Introduce Gate Lite mode (#113)

closes #110
minekube · Dec 18, 2022 · 154dbf6 · 154dbf6
1 parent 7b03987
commit 154dbf6
Show file tree

Hide file tree

Showing 23 changed files with 729 additions and 57 deletions.
diff --git a/.web/docs/.vitepress/config.ts b/.web/docs/.vitepress/config.ts
@@ -117,6 +117,14 @@ export default defineConfig({
                             text: 'Configurations',
                             link: '/guide/config/',
                         },
+                        {
+                            text: 'Security & DDoS Protection',
+                            link: '/guide/security'
+                        },
+                        {
+                            text: 'Lite Mode',
+                            link: '/guide/lite'
+                        },
                         {
                             text: 'Enabling Connect',
                             link: '/guide/connect'

diff --git a/.web/docs/guide/compatibility.md b/.web/docs/guide/compatibility.md
@@ -28,8 +28,9 @@ Forks of Spigot are not well-tested with Gate, though they may work perfectly fi
 
 ## Proxy-behind-proxy setups
 
-These setups are only supported with [Connect enabled](connect).
+These setups are only supported with [Lite mode](lite#proxy-behind-proxy) or [Connect enabled](connect)!
+
 You are best advised to avoid other kinds of setups, as they can cause lots of issues.
 Most proxy-behind-proxy setups are either illogical in the first place or can be handled more
-gracefully by purpose-built solutions like [Connect](https://connect.minekube.com/).
+gracefully by purpose-built solutions like [Connect](https://connect.minekube.com/) or [Lite mode](lite).
 
diff --git a/.web/docs/guide/lite.md b/.web/docs/guide/lite.md
@@ -0,0 +1,80 @@
+# Gate Lite mode
+
+## What is Lite mode?
+
+Gate has a `Lite` mode that makes Gate act as an ultra-thin lightweight reverse proxy between
+the client and the backend server.
+
+Using different domains or subdomains Lite efficiently routes client connections based on the
+host address the player joins with.
+This allows you to protect multiple backend servers behind a single port to a Gate Lite proxy instance.
+
+Player connections are offloaded to the destined backend server, including ping requests and player authentication.
+
+**Lite mode supports proxy behind proxy setups**, but advanced features like backend server switching or proxy commands are no
+longer available in this mode and have no effect when extensions use higher level Gate APIs or non-Lite events.
+
+## Host based Routing
+
+If you point your domain to the IP address Gate listens on, you can use the domain name as the host address.
+This allows you to use a single Gate and port for multiple backend servers.
+
+Gate Lite mode `routes` is a list of `host` -> `backend` mappings.
+For each hostname, Gate will forward the player connection to the first matching backend server.
+
+[![Graph](/images/lite-mermaid-diagram-LR.svg)](https://gate.minekube.com)
+
+In this configuration, **Gate Lite** will route:
+- `Player Bob` -> `Backend A (10.0.0.1)`
+-  `Player Alice` -> `Backend B (10.0.0.2)`
+```yaml config-lite.yml
+config:
+  lite:
+    enabled: true
+    routes:
+      - host: abc.example.com
+        backend: 10.0.0.3:25566
+      - host: '*.minecraft.com'
+        backend: 10.0.0.2:25567
+      - host: [ example.com, localhost ]
+        backend: [ 10.0.0.1:25568 ]
+```
+
+
+## Enabling Lite mode
+
+You can switch to Lite mode by enabling it in the `config.yml`.
+
+```yaml config-lite.yml
+<!--@include: ../../../config-lite.yml -->
+```
+
+## Proxy behind proxy
+
+Gate Lite mode supports proxy behind proxy setups meaning you can use another proxy like
+Gate, BungeeCord or Velocity as a backend server.
+
+To preserve the real player IP address you should enable `proxyProtocol: true` or `realIP: true`
+(if using TCPShield) for the route as well as on the backend server.
+
+```yaml config-lite.yml
+config:
+  lite:
+    enabled: true
+    routes:
+      - host: abc.example.com
+        backend: 10.0.0.3:25566
+        proxyProtocol: true // [!code ++]
+```
+
+- [Gate - Enable Proxy Protocol](https://github.com/minekube/gate/blob/7b03987bcdc7e8a6ed96156fa147bdd9dbf6ba4c/config.yml#L85)
+- [Velocity - Enable Proxy Protocol](https://docs.papermc.io/velocity/configuration#advanced-section)
+- [BungeeCord - Enable Proxy Protocol](https://www.spigotmc.org/wiki/bungeecord-configuration-guide/)
+
+## Security considerations
+
+If you use Lite mode and you backend servers do player authentication,
+you do not need to worry.
+
+Checkout the [Anti-DDoS](security#ddos-protecting-your-minecraft-server) guide for how
+to protect your Minecraft servers from DDoS attacks.
diff --git a/.web/docs/guide/quick-start.md b/.web/docs/guide/quick-start.md
@@ -17,9 +17,14 @@ INFO	gate/root.go:94	using config file	{"config": ""}
 INFO	config	gate/gate.go:205	config validation warn	{"warn": "java: No backend servers configured."}
 INFO	java	proxy/proxy.go:299	Using favicon from data uri	{"length": 3086}
 INFO	java	proxy/proxy.go:472	listening for connections	{"addr": "0.0.0.0:25565"}
-
 ```
 
+::: tip Running Gate Lite Mode
+
+Gate also has a [Lite mode](lite) that can passthrough connections based on the hostname.
+
+:::
+
 ## Configuring Backend Servers
 
 Gate connects to your Minecraft servers and forwards client connections to them.

diff --git a/.web/docs/guide/security.md b/.web/docs/guide/security.md
@@ -0,0 +1,56 @@
+# Security considerations
+
+Gate is a Minecraft reverse proxy that connects players to backend servers.
+This means that the backend server might be exposed to the Internet if they listen on public IPs
+and players could bypass your Gate instance without authentication.
+
+To prevent this, you should configure your backend servers to only listen on private IPs and/or
+use a firewall to only allow connections from your Gate instance. You can also enable modern
+forwarding mode _(Velocity mode)_ with using a secret and PaperMC to prevent players from
+connecting to your backend servers directly.
+
+::: tip
+
+This does not apply to [Lite mode](lite), where backend servers should do the authentication.
+
+:::
+
+## DDoS Protecting your Minecraft server
+
+If you are running a public Minecraft server, and you are not using [Connect](https://connect.minekube.com),
+having a good DDoS protection is essential to prevent your server from being taken offline.
+
+If you are under attack, your server will be lagging, become unresponsive and timeout players.
+This is not good player experience nor your brand.
+
+There are many ways to protect your server from DDoS attacks.
+Here are common methods proven to work very well in production:
+
+### OVHcloud Anti-DDoS <VPBadge>cheap & reliable</VPBadge>
+
+_OVH is a well known service provider that offers a very good
+[DDoS protection](https://www.ovhcloud.com/en/security/anti-ddos/) service for your servers._
+
+You don't need to host all your Minecraft servers on OVH, but you can set up
+[Gate Lite](lite) on a tiny [VPS instance](https://www.ovhcloud.com/en/vps/) and
+forward all your traffic to your backend servers.
+
+::: details OVH Anti-DDoS setup
+
+1. [Create a VPS instance](https://www.ovhcloud.com/en/vps/) _(any provider with good Anti-DDoS)_
+2. [Install Gate](install/) on your VPS with [Lite mode](lite) enabled to point to your actual servers (not required)
+3. [Activate Anti-DDoS](https://www.ovhcloud.com/en/security/anti-ddos/) in the OVH dashboard for your VPS
+4. Configure your DNS to point your domain to your VPS IP address
+
+:::
+
+### Cloudflare Spectrum <VPBadge type='warning'>very costly</VPBadge>
+
+Cloudlare is a well known service provider with global scale DDoS protection
+for TCP services using [Cloudflare Spectrum](https://www.cloudflare.com/products/cloudflare-spectrum/minecraft/)
+
+
+### TCPShield <VPBadge type='danger'>uses OVH</VPBadge>
+
+TCPShield is a Minecraft proxy service that uses OVH's DDoS protection.
+It is free for small servers.
diff --git a/.web/docs/images/lite-mermaid-diagram-LR.svg b/.web/docs/images/lite-mermaid-diagram-LR.svg
diff --git a/.web/package.json b/.web/package.json
@@ -10,6 +10,5 @@
   "devDependencies": {
     "vitepress": "^1.0.0-alpha.29",
     "vue": "^3.2.45"
-  },
-  "dependencies": {}
+  }
 }
diff --git a/README.md b/README.md
@@ -16,7 +16,7 @@ _written in Go and ready for the cloud!_
 
 > Gate is currently subject to have breaking changes,
 > but you can already start using it!
-> It is already being used by the [community](https://minekube.com/discord) and powers the open [Connect Network](https://connect.minekube.com/)!
+> It is already being used by our wide [community](https://minekube.com/discord) and powers the open [Connect Network](https://connect.minekube.com/)!
 
 ## [Website & Documentation](https://gate.minekube.com)
 
@@ -29,3 +29,26 @@ guides and any more information needed!
 Follow our [quick start guide](https://gate.minekube.com/guide/quick-start/) on creating a simple Minecraft network!
 
 [![Server list](.web/docs/images/server-list.png)](https://gate.minekube.com)
+
+
+## Gate Lite Mode
+
+Gate has a Lite Mode which is a lightweight version of Gate that can expose
+multiple Minecraft servers through a single port and IP address and reverse proxy
+players to backend servers based on the hostname/subdomain they join with.
+
+See the [Lite Mode](https://gate.minekube.com/guide/lite/) guide for more information.
+
+```mermaid
+graph LR
+    A[Player Alice] -->|Join example.com| C(Gate Lite)
+    B[Player Bob] -->|Join my.example.com| C(Gate Lite)
+    C -->|10.0.0.1| D[Backend A]
+    C -->|10.0.0.2| E[Backend B]
+    C -->|10.0.0.3| F[Another Proxy]
+    
+    linkStyle 0 stroke:orange
+    linkStyle 1 stroke:purple
+    linkStyle 2 stroke:purple
+    linkStyle 3 stroke:orange
+```