Point a domain name at your FD Commander server and secure it with HTTPS.
This guide is only necessary if you want to make FD Commander accessible over the internet. If you're running it on a LAN at your Field Day site with no outside access, you can skip this entirely. FD Commander works perfectly on a local network over plain HTTP.
But if you want club members to register equipment and sign up for shifts before the event, or let people follow the live score from home during the event, you need a domain name and TLS. There is no good reason to put FD Commander on the public internet without HTTPS.
Running over plain HTTP on a LAN is fine. Running over plain HTTP on the open internet means passwords and session tokens travel in cleartext, and anyone on the path can read them. If you're exposing FD Commander to the internet, use TLS. Let's Encrypt is free.
yourcallsign.com works well.
When someone types fd.yourcallsign.com in their browser, three things happen in sequence:
This guide walks through each piece.
From any computer on the network where FD Commander will run, find your public IP address:
This is the IP address the rest of the internet uses to reach your network. Write it down. You'll enter it in your DNS settings.
Most residential internet connections have a dynamic IP that can change periodically. For a weekend event this usually isn't a problem. If you want something more permanent, look into a dynamic DNS service like Duck DNS (free) that automatically updates your DNS record when your IP changes.
Log into your domain registrar or DNS provider and create an A record pointing your chosen subdomain to your public IP.
1. Go to the DNS management page for your domain.
2. Add a new A record:
   - Name / Host: the subdomain you want (e.g., fd for fd.yourcallsign.com)
   - Value / Points to: your public IP address (e.g., 203.0.113.42)
   - TTL: leave the default, or set to 300 (5 minutes) if available.
3. Save the record. DNS changes can take a few minutes to propagate, though most providers are nearly instant.
After a few minutes, confirm the record is working:
If it returns your public IP, DNS is set up correctly.
Your router needs to know that incoming web traffic should go to the Pi. Log into your router's admin page (usually 192.168.1.1 or 192.168.0.1) and set up port forwarding rules:
Port 80 is needed temporarily so Let's Encrypt can verify you own the domain. After TLS is set up, all real traffic goes through port 443.
SSH into the Pi and run hostname -I. It'll return something like 192.168.1.42. That's the address you forward to.
The exact steps depend on your router's make and model. Look for "Port Forwarding," "Virtual Server," or "NAT" in your router's settings. If you're not sure, search for your router model followed by "port forwarding" and you'll find step-by-step instructions.
FD Commander uses Caddy as its built-in web server. Caddy automatically obtains and renews TLS certificates from Let's Encrypt. You don't need to install anything extra or manage certificates manually.
When you run the deploy script, include the --ssl and --email flags:
If you've already deployed without TLS, you'll need to redeploy with these flags to enable it.
The script sets APP_URL to https://fd.yourcallsign.com, configures the Caddyfile with your domain, and starts the service on port 443. Caddy contacts Let's Encrypt, proves you own the domain (using the port 80 you forwarded earlier), obtains a TLS certificate, and starts serving HTTPS. It also renews the certificate before it expires, so you never have to think about it again.
Caddy uses port 80 to prove domain ownership to Let's Encrypt. If it can't bind to port 80 or the port isn't forwarded, certificate issuance will fail. Check your port forwarding if you see errors in sudo journalctl -u fd-commander.
If you have your own certificate files (from your organization or another CA), you can provide them directly instead of using Let's Encrypt:
sudo ./deploy.sh --domain fd.yourcallsign.com --ssl --ssl-cert /path/to/cert.pem --ssl-key /path/to/key.pem
Open a browser and go to https://fd.yourcallsign.com. You should see FD Commander load with a padlock icon in the address bar. If you get a certificate warning, check the logs: sudo journalctl -u fd-commander --no-pager.
Caddy automatically redirects HTTP to HTTPS, so if someone types http://fd.yourcallsign.com they'll be sent to the secure version automatically.
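The DNS, redirect and certificate checks described above can be scripted. This is an added example, not part of FD Commander or its deploy script; it assumes dig and curl are installed, and the script and function names are hypothetical.

```bash
#!/usr/bin/env bash
# Added example, not part of FD Commander; function names are hypothetical.
# Usage: ./preflight.sh fd.yourcallsign.com 203.0.113.42

# True if an IPv4 address is not reachable from the internet: RFC 1918 LAN
# ranges, 100.64.0.0/10 (carrier-grade NAT), loopback and link-local.
is_private_ipv4() {
  local a="${1%%.*}" rest="${1#*.}"
  local b="${rest%%.*}"
  case $a in
    10|127) return 0 ;;
    172) [ "$b" -ge 16 ] && [ "$b" -le 31 ] ;;
    192) [ "$b" -eq 168 ] ;;
    169) [ "$b" -eq 254 ] ;;
    100) [ "$b" -ge 64 ] && [ "$b" -le 127 ] ;;
    *) return 1 ;;
  esac
}

# dns_ok PUBLIC_IP A_RECORDS: the A record must be exactly the public IP you
# wrote down; on failure, print why.
dns_ok() {
  local want="$1" got="$2"
  if [ -z "$got" ]; then echo "no A record found"; return 1; fi
  if is_private_ipv4 "$got"; then echo "A record $got is a private address"; return 1; fi
  if [ "$got" != "$want" ]; then echo "A record $got != $want (dynamic IP changed?)"; return 1; fi
}

# redirect_ok DOMAIN STATUS LOCATION: plain HTTP must redirect to the same
# host over HTTPS, which is what Caddy does once TLS is enabled.
redirect_ok() {
  case $2 in 301|302|307|308) ;; *) return 1 ;; esac
  case $3 in "https://$1"|"https://$1/"*) return 0 ;; *) return 1 ;; esac
}

# Live run: fetch the real values and feed them to the checks above.
preflight() {
  local domain="$1" public_ip="$2" http
  dns_ok "$public_ip" "$(dig +short A "$domain" | grep -E '^[0-9.]+$')" || return 1
  # %{redirect_url} is the URL curl would follow next; it is not followed here.
  http=$(curl -sS -m 10 -o /dev/null -w '%{http_code} %{redirect_url}' "http://$domain/") || return 1
  redirect_ok "$domain" "${http%% *}" "${http#* }" \
    || { echo "port 80 does not redirect to HTTPS: $http"; return 1; }
  # No -k: curl fails on an untrusted, expired or wrong-name certificate.
  curl -sS -m 10 -o /dev/null "https://$domain/" || return 1
  echo "OK: $domain resolves to $public_ip and serves valid HTTPS"
}

if [ "$#" -eq 2 ]; then preflight "$@"; fi
```

Run it from a connection outside your own network, since that is the path Let's Encrypt and club members use.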
Once all the pieces are in place, the setup looks like this:
fd.yourcallsign.com to your public IP.
--ssl --email tells Caddy to obtain a Let's Encrypt certificate automatically.
Club members can now visit https://fd.yourcallsign.com to register equipment, sign up for shifts, follow the live score, and sign the guestbook, all over an encrypted connection.
If your Field Day site won't have internet, that's fine. Set everything up ahead of time over the internet, then run the event on a LAN. FD Commander doesn't need internet to operate. It works fully air-gapped. The DNS and TLS setup is just for the pre-event and remote-access use cases.