BungeeGuard is a pair of plugins which intercept the BungeeCord handshake protocol, and allow backend servers to verify whether players connected from a trusted proxy.
- On the proxy, BungeeGuard inserts a special authentication token into the profile data sent to the backend server when a player tries to connect.
- On the backend server, BungeeGuard re-implements the BungeeCord handshake protocol, and denies connections which do not contain an allowed token.
This means that even if your backend server is not firewalled, malicious users will not be able to spoof logins without knowing one of your allowed tokens.
- Add the
bungeeguard-proxy.jarfile to your BungeeCord plugins folder. Then restart the proxy. If you have multiple proxies in your network, do this for each of them. - Navigate to
/plugins/BungeeGuard/token.ymland make a note of the value oftoken.
-
Ensure that you are using the Paper server software. (or one of it's forks, e.g. TacoSpigot)
BungeeGuard does not work with plain Spigot.
-
Add the
bungeeguard-backend.jarfile to your Paper plugins folder. Then restart the server. -
Navigate to
/plugins/BungeeGuard/config.yml. Add the token(s) generated by the proxy(ies) to theallowed-tokenslist.e.g.
# Allowed authentication tokens. allowed-tokens: - "AUSXEwebkOGVnbihJM8gBS0QUutDzvIG009xoAfo1Huba9pGvhfjrA21r8dWVsa8"
-
Restart the server again.
BungeeGuard is known to have compatibility issues with SkinsRestorer on the proxy side. This has been fixed in a SkinsRestorer update, please ensure you are using the latest version.
BungeeGuard is known to have compatibility issues with ProtocolSupport on the backend side. This has been fixed in a ProtocolSupport update, please ensure you are using the latest version.