Document SSH console and RCON password secrets file (#3843)

2026-05-21 03:15:23 +00:00 · 2025-12-30 18:53:29 +01:00
parent 82aafd5f5e
commit 128bbff3d7
3 changed files with 120 additions and 10 deletions
@@ -238,15 +238,46 @@ By default an existing `server-icon.png` file will not be replaced, that can be
 ### RCON
-RCON is **enabled by default** to allow for graceful shut down the server and coordination of save state during backups. RCON can be disabled by setting `ENABLE_RCON` to "false".
+RCON is **enabled by default** to allow for graceful shut down of the server and coordination of save state during backups. RCON can be disabled by setting `ENABLE_RCON` to "false".
 !!! warning
    Disabling RCON will remove and limit some features, such as interactive and color console support.
-The default password is randomly generated on each startup; however, a specific one can be set with `RCON_PASSWORD`.
+#### RCON Password
-**DO NOT MAP THE RCON PORT EXTERNALLY** unless you are aware of all the consequences and have set a **secure password** with `RCON_PASSWORD`. 
+The default password is randomly generated on each startup. However, you can specify a password using one of the following environment variables:
 * Set `RCON_PASSWORD` to your desired password.
 * Set `RCON_PASSWORD_FILE` to the path of a file containing the password.
 Using `RCON_PASSWORD_FILE` is the recommended method for managing sensitive data, as it allows full support for [Docker Secrets](https://docs.docker.com/compose/how-tos/use-secrets/).
 ??? example
    ```yaml title="compose.yaml"
    services:
      mc:
        image: itzg/minecraft-server:latest
        pull_policy: daily
        tty: true
        stdin_open: true
        ports:
          - "25565:25565"
        environment:
          EULA: "TRUE"
          RCON_PASSWORD_FILE: /run/secrets/rcon_pass # Points to the path where the secret is mounted
        volumes:
          # attach the relative directory 'data' to the container's /data path
          - ./data:/data
        secrets:
          - rcon_pass
    secrets:
      rcon_pass:
        file: ./rcon_password # local file containing the password
    ```
 !!! warning
    **BE CAUTIOUS OF MAPPING THE RCON PORT EXTERNALLY** unless you are aware of all the consequences and have set a **secure password**.
 !!! info 
@@ -444,4 +475,4 @@ When using `docker run` from a bash shell, the entries must be quoted with the `
 | STATUS_HEARTBEAT_INTERVAL               | [status-heartbeat-interval](https://minecraft.wiki/w/Server.properties#status-heartbeat-interval)                             |
 | SYNC_CHUNK_WRITES                       | [sync-chunk-writes](https://minecraft.wiki/w/Server.properties#sync-chunk-writes)                                             |
 | USE_NATIVE_TRANSPORT                    | [use-native-transport](https://minecraft.wiki/w/Server.properties#use-native-transport)                                       |
-| VIEW_DISTANCE                           | [view-distance](https://minecraft.wiki/w/Server.properties#view-distance)                                                     |
+| VIEW_DISTANCE                           | [view-distance](https://minecraft.wiki/w/Server.properties#view-distance)                                                     |
@@ -0,0 +1,70 @@
 ---
 title: Over SSH
 ---
 The container can host an SSH console. It is enabled by setting `ENABLE_SSH` to `true`.
 The SSH server only supports password based authentication. The password is the same as the RCON password.
 !!! question
    See [the RCON password](../configuration/server-properties.md/#rcon-password) section under configuration/server-properties for more information on how to set an RCON password.
 The SSH server runs on port `2222` inside the container.
 ??? tip "Tip: Exposing the SSH port"
    !!! warning "Security Implications"
        By default, publishing ports in Docker binds them to all network interfaces (`0.0.0.0`), making the SSH console accessible to any device that can reach your host machine.
        Since the SSH console grants **full administrative access** to your server, it is critical to use a strong [RCON password](../configuration/server-properties.md/#rcon-password). 
        If you wish to restrict access to the local machine only, refer to the [Docker documentation](https://docs.docker.com/engine/network/port-publishing/#publishing-ports) on binding to specific IP addresses (e.g., `127.0.0.1:2222:2222`).
        If SSH access is only intended for inter-container connections, consider **NOT** forwarding the port to the host machine, and putting the containers in a shared [Docker network](https://docs.docker.com/engine/network/#user-defined-networks).
    ```yaml title="compose.yaml"
    services:
      mc:
        ports:
          - '25565:25565'
          - '2222:2222'
    ```
 ## Connecting
 Connecting should be as simple as running
 ```bash
 ssh anyuser@127.0.0.1 -p 2222
 ```
 and typing in the RCON password.
 ## Environment variables
 | Environment Variable | Usage                     | Default |
 | -------------------- | ------------------------- | ------- |
 | `ENABLE_SSH`   | Enable remote SSH console | `false` |
 ## Example
 ```yaml title="compose.yaml"
 services:
  mc:
    image: itzg/minecraft-server:latest
    pull_policy: daily
    tty: true
    stdin_open: true
    ports:
      - "25565:25565"
      - "2222:2222"
    environment:
      EULA: "TRUE"
      ENABLE_SSH: true
      RCON_PASSWORD_FILE: /run/secrets/rcon_pass
    volumes:
      # attach the relative directory 'data' to the container's /data path
      - ./data:/data
 secrets:
  rcon_pass:
    file: ./rcon_password
 ```
@@ -1,8 +1,8 @@
 ---
-title: With websocket
+title: With WebSocket
 ---
-With `WEBSOCKET_CONSOLE` set to `true`, logs can be streamed, and commands sent, over a websocket connection.
+With `WEBSOCKET_CONSOLE` set to `true`, logs can be streamed, and commands sent, over a WebSocket connection.
 The API is available on `/console`.
 ## Password
@@ -21,7 +21,16 @@ The listen address and port can be set with `WEBSOCKET_ADDRESS` (defaults to `0.
 ## Log history
 When a connection is established, the last 50 (by default, configurable with `WEBSOCKET_LOG_BUFFER_SIZE`) log lines are sent with a `logHistory` type message.
-??? tip "Tip: Remember to forward the websocket port on the host"
+??? tip "Tip: Remember to forward the WebSocket port on the host"
    !!! warning "Security Implications"
        By default, publishing ports in Docker binds them to all network interfaces (`0.0.0.0`), making the WebSocket console accessible to any device that can reach your host machine.
        Since the WebSocket console grants **full administrative access** to your server, it is critical to use a strong [WebSocket password](#password) or [RCON password](../configuration/server-properties.md/#rcon-password).
        If you wish to restrict access to the local machine only, refer to the [Docker documentation](https://docs.docker.com/engine/network/port-publishing/#publishing-ports) on binding to specific IP addresses (e.g., `127.0.0.1:80:80`).
        If WebSocket access is only intended for inter-container connections, consider **NOT** forwarding the port to the host machine, and putting the containers in a shared [Docker network](https://docs.docker.com/engine/network/#user-defined-networks).
    ```yaml title="compose.yaml"
    services:
@@ -34,12 +43,12 @@ When a connection is established, the last 50 (by default, configurable with `WE
 ## Environment variables
 | Environment Variable               | Usage                                                      | Default      |
 | ---------------------------------- | ---------------------------------------------------------- | ------------ |
-| `WEBSOCKET_CONSOLE`                | Allow remote shell over websocket                          | `false`      |
+| `WEBSOCKET_CONSOLE`                | Allow remote shell over WebSocket                          | `false`      |
-| `WEBSOCKET_ADDRESS`                | Bind address for websocket server                          | `0.0.0.0:80` |
+| `WEBSOCKET_ADDRESS`                | Bind address for WebSocket server                          | `0.0.0.0:80` |
 | `WEBSOCKET_DISABLE_ORIGIN_CHECK`   | Disable checking if origin is trusted                      | `false`      |
 | `WEBSOCKET_ALLOWED_ORIGINS`        | Comma-separated list of trusted origins                    | ` `          |
 | `WEBSOCKET_PASSWORD`               | Password will be the same as RCON_PASSWORD if unset        | ` `          |
-| `WEBSOCKET_DISABLE_AUTHENTICATION` | Disable websocket authentication                           | `false`      |
+| `WEBSOCKET_DISABLE_AUTHENTICATION` | Disable WebSocket authentication                           | `false`      |
 | `WEBSOCKET_LOG_BUFFER_SIZE`        | Number of log lines to save and send to connecting clients | `50`         |
 ## API Schema