I am using the X4B DDoS scrubbing service. I have my GRE-Tunnel operational and my server config’d and working just fine.
When I try to implement the HTTPS/30120 service per their instructions on the website, I am running into some issues.
The main thing is I get no PMA-voice in the server if the HTTPS service is implemented. Their instructions do not give any rules to implement that would make sure PMA-voice is passed to the server. These are the rules they say to implement as the base service:
You can define these however you want, but the rules below protect your resource endpoints and add some extra checks for valid FiveM client (and proxy) traffic:
# This rule ensures that the only accessible endpoints on your filtered IP (and HTTPS port) are:
# - /client
# - /info.json
# - /dynamic.json
# - /players.json
RequestUri.Regex("^(/client|(/info|/dynamic|/players)\.json)") == false
# This rule blocks common browsers from accessing any endpoints:
HttpHeader.Exists("via") == true || HttpHeader.Exists("upgrade_insecure_requests") == true
# And this one adds a user-agent check, which will catch most traffic during HTTP floods (unless specialized):
UserAgent.Full() != "CitizenFX/1"
Be aware that if you access any resource endpoints (i.e. for prometheus metrics), you will have to do it through your backend IP address if you choose to use these rules. If you have additional endpoints for users (e.g. chat) you will have to extend these rules as appropriate as these rules are an example of an explicit whitelist (reject anything unexpected).
You should also generally avoid making any requests to your Filtered IP for purposes such as Discord bots. Use your backend IP for that.
Any ideas how to make sure my PMA-voice gets passed through the HTTPS protocol?
TYVM…
Nate
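The three rules quoted in the post above, modelled as an added Python example (not part of the original posts and not X4B's code). It assumes that a rule evaluating true blocks the request, that the regex uses search semantics, and that header names are compared as written in the rule; `STRICT_URI` is a hypothetical end-anchored variant, and the sample requests are constructed.

```python
import re

# Pattern copied from the rule quoted in the post; search semantics are assumed.
ALLOWED_URI = re.compile(r"^(/client|(/info|/dynamic|/players)\.json)")
# Hypothetical tightened variant (not from X4B): also anchors the end of the path,
# allowing only an optional query string after the endpoint name.
STRICT_URI = re.compile(r"^(/client|(/info|/dynamic|/players)\.json)(\?.*)?$")


def blocked_by(uri, headers, uri_pattern=ALLOWED_URI):
    """Return the names of the quoted rules that evaluate true (would block)."""
    # Header names are lower-cased and compared as written in the rule; how the
    # service normalises names is not shown on the page.
    h = {k.lower(): v for k, v in headers.items()}
    hits = []
    if uri_pattern.search(uri) is None:          # rule 1: URI not whitelisted
        hits.append("uri-whitelist")
    if "via" in h or "upgrade_insecure_requests" in h:  # rule 2: browser/proxy headers
        hits.append("browser-headers")
    if h.get("user-agent", "") != "CitizenFX/1":  # rule 3: exact user-agent match
        hits.append("user-agent")
    return hits


# Constructed sample requests (not captured traffic).
SAMPLES = [
    ("/info.json", {"User-Agent": "CitizenFX/1"}),
    ("/client", {"User-Agent": "CitizenFX/1"}),
    ("/metrics", {"User-Agent": "Prometheus/2.0"}),
    ("/players.json", {"User-Agent": "Mozilla/5.0", "Via": "1.1 proxy"}),
    ("/info.json.bak", {"User-Agent": "CitizenFX/1"}),
]

if __name__ == "__main__":
    for uri, headers in SAMPLES:
        quoted = blocked_by(uri, headers)
        strict = blocked_by(uri, headers, STRICT_URI)
        print(f"{uri:16} quoted={quoted or 'pass'} strict={strict or 'pass'}")
```

The quoted pattern is anchored only at the start, so `/info.json.bak` passes rule 1; the end-anchored variant rejects it.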
I am taking a guess that I need to set ConVars for my backend IP and port to force Mumble/pma-voice through?
voice_externalAddress
voice_externalPort
Hey Nate,
From the details you’ve shared, I’m convinced that the core issue lies with your HTTPS setup. Here’s the step-by-step resolution:
- HTTPS Setup: Ensure the external port is set to 80. For the backend, use your server’s IP and port 30120 (or whatever port your FXServer/FiveM server operates on). Additionally, for the SSL/TLS component of your HTTPS service, it’s crucial to upload both the server-tls.crt and server-tls.key files to X4B’s SSL section. You can find this section by clicking on the lock icon when adjusting the HTTPS port 80 settings. Acquire these files from your server’s artifacts folder after booting up the server.
For those who may also be navigating X4B’s complexities without much prior knowledge:
- GRE Tunnel: If you’re using a GRE tunnel, always use the filtered IP given by X4B for your convars. This step ensures players connect via the safeguarded route.
- Convars Configuration: For those running external mumble from PMA voip, remember to tweak the convars:
voice_externalAddress
voice_externalPort
However, if PMA-voice is internal within the same FXServer, these convars aren’t necessary.
Some extra backend configuration and encapsulation pointers:
- Backend Configuration: In your server.cfg, substitute <replace_with_filtered_IP> with the IP allocated by X4B:
set sv_forceIndirectListing true
set sv_listingIpOverride "<replace_with_filtered_ip>:30120"
set sv_endpoints "<replace_with_filtered_ip>:30120"
# This is specifically for Reverse Proxy setups
set net_tcpconnlimit 10000
- Encapsulation: Here, switch <replace_with_tunnel_IP> with the local tunnel IP address:
endpoint_add_tcp "<replace_with_tunnel_IP>:30120"
endpoint_add_udp "<replace_with_tunnel_IP>:30120"
For a complete rundown, refer to X4B’s Knowledge Base.
While I previously had an extensive history with X4B, certain challenges led me to explore other avenues. Nevertheless, it’s essential to remember that experiences can differ.
Lastly, it’s worth noting X4B’s potential bandwidth costs. Depending on server specifications and player base size, these can vary. For a better grasp and possibly a resolution to any bandwidth “run-ups”, check FiveM’s Proxy Setup Guide, which draws inspiration from this community guide.
All the best with your setup, and I hope to hear about your progress soon.
Warm Regards, Kerminal