & Worker Configuration

The Pterodactyl panel required a cronjob (a task that automatically executes on a set schedule) to keep the queue process running in the background. To create a cronjob type “sudo crontab -e” and select option 1 (nano). Picking the nano option is the easiest.

Once the crontab editor is open, paste the following:

	* * * * * php /var/www/pterodactyl/artisan schedule:run >> /dev/null 2>&1

To exit the crontab editor, type CTRL + X, then Y and ENTER to save the file.

Next create a file named “pteroq.service” in the “/etc/systemd/system” directory by typing the following:

	nano /etc/system/system/pteroq.service

And paste the following:

# Pterodactyl Queue Worker File
# ----------------------------------

[Unit]
Description=Pterodactyl Queue Worker
After=redis-server.service

[Service]
# On some systems the user and group might be different.
# Some systems use `apache` or `nginx` as the user and group.
User=www-data
Group=www-data
Restart=always
ExecStart=/usr/bin/php /var/www/pterodactyl/artisan queue:work --queue=high,standard,low --sleep=3 --tries=3
StartLimitInterval=180
StartLimitBurst=30
RestartSec=5s

[Install]
WantedBy=multi-user.target

Save and exit the file by typing CTRL + X and Y and ENTER.

Finally, we need to enable the new services we’ve created by typing the following:

	sudo systemctl enable --now redis-server
	sudo systemctl enable --now pteroq.service

Webserver Configuration

It is best practice to enable SSL on the Pterodactyl panel domain. SSL adds a layer of security ensuring communications to and from your panel are encrypted. If you’re using a service like Cloudflare to protect your domain, be sure to read the Cloudflare-sided instructions in the SSL configuration guide.

Firstly, we need to remove the default Nginx configuration:

	rm /etc/nginx/sites-enabled/default

Now we’ll create a new Nginx configuration for Pterodactyl. Create a file named “pterodactyl.conf” in “/etc/nginx/sites-available” by executing:

	nano /etc/nginx/sites-available/pterodactyl.conf

Then paste the following:

server_tokens off;

server {
    listen 80;
    server_name <domain>;
    return 301 https://$server_name$request_uri;
}

server {
    listen 443 ssl http2;
    server_name <domain>;

    root /var/www/pterodactyl/public;
    index index.php;

    access_log /var/log/nginx/pterodactyl.app-access.log;
    error_log  /var/log/nginx/pterodactyl.app-error.log error;

    # allow larger file uploads and longer script runtimes
    client_max_body_size 100m;
    client_body_timeout 120s;

    sendfile off;

    # SSL Configuration
    ssl_certificate /etc/letsencrypt/live/<domain>/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/<domain>/privkey.pem;
    ssl_session_cache shared:SSL:10m;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384";
    ssl_prefer_server_ciphers on;

    # See https://hstspreload.org/ before uncommenting the line below.
    # add_header Strict-Transport-Security "max-age=15768000; preload;";
    add_header X-Content-Type-Options nosniff;
    add_header X-XSS-Protection "1; mode=block";
    add_header X-Robots-Tag none;
    add_header Content-Security-Policy "frame-ancestors 'self'";
    add_header X-Frame-Options DENY;
    add_header Referrer-Policy same-origin;

    location / {
        try_files $uri $uri/ /index.php?$query_string;
    }

    location ~ \.php$ {
        fastcgi_split_path_info ^(.+\.php)(/.+)$;
        fastcgi_pass unix:/run/php/php8.0-fpm.sock;
        fastcgi_index index.php;
        include fastcgi_params;
        fastcgi_param PHP_VALUE "upload_max_filesize = 100M \n post_max_size=100M";
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_param HTTP_PROXY "";
        fastcgi_intercept_errors off;
        fastcgi_buffer_size 16k;
        fastcgi_buffers 4 16k;
        fastcgi_connect_timeout 300;
        fastcgi_send_timeout 300;
        fastcgi_read_timeout 300;
        include /etc/nginx/fastcgi_params;
    }

    location ~ /\.ht {
        deny all;
    }
}

We'll need to adjust a few things, where you see "<domain>" you need to enter your full domain. For example "panel.example.com" or "example.com". Both the server_name line and SSL configuration lines need adjusting. 

SSL Configuration

The Nginx configuration above requires that we create a valid SSL certificate for the domain the panel will reside on. First we will stop the Nginx service to free port 80, and then generate the SSL certificate. Be sure to replace "<domain>" with your actual domain:

	service nginx stop
	certbot certonly -d <domain>

Select the first option provided by Certbot “standalone”.

Enter an email address SSL expiration and renewal emails should be sent to. This should be a valid and actively checked email address. Be sure to agree to the Terms of Service when prompted, and select “No” for sharing your email address with Electronic Frontier.

Optional Cloudflare Configuration

If you desire to protect your Pterodactyl panel behind the Cloudflare Proxy, you’ll now need to adjust the SSL configuration on Cloudflare’s end to match “Full”.

On the DNS page, enable the orange cloud next to the panel DNS “A” record, pointing to your Byteania server.

Webserver Configuration Continued

The SSL certificate is now created, and the Nginx configuration has been created. We now can create the needed symbolic link to sites-enabled by typing the following command:

	sudo ln -s /etc/nginx/sites-available/pterodactyl.conf /etc/nginx/sites-enabled/pterodactyl.conf

        Finally, we’ll need to restart the Nginx service:

	systemctl restart nginx

Congratulations! The Pterodactyl panel has successfully been installed. You can now visit the panel at the domain you defined in the Nginx configuration.

Installing Wings

As mentioned prior, Pterodactyl is a two-part system comprised of the panel and wings instances. Wings is the software that allows you to create servers within the panel. It is the driver responsible for containerization and separation of resources. This section of this guide will cover how to install wings on your Ubuntu system.

Installing Dependencies

Much like the panel installation, wings require software to be installed for it to run properly. Some of the prerequires were installed prior but not all.  The commands below need to be executed to install Docker:

	curl -sSL https://get.docker.com/ | CHANNEL=stable bash

Installing Wings

Now that all of the needed software has been installed, we can begin installing wings. Type the following commands:

	mkdir -p /etc/pterodactyl 
	curl -L -o /usr/local/bin/wings "https://github.com/pterodactyl/wings/releases/latest/download/wings_linux_$([[ "$(uname -m)" == "x86_64" ]] && echo "amd64" || echo "arm64")" 
	chmod u+x /usr/local/bin/wings

Configuring Wings

The pterodactyl panel and wings have now been installed successfully. At this point in time you’ll need to login to your panel and go to the admin section. From here, we need to do two things:

Add Location

From the admin panel you will see on the left hand side (in the navigation pane) the option for Locations. We need to create a new location, you can give it any Short Code (an easy way to identify and refer to the wings instance), and a description of the server. We recommend that you include information like country/location here.

Add Node

In order to create a new node, a location has to exist. Ensure you've already created a location before moving on to adding the node. 

Enter a friendly (easy to remember) name for the node name, and provide any description. We recommend that you enter information such as the server location and specifications in the description box. 

The location we created prior should automatically be selected for location.

If you've installed pterodactyl and wings on the same system, for the FQDN you can enter the panel domain you selected (i.e, panel.example.com). 

Since we created a valid SSL certificate we can select "Communicate Over SSL". 

Enter the systems total memory and the total disk space (that can be used by servers) in MB. 

To disable resource overallocation, enter 0 in Memory Over-Allocation and Disk Over-Allocation. 

If your domain is behind the Cloudflare Proxy, you will need to select "Behind Proxy", otherwise, leave as "Not Behind Proxy". 

If you're behind a proxy service like Cloudflare, you need to adjust the Daemon Port from 8080 to 8443.

Finally click Create Node to create the new node.

Your new node should now be automatically open, and showing you the Configuration page. Copy the contents of the configuration file on-site, and paste it in the file we create by executing:

 	  nano /etc/pterodactyl/config.yml

Paste the contents found on panel.

Save and exit the file by typing CTRL + X and Y and ENTER.

Testing Wings (Debug)

To determine of the wings configuration and installation was successful, we can run wings in debug mode. To do so, enter the "/etc/pterodactyl" directory by typing:

	cd /etc/pterodactyl

And run wings in debug mode:

	sudo wings --debug

You should see various output, but most critically that "configuring internal webserver" and "sftp server listening for connections" show with no errors. The debug application will stay open until you CTRL + C. Close the application once you see there are no errors with starting wings.

 Daemonizing Wings

Since wings was able to run in debug mode with no issues, we're now able to create a service for wings that will ensure it starts on reboot and crash. 

Execute the following command:

	nano /etc/systemd/system/wings.service

And paste the following configuration:

[Unit]
Description=Pterodactyl Wings Daemon
After=docker.service
Requires=docker.service
PartOf=docker.service

[Service]
User=root
WorkingDirectory=/etc/pterodactyl
LimitNOFILE=4096
PIDFile=/var/run/wings/daemon.pid
ExecStart=/usr/local/bin/wings
Restart=on-failure
StartLimitInterval=180
StartLimitBurst=30
RestartSec=5s

[Install]
WantedBy=multi-user.target

Save and exit the file by typing CTRL + X and Y and ENTER.

Now we can enable the wings service:

	systemctl enable --now wings

Ensure the wings service is running:

	service wings status

Photo: Output of "service wings status". Showing "loaded" and "active".

Your node from within the panel should now show a green heart indicating healthy status or "online".

Photo: Node online (indicated by green heart) on Pterodactyl panel.

Congratulations! The Pterodactyl panel and wings have successfully been installed. You can now visit the panel at the domain you defined in the Nginx configuration and create servers on the new node.

Path DDoS Protection

Creating Minecraft Rules

For each Minecraft server or game container you create with the Pterodactyl panel that requires an open port, you should create an allow rule as shown below. This will help protect your destination IP address and ports from unwanted access, and prevents game ports from being blocked by the future "port punch" rule. 

Photo: Path filter rule made allowing ALL to access our Minecraft server on port 25565.

In order for the Pterodactyl panel to function properly, with Path DDoS protection, we must create a few more additional rulesets. These rules will allow you to access the panel (and ensure it functions properly) while improving uptime and network security.

Photo: Path rules allowing Pterodactyl panel ports along with SSH and dropping all else.

If during the panel installation you put put the domain behind the Cloudflare Proxy, you adjusted the wings port from 8080 to 8443 (a port that the Cloudflare proxy is able to proxy properly). We will need to create a rule to match that change, otherwise (if your domain is not behind a proxy) you may keep the port as 8080. 

Since we want to be able to remotely manage this Linux server, we created a SSH rule that allows traffic to port 22. If you change your SSH port, or would like to allow it from a specific source IP address, you may do so. 

Finally, we need to create a "port punch" rule. This rule drops all traffic that does not meet the whitelist (allow) rulesets. In order to ensure proper firewalling, a port punch rule is needed; it's position in the firewall rule manager does not matter. 

The port punch rule can be named anything, but needs no entry for the port and protocol. 

Creating Minecraft Filters

Photo: Path filter rules protecting Minecraft server from DDoS.

For each Minecraft (Java Edition) server you create, you can create a Path filter rule that protects your servers from Denial of Service attacks. This filter is quite easy to deploy, search for the Minecraft Java Edition Server (symmetric) filter. Enter the destination IP address (your Linux server) including the subnet prefix, and the port of your server. 

Bungeecord Specific Note

For filters to work properly in a Bungeecord environment you need to adjust the Bungeecord configuration to enable the proxy_protocol setting. 

That's a wrap! You've successfully installed the Pterodactyl panel & wings, as well as protected the installation with a series of Path firewall rules and filters. Be sure to check out our article about Adding IP Allocations to Pterodactyl Nodes.