diff --git a/docs/configuration/server-properties.md b/docs/configuration/server-properties.md index 58355e26..06a62179 100644 --- a/docs/configuration/server-properties.md +++ b/docs/configuration/server-properties.md 
@@ -238,15 +238,46 @@ By default an existing `server-icon.png` file will not be replaced, that can be ### RCON -RCON is **enabled by default** to allow for graceful shut down the server and coordination of save state during backups. RCON can be disabled by setting `ENABLE_RCON` to "false". +RCON is **enabled by default** to allow for graceful shut down of the server and coordination of save state during backups. RCON can be disabled by setting `ENABLE_RCON` to "false". !!! warning Disabling RCON will remove and limit some features, such as interactive and color console support. -The default password is randomly generated on each startup; however, a specific one can be set with `RCON_PASSWORD`. +#### RCON Password -**DO NOT MAP THE RCON PORT EXTERNALLY** unless you are aware of all the consequences and have set a **secure password** with `RCON_PASSWORD`. +The default password is randomly generated on each startup. However, you can specify a password using one of the following environment variables: + +* Set `RCON_PASSWORD` to your desired password. +* Set `RCON_PASSWORD_FILE` to the path of a file containing the password. + +Using `RCON_PASSWORD_FILE` is the recommended method for managing sensitive data, as it allows full support for [Docker Secrets](https://docs.docker.com/compose/how-tos/use-secrets/). + +??? example + ```yaml title="compose.yaml" + services: + mc: + image: itzg/minecraft-server:latest + pull_policy: daily + tty: true + stdin_open: true + ports: + - "25565:25565" + environment: + EULA: "TRUE" + RCON_PASSWORD_FILE: /run/secrets/rcon_pass # Points to the path where the secret is mounted + volumes: + # attach the relative directory 'data' to the container's /data path + - ./data:/data + secrets: + - rcon_pass + + secrets: + rcon_pass: + file: ./rcon_password # local file containing the password + ``` +!!! warning + **BE CAUTIOUS OF MAPPING THE RCON PORT EXTERNALLY** unless you are aware of all the consequences and have set a **secure password**. !!! 
info @@ -444,4 +475,4 @@ When using `docker run` from a bash shell, the entries must be quoted with the ` | STATUS_HEARTBEAT_INTERVAL | [status-heartbeat-interval](https://minecraft.wiki/w/Server.properties#status-heartbeat-interval) | | SYNC_CHUNK_WRITES | [sync-chunk-writes](https://minecraft.wiki/w/Server.properties#sync-chunk-writes) | | USE_NATIVE_TRANSPORT | [use-native-transport](https://minecraft.wiki/w/Server.properties#use-native-transport) | -| VIEW_DISTANCE | [view-distance](https://minecraft.wiki/w/Server.properties#view-distance) | \ No newline at end of file +| VIEW_DISTANCE | [view-distance](https://minecraft.wiki/w/Server.properties#view-distance) | diff --git a/docs/sending-commands/ssh.md b/docs/sending-commands/ssh.md new file mode 100644 index 00000000..da249ecf --- /dev/null +++ b/docs/sending-commands/ssh.md 
@@ -0,0 +1,70 @@ +--- +title: Over SSH +--- + +The container can host an SSH console. It is enabled by setting `ENABLE_SSH` to `true`. +The SSH server only supports password based authentication. The password is the same as the RCON password. + +!!! question + See [the RCON password](../configuration/server-properties.md/#rcon-password) section under configuration/server-properties for more information on how to set an RCON password. + +The SSH server runs on port `2222` inside the container. + +??? tip "Tip: Exposing the SSH port" + + !!! warning "Security Implications" + By default, publishing ports in Docker binds them to all network interfaces (`0.0.0.0`), making the SSH console accessible to any device that can reach your host machine. + + Since the SSH console grants **full administrative access** to your server, it is critical to use a strong [RCON password](../configuration/server-properties.md/#rcon-password). + + If you wish to restrict access to the local machine only, refer to the [Docker documentation](https://docs.docker.com/engine/network/port-publishing/#publishing-ports) on binding to specific IP addresses (e.g., `127.0.0.1:2222:2222`). + + If SSH access is only intended for inter-container connections, consider **NOT** forwarding the port to the host machine, and putting the containers in a shared [Docker network](https://docs.docker.com/engine/network/#user-defined-networks). + + ```yaml title="compose.yaml" + services: + mc: + ports: + - '25565:25565' + - '2222:2222' + ``` + +## Connecting + +Connecting should be as simple as running +```bash +ssh anyuser@127.0.0.1 -p 2222 +``` +and typing in the RCON password. 
+ +## Environment variables + +| Environment Variable | Usage | Default | +| -------------------- | ------------------------- | ------- | +| `ENABLE_SSH` | Enable remote SSH console | `false` | + + +## Example + +```yaml title="compose.yaml" +services: + mc: + image: itzg/minecraft-server:latest + pull_policy: daily + tty: true + stdin_open: true + ports: + - "25565:25565" + - "2222:2222" + environment: + EULA: "TRUE" + ENABLE_SSH: true + RCON_PASSWORD_FILE: /run/secrets/rcon_pass + volumes: + # attach the relative directory 'data' to the container's /data path + - ./data:/data + +secrets: + rcon_pass: + file: ./rcon_password +``` diff --git a/docs/sending-commands/websocket.md b/docs/sending-commands/websocket.md index f0812673..011a0f16 100644 --- a/docs/sending-commands/websocket.md +++ b/docs/sending-commands/websocket.md @@ -1,8 +1,8 @@ --- -title: With websocket +title: With WebSocket --- -With `WEBSOCKET_CONSOLE` set to `true`, logs can be streamed, and commands sent, over a websocket connection. +With `WEBSOCKET_CONSOLE` set to `true`, logs can be streamed, and commands sent, over a WebSocket connection. The API is available on `/console`. ## Password 
@@ -21,7 +21,16 @@ The listen address and port can be set with `WEBSOCKET_ADDRESS` (defaults to `0. ## Log history When a connection is established, the last 50 (by default, configurable with `WEBSOCKET_LOG_BUFFER_SIZE`) log lines are sent with a `logHistory` type message. -??? tip "Tip: Remember to forward the websocket port on the host" +??? tip "Tip: Remember to forward the WebSocket port on the host" + + !!! warning "Security Implications" + By default, publishing ports in Docker binds them to all network interfaces (`0.0.0.0`), making the WebSocket console accessible to any device that can reach your host machine. + + Since the WebSocket console grants **full administrative access** to your server, it is critical to use a strong [WebSocket password](#password) or [RCON password](../configuration/server-properties.md/#rcon-password). + + If you wish to restrict access to the local machine only, refer to the [Docker documentation](https://docs.docker.com/engine/network/port-publishing/#publishing-ports) on binding to specific IP addresses (e.g., `127.0.0.1:80:80`). + + If WebSocket access is only intended for inter-container connections, consider **NOT** forwarding the port to the host machine, and putting the containers in a shared [Docker network](https://docs.docker.com/engine/network/#user-defined-networks). ```yaml title="compose.yaml" services: 
@@ -34,12 +43,12 @@ When a connection is established, the last 50 (by default, configurable with `WE ## Environment variables | Environment Variable | Usage | Default | | ---------------------------------- | ---------------------------------------------------------- | ------------ | -| `WEBSOCKET_CONSOLE` | Allow remote shell over websocket | `false` | -| `WEBSOCKET_ADDRESS` | Bind address for websocket server | `0.0.0.0:80` | +| `WEBSOCKET_CONSOLE` | Allow remote shell over WebSocket | `false` | +| `WEBSOCKET_ADDRESS` | Bind address for WebSocket server | `0.0.0.0:80` | | `WEBSOCKET_DISABLE_ORIGIN_CHECK` | Disable checking if origin is trusted | `false` | | `WEBSOCKET_ALLOWED_ORIGINS` | Comma-separated list of trusted origins | ` ` | | `WEBSOCKET_PASSWORD` | Password will be the same as RCON_PASSWORD if unset | ` ` | -| `WEBSOCKET_DISABLE_AUTHENTICATION` | Disable websocket authentication | `false` | +| `WEBSOCKET_DISABLE_AUTHENTICATION` | Disable WebSocket authentication | `false` | | `WEBSOCKET_LOG_BUFFER_SIZE` | Number of log lines to save and send to connecting clients | `50` | ## API Schema
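Review bot: In the server-properties.md hunk (`@@ -238,15 +238,46 @@`), replacing `**DO NOT MAP THE RCON PORT EXTERNALLY**` with `**BE CAUTIOUS OF MAPPING THE RCON PORT EXTERNALLY**` weakens the one hard security warning on this page; RCON is enabled by default and its password is only random per startup, so keep the original imperative, or state plainly that the port should stay unpublished unless `RCON_PASSWORD` or `RCON_PASSWORD_FILE` has been set to a strong value. Two smaller points: the new text does not say which variable wins when both `RCON_PASSWORD` and `RCON_PASSWORD_FILE` are set, so add a sentence on precedence; and the `!!! warning` admonition directly follows the closing fence of the `??? example` block with no blank line between them, which the `!!!`/`???` admonition syntax used here may render as part of the collapsed example rather than as a separate warning.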
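Review bot: In the new ssh.md file, the compose fragment under `## Example` declares a top-level `secrets:` entry `rcon_pass` and sets `RCON_PASSWORD_FILE: /run/secrets/rcon_pass`, but the `mc` service has no `secrets:` list referencing it, so the secret is never mounted and the file will not exist at startup; add
    secrets:
      - rcon_pass
under the `mc` service, as the server-properties.md example in this same patch does. Also quote `ENABLE_SSH: "true"` to match `EULA: "TRUE"` (a bare YAML boolean under `environment` is not a string and some Compose versions reject it), and since the tip text recommends `127.0.0.1:2222:2222`, the tip's own snippet would be more consistent showing that form rather than `'2222:2222'`. The links `../configuration/server-properties.md/#rcon-password` carry a stray `/` before the anchor.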
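Review bot: In the websocket.md `@@ -21,7 +21,16 @@` hunk, the new "Security Implications" warning recommends a strong password but says nothing about `WEBSOCKET_DISABLE_AUTHENTICATION` and `WEBSOCKET_DISABLE_ORIGIN_CHECK` from the environment-variable table on the same page; add a sentence that both must remain `false` whenever the port is published beyond localhost, otherwise the password guidance has no effect. The `[RCON password](../configuration/server-properties.md/#rcon-password)` link here has the same stray `/` before the anchor as in ssh.md.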