From 61b86fba526ff71ec6745a468398514541493701 Mon Sep 17 00:00:00 2001 From: Enginecrafter77 Date: Thu, 9 Jun 2022 18:41:03 +0200 Subject: [PATCH 1/7] fix: Initial addressing of #810 This commit contains a crude but functional fix for problem described by issue #810. It works by reimplementing the MojangResolver#hasJoined method using reflection to access the inaccessible fields. The significant difference is that unlike in the CraftAPI implementation, which sends the "ip" parameter when the hostIp parameter is an IPv4 address, but skips it for IPv6, this implementation ommits the "ip" parameter also for IPv4, effectively enabling transparent proxies to work. WARNING: This commit contains only a proof-of-concept code with crude hacks to make it work with the least amount of code edits. Improvements upon the code will be included in following commits. The code is at the moment really ineffective, and therefore SHOULD NOT BE USED IN PRODUCTION! You have been warned. --- .../protocollib/VerifyResponseTask.java | 93 ++++++++++++++++++- 1 file changed, 88 insertions(+), 5 deletions(-) diff --git a/bukkit/src/main/java/com/github/games647/fastlogin/bukkit/listener/protocollib/VerifyResponseTask.java b/bukkit/src/main/java/com/github/games647/fastlogin/bukkit/listener/protocollib/VerifyResponseTask.java index d8596910..f9696218 100644 --- a/bukkit/src/main/java/com/github/games647/fastlogin/bukkit/listener/protocollib/VerifyResponseTask.java +++ b/bukkit/src/main/java/com/github/games647/fastlogin/bukkit/listener/protocollib/VerifyResponseTask.java @@ -36,15 +36,18 @@ import com.comphenix.protocol.wrappers.WrappedChatComponent; import com.comphenix.protocol.wrappers.WrappedGameProfile; import com.github.games647.craftapi.model.auth.Verification; import com.github.games647.craftapi.model.skin.SkinProperty; +import com.github.games647.craftapi.resolver.AbstractResolver; import com.github.games647.craftapi.resolver.MojangResolver; import com.github.games647.fastlogin.bukkit.BukkitLoginSession; import com.github.games647.fastlogin.bukkit.FastLoginBukkit; import java.io.IOException; +import java.io.InputStream; +import java.io.Reader; import java.lang.reflect.InvocationTargetException; import java.lang.reflect.Method; -import java.net.InetAddress; -import java.net.InetSocketAddress; +import java.net.*; +import java.nio.charset.StandardCharsets; import java.security.GeneralSecurityException; import java.security.Key; import java.security.KeyPair; @@ -138,7 +141,10 @@ public class VerifyResponseTask implements Runnable { try { MojangResolver resolver = plugin.getCore().getResolver(); InetAddress address = socketAddress.getAddress(); - Optional response = resolver.hasJoined(requestedUsername, serverId, address); + + // TODO edit marker + Optional response = VerifyResponseTask.hasJoined(resolver, requestedUsername, serverId, address); + if (response.isPresent()) { Verification verification = response.get(); plugin.getLog().info("Profile {} has a verified premium account", requestedUsername); @@ -162,14 +168,91 @@ public class VerifyResponseTask implements Runnable { } else { //user tried to fake an authentication disconnect("invalid-session", - "GameProfile {0} ({1}) tried to log in with an invalid session ServerId: {2}", - session.getRequestUsername(), socketAddress, serverId); + String.format("GameProfile %s (%s) tried to log in with an invalid session. ServerId: %s", + session.getRequestUsername(), socketAddress, serverId)); } } catch (IOException ioEx) { disconnect("error-kick", "Failed to connect to session server", ioEx); } } + /** + * A reimplementation of {@link MojangResolver#hasJoined(String, String, InetAddress)} using various crude reflection-based hacks + * to access the protected code. The significant difference is that unlike in the CraftAPI implementation, which sends the "ip" parameter + * when the hostIp parameter is an IPv4 address, but skips it for IPv6, this implementation ommits the "ip" parameter also for IPv4, effectively + * enabling transparent proxies to work. + * + * TODO Reimplement as MojangResolver subclass overriding hasJoined method -> "ProxyAgnosticMojangResolver" perhaps? + * + * @param resolver The mojang resolver object the method will operate on + * @param username The literal username of the player + * @param serverHash The computed server hash sent to mojang session servers + * @param hostIp The host IP address - not used, kept to maintain similar signature + * @return An optional object containing the verification information, if any. If there is no verification information, the session servers consider the join invalid. + * @throws IOException When an error occurs during the HTTP communication + * @author games647, Enginecrafter77 + */ + public static Optional hasJoined(MojangResolver resolver, String username, String serverHash, InetAddress hostIp) throws IOException { + /*String url; + if (hostIp instanceof Inet6Address) { + url = String.format("https://sessionserver.mojang.com/session/minecraft/hasJoined?username=%s&serverId=%s", username, serverHash); + } else { + String encodedIP = URLEncoder.encode(hostIp.getHostAddress(), StandardCharsets.UTF_8.name()); + url = String.format("https://sessionserver.mojang.com/session/minecraft/hasJoined?username=%s&serverId=%s&ip=%s", username, serverHash, encodedIP); + }*/ + String url = String.format("https://sessionserver.mojang.com/session/minecraft/hasJoined?username=%s&serverId=%s", username, serverHash); + + try + { + Class inputStreamActionClass = Class.forName("com.github.games647.craftapi.resolver.AbstractResolver$InputStreamAction"); + Method getConnectionMethod = AbstractResolver.class.getDeclaredMethod("getConnection", String.class); + Method parseRequestMethod = AbstractResolver.class.getDeclaredMethod("parseRequest", HttpURLConnection.class, inputStreamActionClass); + Method readJsonMethod = AbstractResolver.class.getDeclaredMethod("readJson", InputStream.class, Class.class); + + getConnectionMethod.setAccessible(true); + parseRequestMethod.setAccessible(true); + readJsonMethod.setAccessible(true); + + HttpURLConnection conn = (HttpURLConnection)getConnectionMethod.invoke(resolver, url); + int responseCode = conn.getResponseCode(); + + Verification result = null; + if(responseCode != 204) + { + AbstractResolverAdapter.InputStreamActionAdapter action = new AbstractResolverAdapter.InputStreamActionAdapter() { + @Override + public Verification useStream(InputStream inp) throws IOException + { + try + { + return (Verification)readJsonMethod.invoke(resolver, new Object[] {inp, Verification.class}); + } + catch(ReflectiveOperationException exc) + { + throw new IOException("Reflective method access failed", exc); + } + } + }; + result = (Verification)parseRequestMethod.invoke(resolver, new Object[] {conn, action}); + } + return Optional.ofNullable(result); + } + catch(ReflectiveOperationException exc) + { + throw new RuntimeException("Error occured in reflective hacks to MojangResolver", exc); + } + } + + /** + * An adapter class used to make the InputStreamAction interface accessible to us. + * I know, it's a crude and disgusting solution, but bear with me, it's just temporary. + */ + public static class AbstractResolverAdapter extends AbstractResolver + { + @FunctionalInterface + protected static interface InputStreamActionAdapter extends AbstractResolver.InputStreamAction {} + } + private void setPremiumUUID(UUID premiumUUID) { if (plugin.getConfig().getBoolean("premiumUuid") && premiumUUID != null) { try { From 5d4483224d949d57188b89e3e1f55b2b3252c296 Mon Sep 17 00:00:00 2001 From: Enginecrafter77 Date: Thu, 9 Jun 2022 19:04:49 +0200 Subject: [PATCH 2/7] refactor: ProxyAgnosticMojangResolver ProxyAgnosticMojangResolver serves as a cleaner implementation of the hasJoined static method from previous commit. All the reflection involved was removed due to no longer being necessary. This way, a lot cleaner code could be made. All the inner workings remained the same. For more information on how it works, check out ProxyAgnosticMojangResolver.java. --- .../protocollib/VerifyResponseTask.java | 82 +------------------ .../mojang/ProxyAgnosticMojangResolver.java | 64 +++++++++++++++ .../fastlogin/core/shared/FastLoginCore.java | 4 +- 3 files changed, 68 insertions(+), 82 deletions(-) create mode 100644 core/src/main/java/com/github/games647/fastlogin/core/mojang/ProxyAgnosticMojangResolver.java diff --git a/bukkit/src/main/java/com/github/games647/fastlogin/bukkit/listener/protocollib/VerifyResponseTask.java b/bukkit/src/main/java/com/github/games647/fastlogin/bukkit/listener/protocollib/VerifyResponseTask.java index f9696218..c333eed7 100644 --- a/bukkit/src/main/java/com/github/games647/fastlogin/bukkit/listener/protocollib/VerifyResponseTask.java +++ b/bukkit/src/main/java/com/github/games647/fastlogin/bukkit/listener/protocollib/VerifyResponseTask.java @@ -141,10 +141,7 @@ public class VerifyResponseTask implements Runnable { try { MojangResolver resolver = plugin.getCore().getResolver(); InetAddress address = socketAddress.getAddress(); - - // TODO edit marker - Optional response = VerifyResponseTask.hasJoined(resolver, requestedUsername, serverId, address); - + Optional response = resolver.hasJoined(requestedUsername, serverId, address); if (response.isPresent()) { Verification verification = response.get(); plugin.getLog().info("Profile {} has a verified premium account", requestedUsername); @@ -176,83 +173,6 @@ public class VerifyResponseTask implements Runnable { } } - /** - * A reimplementation of {@link MojangResolver#hasJoined(String, String, InetAddress)} using various crude reflection-based hacks - * to access the protected code. The significant difference is that unlike in the CraftAPI implementation, which sends the "ip" parameter - * when the hostIp parameter is an IPv4 address, but skips it for IPv6, this implementation ommits the "ip" parameter also for IPv4, effectively - * enabling transparent proxies to work. - * - * TODO Reimplement as MojangResolver subclass overriding hasJoined method -> "ProxyAgnosticMojangResolver" perhaps? - * - * @param resolver The mojang resolver object the method will operate on - * @param username The literal username of the player - * @param serverHash The computed server hash sent to mojang session servers - * @param hostIp The host IP address - not used, kept to maintain similar signature - * @return An optional object containing the verification information, if any. If there is no verification information, the session servers consider the join invalid. - * @throws IOException When an error occurs during the HTTP communication - * @author games647, Enginecrafter77 - */ - public static Optional hasJoined(MojangResolver resolver, String username, String serverHash, InetAddress hostIp) throws IOException { - /*String url; - if (hostIp instanceof Inet6Address) { - url = String.format("https://sessionserver.mojang.com/session/minecraft/hasJoined?username=%s&serverId=%s", username, serverHash); - } else { - String encodedIP = URLEncoder.encode(hostIp.getHostAddress(), StandardCharsets.UTF_8.name()); - url = String.format("https://sessionserver.mojang.com/session/minecraft/hasJoined?username=%s&serverId=%s&ip=%s", username, serverHash, encodedIP); - }*/ - String url = String.format("https://sessionserver.mojang.com/session/minecraft/hasJoined?username=%s&serverId=%s", username, serverHash); - - try - { - Class inputStreamActionClass = Class.forName("com.github.games647.craftapi.resolver.AbstractResolver$InputStreamAction"); - Method getConnectionMethod = AbstractResolver.class.getDeclaredMethod("getConnection", String.class); - Method parseRequestMethod = AbstractResolver.class.getDeclaredMethod("parseRequest", HttpURLConnection.class, inputStreamActionClass); - Method readJsonMethod = AbstractResolver.class.getDeclaredMethod("readJson", InputStream.class, Class.class); - - getConnectionMethod.setAccessible(true); - parseRequestMethod.setAccessible(true); - readJsonMethod.setAccessible(true); - - HttpURLConnection conn = (HttpURLConnection)getConnectionMethod.invoke(resolver, url); - int responseCode = conn.getResponseCode(); - - Verification result = null; - if(responseCode != 204) - { - AbstractResolverAdapter.InputStreamActionAdapter action = new AbstractResolverAdapter.InputStreamActionAdapter() { - @Override - public Verification useStream(InputStream inp) throws IOException - { - try - { - return (Verification)readJsonMethod.invoke(resolver, new Object[] {inp, Verification.class}); - } - catch(ReflectiveOperationException exc) - { - throw new IOException("Reflective method access failed", exc); - } - } - }; - result = (Verification)parseRequestMethod.invoke(resolver, new Object[] {conn, action}); - } - return Optional.ofNullable(result); - } - catch(ReflectiveOperationException exc) - { - throw new RuntimeException("Error occured in reflective hacks to MojangResolver", exc); - } - } - - /** - * An adapter class used to make the InputStreamAction interface accessible to us. - * I know, it's a crude and disgusting solution, but bear with me, it's just temporary. - */ - public static class AbstractResolverAdapter extends AbstractResolver - { - @FunctionalInterface - protected static interface InputStreamActionAdapter extends AbstractResolver.InputStreamAction {} - } - private void setPremiumUUID(UUID premiumUUID) { if (plugin.getConfig().getBoolean("premiumUuid") && premiumUUID != null) { try { diff --git a/core/src/main/java/com/github/games647/fastlogin/core/mojang/ProxyAgnosticMojangResolver.java b/core/src/main/java/com/github/games647/fastlogin/core/mojang/ProxyAgnosticMojangResolver.java new file mode 100644 index 00000000..18c75b8c --- /dev/null +++ b/core/src/main/java/com/github/games647/fastlogin/core/mojang/ProxyAgnosticMojangResolver.java @@ -0,0 +1,64 @@ +/* + * SPDX-License-Identifier: MIT + * + * The MIT License (MIT) + * + * Copyright (c) 2015-2022 games647 and contributors + * + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal + * in the Software without restriction, including without limitation the rights + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + * copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in all + * copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE + * SOFTWARE. + */ +package com.github.games647.fastlogin.core.mojang; + +import com.github.games647.craftapi.model.auth.Verification; +import com.github.games647.craftapi.resolver.MojangResolver; + +import java.io.IOException; +import java.io.InputStream; +import java.net.HttpURLConnection; +import java.net.InetAddress; +import java.util.Optional; + +/** + * An extension to {@link MojangResolver} which allows connection using transparent reverse proxies. + * The significant difference is that unlike MojangResolver from the CraftAPI implementation, which sends the "ip" parameter + * when the hostIp parameter is an IPv4 address, but skips it for IPv6, this implementation leaves out the "ip" parameter + * also for IPv4, effectively enabling transparent proxies to work. + * @author games647, Enginecrafter77 + */ +public class ProxyAgnosticMojangResolver extends MojangResolver { + @Override + public Optional hasJoined(String username, String serverHash, InetAddress hostIp) throws IOException + { + String url = String.format("https://sessionserver.mojang.com/session/minecraft/hasJoined?username=%s&serverId=%s", username, serverHash); + + HttpURLConnection conn = this.getConnection(url); + int responseCode = conn.getResponseCode(); + + Verification verification = null; + if(responseCode != 204) + verification = this.parseRequest(conn, this::parseVerification); + return Optional.ofNullable(verification); + } + + // Functional implementation of InputStreamAction + protected Verification parseVerification(InputStream input) throws IOException + { + return this.readJson(input, Verification.class); + } +} diff --git a/core/src/main/java/com/github/games647/fastlogin/core/shared/FastLoginCore.java b/core/src/main/java/com/github/games647/fastlogin/core/shared/FastLoginCore.java index c016087b..99fd5b99 100644 --- a/core/src/main/java/com/github/games647/fastlogin/core/shared/FastLoginCore.java +++ b/core/src/main/java/com/github/games647/fastlogin/core/shared/FastLoginCore.java @@ -33,6 +33,7 @@ import com.github.games647.fastlogin.core.TickingRateLimiter; import com.github.games647.fastlogin.core.hooks.AuthPlugin; import com.github.games647.fastlogin.core.hooks.DefaultPasswordGenerator; import com.github.games647.fastlogin.core.hooks.PasswordGenerator; +import com.github.games647.fastlogin.core.mojang.ProxyAgnosticMojangResolver; import com.github.games647.fastlogin.core.storage.MySQLStorage; import com.github.games647.fastlogin.core.storage.SQLStorage; import com.github.games647.fastlogin.core.storage.SQLiteStorage; @@ -83,7 +84,8 @@ public class FastLoginCore

> { private final Collection pendingConfirms = new HashSet<>(); private final T plugin; - private final MojangResolver resolver = new MojangResolver(); + //private final MojangResolver resolver = new MojangResolver(); + private final MojangResolver resolver = new ProxyAgnosticMojangResolver(); private Configuration config; private SQLStorage storage; From 5f494e5a04834d69b784b64a178be363d4f23b55 Mon Sep 17 00:00:00 2001 From: Enginecrafter77 Date: Thu, 9 Jun 2022 19:24:53 +0200 Subject: [PATCH 3/7] feat: Config option to enable ProxyAgnosticMojangResolver A config option was added to allow users to use the ProxyAgnosticMojangResolver if they feel the need to do so. This setting won't affect existing users since it's disabled by default. --- .../games647/fastlogin/core/shared/FastLoginCore.java | 6 ++++-- core/src/main/resources/config.yml | 11 +++++++++++ 2 files changed, 15 insertions(+), 2 deletions(-) diff --git a/core/src/main/java/com/github/games647/fastlogin/core/shared/FastLoginCore.java b/core/src/main/java/com/github/games647/fastlogin/core/shared/FastLoginCore.java index 99fd5b99..a5723bf4 100644 --- a/core/src/main/java/com/github/games647/fastlogin/core/shared/FastLoginCore.java +++ b/core/src/main/java/com/github/games647/fastlogin/core/shared/FastLoginCore.java @@ -84,8 +84,7 @@ public class FastLoginCore

> { private final Collection pendingConfirms = new HashSet<>(); private final T plugin; - //private final MojangResolver resolver = new MojangResolver(); - private final MojangResolver resolver = new ProxyAgnosticMojangResolver(); + private MojangResolver resolver; private Configuration config; private SQLStorage storage; @@ -120,6 +119,9 @@ public class FastLoginCore

> { return; } + // Initialize the resolver based on the config parameter + this.resolver = this.config.getBoolean("useProxyAgnosticResolver", false) ? new ProxyAgnosticMojangResolver() : new MojangResolver(); + rateLimiter = createRateLimiter(config.getSection("anti-bot")); Set proxies = config.getStringList("proxies") .stream() diff --git a/core/src/main/resources/config.yml b/core/src/main/resources/config.yml index e3a01799..984f0618 100644 --- a/core/src/main/resources/config.yml +++ b/core/src/main/resources/config.yml @@ -152,6 +152,17 @@ forwardSkin: true # If they still want to invoke the command, they have to invoke /premium again premium-warning: true +# When set to true, enables the use of alternative session resolver which does not send the server IP +# to mojang session servers. This setting might be useful when you are trying to run the server via a +# transparent reverse proxy or some other form of DNAT. As far as security goes, this setting has +# negligible to no security impact. +# +# !!! [WARNING] !!! +# This option is considered highly experimental. While it is highly unlikely this will break your server, +# more tests need to be conducted in order to verify it's effectiveness. Brief tests seemed promising, but +# every environment is different, and so it might not work for you as it did for me. +useProxyAgnosticResolver: false + # If you have autoRegister or nameChangeCheck enabled, you could be rate-limited by Mojang. # The requests of the both options will be only made by FastLogin if the username is unknown to the server # You are allowed to make 600 requests per 10-minutes (60 per minute) From 6413ca4d109d942d2c461916263413218b0551b4 Mon Sep 17 00:00:00 2001 From: Enginecrafter77 Date: Fri, 10 Jun 2022 11:14:10 +0200 Subject: [PATCH 4/7] fix: Reverted the invalid session log entry modification The initial debug-entry modification regarding the invalid session message was reverted. Now the logging and parameter expansion is done solely by the SLF4J library. --- .../bukkit/listener/protocollib/VerifyResponseTask.java | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/bukkit/src/main/java/com/github/games647/fastlogin/bukkit/listener/protocollib/VerifyResponseTask.java b/bukkit/src/main/java/com/github/games647/fastlogin/bukkit/listener/protocollib/VerifyResponseTask.java index c333eed7..84409262 100644 --- a/bukkit/src/main/java/com/github/games647/fastlogin/bukkit/listener/protocollib/VerifyResponseTask.java +++ b/bukkit/src/main/java/com/github/games647/fastlogin/bukkit/listener/protocollib/VerifyResponseTask.java @@ -164,9 +164,7 @@ public class VerifyResponseTask implements Runnable { receiveFakeStartPacket(realUsername); } else { //user tried to fake an authentication - disconnect("invalid-session", - String.format("GameProfile %s (%s) tried to log in with an invalid session. ServerId: %s", - session.getRequestUsername(), socketAddress, serverId)); + disconnect("invalid-session", "GameProfile {} ({}) tried to log in with an invalid session. ServerId: {}", session.getRequestUsername(), socketAddress, serverId); } } catch (IOException ioEx) { disconnect("error-kick", "Failed to connect to session server", ioEx); From edd82f7978fdb9097beaa1424ee19df5342816e9 Mon Sep 17 00:00:00 2001 From: Enginecrafter77 Date: Fri, 10 Jun 2022 11:28:59 +0200 Subject: [PATCH 5/7] style: ProxyAgnosticMojangResolver: Extracted the URL into a constant The URL of the mojang session server call in ProxyAgnosticMojangResolver was extracted into a constant in order to mitigate the "magic constants" problem. Additionally, the 204 in the response code check was replaced by a constant from HttpURLConnection, again, in order to not use any magic numbers. --- .../mojang/ProxyAgnosticMojangResolver.java | 19 ++++++++++++++++--- 1 file changed, 16 insertions(+), 3 deletions(-) diff --git a/core/src/main/java/com/github/games647/fastlogin/core/mojang/ProxyAgnosticMojangResolver.java b/core/src/main/java/com/github/games647/fastlogin/core/mojang/ProxyAgnosticMojangResolver.java index 18c75b8c..aabba993 100644 --- a/core/src/main/java/com/github/games647/fastlogin/core/mojang/ProxyAgnosticMojangResolver.java +++ b/core/src/main/java/com/github/games647/fastlogin/core/mojang/ProxyAgnosticMojangResolver.java @@ -42,21 +42,34 @@ import java.util.Optional; * @author games647, Enginecrafter77 */ public class ProxyAgnosticMojangResolver extends MojangResolver { + /** + * A formatting string containing an URL used to call the {@code hasJoined} method on mojang session servers. + * + * Formatting parameters: + * 1. The username of the player in question + * 2. The serverId of this server + */ + public static final String MOJANG_SESSIONSERVER_HASJOINED_CALL_URLFMT = "https://sessionserver.mojang.com/session/minecraft/hasJoined?username=%s&serverId=%s"; + @Override public Optional hasJoined(String username, String serverHash, InetAddress hostIp) throws IOException { - String url = String.format("https://sessionserver.mojang.com/session/minecraft/hasJoined?username=%s&serverId=%s", username, serverHash); + String url = String.format(MOJANG_SESSIONSERVER_HASJOINED_CALL_URLFMT, username, serverHash); HttpURLConnection conn = this.getConnection(url); int responseCode = conn.getResponseCode(); Verification verification = null; - if(responseCode != 204) + + // Mojang session servers send HTTP 204 (NO CONTENT) when the authentication seems invalid + // If that's not our case, the authentication is valid, and so we can parse the response. + if(responseCode != HttpURLConnection.HTTP_NO_CONTENT) verification = this.parseRequest(conn, this::parseVerification); + return Optional.ofNullable(verification); } - // Functional implementation of InputStreamAction + // Functional implementation of InputStreamAction, used in hasJoined method in parseRequest call protected Verification parseVerification(InputStream input) throws IOException { return this.readJson(input, Verification.class); From d7d0caf6e7499060277b677f46e6225c0ae7b9c4 Mon Sep 17 00:00:00 2001 From: Enginecrafter77 Date: Fri, 10 Jun 2022 11:40:21 +0200 Subject: [PATCH 6/7] style: Re-phrasing of config.yml comment for useProxyAgnosticResolver The comment for useProxyAgnosticResolver in config.yml was re-phrased and supplied with additional information regarding its effective context and its relation to the prevent-proxy setting in server.properties. --- core/src/main/resources/config.yml | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/core/src/main/resources/config.yml b/core/src/main/resources/config.yml index 984f0618..76ba617c 100644 --- a/core/src/main/resources/config.yml +++ b/core/src/main/resources/config.yml @@ -152,14 +152,21 @@ forwardSkin: true # If they still want to invoke the command, they have to invoke /premium again premium-warning: true +# ======[[ Spigot+ProtocolLib users only ]]====== # When set to true, enables the use of alternative session resolver which does not send the server IP # to mojang session servers. This setting might be useful when you are trying to run the server via a # transparent reverse proxy or some other form of DNAT. As far as security goes, this setting has # negligible to no security impact. # +# This setting works on a similar principle as 'prevent-proxy' setting in server.properties. +# When set to false, the server behaves like prevent-proxy was set to false and vice-versa. +# Normally, when you use the prevent-proxy=true, you would want this disabled. +# +# Please note that this setting has no effect when used outside of Spigot+ProtocolLib context. +# # !!! [WARNING] !!! # This option is considered highly experimental. While it is highly unlikely this will break your server, -# more tests need to be conducted in order to verify it's effectiveness. Brief tests seemed promising, but +# more tests need to be conducted in order to verify its effectiveness. Brief tests seemed promising, but # every environment is different, and so it might not work for you as it did for me. useProxyAgnosticResolver: false From 5abd864fa5ecfe63d65ebd9f29597bfeb1a09f70 Mon Sep 17 00:00:00 2001 From: Enginecrafter77 Date: Fri, 10 Jun 2022 11:55:31 +0200 Subject: [PATCH 7/7] fix: Typo in config.yml comment about useProxyAgnosticResolver --- core/src/main/resources/config.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/core/src/main/resources/config.yml b/core/src/main/resources/config.yml index 76ba617c..5bec5b88 100644 --- a/core/src/main/resources/config.yml +++ b/core/src/main/resources/config.yml @@ -159,7 +159,7 @@ premium-warning: true # negligible to no security impact. # # This setting works on a similar principle as 'prevent-proxy' setting in server.properties. -# When set to false, the server behaves like prevent-proxy was set to false and vice-versa. +# When set to false, the server behaves like prevent-proxy was set to true and vice-versa. # Normally, when you use the prevent-proxy=true, you would want this disabled. # # Please note that this setting has no effect when used outside of Spigot+ProtocolLib context.