BungeeGuard

BungeeGuard is a plugin which adds a security token to the BungeeCord handshaking protocol. In the case that the backend servers are not properly firewalled, it prevents players from bypassing the proxy and spoofing their UUID.

It is a more sensible alternative to "ip whitelist" or "only proxy join" type plugins.

Installation

Installation is very straightforward.

On your proxy...

If you are using BungeeCord

  1. Ensure ip_forward is set to true in BungeeCord's config.yml.
  2. Add BungeeGuard.jar to the plugins folder. Then restart the proxy. If you have multiple proxies in your network, do this for each of them.
  3. Navigate to /plugins/BungeeGuard/token.yml and make a note of the value of token.

If you are using Velocity

  1. Ensure you are using Velocity 1.1.0 or newer.
  2. Set player-info-forwarding-mode to "bungeeguard" in velocity.toml, and make note of the value of forwarding-secret. This is the value used for the BungeeGuard token. If you have multiple proxies in your network, do this for each of them.
  3. Restart the proxy.

On each of your backend Minecraft servers...

  1. Ensure you are either using Paper 1.9.4+ or have ProtocolLib installed.
  2. Ensure bungeecord is set to true in spigot.yml.
  3. Add BungeeGuard.jar to the plugins folder. Then restart the server.
  4. Navigate to /plugins/BungeeGuard/config.yml. Add the token(s) generated by the proxy(ies) to the allowed-tokens list.

    e.g.

    # Allowed authentication tokens.  
    allowed-tokens:
      - "AUSXEwebkOGVnbihJM8gBS0QUutDzvIG009xoAfo1Huba9pGvhfjrA21r8dWVsa8"
  5. Run bungeeguard reload from console.