In this article, we'll explain how to install and use BungeeGuard! It is a very simple plugin that aims to prevent users from connecting directly to the backend servers behind your proxy.

Why use BungeeGuard?

In a proxy setup, the servers that the proxy communicates with are in offline mode (this is required for working with the proxy). However, due to the nature of offline mode, anyone can log on to your server with any username. This becomes an issue, as a potential attacker may log on to your backend server under your username (which would most likely be a server operator) and cause damage.

BungeeGuard aims to stop this. Server admins install BungeeGuard (just an ordinary plugin!) on their proxies and backend servers.
On the proxy, BungeeGuard adds a secret "authentication token" to the login handshake.
On the backend (Spigot etc. server), BungeeGuard checks login handshakes to ensure they contain an allowed authentication token.
It's really that simple.


Download BungeeGuard from here

Installing the plugin on the Proxy

Simply upload the plugin file to your plugins folder, and restart the server so that BungeeGuard loads in. Once it's loaded, go to plugins --> BungeeGuard --> token.yml and note the token shown in the file. It will look something like this:

token: nHIJfLNWJXNfY6RSNKvVJbJMGX8GCovSvUb4eLqDIOu8peTbA93aRk1OQ7TpHhHx


In this example, the token is nHIJfLNWJXNfY6RSNKvVJbJMGX8GCovSvUb4eLqDIOu8peTbA93aRk1OQ7TpHhHx

Please note that you will not have the same token as shown here.

Never share this token with anyone! With it, they can log in to your server.


Installing the plugin on the Backend

Now, we will add this token to BungeeGuard on the backend, so that the backend can use it to verify that clients are connecting through the proxy. Upload the plugin to your plugins folder, and restart the server so that BungeeGuard loads in. Once it's loaded, go to plugins --> BungeeGuard --> config.yml. In this config, you specify the token you have on the proxy. Find:

allowed-tokens:
  - "the token generated by the proxy goes here"
  - "you can add as many as you like."


And replace it with:

allowed-tokens:
  - "nHIJfLNWJXNfY6RSNKvVJbJMGX8GCovSvUb4eLqDIOu8peTbA93aRk1OQ7TpHhHx"


This allows users who connect through the proxy to authenticate to your server using BungeeGuard, and prevents people from joining the backend server directly! You can configure the message sent to players who try to join the backend server directly with the invalid-token-kick-message and/or no-data-kick-message settings in the config.
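
To confirm the two files from the steps above agree, the check below can be run against their contents. It is an added example, not part of BungeeGuard or the original article: the function names are hypothetical, the sample file contents are constructed from the article's example token, and the "looks like a generated token" rule is an assumption based on that sample.

```python
import re

# Constructed sample files; the token is the article's example value, not a live secret.
TOKEN = "nHIJfLNWJXNfY6RSNKvVJbJMGX8GCovSvUb4eLqDIOu8peTbA93aRk1OQ7TpHhHx"
PROXY_TOKEN_YML = f"token: {TOKEN}\n"
BACKEND_CONFIG_YML = (
    "allowed-tokens:\n"
    '  - "the token generated by the proxy goes here"\n'  # placeholder left in by mistake
    f'  - "{TOKEN}"\n'
)

def read_proxy_token(text):
    """Return the value of the top-level `token:` key in token.yml, or None."""
    m = re.search(r'^token:\s*["\']?([^"\'\s#]+)', text, re.MULTILINE)
    return m.group(1) if m else None

def read_allowed_tokens(text):
    """Return the list items under the top-level `allowed-tokens:` key in config.yml."""
    tokens, in_list = [], False
    for line in text.splitlines():
        if re.match(r"^allowed-tokens:\s*$", line):
            in_list = True
        elif in_list:
            m = re.match(r"^\s*-\s*(.*?)\s*$", line)
            if m:
                tokens.append(m.group(1).strip("\"'"))
            elif line.strip() and not line.lstrip().startswith("#"):
                break  # a new key started, so the list has ended
    return tokens

def audit(proxy_yml, backend_yml):
    """Return a list of findings; an empty list means proxy and backend agree."""
    findings = []
    token = read_proxy_token(proxy_yml)
    allowed = read_allowed_tokens(backend_yml)
    if token is None:
        findings.append("proxy token.yml has no token")
    elif token not in allowed:
        findings.append("proxy token is missing from backend allowed-tokens")
    for position, entry in enumerate(allowed, start=1):
        # Assumption: generated tokens are long alphanumeric strings like the sample.
        # Report the position only, so the secret never ends up in logs.
        if not re.fullmatch(r"[A-Za-z0-9]{32,}", entry):
            findings.append(f"allowed-tokens entry {position} does not look like a generated token")
    return findings

if __name__ == "__main__":
    for finding in audit(PROXY_TOKEN_YML, BACKEND_CONFIG_YML) or ["OK"]:
        print(finding)
```

With the constructed sample it reports the leftover placeholder entry; once only the real token remains in allowed-tokens, it prints OK.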


That's it! It's a very simple plugin, yet it helps protect your Minecraft server very well. Almost every proxy server/network utilises BungeeGuard. Velocity, the server software, also has a BungeeGuard system built in, so you don't need to install it if you're on Velocity!