Putting FiveM behind a proxy

So, I’ve been a system admin for a server for a while now and we’ve recently had a few DDoS attacks.

To combat this, I thought of having a few smaller servers to act as gateways to the FiveM server. This all works fine, I can get the “players.json” file and everything fine but, when I try and connect to the server with the client it fails (tries three times then gives up).

So, I was wondering if there’s something I need to do extra to get this to work. Currently I have the setup:
Proxy Server 1 -> FiveM Server (TCP 30120) - With Nginx
Proxy Server 1 -> FiveM Server (UDP 30120) - With a python script

When looking at the NGINX logs for the TCP connections, it looks like it’s working (it’s sending a POST request to /client):

and the python script shows that the UDP packets are being sent through:

Move to Dedicated Game Server at OVH and DDoS won’t hit you.

I’m already with OVH and I feel like they can’t do any protection for FiveM with it being so heavy on the bandwidth. So, they can’t distinguish the real traffic from the fake traffic.

2 Likes

Do you use OVH Game Dedicated Server? They protect better than normal servers

Yeah but there’s no need for a dedibox for FiveM, it’s super overkill.

3 Likes

Yea, no. That’s way too much power for a simple FiveM server. I don’t want to do that at all.

Still looking for solutions if anyone has an idea.

3 Likes

Hello,

With this simple Nginx config, all pass.
Resources downloaded correctly, but when it’s time to connect, it’s impossible

stream {
    server {
        listen 30120;
        proxy_pass ServerIP:30120;
    }

    server {
        listen 30120 udp;
        proxy_pass ServerIP:30120;
    }
}


I think it’s when you initialize the socket that it does not work.
The idea is good because it would make it possible to define complex filtering rules.

If official developers have answers to our questions, it would be cool, even if in the idea, it weighs down the process.

:kissing_smiling_eyes:

Using nginx might be a good way to cache the files and improve the download speeds but is not the best way to forward all the traffic.

1 Like

I’m using the nginx stream module as well to proxy my servers and it’s working just right; however, when the backend (FiveM) server authenticates to Nucleus, it does send its real IP to the FiveM server list.

When people put up the server in their favorites they connect directly to the backend server and can grab its IP in netstat.

I’m trying to find a way to circumvent that whilst still showing in server listing with the proxied IP instead.

Yeah I think we need better support for reverse proxy so we can protect our backend servers… still getting a lot of DDoS attacks…

2 Likes

I am getting exactly the same problem. Did you find a solution?

Hi, no solution was found at the moment.

Hi mate, did you find some solution? We are receiving a good amount of DDoS many days in a row and it’s really not helping… We have OVH

1 Like

It is very disappointing seeing how little the community cares about such situations that more or less most server owners are going through.

Answers like get OVH and “learn to code” are so wrong.

3 Likes

That’s not true. I’m on an OVH game server, and DDoS still times out my players, since there are FiveM bypasses.

You need nginx version 1.17+ to use the UDP solution.
On my side, I manage to set up all the proxies, but my cfx link doesn’t work anymore, and the players can’t join from the server list (HTTP error 502).

If you need help to configure, I can help you.

Have you set up sv_listingHostOverride correctly?

Hi, yes.
Here is the end of my server.cfg file:

# License key for your server (https://keymaster.fivem.net)
sv_licensekey "w8kzm9m5htbgxxxxxok2sqk52"
endpoint_add_tcp "0.0.0.0:40037"
endpoint_add_udp "0.0.0.0:40037"
set sv_forceIndirectListing true
set sv_listingHostOverride "xxxx.xxxxx.xyz:40037"
set sv_listingIpOverride "fxxxx.xxxxx.xyz:40037"
set sv_proxyIPRanges "194.9.172.xxx/32 194.9.172.xxx/32 45.145.167.xxx/32 194.9.172.xxx/32 194.9.172.xxx/32"
fileserver_add ".*" "http://xxxx.xxxxx.xyz:40037/files"

When connecting from the list or CFX, I get the 502 error, which I don’t get when connecting from the domain name. The strange thing is that my server appears in the list, but I can’t join it :confused:

Host override can’t specify a port, it has to be on 443.

1 Like
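
An added example, not part of the thread and not FiveM project code: a small Python lint for the proxy-related server.cfg lines discussed above. It applies the rule given in the reply (no port in sv_listingHostOverride) and, as assumptions, treats sv_proxyIPRanges as the list of trusted proxy ranges and a 0.0.0.0 endpoint bind as reachable without going through the proxy; the finding codes and sample values are made up for illustration.

```python
import ipaddress
import re

# Constructed sample modelled on the server.cfg posted above; the host name
# and addresses are placeholders (documentation ranges), not real servers.
SAMPLE_CFG = """\
endpoint_add_tcp "0.0.0.0:40037"
endpoint_add_udp "0.0.0.0:40037"
set sv_forceIndirectListing true
set sv_listingHostOverride "play.example.test:40037"
set sv_proxyIPRanges "192.0.2.10/32 198.51.100.300/32"
"""

LINE = re.compile(r'^\s*(?:set[sr]?\s+)?(\w+)\s+"?([^"#]*?)"?\s*$')

def parse_cfg(text):
    """Return (name, value) pairs for each setting line, skipping comments."""
    pairs = []
    for raw in text.splitlines():
        m = None if raw.lstrip().startswith("#") else LINE.match(raw)
        if m:
            pairs.append((m.group(1).lower(), m.group(2).strip()))
    return pairs

def lint(text):
    """Return sorted finding codes (hypothetical names) for proxy settings."""
    findings = set()
    for name, value in parse_cfg(text):
        if name == "sv_listinghostoverride" and re.search(r":\d+$", value):
            # Rule as stated in the reply above: no port, host answers on 443.
            findings.add("HOST_OVERRIDE_HAS_PORT")
        elif name == "sv_proxyipranges":
            for cidr in value.split():
                try:
                    net = ipaddress.ip_network(cidr, strict=False)
                except ValueError:
                    findings.add("PROXY_RANGE_INVALID")
                    continue
                if net.prefixlen == 0:
                    # Assumption: ranges mark trusted proxies; /0 trusts all.
                    findings.add("PROXY_RANGE_TOO_BROAD")
        elif name.startswith("endpoint_add_") and value.startswith("0.0.0.0:"):
            # Backend listens on every interface; a host firewall must then
            # limit the port to the proxies or clients can reach it directly.
            findings.add("BACKEND_BOUND_ALL_INTERFACES")
    return sorted(findings)

if __name__ == "__main__":
    print(lint(SAMPLE_CFG))
```

Masked entries such as `194.9.172.xxx/32` are reported as PROXY_RANGE_INVALID, so run it against the real file rather than a redacted copy.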

Ok.
Do I need an SSL certificate or is just listening on port 443 enough?

EDIT: Just forwarded port 443, but I have this error…
How can I get a debug of the request or something to help me find the mistake?

Failed handshake to server mathias2pique-b6xxx6d.users.cfx.re - HTTP 502
1 Like