pterodactyl failing after sudo reboot
ubuntu 24.04
php 8.2
custom fresh install of pterodactyl, no wings
Someone told me to disable apache and install caddy, how do i install caddy and how do i disable apache?
okay, so
sudo systemctl disable apache
then, execute below:
Then follow from below, depending if you want SSL or not:
https://pterodactyl.io/panel/1.0/webserver_configuration.html#caddy-without-ssl
Webserver Configuration | Pterodactyl
Pterodactyl is an open-source game server management panel built with PHP, React, and Go. Designed with security in mind, Pterodactyl runs all game servers in isolated Docker containers while exposing a beautiful and intuitive UI to end users.
Could you please explain why caddy is a better option than apache?
I am also a web-developer, these topics interest me greatly
apache sucks in everything
caddy is easy to set up, but fast, and has nice QoL features like not sending the certificate's domain name on http/https requests
helps protect backend ips
Apache is extremely old, hard to configure, not really modern, and it's a PITA in general
Caddy is more modern, faster, easier to configure, automatic TLS support, very good ecosystem
Basically these^
Failed to disable unit: Unit file apache.service does not exist.
Then you already don't have apache running?
i think that was a false report, because i cannot access my pterodactyl panel anymore
and nginx was not installed
You probably have to reconfigure pterodactyl for caddy since you installed that
^^^^^
in this tutorial it specifies <domain>.
Is that: https://customdomain.com
or
http://customdomain.com
or
customdomain.com
I want to enable ssh
Do you want https?
or actually
yes
do you have a domain
that too
also what do you mean i want ssh
you meant tls?
no https
i want https
okay
and i have a domain
Webserver Configuration | Pterodactyl
you follow this
there's no http:// or https://
just put your domain directly
and a subdomain if you want one
so <domain> becomes "panel.customdomain.com"
yeah
correct
aight
do you use cloudflare in proxy mode by the way?
?
what domain provider do you use
hetzner dedicated hosting
do you use cloudflare
hetzner
okay just follow that then
#. systemctl restart caddy
Job for caddy.service failed because the control process exited with error code.
See "systemctl status caddy.service" and "journalctl -xeu caddy.service" for details.
you already have something listening on 443
how can i check that?
How can i check whats listening there?
sudo lsof -i:443
I currently get a "502 Bad Gateway" when accessing the website through my custom sub-domain and a "ERR_SSL_PROTOCOL_ERROR" while accessing the IP.
The custom domain gets a 502 and the ip gets absolutely no response (i looked through the network tab)
The IP isn't meant to get a response, that's normal
ah good
You followed with Automatic SSL right?
Are you sure the site files are correctly installed?
And you didn't fuck up PHP?
I am currently at the "Configure" stage for setting up pterodactyl with wings
yup, re-installed them 3x
how do you mean that?
Are you sure caddy has perms to access the site files?
No, i only saw commands to perform that action for apache and nginx.
I assumed that it automatically had those perms because you said it was easy to set up :D
is "xcaddy build" not missing here?
Uhhh, I don't think that's required
Could you check Caddy logs?
sure
journalctl -u caddy
Then scroll to the bottom
any way to make putty timeout longer?
ah its saying 80 is already in use
I rebooted bc caddy was listening there
Did you ever stop / disable apache?
yup
sure did
3x even
netstat -tlupn | grep 443
should tell you what process is listening on port 443 if I remembered the flags correctly
Likewise replace 443 with 80 for http
yea i did that, 443 was filled with caddy after i swapped. Currently its just talking about port 80 already being occupied.
So i rebooted, because port 80 was used by caddy itself
its failing starting on port 80
You're not meant to do that...
Use port 443
i didn't
Just use the example config in the pterodactyl docs
i did
weird, lemme re-make that file then
If it's trying to start on port 80 then it isn't using the config file you gave it
Make sure to put it in the correct path
It may be different than the docs
(it may try and start on port 80 for certbot / LE, I can't remember though)
journalctl -u caddy -n 100 -f
i used etc/caddy/Caddyfile
?
logs
Run that
mke
Once again conflicting with itself?
Are you absolutely sure nothing is running on 443 already
Try this
bruh apache2 forced its restart
after sudo reboot
then systemctl disable apache2
how to kill apache so that it doesn't revive?
ah good
also did: sudo systemctl stop apache2
Just to make sure its dead dead
I made a request to the server while having logs up and this popped up:
: {"level":"error","ts":1719418083.4575362,"logger":"http.log.error.log0","msg":"dialing backend: dial unix /run/php/php8.1-fpm.sock: connect: no such file or directory","request":{"remote_ip":"<redacted>","remote_port":"<redacted>","client_ip":"<redacted>","proto":"HTTP/3.0","method":"GET","host":"<subdomain.domain.com>","uri":"/auth/login","headers":{"Upgrade-Insecure-Requests":["1"],"User-Agent":["Mozilla/5.0 (<redacted>) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36 OPR/109.0.0.0"],"Sec-Fetch-Site":["none"],"Sec-Fetch-Mode":["navigate"],"Sec-Fetch-Dest":["document"],"Cache-Control":["max-age=0"],"Accept-Encoding":["gzip, deflate, br, zstd"],"Accept-Language":["<redacted>;q=0.9,en-US;q=0.8,en;q=0.7"],"Sec-Ch-Ua":[""Opera GX";v="109", "Not:A-Brand";v="8", "Chromium";v="<redacted>""],"Sec-Ch-Ua-Mobile":["?0"],"Accept":["text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7"],"Sec-Ch-Ua-Platform":[""Windows""],"Sec-Fetch-User":["?1"]},"tls":{"resumed":false,"version":772,"cipher_suite":4865,"proto":"h3","server_name":"<subdomain.domain.com>"}},"duration":0.000380314,"status":502,"err_id":"u1c4x9ews","err_trace":"reverseproxy.statusError (reverseproxy.go:1269)"}
You still have default values somewhere I think
There's a <subdomain>.domain.com in that log
rm /etc/caddy/Caddyfile did this
no i changed that
This error indicates php-fpm is not running at the expected path
/run/php/php8.1-fpm.sock
in order to not advertise
Oh
im using php 8.2
any way to tell caddy what php version to use?
Then check that
/run/php/php8.2-fpm.sock
exists
If so, update it in caddy
(I'm unsure where, never used caddy)
no such file or directory
???
Well, then you didn't set it up
/etc/caddy/config/php-fpm.conf
is where you set it
i did use 8.2 during setup, and i had pterodactyl running on multiple occasions
service --status-all
verify that you can see php-fpm in that list and copy the exact name
no such file or directory
then do systemctl <name you copied> status
no php there
You may have
php_fastcgi unix//run/php/php8.1-fpm.sock
in your actual .conf then
what do you mean <name you copied> ?
Then you didn't install all the required dependencies
From the service --status-all command, if php-fpm was there.
command not found
It's not a command...
oh my bad
did sudo apt-get install php8.2-fpm
Follow the instructions on the pterodactyl site exactly as they're written
8.1 would start working with your current config
And is what the ptero docs say iirc?
8.1 is recommended yes
It's super weird, i followed the dependencies multiple times, exactly as written
You must have missed some steps
I will downgrade to 8.1 then
It was only having trouble connecting to the php-fpm socket at the default path
You may just need to change the expected path of the socket in the caddy config
Given the php-fpm service wasn't installed as a service
There's probably a lot more going on than just not being at the default path
I have downgraded all packages to 8.1, do i need to tell caddy that i have done so?
Sorry, i took a bit of a break
Still getting that pesky 500 internal server error
Caddy logs also no longer add information once i make a call to the server
I cannot find the following php 8.1 extensions:
tokenizer
openssl
pdo
Then install them
php8.1- followed by the extension name
fr?
sudo apt-cache search php8.1-tokenizer
And changing the parts behind the "-" does not bring up anything
is there any way to see caddy's log files of php?
https://pterodactyl.io/panel/1.0/getting_started.html#example-dependency-installation are you following this?
Getting Started | Pterodactyl
i did that a while ago
like 780 lines of commands ago
apt -y install php8.1 php8.1-{common,cli,gd,mysql,mbstring,bcmath,xml,fpm,curl,zip}
have you
uninstalled php 8.2
2nd paragraph
mb
try running this
these are executed commands on the server btw
did, see img above
Right so
what now
What's happening
maybe i can find it in the php log files
because its a 500 error
Thats most of the time a php error, in the php logs i will find a reason its not working
have you checked ptero queue service?
systemctl status pteroq
^
I couldn't find how to access php logs from caddy on google
thats good to know
run it
show the output
"Failed to start Pterodactyl Queue Worker."
have you tried rebooting your machine
systemctl reset-failed pteroq && systemctl restart pteroq
yess
will do now
will try next
no cigar, same issue
show systemctl status pteroq
fair
lol i don't have that command installed
remove the show
i meant to show the outpout
output*
lol my bad
Was thinking about it for a while, then this
run
tail -n 150 /var/www/pterodactyl/storage/logs/laravel-$(date +%F).log | nc pteropaste.com 99
Does that upload the logs to a log website of pterodactyl?
Or does it show the logs in console?
website
any way i can review what data is send or not?
just
it will output a link
send it here
mke
Hmm it seems to have struggles with redis again, i thought i fixed that
https://pteropaste.com/v4lw
What did you put for the redis password
in the .env
That is the same as i have set for the redis server
ERR AUTH <password> called without any password configured for the default user. Are you sure your configuration is correct?
I used: config set requirepass <yourpasswordhere> to set the password for redis
you have specified a password in ptero .env
Yes
but redis default user has no set password
yes
but redis itself
How do i set that password?
yes i did:
Redis defaults to no password
redis-cli
config set requirepass <yourpasswordhere>
After restart too ?
Stack Overflow
How to set password for Redis?
I'm working with redis on my local machine so I dont really need to set up a password to connect to the server with my php client (I'm using predis as a client). However, I'm moving my app to a live
i thought the command fixed that
:Shrug:
try set the password in .env to nothing for now
Once you get everything working
you can mess with redis
Is redis exposed to the internet? According to what i read its a database that only exists in memory
not by default
Where is the redis.conf file located?
its set to safemode
good
until you add a password
whut?
yeah
redis defaults to no password
It automatically exposes itself to the internet if you give it a password??
hence why when setting up ptero it says that
Yea no worries, i will remove it from the .env
It stops listening on 127.0.0.1 and goes to 0.0.0.0, yes
^^
That is absolutely insane
why???
It wouldn't be public if you have a firewall setup
because redis is typically used for internal use
i find that cringe
theres no point having it publicly available
Or you know, firewall it like you should be with other services
^
Still gotta figure all that out, ngl kinda stupid of me
but still
Seems like this all is
?
I misread your message as it (firewall) being new to you
Right so
harmen
have you cleared the .env redis password
ah, reading my first few messages explains a lot,
I'm a web software developer with 3 years of experience and i am quite familiar with laragon and packages like used here.
But just not with debugging through linux terminal
yes
how do i restart ptero again?
I cannot re-find that command in my mess of commands
You don't restart pterodactyl, you restart pteroq, caddy or php-fpm
systemctl restart pteroq
ty
systemctl status pteroq
status: active
http 500 error
pteroq being active/inactive wouldn't help, that's for emails / scheduled tasks
sudo reboot :D?
at this point
just reboot yeah
90 sec
one of the main reasons i wanted to do this is because my community needs it, but i also like learning new stuff.
Kinda difficult to find solutions online tho...
once you've rebooted send the logs of pteroq, etc
https://pteropaste.com/i9lw
Only outdated info
Active
Are you able to connect
To the panel
nopes still http 500 error
Can this be viable?
I found it on a reddit thread
do this again
thats literally what weve been doing
can you just in case show the error page?
You should get new logs when it 500 errors, send those
redis error, password when no password is configured
Yes, but like i said, those errors are outdated
Did you save the .env
Sure did
hm
^
remove the "" from the REDIS_PASSWORD
And this
Screenshot it
Needed to remove data to comply with rules, took a bit sorry
I am calling it through a dns record made using bisect hosting.
The subdomain points to the main server IP
bisecthosting
Exactly the reason of this entire thing.
The ubuntu server that this thread revolves around is hosted at "Hetzner".
Maybe try delete the log file?
lol sure
how?
as in
idk where its saved
rm /var/www/pterodactyl/storage/logs/laravel-$(date+%F).log
try that
ty
Cannot find (date+%F)
send the output of
ls /var/www/pterodactyl/storage/logs
server location and my location do not differ in timezone
remove laravel-2024/06-27.log
rm /var/www/pterodactyl/storage/logs/laravel-2024/06-27.log
no wait
rm /var/www/pterodactyl/storage/logs/laravel-2024-06-27.log
empty output
Run the ls command of the folder
see if it's still there
only yesterday
right
restart pteroq then try connect
sudo reboot
After that i'll:
tail -n 150 /var/www/pterodactyl/storage/logs/laravel-$(date +%F).log | nc pteropaste.com 99
and send that
yeah
It didn't generate new logs
even with the 500 error?
systemctl status caddy
systemctl status pteroq
Could it be that my firewall is wrongly setup? Does it allow 443 by default seeing that i have changed nothing about the firewall?
http 500 error ye
wouldnt return 500 error
what firewall are you using?
Both running
I didn't install one
Maybe hetzner has one ?
500 error indicates it's an issue with caddy speaking with php-fpm or the php being evaluated
ye
can i see php logs?
check caddy logs
and iirc php logs are in /var/logs somewhere
ty
i went to root and did: tree -d
To show all directories, no files
I cannot find a "caddy" directive at all
The caddy directive does exist, its hidden.
But it only shows the caddyfile
Sorry, i do not know how to reach caddy logs, i will keep looking
Should i delete php 8.2 and 8.3 .ini files?
log (Caddyfile directive) - Caddy Documentation
Caddy is a powerful, enterprise-ready, open source web server with automatic HTTPS written in Go
any logs for php?
i feel stupid, i have been looking at that for a bit. But i cannot find any commands to execute to get the logs.
Nor does it give me a directive to look for....
"output stderr" says that the command "output" is not installed
cat path_to_log
do you know Linux?
i do know the "cat" command yes, its for reading files and nano is for writing.
But i cannot find the logs anywhere in my file system. What is "path_to_log" because thats the part i need.
send the contents of /var/log
ty for the help, going amazing
found it finally
nice
sorry for spam:
it just says 500 error again....
Your php-fpm logs will be more useful
i thought so too, still no cigar ;(
all the logs i got, and yes apache is still dead
And you're sure caddy is pointed at php8.1-fpm and not 8.2 after your downgrade?
no, i asked how to tell caddy this tho.
How would i go about doing that?
HostnExtra
Enable PHP Using Caddy on Ubuntu Chapter - HostnExtra
In this article, we'll explain how to enable PHP using Caddy on Ubuntu based server. We have described steps to install and configure PHP.
Should be something like
php_fastcgi
in your caddy config, which points to the socket
Unsure which config though
Seems to say php8.1-fpm.sock
Could previous https certificates be conflicting from certbot?
at this point
just reinstall your OS lmao
sigh, i thought of that too
No idea how to do that tho
Do i need to contact Hetzner?
We bring out the nuclear options
no
tbh
yes
keyboard layout: us right? for normal european qwerty?
English typing countries
yeah
ty, ill nuke it and then re-install everything exactly according to docs.
A friend of mine told me to install php 8.3 so ill just do only necessary and recommended steps etc.
Using caddy.
Ill let know once im done and have results
yeah, follow the doc step by step
lets hope i didn't ruin my server, lol
bruh
So just to confirm:
<domain> is supposed to be replaced with?:
"panel.minecraftserver.com"
"https://panel.minecraftserver.com"
"minecraftserver.com"
Panel.minecraftserver.com
ty
Does that count for all references of <domain>?
yes
the bullsh*t continues:
Any way to completely remove nginx after accidentally installing it?
You could also just use nginx, caddy isnt a requirement
sure, i just want it to work of once
how do i fix the error?
There isn't an error message in the attached screenshot
journalctl -u nginx -n 100
Probably that you didn't generate the SSL certificates for your domain and put them at the path in the config
So it's failing to load them
ah so i gotta run certbot again
check the logs first
and then check they exist in /etc/letsencrypt/live/
well i know i didnt create the ssl
Im starting to lose my patience
How do i "deploy a DNS TXT record"?
systemctl stop nginx
then remove --nginx
from the certbot command
you also set preferred challenge mode to dns, just dont include that
Ill try that later :D
i thank you so much sir(?)
Allrighty, so we are back where i was.
I want to install wings now, but i am afraid that that will break anything like it did before. Any advice on that?
Wings is a standalone process that shouldn't touch anything you've setup with Pterodactyl
Minus pointing at the domain you've setup in the config
ye okey
Does pterodactyl and its dependencies automatically restart when i sudo reboot?
Bc i think redis doesn't. I did configure it to do so
I'll install wings then
If they're installed as services, and are enabled
Yeah
How close to the sun should i fly with the memory and storage allocations for a pterodactyl node ?
I have 63000 mb of memory left so i am gonna use 60000
I have 918gb of storage left so i can use 900 or 850gb?
(sorry for asking the silly questions now, i just want to make sure im done with this)
Memory seems fine
Disk space, just be aware if you run other services on the host (e.g. SQL servers, these can eat up disk space with stuff like coreprotect)
damn, good call
Aren't those hosted through pterodactyl too tho? Or is that still through the root installation of mysql server?
meaning same database as where the "panel" database is
you have to set up MySQL to allow users to make databases
when you set up a database on ptero, you input the connection & auth details
which is typically your local db
ah ok, ty man
which is on your local storage
aight, then i'll probably take 700gb for the server and leave the rest
apparently i wasn't out of the waters yet.
I currently have this issue while trying to start wings
you need a certificate for it
erm, how do i make a certificate for a pterodactyl node?
its based on its own ip address
the same way you did for the panel
play.ourdomain is already in use by our other server.
Does that block me from making a certificate now?
you make a ssl cert for the panel and node domain
yes, i want to make one for the node domain right now
if your panel is
panel.ourdomain.com
, make a SSL cert for that
if your node FQDN is node.ourdomain.com
, make a SSL cert for that.
If your node is on the same machine as the panel, put the panel domain as your node's FQDN
I got it to work, amazing!
First of all, thank you so much for helping me here, i wouldn't have figured it out otherwise!
The server is well and truly up, and i can use it as expected
I only need a firewall, ddos protection and a file system implementation, (most likely ftps)
I will look into these myself and come back if i need additional information, any knowledge that is useful regarding these topics is always handy.
firewall.. just use ufw or firewalld
good to know, ty man
(firewalld > ufw)
"ftps" nah
sftp is built into pterodactyl
and ssh server
lol, exactly why i need help
ufw doesnt work well with docker, "ddos protection" is, a complicated topic, especially since with panel it isnt super easy (and the cheap options arent easy to setup)
hmm, a guy from this discord told me i would need it because hetzners default isnt great.
Any way to nip that one in the bud?
sorry, talking about ddos protection here
will 100% do
apologies
np chief, i didn't specify
as said not a easy topic
but you are right, hetzner ddos sucks, and there's an infinite number of ddos prot providers
good ones are "expensive", and most dont have easy setup
as in money wise? expensive?
yes
thats not good
can be anywhere from 10-100 usd per month, for a single server(machine)
depending on provider/setup
^
and free?
none
well
damn
oracle cloud tunneling, but thats not great
:OMEGALUL:
there are some free providers (iirc?) but their bandwidth allowances are so low it's not worth it
well not the only issue.
Panel will leak backend ip
unless he switches to a cloudflare/internalized panel and node, cloudflare non enterprise cant do ptero's sftp etc
100 mb panel upload limit
essentially the only option would be to move the panel to another server right?
and have it connect to the node externally
then you have to also protect wings with cloudflare
right
true
fr*ck me
generally what i do is cloudflare proxying + cloudflare only + caddy + then external antiddos
but thats not a "easy" nor supported setup
(ptero doesnt support cloudflare proxy setups)
how does this one look?:
https://tcpshield.com
for website ddos protection..?
no gosh
no for the minecraft server we are discussing :D
ah
You will have to reconfigure a lot but if you have time, you can set up Tailscale for you panel
It's not really DDoS protection but instead a VPN
Will prevent the panel from leaking your backend ip, and connections to the panel can ONLY BE MADE from those who are connected to Tailsclae
That's what I usually do
Works like a charm
we have a domain.
That should protect our ip no?
Other people from here told me that the panel leaks my ip tho
no.
it will not protect your ip
It's extremely easy to see DNS records
Even if you proxy it through Cloudflare, people can still use stuff like Censys to find it very easily
Just use Tailscale
@ProGamingDk^ Opinions on this solution?
for a single users accessing panel, sure, for most people dont know how to use tailscale
so ports that are blocked by firewall cannot be ddos'ed?
Uhh, no
they can, it still has to see
The point is you need to hide the main IP
if its blocked or not using cpu etc
good t o confirm
you can also just cloudflare proxy, and then block non cloudflare ips from connecting
works generally fine
or use caddy which doesnt leak cert, can change nginx to not leak cert either
For DDoS protection itself if you feel a little crazy you can proxy your server through OVH VAC (OVH VPSes are extremely cheap, even for high bandwidth)
May increase ping by about 3-10ms but it's pretty cheap
do note it adds around 17 ping, and its not layer 7
but how about ddos protecting the actual minecraft server? Not the panel.
If both servers are in Frankfurt it shoulnd't be that bad
the vps dont have the game protection
hetzner doesnt have frankfurt.
its falkenstein
oh.
Okay, well
It will add ping but that is imo the cheapest solution
The panel will leak the server's IP
Even if the port is closed they can still DDoS the actual machine
hmm, but people can also ddos our "play.servername.com" domain no?
on port 25565
I mean, you do need to remind him that NeoProtect costs like 90EUR/m for infinite bandwidth while OVH has all that for free...
can be prevented
Yes
If behind DDoS prot, no
using the methods said above*
I recommend Tailscale
It's the easiest and most secure imo
depends on your clean mbit a second usage
NeoProtect may have additional features but most of the gaps can be filled with other software regardless
how would that work?
90 euros gives 400 mbit
Tailscale · Best VPN Service for Secure Networks
Tailscale is a zero config VPN for building secure networks. Install on any device in minutes. Remote access from any network or physical location.
I mean, it is unlimited on OVH so
Plus you have very fancy extra features
i was talking about neoprotect and how that wasnt 90/m for infinite bandwidth
You are limited by the VPSes bandwidth limit, not the DDoS protections at that point
oh
I meant bandwidth as in traffic
All their plans have a traffic limit
i was talking for their full machine protection
that fair use is bullshit imo
lmao
NeoProtect does have nice features but imo I do not think it is worth the price
Also you can't really get access to the good PoPs unless you pay at least 30EUR/m
English isn't my first language, so i cannot follow the spirit of this conversation.
As i currently think there are 2 potential solutions would you mind enlightening me?
Just use Tailscale
tailscale is a vpn, usually used to protect a computer using a remote server.
How would this work as ddos protection and how do i set it up?
It is not for DDoS protection
It is to prevent exposing the panel to the internet
aha, and how do i prevent the game server from getting ddos'ed?
Get a DDoS protection provider
Neo, TCPShield, or what I told you("DIY" DDoS protection via OVH)
like basically preventing port 25565 from being reached.
Because panel and server are on the same machine
How would i go about doing that?
uhhhhhhhhhhhhhhhhhhhhhhhhhhhh
how
is it easier to use or more functionality
neo doesn't offer l7
:sad:
vac
surf uses them
you still need a proxy like tcp
no not really
OVH has custom game shields for minecraft
it does
what
this is l7
does it work with remoteshield tho
not sure*
:eyes_dilate:
its stateful so possibly?
any one has any idea?
Okay, I can help right now
Just wait a little
https://snapcraft.io/install/tcp-server-client-tool/ubuntu
Does this work?
Snapcraft
Install Easy TCP Server/Client Tool on Ubuntu using the Snap Store ...
Get the latest version of Easy TCP Server/Client Tool for on Ubuntu - Easily install to test TCP connections.
got it boss
No don't do that
mke
What IP is your panel running on
0.0.0.0 or 127.0.0.1
prettysure its 127.0.0.1 but how can i double check?
Where is the pterodactyl .env file you generated
Actually it should be 127.0.0.1 yeah
Can you install Tailscale really quickly
Then login on both your PC and your server
yea, only 127.0.0.1 there
Alright good
Just install Tailscale now
what was tailscale again?
VPN
logging in now, is that ok?
yeah
Just log in to Tailscale
ah thats gonna be a problem, the credentials for the company emails are with my boss. So only he can login.
He says i can probably be back around 14:00 (2 PM) my current time:
<t:1719906415> (GMT +2)
sorry for that
alrighty i logged in with tailscale
What's next chief @Jenkins ?
chief?
How do I install the vpn so that only I can reach it?
@ProGamingDk you mind helping me out with this tomorrow?
Bisect has majorly screwed us again, forcing us to speed up this process.
no, unfortunately not, got a job interview and this isn't the setup i usually do anyways
woah pgdk is getting a job
Mandated by education
work experience?
Ig you can call it that, just a 5 year internship that goes hand in hand with the education, can only be done at authorized businesses
oh interesting
basically it goes, half in school half at the place for 5 years (the length of my chosen education)
How do i set up firewalld?
Is this a good way?
And i installed, enabled and logged into tailscale.
Do i need to change any settings or info regarding tailscale?
this guide literally only does https
Aaah, I understand now
So two things to do:
Set up what traffic flows to monitor
And set up what ports are accessible through the Internet.
Of course enabling deny by default and then adding a whitelist of ports
To add a gameserver to the protection I would do it like this, correct?
sudo firewall-cmd --permanent --zone=public --add-port=25565/tcp
I am quite unfamiliar with cyber defence and I want to do it right. It would be bad for my server to lose all data as a result of this process failing so please excuse my many questions :D
That command is correct
also do /udp port too
Thank youu!!
no real point
he has a full ip so he would be able to do 19132 for bedrock if he wants to do that
25565 udp is only for query, that's disabled by default anyways afaik
Oh fair
(Neoprotect has been successfully completed)
i would check your domain on search.censys.io
By the emoji response i see this as a good result.
or, censys just didn't have enough time to find your site
lol
Lol, but we want it to not be able to find the site correct?
Not good
They found my panel domain
anddd your ddos protection is now useless
ok, so how do i prevent this?
bc you told me to install a VPN on it, which i did.
And then no further steps were required so?
how are you accessing the panel
through a panel sub-domain
right, but your panel is accessible from the public internet
correct?
The ddos protection is also on the main.subdomain
And the panel i access through panel.subdomain
Even though both are available through both
yes
right the issue is there
I would like it to not be
but i have no idea how to do that
would the following work?:
Only allow access to the panel from my IP, and change this setting through ssh when necessary.
sorry, i don't fully understand
or do you mean i have to access the panel through the ddos protected domain?
if it's accessible from the internet anyone can see it
yes, how do i make that not the case?
How do i make it only accessible to me?
are you selfhosting
nopes, all on hetzner chief!
which makes this wish a little more complicated, seeing that local IPs tend to change from time to time
Please? I would like to get this sorted.
what if you block the port and restrict to cf
restrict to cf, then has to make everything under cf and sftp on panel breaks etc
and i meant right now
+ if a player/malicious actor has the domain rn and for the next 24-48 hours, or uses literally any historical data tool if it's just a normal A record, he needs a new ip
wings is also leaked?
cloudflare panel and non cloudflare wings is not great and needs a ssl cert, etc
messy
no it's fine really
i use a even more complex setup
its still messy for a beginner -.-
sure the IP did end up getting leaked on censys
kekw
-.-
cf -> npm -> pterodactyl
ptero restricted to npm internal IP
and I can't bother restricting NPM to CF
cf -> ptero works fine for my setup and yeah you lose sftp on panel but eh dont need it much, and client is fine with it, just less pain
So I delete the subdomain?
no
you knock hetzner's door
and ask for a new IP
Great
unless if you don't mind your cloudflare protection being useless
How do I prevent this happening in the future?
and pay 30-40 usd i think we paid like 22+? from his previous sys-admin causing leaks
properly restrict pterodactyl to cf
What is cf?
a free way to achieve is to infiltrate the hetzner datacenter and hold the technicians at gunpoint
cloudflare
shortened
What is cloudflare?
i think you should begin elsewhere
*
like by learning what cloudflare is
not installing pterodactyl
neoprotect* being useless
oh i thought they paid for cf for a second
Look dudes,
For these past 2 weeks I have only been searching for one thing:
A list that tells me what programs to install to protect my baremetal pterodactyl server from attackers.
If that is not possible, please let me know so I can change any parts of the formula.
I would like this list so we can both stop wasting time on this matter, if I need to know more about the programs or technologies I would research them. I am a web developer not an angry teenager.
I thank you immensely for your support so far, but I need to get this server online. I think this would be the best way to be helped.
If this matter is not as simple as "a list of programs" then please do let me know too, then I can look elsewhere.
Nopes; neoprotect, firewalld and tailscale
I wish there was another way of thanking you lads other than with words.
I really do
Would hetzner firewall work?
against proper ddos attacks? no
haha nono
for a good firewall
or is firewalld better?
should be fine, firewall on machine should be fine aswell
amazing
ty
I am currently trying to get a ssl certificate from certbot while having ddos protection enabled. But that's not working
@harmen
Damn, that took a while
You'll likely want to do the DNS challenge type if you don't want to/can't expose certbot
ok they put me in timeout lol. I'll try later
The limit is 5 attempts per hour
(Rolling)
indeed lolol
My most annoying problem with installing pterodactyl was for sure using certbot
Also something that can help immensely in the long run is
find / -name <name to search>
I cannot create a certificate for the neoprotect domain, using: certbot certonly -d prefix.mydomain.com
Gives me a 404
I can make a txt record on my dns service, but would that interfere with the neoprotect domain?
And can i remove this record after the certification?
That makes the certificate not auto-renewable correct?
It can be auto-renewed via DNS challenge
Any idea how i make a ssl certificate while having neo protect?
Can i create a temporary dns record for this, and will it still auto renew when i remove that temporary record?
Or am i understanding this wrong?
Is only port 25565 covered by neoprotect and do i have to find another way to protect my panel?
thats what he keeps saying
dns challenge would let you do that
ok so for a dns challenge i need to make a txt type dns record correct?
Can i remove this record after the certificate is granted or do i leave it there? (I am afraid of that scanner finding my ip again)
dns challenge wont have any ip in it
I am sorry, i have some trouble understanding suggestive language in english
so thats safe then, ok good to know
ooh bc its an txt type
I think i get it now ty
Creating SSL Certificates | Pterodactyl
The DNS challenge method for certbot adds a TXT record, either manually, or by using the API of your DNS provider, to add random text provided by letsencrypt to prove you own the domain.
Good to know that, thank you
I have mine setup using cloudflare and have a cloudflare API key on my machine for certbot to use, so the renewal is automatic
hmm, the pterodactyl tutorial told me to put a command in the cronjob. So this will cover the renewal then.
Can i remove the "_acme-challenge.subdomain" record? Or do i leave it there?
After the cert has been issued, you can remove the record if you want
though there's no harm in leaving it
Alrighty amazing then. Ty so much
Ok, so nginx is fully working, i just cannot reach the panel neither by using the ip or neoprotect domain.
I currently have pterodactyl configured on the same subdomain as the neoprotect. Is that good or bad?
I'm not familiar with neoprotect, but I wouldn't think it handles HTTP, only Minecraft traffic
Correct, i cannot even make a configuration for any port below 1024 with them. But sadly i cannot reach my panel right now... it says: ERR_CONNECTION_TIMED_OUT
that's usually firewall
The IP not working means likely firewall, yeah
ufw / iptables
not the hetzner firewall
also btw i would check historic dns records data on securitytrails.com
to see if it has your hetzner ip
i changed ip about an hour ago
i haven't installed ufw or firewalld
hetzner generally give an ip in the same subnet
at least to us (we had to change ip as well)
yes they did
they gave a slightly different ip
Then verify via
netstat -tlupn
that nginx is listening on your IP or 0.0.0.0 and on the port you expect
If i input the ip in my browser it changes it to my subdomain.domain.com But times out anyway
no records whatsoever, it crashes the website if i enter my previous ip
you're not meant to search the ip
search the domain
yea we all clear
none of the current or previous domains and subdomains are present
i re-did the neoprotect linking but i still cannot talk to the panel
Maybe pterodactyl cannot talk to the neoprotect domain?
Ignoring the domain for the moment, going to the IP should still work
Your next step would be to do something like:
iptables -L | grep -i "drop"
and seeing if there's any deny all rules from something
yea, it weirdly doesn't
just to sanity check, do you know if you're routing your traffic outbound via tailscale?
ip route get 1.1.1.1
or some public address should show what route it takes by default
Because unless your traffic is somehow going out the wrong interface, the default input policy is allow
So you should be getting traffic hitting Nginx
At this point I'd look at tcpdump to see if traffic is reaching you, but that's too much to guide someone through if I want to keep my sanity :p
Yes i have installed tailscale vpn according to instructions here.
I have not changed anything after the installation.
I will take a thorough look once I am back home :D
With tailscale, are you routing all outbound traffic over tailscale?
If so, when you're testing this, are you connecting to the Tailscale exit node's IP (and have port forwarding setup for Nginx?), or the Tailscale clients IP directly?
i am logged in to the vpn, but i do not know how the vpn acts.
I have tried to reach the result of "tailscale ip"
And that didn't do it
the command said here will show which interface/address it goes via
Yes, i tried that ip and i got the same issue again.
i tried a bunch of ips and they all gave the issue
I will try something soon, ill let you know if it worked
nvm, no cigar
.
If the IP returned from the
ip route get 1.1.1.1
was your tailscale VPN
it is not
Sadly not
Is the IP you're using to browse to nginx the VPN IP? Or the machine directly?
I tried both
But I don't think that vpns are meant for either
What is the purpose of the vpn in this usecase?
If it doesn't work with the direct IP and the traffic is going back out the right interface, it's likely a firewall inbetween causing issues.
No clue, I'm unsure why you even have it installed if you're not using it.
I'm unsure how you're protecting Pterodactyl though
ppl here told me to lol
i have no idea either
They're probably wanting you to tunnel from another provider for protection for stuff like Ptero/Wings
@Jenkins told me to
If I set up the firewall to block everyone but my ip.
Would that not work?
Depends if you're using something like cloudflare infront of pterodactyl or not
What is cloudflare?
Connect, Protect and Build Everywhere | Cloudflare
does this limit pterodactyl too?
yes
not for sftp tho, as sftp doesnt work under proxying
and you would need to sftp to the machine itself
So what is the problem that I am facing and why would using a firewall whitelist not work?
Because that's a lot to pay
You could use a IP whitelist, but then nobody else could connect to your server
If you're meaning specifically for 80, 443 and 22, you could without issues, as long as others don't need to access Pterodactyl
Exactly what i mean
And i am aware that my ip changes, so nothing to worry
ok, thats amazing to know
ty
sadly that did not fix the issue, i am still timing out
Then you'll need to figure out where the traffic is stopping
doing a mtr/traceroute should help
cmd ping command works (computer -> server)
using ping <ip>
I am not so sure what this means (server -> computer)
i found this: https://answers.microsoft.com/en-us/windows/forum/all/domainnotsetinvalid-network-connection-issue/1dbdba8d-ed06-4b71-ab4f-e2849a304beb
not very helpful tho
?
When you say "my pc" you're doing your external IP right?
The traffic is getting to your server
So it has to be firewall or binding related on the Hetzner side
Correct, that is the computer I am trying to use to reach the server
De-activating firewall and increasing dns ttl doesn't help.
I have had problems with dns caching in the past, is there a way i can rule this out?
there's sites that can show how dns resolves in different parts of the world. That'll tell you if it's dns at least
thats a good one,
It appears that the ip points to one of 2 records: one starting at 194 and one starting at 51
Is there a way to get to know my neoprotect ip?
if you're using neoprotect, then you'll just want to check that the ips are owned by neoprotect
you probably don't have "dedicated" neoprotect ips
yes, they are. Even though the ip appears to be used multiple times
once in germany and 3 times in the us
It appears the canonical name is correct, according to my dns interface
Using: https://dnschecker.org/domain-health-checker.php
It cannot find my subdomain, i'll look into it
Any way to force dns updates?
That error from initial glance seems to indicate you don't have a nameserver set in your registrar for the domain?
Or the domain you're typing in is wrong
i found the issue: https://docs.neoprotect.net/gameshield/setup/
sadly bisect be like:
Even though all values are valid
yes i host my domain with bisect, yes i regret all my past decisions
Can you guys confirm this is a problem? Then i can justify getting another dns that is not bisect.
Yes, you should be using a SRV record for minecraft if you wish to use the same record for your panel too
Otherwise, just put your panel on a subdomain, e.g. panel.whatever.xyz
And leave the A record for neoprotect
SWAP TO CLOUDFLARE!!!!!!!! :supershock:
bisect hosting wont let me
why not
Some domain registrars don't allow you to transfer domains
bruh bisect does domain registration?
well I just took a look, they do allow transfers but have a fee (which is standard in the industry)
i was just stating that as a general rule. I haven't looked into bisect
and yea that's pretty standard
i mean not transfer but use cloudflare nameservers
and then u can configure dns records on cloudflare
Yup, I tried that.
But they don't allow the change of default nameservers, meaning I cannot actually make the changes work.
I told them to remove my domain about 20 hours ago. Their support is slower than a snail.
*21 hours ago
I have an EPP code.
But i don't think i can use it because i cannot change the default nameservers
That is what i found while following a tutorial i found here: https://developers.cloudflare.com/registrar/get-started/transfer-domain-to-cloudflare/#set-up-a-domain-transfer
I need some help,
So I cancelled my domain at bisecthosting, and now i want to activate the domain i made at cloudflare. But that's not working.
Its still pending
So when you buy a domain, you have a registrar you buy it from
You can then tell that registrar to point your name servers to whatever provider you want typically
You'd need to update your nameservers to point to the ones provided by cloudflare in the setup steps and wait ~1-24 hours for them to change for it to not be pending
Bisect didnt let me
Then you've transferred the domain to Cloudflare registrar?
Or is the pending you're talking about from just adding the domain to cloudflare DNS?
No idea
I deactivated the domain i have at bisect.
And i re-made it at cloudflare.
Currently if i reach my site it is apparently on a registrar "godaddy".
Nope
I would not have a clue how to do that
But if Bisect don't allow you to point your nameservers to Cloudflare... then you can't just add it to cloudflare without transferring the domain to somewhere where you can change the nameservers (or cloudflare)
I found the instructions on cloudflares website, but I am not allowed to change the dns servers.
Like i said
Ah oke
Then you'd have to transfer the domain, or live with the Bisect DNS panel
bisect is a godaddy reseller iirc
I need a feature bisect doesn't offer
Good to know
How would I transfer said domain?
I have an epp code
Depends on what extension it is, e.g. .xyz, .com, .co.uk, etc.
.com
Then you'd need to find a registrar which allows .com's, e.g. Cloudflare
Yea
Go into the Registrar tab within your account, and click the transfer button, enter your domain and follow the steps
But know, when you transfer your domain, you'll need to pay to renew it for another year in addition to whatever length you've currently paid for (even if your current length remaining is >1 year)
Also note, Cloudflare registrar also forces you to use their name servers
i instantly get stuck here, i cannot find a resolution in the documentation either
because i cannot do this step
It seems to come down to this:
1. I cannot transfer my domain to cloudflare because I didn't change the dns servers.
2. I am not allowed to change the dns servers on bisect. (Start over at step 1.)
Also:
I cannot register a new domain with my domain name because it is already in use.
Am I right with that?
How long does godaddy keep your domain after it is cancelled?
until the end of the period
so a year from when you bought
im guessing
Oof
Yeah...
Looks like Cloudflare requires their NS's to be setup before you can transfer
You could always go to a registrar like porkbun, namecheap, etc.
And then just point your nameservers to cloudflare once you're able to
^^
i do that with namecheap currently on a few domains works great
Yeah, same
6 with namecheap, 2 with cloudflare registrar
Got it to work, except that my new dns doesn't work with bisect somehow
harmen i commend you for your determination
this thread has been long AF
Thank you,
The annoying part is that bisect is still giving me this much trouble making a new server.
But I see progress, so that's good enough and I'm getting there lol
Looks like its finally all dandy
I would check censys and security trails current and historical data
I just need to know what incoming packages pterodactyl needs to be able to log you in.
Just allowing my ip doesn't work
all good literally 0 traces
Can i enable registrar lock on bisect while my dns stuff is now on cloudflare, with cloudflare nameservers?
(the domain nameservers are set correctly at bisect)
please?
Incoming packages?
yes, when i try to log into pterodactyl while only allowing incoming packages on the server that have my ip.
I cannot login (request times out)
When you're adding the IP limits in place, how/where are you doing this?
hetzner firewall
So you're adding this (or something similar):
first difference with first image:
i didn't set a destination IP (blocking still works)
but practically the same, yes
When you're connecting to Pterodactyl, are you connecting directly via the IP, do you have cloudflare proxy enabled, etc?
using subdomain with no cloudflare proxy
And your outbound rule is just the default:
yes
except mail ports
Mail ports disabled or?
those are default blocked
yup
ah, ok
Then with the rules you've got, as long as you don't have Cloudflare proxy enabled, should work
( ._.) - reeeeeeee
hmm, it times out after 20000ms
lemme try something
try looking at f12 console on your browser and also look at pterodactyl logs
i have used www.google.com ONCE as a placeholder. But currently i cannot find it in any config files
oh my bad, its trying to do a captcha verify
Connection timed out (see https://curl.haxx.se/libcurl/c/libcurl-errors.html) for https://www.google.com/recaptcha/api/siteverify
Additional Configuration | Pterodactyl
ur amazing
;D
when you use ptero enough and for clients who needs different things you learn a fair few amount of random knowledge lol
aaah, now i just get the captcha instead of the reCAPTCHA. That's amazing!
i definitely am yea, so much random knowledge and i love it
euum, sorry.
the issue is still there, i have tried to disable it through sql and artisan.
Both seem to have no effect and the settings table in mysql seems to be empty
should i contact pterodactyl crew about this?
unsupported setup so probably no help, but ig?
Any help would still be incredible!
yea they weren't of any help.
The "settings" table is empty tho, is that any concern?
Server just bricked after clearing laravel cache, any ideas on how to re-generate the cache?
Sudo reboot didn't work
chmod -R 755 storage/* bootstrap/cache/
in the /var/www/pterodactyl folder
I used a command
php artisan cache:clear
Thats what they told me to use, so i did
And now i get the 500 error again that started this issue
what does ptero logs say?
yea you are probably correct, imma do that
current issue:
It might have deleted these two files?
did you do the permission command
this
jupp defo did
and did sudo reboot after that
chown -R www-data:www-data /var/www/pterodactyl/*
tried that?
You can try https://pterodactyl.io/panel/1.0/updating.html
yeaaa, that fixed it. Ty man
np
it still throws me off that the "settings" table is empty
cannot get captcha to be disabled, so close yet so far
:/
ok so
in some kind of mega brain move the pterodactyl panel requires you to login to the panel to disable reCAPTCHA
doesn't require you
its meant to let you disable it from database
as the doc i showed you says
That didn't work, but i managed to fix it anyways
I cannot create servers and my node is showing a red heart.
it seems it cannot connect to the "computer that is supposed to run the server"
logs of wings?
both?
even while removing firewall it shits itself
go to nodes press f12 and copy the console
i tried both ip and domain name.
Please do note that neoprotect is already setup
or should i use 127.0.0.1 or 0.0.0.0?
When I dealt with that, it was because wings was trying to initialize another instance of itself while already daemonized. Would recommend killing all instances of wings and
systemctl restart wings
But like Skullian said provide logs of wings with tail
or journalctl
regarding second part:
my bad! Didn't realise he meant that.
regarding first part:
doing that now
euuuuuuh
second part:
wings in debug mode does not give anything other than this
Is port 8080 allowed
Traffic from the server to itself is fully allowed
Or do you mean i should allow all traffic to port 8080 from everywhere?
When you have wings debug running does the heart show red
Yessir
this usually means firewall
which means have fun troubleshooting
^^
Ah thats gonna be fun indeed.
Seeing that i already tried it while it was disabled
Oh well i got this far
make sure ufw and iptables are disabled to troubleshoot
make sure ports are allowed through the router
alrighty, last thing to fix i hope:
reaching subdomain.domain.com:8080 gives an ERR_SSL_PROTOCOL_ERROR
How can i check if the SSL certificate is enabled correctly? (nginx is enabled with SSL and panel can be reached with https://)
And in the node list the node has a green lock on the ssl protocol
However subdomain.domain.com has neoprotect over it, which might not be ssl. And the dns is "dns only" using cloudflare
did you use the same domain as your panel for your node FQDN, or is it different
yes the FQDN = subdomain.domain.com.
Which is the one i talk about in this part
did you use certbot to make your certs?
yup, i have 2 dns records. One for the neoprotect domain and one for the panel domain
should i change the subdomains associated with the gameserver to something that is not the panel subdomain?
hmm
realistically it should work fine
man over 1k messages wtf
do you mind sending your node config? You can share it in DM / here and mask the sensitive info if you want
@harmen ur really dedicated
i am trying to get this to work
/etc/pterodactyl/config.yml iirc
sure why not
seems that this config file has two things that concern me:
ssl: false
and
an empty domain:
domainname: ""
I used the command to enable wings
turn on SSL
make sure you change the cert path if you didn't redact it
in that config?
yeah
or
just do it in the wings node config
on the panel
If you can*
yea i could
but i was stupid and deleted the subdomain.domain.com that i used to reach my panel
And don't worry my domain name is also empty
in my wings config
Now i cannot reach my panel anymore and even after adding it back its still broken.
ok good
wait you deleted your subdomain.domain.com dns record??
yea i thought it was conflicting and i made an impulse decision
What's the error when connecting
So just a ssl certificate refresh? Or am i cooked?
does ptero output any errors?
DNS records can take up to 24 hours to propagate
propagate*
so i added the subdomain back :
currently it just says "domain unreachable"
and the last ptero log was from our ssl issue
chrome error: DNS_PROBE_FINISHED_NXDOMAIN
ip gets converted to subdomain.domain.com
sudo reboot is no cigar
hmm
if you do
curl localhost
does the panel return fine
systemctl status nginx shows all good
301 moved permanently
ttl was on 1 min, when i deleted the domain
fuck
I saw this issue
couldn't remember what fixed it
Did you enable cloudflare proxy maybe
By accident on the dns record
ah BRUH
lol
yea still nothing??
one sec
give it a moment
but yeah that error means youβre missing SSL certificates so make sure your configs for the node are right (the path to the SSL key and cert)
Why does your cert show:
/etc/letsencrypt/live/<ip-address 2 starting at 172>/fullchain.pem
This should be your domain, not the IP address from my understanding
hmm
it was the ip address
are you sure the cert is generated correctly?
yes there are certs for the subdomain.domain.com
If you run
certbot certificates
what does it show?
Then you need to update your config to use those ones, not the ones with your IP in the path^^
ok i will
With red being your domain, right?
Not your IP?
everything in red is the subdomain.domain.com
doing that now
your node remote is https, so you need SSL.
make sure SSL is enabled in the config and your paths are correct to the cert / key like silent said.
:D
i can reach my panel again
:AGuraCheer:
:HYPERS:
It cooked up a new error and still a red heart.
red = subdomain.domain.com
shall i re-run the wings setup command?
And overwrite?
I would try it
got it
delete the node / the config.yml if it stays after deleting on the panel
Then setup :)
cloudflare is used but proxy on cloudflare is disabled
so that setting is good?
yes
keep it as not behind proxy
ty
ptero logs:
and chrome console says 504
gateway timeout
is uh
wings running?
how can i check?
systemctl status wings
Is this on your home connection, or a server hosted somewhere out of curiosity?
right
hetzner server
Run wings as debug
wings --debug
and see if there's any errors
So you're likely running into an issue with Cloudflare proxy
itβs disabled
so how would that matter?
Ah, I misread above
they had it previously enabled on their DNS record by mistake but turned it off
ah gotcha lol
but yeah do this
Check if there's any errors, and if the node shows green on the panel (refresh it).
Likely the reason why you were experiencing the connection refused error was because wings wasn't running as you hadn't daemonized it
looks fine
in the panel is it green?
proxy disabled
the heart*
now it is
nice
stop the debug process
Installing Wings | Pterodactyl
Pterodactyl is an open-source game server management panel built with PHP, React, and Go. Designed with security in mind, Pterodactyl runs all game servers in isolated Docker containers while exposing a beautiful and intuitive UI to end users.
enabling firewall again
ah alright
did you uh
You've gotta create the service first
make the file
yeah
read the instructions
ffs discord
send messages
nvm
nice
now go to the panel and refresh it
my bad lol
is the heart green
nah dw
yes
right
wooooooooooooooooooooooooooooooooooooooh
youβre set!
imma try to make a server
ill get back to you
1170 messages damn
and otherwise we party
don't jinx it chief
:LUL:
i still have loads of time to f*ck this up
lmao fingers crossed
i like this
nice
:Prayge:
hmm, bungeecord server is not installing
Can i do this and then do a paper server?
my plan was to setup paper backends with proxy main (velocity was the idea)
yeah you can do that
that's usually what I do for things like pufferfish as well lmao
do paper then swap jars
all gold
Any way to allow packets from sources that i have sent a request to?
Using hetzner firewall
Or can i manually install servers too?
Using a startup arguments file and the paper jar?
nvm i forgot something
It canβt pull the docker image
yea because of the firewall i guess
does the docker image only need to be pulled once?
iirc yeah until the docker image gets updated
then it updates automatically
What if i make a new server ?
Does it need to pull again? Or can it copy?
I am looking for a way to make this work while not exposing my ip/panel and using firewall
I'm not entirely sure why it can't pull the docker image
it should be able to, no???
the firewall blocks all packets
oh-
because i dont want to expose the panel to the internet.
I exposed port 25565 to the internet for the minecraft server
But thats all
i am fairly sure it doesn't try pull on every server if it already has it downloaded locally
assuming it's the same docker image
I would recommend you expose your panel then maybe just pull maybe java 8, 11, 17 and 21 to be safe in case you ever need it
your choice though
umm
uh
does the file exist?
im trying to check that rn
trying? Can you not access the file manager?
not inside the panel no, because its "running installer"
that sounds like a screwed up egg
what egg are you using?
If it's starting the server but still in installing mode that's a bad egg
You can toggle install status in the manage section of the server in the admin panel
i used pre-installed paper egg
ill try that
did you specify a custom paper build or something
In the variables when creating the server
yup, no server.jar
no i definitely didn't
yeah, I'd just upload the jar yourself
OH
I KNOW WHY
Did you allow packets
through the firewall
When installing?
because it has to download the jarfile from paper
The egg creates the properties file itself but it downloads the jarfile from paper
yup
so if you were still blocking everything through the firewall then it wouldn't be able to download it
wait
what
i allowed all traffic while installing....
both of you here are having the biggest fucking stroke I have ever seen
and man
:HMM:
this thread is 1k messages
shush
tf is going on here
stop complaining
we are tryinggggg
But regardless, just upload the paper jar
what even is the issue rn
yourself
got it
what????
smh my head
wdym what?
what even is the issue rn
yourself
Paper egg didn't download the paper jar
read my fucking messages
you sent a message between them
it was a joke
1
smh
2
i cannot go to the papermc website
can you?
yes
Uh
I can't
wait what
can't either
oops my bad
XD
right
it's not your problem
jk
it's paper's
the paper api is down...
LOL
it all is
hmmm...
wasnt me
Happened about 3 minutes ago
wellp
gotta wait then lolk
o7
yep
you can always try puffer if you don't need 1.21 lol
around the time i requested my jars 0_o
harmen broke papermc!!!
ban this guy!!!
noooooooooooooo
yeah
wellp guess i wait
mhm
fyi
@harmen @Skullians https://api.papermc.io/v2/projects/paper/versions/1.21/builds/109/downloads/paper-1.21-109.jar
download fast, CF has it cached
DOWNLOAD FAST!!!
I cba
I can't even download it
gotta love caching
heh
now watch the paper jar be unable to check for updates kek
their docs are fine interestingly enough
could just be CF
nice!
glad you got it all working
yea feels good
wellp, if any of y'all manage to find the server. Lemme know you helped me here and ill see if i can arrange anything if thats what you wish for.
especially silentbot, skullians and progamingdk
just happy you got everything working tbh
yea same
^^
Authentication servers are down. Please try again later, sorry!
:Hmm:
it worked, and then i relogged and it didnt.
Firewall issue?
or just mojang
their auth servers arent exactly stable
no, its firewall
how can i allow minecraft authentication server's incoming packets?
its a web request
so 80/443
^
This does not allow authentication server requests to go through
but if i expose 80/443 incoming packets my panel gets exposed, no?
well you shouldnt need to
its not incoming on those ports its just accessing mojangs site
ive had issues with authentication server failing when using a tunnel (like neoprotect) (in my case it was wireguard) due to a wrongly set mtr
but my server expects a response from moyang, no?
doesnt go in on those ports
remember, you dont need to portforward 80/443 on a selfhosted server
i disabled the "allow everything" rule to allow all traffic and authentication worked again
Do you have a suggested solution?
A firewall blocks all packets that don't follow the firewall rules, correct?
this is the issue i am having:
https://www.reddit.com/r/hetzner/comments/12joso2/hetzner_robot_firewall_minecraft_server/
It depends, some can be default allow, so you have to explicitly deny traffic you don't want, or some can be default deny, where you have to explicitly allow any traffic you want to pass.
I want to block all traffic to the server EXCEPT:
- Any traffic to port 25565 to allow players to play the game.
- any traffic the server needs to do minecrafts authentication.
I just don't know how to do the latter
Add a rule which looks like this:
Which will allow any traffic to come back based on connections you've initiated outbound
e.g. to mojang auth servers
This should also be included in the template firewall rules you can pick from
Which your rules likely should be ontop of anyway
Amazing, ty so much
That hasn't fixed it however. Is it responsible to allow all ack packets?
I assume your docker containers just don't have access to the internet
If you try and check the version of your server software, does it throw an error?
i was able to connect and play on the server before
how would i check the version of my server software?
Depending on your server, paper, purpur, etc, just the version command
i suppose you are right, how do i give a docker container access to the internet?
in docker config?
maybe config.yml from earlier?
Pterodactyl sets that up correctly by default
Allowing all ack connections still results in unreachable authentication servers
well it seems to be buggerd right now,
i did updates and upgrades and reboot
i checked configs too
both authentication servers and version command are failing
But the ack is applied correctly
if you do
ip a
, what ip does the neoprotect tunnel have?
or is it just a neoprotect dns record
i am unsure what you mean by "ip a"
The neoprotect domain is setup using both dns and has the real ip configured.
The neoprotect domain is setup using a srv record with _minecraft and _tcp on it. Before the subdomain.
The value of this record is the same as i would get using CNAME
ooh it just updated
where is the neoprotect tunnel ip supposed to be?
I cannot find it
hey i got a new error
https://www.spigotmc.org/threads/solved-yggdrasil-public-key-issues.612110/
This guy had the same issue as me
SpigotMC - High Performance Minecraft
(SOLVED) yggdrasil public key issues
(SOLVED) i guess? solution at bottom of post
hello folks
I recently created a spigot server for myself and have run into an issue
yesterday I set the...
I guess i wait
looks like dns
issues
i didn't change anything regarding dns in between logging in first time and the issue
so ill just wait a bit them, unless you got any ideas
still nothing
dns
atleast thats the "error" or else yeah firewall
are you allowing port 53 traffic?
Answer: no
Additional info:
I am allowing all ack packets
:D
What is port 53 used for?
dns
So allow all traffic to port 53 always?
well, might not need it as 53 is for dns servers not clients
you have weird issues but its hard to help in uber specific setups
How does allowing port 53 work on cloudflare?
If thats what you meant.
Or did you mean server firewall?
i was meaning firewall
Roger!
well, might not need it as 53 is for dns servers not clients
haven't had to deal with dns issues like this before
I have magic powers for causing super specific and infuriating bugs.
On both my internships too
I'll try that soon, ty
allowing all traffic to port 53 doesnt help, ill try the same with sudo reboot tomorrow
:D
I'm just amazed that in a thread simply trying to get pterodactyl to start you end up fucking about with tailscale and neoprotect and 1400 messages later you still can't start your server lol
.
yea no cigar
This is the only domain i have regarding the minecraft server
This is the panel domain. Both red boxes have the same value but the scribbled out parts are different.
On this image the scribbled out part is the server's ip address which scares me a little bit
i did sudo tcpdump and found the following:
11:02:52.553561 IP <my-server>.34597 > one.one.one.one.domain: 18507+ [1au] A? sessionserver.mojang.com. (53)
11:02:52.553571 IP <my-server>.51342 > one.one.one.one.domain: 16709+ [1au] AAAA? sessionserver.mojang.com. (53)
11:02:52.560410 IP one.one.one.one.domain > <my-server>.34597: 18507 5/0/1 CNAME sessionserver-d5hmddgyhza3g3e5.z01.azurefd.net., CNAME star-azurefd-prod.trafficmanager.net., CNAME shed.dual-low.s-part-0032.t-0009.t-msedge.net., CNAME s-part-0032.t-0009.t-msedge.net., A 13.107.246.60 (246)
11:02:52.561126 IP one.one.one.one.domain > <my-server>.51342: 16709 5/0/1 CNAME sessionserver-d5hmddgyhza3g3e5.z01.azurefd.net., CNAME star-azurefd-prod.trafficmanager.net., CNAME shed.dual-low.s-part-0032.t-0009.t-msedge.net., CNAME s-part-0032.t-0009.t-msedge.net., AAAA 2620:1ec:bdf::60 (258)
It seems like the moment i disable the firewall i get a lot of traffic on port 60, should i allow port 60 to make connections?
according to this chart the requests to and from the sessionserver are made in the "Registered ports" category
I would assume i cannot just allow traffic over those ports correct? As that would be unsafe
It seems that packets from the session server do not get a ack flag, is there a fix?
this makes it work
mojang uses the "syn" tcp flag for login packets instead of ack like it should.
Anyone know some better fix then this? pls
ok so the minecraft response packets are:
NOT TCP
NOT within the "Dynamic and/or private ports" range
NOT sent with an ACK flag
ARE: sent through a public domain resolver named 1.1.1.1
can you make it any less secure mojang?
Is allowing all traffic from 1.1.1.1 a bad idea?
Im stuck now
its not response packets
it doesnt get that far
1.1.1.1 is just the dns iirc wings uses it by default
it cant even try to get the minecraft public keys
because it couldnt find the ip for the server the public keys are on
buti requested a reply from mojang authentication servers no?
so any reply to that should be a response packet?
it doesnt know what the ip for the mojang authentication servers ar
e
if dns requests to 1.1.1.1 (the dns server) is blocked
my server sends request to one.one.one.one.domain which is sessionserver.mojang.com
remember the packet logs i send where when the firewall was down
one.one.one.one is the dns server
where your server / wings asks what ip sessionserver.mojang.com has
yes i know that, its the most public and the fastest one
yes
if 1.1.1.1/one.one.one.one is blocked
it cant get the ip of sessionserver.mojang.com
aka cant send the request
then why does adding this rule fix it?
because youre unblocking the connection to the dns server?
so it can get the ip of sessionserver.mojang.com
so the only way to fix this is to allow all incoming connections from 1.1.1.1 ?
with destination ports: 32768-65535
1.1.1.1 is fine
if you want any http/https request on the mc server to go through
can bad ppl not use 1.1.1.1?
or anything that need the ip of a domain
allrighty then
they can use it, but they cant be it
isnt that the same level of danger?
no
not at all
ok then
then im set untill a new issue surfaces
lol
can i select a version for this?
is there a way i can make my domain work while being proxied by cloudflare?
i am afraid of the dns A record exposing our ip.
Or should i just remember my ip at that point? (but pterodactyl doesnt work without dns right?)
any way to setup a dns firewall for a single subdomain in cloudflare pro?
Or does the server firewall achieve the same goal? Sorry if i seem a bit paranoid
ptero does work without dns but it would be http so all traffic would be unencrypted
between your browser and ptero
How about creating a srv record that points to a (proxied) "A" record?
Of which the srv record is the subdomain which is used to reach the panel.
Would that hide my ip address?
srv doesnt work for web
you do realise at this point youve spent so much time when you could have gone to a provider that has good quality antiddos for not that much more right
kek
Or just throwing $5 to a sysadmin who knows what they're doing
5 usd would get you a not good sysadmin tbh
Wellp im a special kind of idiot
And i learned
Which was the deal i had with the investor
sure but you can do a proper setup while not being 100% reliant on it
theres learning and then theres improper planning
And besides using premade hosting has already cost us a lot of players and money
not what i meant
at ALL
That was not a reply to your comment above my reply
:D
Anyhoozles
Got more advice? I still feel under protected/uninformed
I shouldn't be 100% reliant on a server?
How not?
thats not what i meant
Would you mind to elaborate?
as you said you're learning, you shouldn't rely 100% on what you setup, you should have proper/good host offered antiddos as a fallback
well like i can use smth like pebblehosts dedi which come with inhouse and cosmicguard fallback, and still use neoprotect
antiddos can leak traffic to the backend
I am afraid we don't have the budget for that (yet)
what hetzner machine?
do you have
and pebble was just a example
Dedicated baremetal
64gb
2x ryzen 7 7000
2x?
you mean 1
1tb software raid 1
r7 7700
Euuuh yea
Lemme check on that actually
Yep you were correct
1x ryzen 7 7000 series
14 cores?
8 cores, 16 threads
Lol I got cores and threads confused.
And I remembered the value with the os removed, so free threads
Free threads = 14
Yea u are right
what were you getting at?
I think the point was that for the price you're paying for a Hetzner dedicated server, you could get one from a provider which handles a lot of the DDoS protection (and other) side of things for you.
Though I may be misreading what Pro was meaning
no that was about it
sorry been busy, had my first alcohol cocktail ever and im being hit insanely hard rn lol
have fun
im... not having fun rn
the cocktails should help with what
one cocktail gets you hammered? :D
yikes, you good?
YES
head felt heavy, my jaw felt weird
it was weird
5 more will sort that out
Are you American perchance?
no he isn't
DK = Denmark
iirc
Ah lol
Danish
in germany rn
my initials but same same
lmao
cant be doxxed if parents are doxxing you
https://pterodactyl.io/panel/1.0/troubleshooting.html#containers-don-t-have-internet-probably-a-dns-issue lol this would have explained and found the issue
Troubleshooting | Pterodactyl
Pterodactyl is an open-source game server management panel built with PHP, React, and Go. Designed with security in mind, Pterodactyl runs all game servers in isolated Docker containers while exposing a beautiful and intuitive UI to end users.
Yea lol
Also I'm looking into moving ddos protection to cloudflare
Dont
Its 100 - 1000 usd a tb traffic
For mc
Cloudflare Spectrum accelerates and protects your Minecraft server ...
Cloudflare Spectrum accelerates and protects your Minecraft server
OOF
Yes
nvm
Yeah...
just use neoprotect, works perfectly fine
even tho it's really expensive to cover 1 single node, as there is a base fee of like 70€ / month to use it, that doesn't change even if you have more servers
Reee
the button on neoprotect doesnt work?
what plan are you trying to buy?
to protect nodes you need to make a ticket and some random stuff.
the "neo" plan
what do you mean with "nodes"?
if you want to protect the whole server, you do this
this will protect 1 server, not all xD
this is how much it costs on neoprotect pretty much
yea i am aware
the 75€ is by default, you can't really change it :/
it's worth going under someone else plan
i want to protect a server and its backends using velocity
you would prob pay like 10€ or 20€ /month for 1 node, depends on bandwidth
yea but is your actual server protected?
firewalled and hetzner normal anti ddos i suppose?
because only port 22565 is exposed
ahhh!
and that has neo
yea well if you are planning to run only 1 server, than that will work
yea thats the plan
one server with 3+ backends
my bad xD
np chief
if you need to run more servers, the issue comes xD
yeaa
but the button no worky
how fix?
not sure how their neo plan would work, but i think you just want to accept traffic only from their servers, and block everything else
make a ticket on the discord, you might have a AD blocker or smth tho
that usually, is the issue.
ADVERTISING!1!!1!1!1!1!1. How could you!!!!
disabled that too
:ClownWalk:
well better ask their support ig
instant ban lol
fair
just remember, they might ghost you for small plans xD
typical company
doesnt want your money when they are the only one providing the service
real
i could have coded that button better
Note 5 tb is really low
For a decent size mc server
yea ahha
depends on how many players :/
Have you seen the fair use
And company plan
but at one point it's worth just to do this, as long as it's not surf xd
neoprotect is acting mega sus?
we click on a bill for 30 eu and we get 3000 bill.
We try to add creditcard it doesnt work
we try to remove credit details, it doesnt work
any other then neoprotect that would suffice?
What about tcpshield?
https://tcpshield.com
https://www.trustpilot.com/review/tcpshield.com
this doesnt inspire confidence
Trustpilot
Tcpshield is rated "Great" with 4.1 / 5 on Trustpilot
Do you agree with Tcpshield's TrustScore? Voice your opinion today and hear what 11 customers have already said.
What?
Never tried so can't say
I don't think you can, you can pay with credit card tho, making a ticket is the go to
Just remember you will be ghosted 99.9% as they don't care for small customers.
(For support)
yea? thats not a good look for their company
It's just how it works
They don't have many staff members, if you have money of course they prefer to help you
tcpshield is fine alot of server use em
the paid plans are just expensive + no bedrock support
unless you pay 100 usd a month for their second best plan
It's cheaper to protect the whole node xd
we dont want neoprotect any more
yea tpcshield would work tho
prob better support too xd
yea
I seem to have some issues with a player connecting to my old server.
Otherwise we are all done
This issue:
https://discord.com/channels/348681414260293634/1268287919882375261/1268289321341812829
This ticket is resolved by now, we probably broke some record. :D
If y'all find the server, let me know you helped me here and have a good time.
Byee
you can do !resolved
but congrats on solving it, that was quite the journey
already added the solved tag, but i shall!
certainly was
after this excursion, would you recommend tailscale?
tailscale?
pretty sure jenkins linked it to you
don't know if you used it or not
oh, uuuuuuuuuuuuuuuuuuuuuuh
i cannot say much about it, why?
erm just wondering if it's worth looking into
I take it you didn't actually go forward with using it
ill be very honest. I have no idea
xD
all good lol
but it worked, so thats cool
so you just installed and forgot about it pretty much lol
that's a decent sign ig
yep sure is
!solved
post closed!
The post/thread has been closed!
Requested by harmen_dev#0