
🔒 Security Hardening

RCON

  • Rotate rcon.password in server/server.properties and set the identical value as RCON_PASSWORD for moincraft-relay; the relay cannot authenticate if the two drift apart
  • RCON listens on RCON_PORT (default 25575). The protocol is unencrypted and sends the password in cleartext, so do NOT expose it to the public internet; reach it only over a VPN or from firewall-allowlisted addresses
  • Prefer RCON_HOST=127.0.0.1 over localhost to avoid DNS lookups and IPv6 (::1) resolution quirks

Dashboard & Relay HTTP

  • :55667 (relay) and :55666 (Vite dev) carry Socket.IO and API traffic over plain HTTP
  • If either port is exposed beyond the LAN, put it behind TLS and authentication (reverse proxy plus OAuth or basic auth)
  • Set DASHBOARD_API_TOKEN on the relay; mutating endpoints then require it as Authorization: Bearer *** or X-Dashboard-API-Token. The token guards only mutating endpoints
  • Socket.IO dashboard controls have no equivalent token check and remain a trusted-LAN surface
  • curl -4 http://127.0.0.1:55666 is the reliable local check; -4 forces IPv4 and sidesteps the IPv6 ::1 issue

Prismarine Viewer (:55669)

  • Plain HTTP with no built-in auth
  • If port-forwarded: restrict with a firewall or VPN, or proxy through nginx/Caddy with basic auth or an IP allowlist; never forward :55669 to the internet as-is

PM2 vs Systemd

  • Keep moincraft.service disabled if you use pm2-mc.service, never both: two copies of the server fight over the listen port (EADDRINUSE) and the world's session.lock
  • launch_all.sh attempts to stop conflicting user systemd units; confirm with systemctl --user status that only one supervisor is actually running rather than assuming the stop succeeded

CI and Secrets

  • GitHub Actions runs static checks only, so the workflow needs no server credentials
  • Do NOT commit API keys, RCON passwords, or .env files that contain secrets; keep them in .gitignore, and treat any secret that ever landed in git history as compromised and rotate it