Document SSH console and RCON password secrets file (#3843)

2026-02-17 07:03:57 +00:00 · 2025-12-30 18:53:29 +01:00
parent 82aafd5f5e
commit 128bbff3d7
3 changed files with 120 additions and 10 deletions
--- a/docs/configuration/server-properties.md
+++ b/docs/configuration/server-properties.md
@@ -238,15 +238,46 @@ By default an existing `server-icon.png` file will not be replaced, that can be

 ### RCON

-RCON is **enabled by default** to allow for graceful shut down the server and coordination of save state during backups. RCON can be disabled by setting `ENABLE_RCON` to "false".
+RCON is **enabled by default** to allow for graceful shut down of the server and coordination of save state during backups. RCON can be disabled by setting `ENABLE_RCON` to "false".

 !!! warning

    Disabling RCON will remove and limit some features, such as interactive and color console support.

-The default password is randomly generated on each startup; however, a specific one can be set with `RCON_PASSWORD`.
+#### RCON Password

-**DO NOT MAP THE RCON PORT EXTERNALLY** unless you are aware of all the consequences and have set a **secure password** with `RCON_PASSWORD`. 
+The default password is randomly generated on each startup. However, you can specify a password using one of the following environment variables:
+
+* Set `RCON_PASSWORD` to your desired password.
+* Set `RCON_PASSWORD_FILE` to the path of a file containing the password.
+
+Using `RCON_PASSWORD_FILE` is the recommended method for managing sensitive data, as it allows full support for [Docker Secrets](https://docs.docker.com/compose/how-tos/use-secrets/).
+
+??? example
+    ```yaml title="compose.yaml"
+    services:
+      mc:
+        image: itzg/minecraft-server:latest
+        pull_policy: daily
+        tty: true
+        stdin_open: true
+        ports:
+          - "25565:25565"
+        environment:
+          EULA: "TRUE"
+          RCON_PASSWORD_FILE: /run/secrets/rcon_pass # Points to the path where the secret is mounted
+        volumes:
+          # attach the relative directory 'data' to the container's /data path
+          - ./data:/data
+        secrets:
+          - rcon_pass
+    
+    secrets:
+      rcon_pass:
+        file: ./rcon_password # local file containing the password
+    ```
+!!! warning
+    **BE CAUTIOUS OF MAPPING THE RCON PORT EXTERNALLY** unless you are aware of all the consequences and have set a **secure password**.

 !!! info 

@@ -444,4 +475,4 @@ When using `docker run` from a bash shell, the entries must be quoted with the `
 | STATUS_HEARTBEAT_INTERVAL               | [status-heartbeat-interval](https://minecraft.wiki/w/Server.properties#status-heartbeat-interval)                             |
 | SYNC_CHUNK_WRITES                       | [sync-chunk-writes](https://minecraft.wiki/w/Server.properties#sync-chunk-writes)                                             |
 | USE_NATIVE_TRANSPORT                    | [use-native-transport](https://minecraft.wiki/w/Server.properties#use-native-transport)                                       |
-| VIEW_DISTANCE                           | [view-distance](https://minecraft.wiki/w/Server.properties#view-distance)                                                     |
+| VIEW_DISTANCE                           | [view-distance](https://minecraft.wiki/w/Server.properties#view-distance)                                                     |
--- a/docs/sending-commands/ssh.md
+++ b/docs/sending-commands/ssh.md
@@ -0,0 +1,70 @@
+---
+title: Over SSH
+---
+
+The container can host an SSH console. It is enabled by setting `ENABLE_SSH` to `true`.
+The SSH server only supports password based authentication. The password is the same as the RCON password.
+
+!!! question
+    See [the RCON password](../configuration/server-properties.md/#rcon-password) section under configuration/server-properties for more information on how to set an RCON password.
+
+The SSH server runs on port `2222` inside the container.
+
+??? tip "Tip: Exposing the SSH port"
+
+    !!! warning "Security Implications"
+        By default, publishing ports in Docker binds them to all network interfaces (`0.0.0.0`), making the SSH console accessible to any device that can reach your host machine.
+        
+        Since the SSH console grants **full administrative access** to your server, it is critical to use a strong [RCON password](../configuration/server-properties.md/#rcon-password). 
+        
+        If you wish to restrict access to the local machine only, refer to the [Docker documentation](https://docs.docker.com/engine/network/port-publishing/#publishing-ports) on binding to specific IP addresses (e.g., `127.0.0.1:2222:2222`).
+      
+        If SSH access is only intended for inter-container connections, consider **NOT** forwarding the port to the host machine, and putting the containers in a shared [Docker network](https://docs.docker.com/engine/network/#user-defined-networks).
+
+    ```yaml title="compose.yaml"
+    services:
+      mc:
+        ports:
+          - '25565:25565'
+          - '2222:2222'
+    ```
+
+## Connecting
+
+Connecting should be as simple as running
+```bash
+ssh anyuser@127.0.0.1 -p 2222
+```
+and typing in the RCON password.
+
+## Environment variables
+
+| Environment Variable | Usage                     | Default |
+| -------------------- | ------------------------- | ------- |
+| `ENABLE_SSH`   | Enable remote SSH console | `false` |
+
+
+## Example
+
+```yaml title="compose.yaml"
+services:
+  mc:
+    image: itzg/minecraft-server:latest
+    pull_policy: daily
+    tty: true
+    stdin_open: true
+    ports:
+      - "25565:25565"
+      - "2222:2222"
+    environment:
+      EULA: "TRUE"
+      ENABLE_SSH: true
+      RCON_PASSWORD_FILE: /run/secrets/rcon_pass
+    volumes:
+      # attach the relative directory 'data' to the container's /data path
+      - ./data:/data
+    
+secrets:
+  rcon_pass:
+    file: ./rcon_password
+```
--- a/docs/sending-commands/websocket.md
+++ b/docs/sending-commands/websocket.md
@@ -1,8 +1,8 @@
 ---
-title: With websocket
+title: With WebSocket
 ---

-With `WEBSOCKET_CONSOLE` set to `true`, logs can be streamed, and commands sent, over a websocket connection.
+With `WEBSOCKET_CONSOLE` set to `true`, logs can be streamed, and commands sent, over a WebSocket connection.
 The API is available on `/console`.

 ## Password
@@ -21,7 +21,16 @@ The listen address and port can be set with `WEBSOCKET_ADDRESS` (defaults to `0.
 ## Log history
 When a connection is established, the last 50 (by default, configurable with `WEBSOCKET_LOG_BUFFER_SIZE`) log lines are sent with a `logHistory` type message.

-??? tip "Tip: Remember to forward the websocket port on the host"
+??? tip "Tip: Remember to forward the WebSocket port on the host"
+
+    !!! warning "Security Implications"
+        By default, publishing ports in Docker binds them to all network interfaces (`0.0.0.0`), making the WebSocket console accessible to any device that can reach your host machine.
+        
+        Since the WebSocket console grants **full administrative access** to your server, it is critical to use a strong [WebSocket password](#password) or [RCON password](../configuration/server-properties.md/#rcon-password).
+      
+        If you wish to restrict access to the local machine only, refer to the [Docker documentation](https://docs.docker.com/engine/network/port-publishing/#publishing-ports) on binding to specific IP addresses (e.g., `127.0.0.1:80:80`).
+        
+        If WebSocket access is only intended for inter-container connections, consider **NOT** forwarding the port to the host machine, and putting the containers in a shared [Docker network](https://docs.docker.com/engine/network/#user-defined-networks).

    ```yaml title="compose.yaml"
    services:
@@ -34,12 +43,12 @@ When a connection is established, the last 50 (by default, configurable with `WE
 ## Environment variables
 | Environment Variable               | Usage                                                      | Default      |
 | ---------------------------------- | ---------------------------------------------------------- | ------------ |
-| `WEBSOCKET_CONSOLE`                | Allow remote shell over websocket                          | `false`      |
-| `WEBSOCKET_ADDRESS`                | Bind address for websocket server                          | `0.0.0.0:80` |
+| `WEBSOCKET_CONSOLE`                | Allow remote shell over WebSocket                          | `false`      |
+| `WEBSOCKET_ADDRESS`                | Bind address for WebSocket server                          | `0.0.0.0:80` |
 | `WEBSOCKET_DISABLE_ORIGIN_CHECK`   | Disable checking if origin is trusted                      | `false`      |
 | `WEBSOCKET_ALLOWED_ORIGINS`        | Comma-separated list of trusted origins                    | ` `          |
 | `WEBSOCKET_PASSWORD`               | Password will be the same as RCON_PASSWORD if unset        | ` `          |
-| `WEBSOCKET_DISABLE_AUTHENTICATION` | Disable websocket authentication                           | `false`      |
+| `WEBSOCKET_DISABLE_AUTHENTICATION` | Disable WebSocket authentication                           | `false`      |
 | `WEBSOCKET_LOG_BUFFER_SIZE`        | Number of log lines to save and send to connecting clients | `50`         |

 ## API Schema