Dynmap is a great plugin for inspecting your Minecraft Map in a top-down view from your webbrowser. In this post I will show you how to password protect it to prevent the wrong people from viewing it and using it as an attack vector against your server.
The way I did it was simply using a nginx reverse proxy to configure basic-auth for Dynmap. The following commands apply to a Debian based machine.
If you do not have nginx installed on the machine running your Minecraft server, you can do so (on Debian based distros) by running the following command.
sudo apt install nginx
First, create the login credentials. To generate the needed .htpasswd file, you can use the following command on Linux.
sudo htpasswd -c /yourfolder/.htpasswd youruser
To configure the proxy, create a site-configuration called etc/nginx/sites-available/your.domain
. It could look something like this, you will just have to replace your.domain
with the domain that points to your server and yourfolder with the folder where you generated the .htpasswd
file.
server { server_name your.domain; location / { auth_basic "Restricted"; auth_basic_user_file /yourfolder/.htpasswd; proxy_pass http://localhost:8123; } listen 80; }
Next, link the available sites to the enabled sites.
ln -s /etc/nginx/sites-available/your.domain /etc/nginx/sites-enabled
After that, restart nginx.
sudo service nginx restart
Finally, always make sure that you use a SSL certificate with Basic-Auth!
Otherwise the username and password will be easily captured by any intruder in your current network, as they are delivered unencrypted. There are tools like certbot, which make protecting your domain with a valid SSL certificate very easy. To get it installed, please follow their instructions page.
If you installed the tools for nginx ( package python-certbot-nginx
), you can now simply run the command sudo certbot
and the wizard will guide you through the process of getting your SSL certificate.
To add even more security, please consider enabling the firewall ufw
and forbid direct access to port 8123
(the default port of dynmap) and only allow 443
for HTTPS. If you access your server via SSH, don’t forget to allow the port for it too, otherwise you will no longer be able to access your server remotely.