feat: Add subdomain matching for forced hosts#1730
Open
alchemyyy wants to merge 1 commit intoPaperMC:dev/3.0.0from
Open
feat: Add subdomain matching for forced hosts#1730alchemyyy wants to merge 1 commit intoPaperMC:dev/3.0.0from
alchemyyy wants to merge 1 commit intoPaperMC:dev/3.0.0from
Conversation
Adds an option for `subdomain-matching` to `[forced-hosts]` that falls back to suffix matching on domain boundaries when no exact match is found. This allows forced hosts to work when DNS services (e.g., Cloudflare proxied SRV records) prepend prefixes to the virtual hostname.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Adds an option for
subdomain-matchingto[forced-hosts]that falls back to suffix matching on domain boundaries when no exact match is found. This allows forced hosts to work when DNS services (e.g., Cloudflare proxied SRV records) prepend prefixes to the virtual hostname.The problem is that Velocity does exact string matching on the virtual host for
forced-hosts, so_dc-srv.xxxxx.play.example.comdoesn't matchplay.example.comand forced host routing breaks.This is a "rework" of this rejected PR: #1497
I'd like to clear up that the use-case for this feature isn't "hiding a misconfiguration". When you proxy an SRV target's A record through Cloudflare, Cloudflare auto-unproxies it by rewriting the hostname to something like
_dc-srv.xxxxx.play.example.com. This was intentional on my part since it causes casual DNS lookups onplay.example.comreturn Cloudflare IPs, and the origin is only exposed if someone specifically queries the Minecraft SRV record and follows the chain. This gives you two things; A free bit of hardening against pretty much any normal scraper, and the ability to run a server with the DNS as a Cloudflare proxied site (or other HTTP/s endpoint).This implementation addresses the following shortcomings with the old PR:
getVirtualHost()returnsplay.example.com, not the mangled hostname. Plugins, MOTD, analytics — everything sees the right value.subdomain-matching = trueis set under[forced-hosts], Velocity checks if the incoming hostname ends with any configured forced host on a dot boundary. Works for any DNS service that prepends to hostnames.notplay.example.comdoes not matchplay.example.com. Only actual subdomains match.