Latest Quick‐Start Guide for Drawbridge and Emissary ‐ Minecraft Server
Drawbridge reverse proxy and the Emissary client are designed to simplify serving self-hosted applications, securely, across networks.
In practice, Drawbridge sits in front of your self-hosted networked application, and only allows authorized Emissary clients to access your self-hosted services.
For this tutorial, we will have a Minecraft server be our self-hosted server we want to protect.
I download and run the latest version of Drawbridge.
When I run Drawbridge, it opens my default browser (on macOS and Windows) to access the Drawbridge Dashboard. Note that by default the Drawbridge admin panel is only accessible from the machine it is installed on via http://localhost:3000
Since this is my first time using the Drawbridge Dashboard, a setup prompt will appear, asking for the server IP Drawbridge should be accessible from. I will enter my (not real) WAN address. You can find this address by visiting a site like https://ipchicken.com.
Under the Protect new Service section, I'll Name my service "My Minecraft Server", enter 127.0.0.1 for the IP (since it is running on the same machine as Drawbridge), and enter 25565 for the port. If you are running your Minecraft server on a different machine, you should enter that IP here.
I click Submit, and we now can see our service in the Protected Services section of the dashboard!
Now, go into your router admin page and forward the Drawbridge port 3100, and make sure to set the protocol to TCP/UDP. This is so Emissary can talk to Drawbridge from outside your LAN.
Drawbridge should now be successfully configured! Now Drawbridge knows where to send traffic when an Emissary client connects to it!
Before we move on, we need to generate an Emissary Bundle. This contains the Emissary client, which allows other machines to connect to Drawbridge and our Protected Minecraft Service. It also contains a unique mTLS key and certificate used by Emissary.
To generate the Emissary Bundle, click on the "Emissary Clients" tab on the menu bar on the left side of the dashboard. Under the Emissary Bundle section, select the desired OS platform, and click Submit. Drawbridge will then give you a "bundle.zip". We will send this to our friend Matthew so he can connect to our Minecraft Server.
Remember, Matthew can't connect to the Minecraft server directly with our WAN IP, since we have exposed the Minecraft Server only to Drawbridge.
Matthew unzips the Emissary Bundle we sent to him earlier, and launches Emissary.
Once Emissary connects to Drawbridge, Matthew can see our Minecraft Protected Service is available on his machine now at localhost:3200!
Now, Matthew launches Minecraft and enters localhost:3200 as shown in Emissary in the previous step:
Congratulations! If you made it this far, you hopefully are able to access your Drawbridge Protected Service from an authorized Emissary client!