Configuring self-hosting using a SSL encrypted domain with no ports?

Foxy

Hello, I am looking to setup self-hosting. However, a player connected to the server and accepting the resource pack can bypass our reuse proxy which essentially masks our IP is able to resolve the servers IP via. Wireshark

Is there any way we can configure a domain with no ports that's SSL encrypted to prevent them from resolving the domain? 😀

thefourCraft

I use cloudfalred tunnel & Cloudflare workers to serve the zip file as soon as a player connects to our server
but it's complicated and requires you to have spectrum, witch is available on the pro plan but limited to 5GB…

What Is Cloudflare Tunnel?

Cloudflare Tunnel is a service offered by Cloudflare that provides a secure connection between a client device and a server by establishing a direct, encrypted connection between them. This allows the server to be accessible over the internet while keeping its IP address hidden and helps protect the server from malicious attacks.

Cloudflare Tunnel creates a unique URL for each client, which the client uses to connect to the server. This URL is encrypted, and only the client and the server can decode it. When the client connects to the server, Cloudflare Tunnel acts as a proxy, forwarding the client's requests to the server and vice versa, all while maintaining the end-to-end encryption of the connection.

This makes it possible for businesses to securely host applications and services on their servers while keeping their infrastructure protected from external threats. Additionally, since the connection is encrypted, it can also help protect against eavesdropping and tampering.

I can also recommend you to look at play.gg… it's the same thing but for 100% free
while it also requires some workarounds, your IP won't get exposed

What is playit.gg?

playit.gg is a networking service that allows hosting game servers at home that anyone across the world can join. We do this through our custom tunneling software. You can find our open-source client here. When you launch the playit program, the program will connect to our Anycast Network and assign you a static IP and port. You can then share your static IP and port with friends. When they connect, their connection information will go to the nearest tunnel server and be tunneled to the playit program on your computer. By tunneling the connection, your friend can connect to the server running within your network.

What is an Anycast Network?

An Anycast Network is a network where all our IP addresses are available at all our datacenters. When you or a player tries to communicate with a playit tunnel server, your ISP will route your connection to what they consider is the closest datacenter we operate in. ISPs don't always get this right so we're actively working of new ways to improve this.

Anycast offers us a large number of advantages. Here are a few:

We can dynamically add more servers to handle the load
We can use our limited IP space across many datacenters
Tunnel servers can be upgraded without downtime
An entire data center can go down, and your connections will not be disrupted

my final recommendation would be to use nginx or apache webservers

Apache or Nginx

You can use web server software such as Apache or Nginx.
To ensure the IP is masked, you can use a reverse proxy in front of the web server.
A reverse proxy hides the IP of the web server and acts as an intermediary between the client and the server.
This way, the client will only see the IP of the reverse proxy, not the web server.

However, it's important to note that if a player is determined to find the server's IP, they may still be able to do so using tools such as Wireshark. The best way to protect the server's IP is to not rely solely on hiding the IP and implement robust security measures to prevent unauthorized access.

LoneDev

People will always know your survival server IP as soon as your Bungeecord proxy server is on the same machine with the same IP.
I doubt you're using a service similar to Cloudflare Spectrum (the one used by Hypixel to proxy connections).

If your players can bypass the Bungeecord proxy to directly join the survival server you have a serious configuration issue since this doesn't happen if the proxy architecture is configured correctly.
You can use a Bungeecord plugin like this one: https://www.spigotmc.org/resources/safenet-1-8-1-19-protect-your-network-from-ip-forward-bypass-exploit.65075/
I took that from the official Bungeecord proxy guide: https://www.spigotmc.org/wiki/firewall-guide/

Foxy

Hi, we are using a Cloudflare Spectrum system. my colleague who deals with the backend stuff has asked how we would use a domain instead of an IP and Port, because if we put a reverse proxy over it, it'll just have a domain, not an IP and Port.

LoneDev

Foxy I think this could be something that would help your project: PluginBugs/Issues-ItemsAdder#2607 (comment)

In your case something like

    self-host:
      enabled: true
      server-ip: 'resourcepack.example.com'
      pack-port: 8163
      append-port: false

So your players will download it from resourcepack.example.com (it's your responsibility to make resourcepack subdomain to point to the correct port internally using Cloudflare or other solutions).