BungeeGuard is a pair of plugins which intercept the BungeeCord handshake protocol, and allow backend servers to verify whether players connected from a trusted proxy.
- On the proxy, BungeeGuard inserts a special authentication token into the profile data sent to the backend server when a player tries to connect.
- On the backend server, BungeeGuard listens to incoming connections and denies connections which do not contain an allowed token.
This means that even if your backend server is not firewalled, malicious users will not be able to spoof logins without knowing one of your allowed tokens.
On your proxies...
- Add the
bungeeguard-proxy.jarfile to your BungeeCord plugins folder. Then restart the proxy. If you have multiple proxies in your network, do this for each of them.
- Navigate to
/plugins/BungeeGuard/token.ymland make a note of the value of
On each of your backend servers...
Consider using the Paper server software. (BungeeGuard is able cancel malicious collections "sooner" on Paper servers.)
bungeeguard-backend.jarfile to your plugins folder. Then restart the server.
/plugins/BungeeGuard/config.yml. Add the token(s) generated by the proxy(ies) to the
# Allowed authentication tokens. allowed-tokens: - "AUSXEwebkOGVnbihJM8gBS0QUutDzvIG009xoAfo1Huba9pGvhfjrA21r8dWVsa8"
Restart the server again.
BungeeGuard is known to have compatibility issues with SkinsRestorer on the proxy side. This has been fixed in a SkinsRestorer update, please ensure you are using the latest version.
BungeeGuard is known to have compatibility issues with ProtocolSupport on the backend side. This has been fixed in a ProtocolSupport update, please ensure you are using the latest version.