Minecraft Servers Help Needed

[thomanbaley]

Hello Community,

I'm looking for guidance on a secure method to allow external players, such as my kids' cousins and school friends, to access our private Minecraft server without exposing our network or the server to public access. I'm specifically avoiding direct port forwarding and VPN access for security reasons.

Currently, I'm considering a solution where users can access the Minecraft server only after completing an HTTPS user/password authentication. I've been trying to implement this using HAProxy but haven't been successful yet.

The ideal scenario would be: Users navigate to a web address (like https://minecraft.domain.xyz:12345) and authenticate using credentials I provide. Post-authentication, they should be able to connect to our Minecraft server by entering 'minecraft.domain.xyz' in Minecraft. If they haven't authenticated via the URL, they shouldn't be able to connect to the server. I understand that Minecraft typically uses port 25565.

I would greatly appreciate any suggestions or guidance on setting up such a system. Thank you in advance for your help!

Here is my set up so far:

1)  I installed the Let's Encrypt plugin.  I purchased my own domain (domain.xyz) and have successfully issued a wildcard certificate for domain.xyz and *.domain.xyz.  In the Let's Encrypt plugin, I do NOT check "HAProxy Integration" because I understand that is only needed if I use HTTP-01 validation and I don't use that method.

2)  I use Dynamic DNS to set domain.xyz and minecraft.domain.xyz to equal my WAN IP address.

3)  Here are my HAProxy settings:

Real Server
Enabled:  Checked
Name:  Minecraft
IP:  192.168.1.90
Port:  25565
Mode:  active [default]
SSL:  Unchecked

Backend Pool
Enabled:  Checked
Name:  Minecraft
Mode:  TCP (Layer 4)  --> my understanding is that this should be set to TCP because Minecraft is not a webserver
Balancing Algorithm:  Source-IP Hash [default]
Servers:  Minecraft
Enable Health Checking:  Checked
Health Monitor:  None
Persistence Type:  Stick-table persistence [default]
Stick-table persistence table type:  Source-IP [default]

Users / Group
I created a single test user / password.
I added this single user to a test group.

Conditions
Name:  Host_Minecraft
Condition type:  Host matches
Host string:  minecraft.domain.xyz

Name:  Auth_User
Condition type:  HTTP Basic Auth:  username/password from client matches selected user/group
Parameters:  matches to my test group.

Rules
Name:  Minecraft
Test type:  IF [default]
Selected conditions:  Auth_User AND Host_Minecraft
Execute function:  Use specified Backend Pool
Use backend pool:  Minecraft

Public Service
Name:  Frontend
Listen Addresses:  0.0.0.0:12345  I don't know if 0.0.0.0 is the right address to use here
Type:  HTTP / HTTPS (SSL offloading) [default]
Default Backend Pool:  none
Enable SSL offloading:  Checked
Minecraft Server Website: https://minecraft-servers.io

SSL Offloading:
Certificates:  wildcard certificate from Let's Encrypt
Default certificate:  wildcard certificate from Let's Encrypt
Enable Advanced Settings:  Unchecked

HTTP(S) settings:
Enable HTTP/2:  Checked
HTTP/2 Without TLS:  Unchecked

Basic Authentication:
Enabled:  Checked
Allowed Groups:  my test group

Firewall rules
On the WAN, I allow IPv4 TCP/UDP protocol to pass at port 12345.

Here is what happens:

1)  Using my browser, I am able to go to https://minecraft.domain.xyz:12345, it gets a user/password prompt, and I able to "login" using my test user credentials.  The connection is properly secured using the Let's Encrypt certificate.  After login, the browser shows an error message because there is no webserver at that location.  But I don't care.  I just want to satisfy the Auth_User condition.

2)  I open Minecraft and add the server minecraft.domain.xyz, and I try to connect, but it does not work.  I thought this would work because I thought this would satisfy the Host_Minecraft condition.

So what am I doing wrong?  I am able to get the user authentication working, but HAProxy is not correctly passing traffic to my Minecraft server.  I am guessing something is wrong with my "Public Server" settings, but am not sure what.

[Patrick M. Hausen]

HTTP basic auth takes place for every single request. Since as you correctly remarked Minecraft does not use HTTP that simply will not work this way.

I opened 25565 unconditionally and we enabled the whitelist feature in Minecraft and only allow a few friends in.

[petrus]

Hi we just had a discussion  on the german speaking forum https://forum.opnsense.org/index.php?topic=38260.0. I wanted to use the captive portal to authenticate users source IPs. Then use those sources to fill in some object and use that object in the firewall rules.

There seems to be no way to do that on Opnsense and as Patrick wrote: HAProxy simple authentication works only for HTTP.


 

[ClareGriffith]

Navigating Minecraft servers can be tricky, but it's awesome that you're taking steps to keep things secure. Your approach with HTTPS user/password authentication sounds smart. If you're still exploring options, maybe check out minecraftforfreex.com for some helpful tips or resources. It could be a handy addition to your toolkit. Best of luck with your server setup, and here's to many fun Minecraft adventures for your kids and their friends!