search

andylizi / haproxy-detector

A Minecraft plugin that enables proxied and direct connections both at the same time.
GNU Lesser General Public License v3.0
81 stars 11 forks source link
bukkit-plugin bungeecord-plugin haproxy minecraft spigot-plugin velocity-plugin

readme

HAProxyDetector

This BungeeCord (and now Spigot and Velocity) plugin enables proxied and direct connections both at the same time. More infomation about HAProxy and its uses can be found here.

Security Warning

Allowing both direct and proxied connections has significant security implications — a malicious player can access the server through their own HAProxy instance, thus tricking the server into believing the connection is coming from a fake IP.

To counter this, this plugin implements IP whitelisting. By default, only proxied connections from localhost will be allowed (direct connections aren't affected). You can add the IP/domain of your trusted HAProxy instance by editing whitelist.conf, which can be found under the plugin data folder.

Details of the whitelist format ``` # List of allowed proxy IPs # # An empty whitelist will disallow all proxies. # Each entry must be an valid IP address, domain name or CIDR. # Domain names will be resolved only once at startup. # Each domain can have multiple A/AAAA records, all of them will be allowed. # CIDR prefixes are not allowed in domain names. 127.0.0.0/8 ::1/128 ``` If you want to disable the whitelist (which you should never do), you can do so by putting this line verbatim, before any other entries: ``` YesIReallyWantToDisableWhitelistItsExtremelyDangerousButIKnowWhatIAmDoing!!! ```

Platform-specific Notes

BungeeCord

proxy_protocol needs to be enabled in BC config.yml for this plugin to work. (Not to be confused with the similar option in paper.yml)

Older versions of BC can in theory use BungeeProxy in parallel with this plugin, but it hasn't been tested yet. Feedback is welcomed.

Spigot and its derivatives

ProtocolLib is a required dependency. This plugin was developed using ProtocolLib v4.8.0; please try that version first if there are any errors. Check out issue #3 for experimental support for ProtocolLib 5.0.

Paper

New versions of Paper have built-in HAProxy support (proxied connection only). It's not compatible with this plugin, so please disable the proxy-protocol option in paper.yml.

Velocity

haproxy-protocol needs to be enabled in Velocity config for this plugin to work.

Versions older than 3.0 are not supported.

Java >= 9

If errors like NoClassDefFoundError: sun.misc.Unsafe, InaccessibleObjectException and such are encountered, please add --add-opens java.base/java.lang.invoke=ALL-UNNAMED to JVM arguments.

Java >= 18

If errors like IllegalAccessException: static final field has no write access are encountered, please upgrade the plugin to at least v3.0.2.

If you cannot upgrade for whatever reason, a temporary workaround would be to add -Djdk.reflect.useDirectMethodHandle=false to JVM arguments.

Note that this argument will be removed in future Java releases.

Metrics

This plugin uses bStats for metrics. It collects some basic information, like how many people use this plugin and the total player count. You can opt out at any time by editing the config file under plugins/bStats/.