Brazil's biggest MU Online portal — since 2003
Tutorial Advanced Tutoriais

How to Configure Reverse Proxy to Protect MU Server IP

Learn to configure a TCP reverse proxy with HAProxy and Nginx to hide your MU Online server's real IP and protect it against DDoS attacks using two VPS nodes.

VI ViciadosMU Team · Updated on 3 jul 2026 · ⏱ 12 min read

Exposing your MU Online server's real IP is an open invitation to DDoS attacks. A single attacker with access to common booter tools can take down an unprotected VPS in minutes. The solution is to place a TCP reverse proxy on a separate server so that players and attackers never see the IP where MuServer actually runs.

This guide covers the full configuration using HAProxy and Nginx (stream module) on a separate edge VPS, along with MuServer adjustments and firewall rules on the main server.

Solution Architecture

Players → Edge/Proxy VPS (public IP, disclosed) → MuServer VPS (real IP, hidden)
           44405, 55901-55910 (TCP)                  44405, 55901-55910

The proxy VPS is the only server with those ports open to the internet. The MuServer VPS blocks all external connections on those ports, accepting only traffic originating from the proxy IP.

Standard MU Online ports that need proxying:

ServiceTCP Port
ConnectServer44405
GameServer (per channel)55901, 55902, 55903...
DataServer57900 (rarely exposed)
Nota: You need two servers: the main VPS running MuServer and an edge VPS (can be a cheap node) acting as the proxy. The edge VPS is the only one whose IP will be published to players.

Part 1 — TCP Proxy with Nginx (stream module)

Step 1: Install Nginx with stream support

On the proxy VPS (Ubuntu/Debian):

apt update && apt install nginx-full -y
nginx -V 2>&1 | grep -- --with-stream
# Expected output: --with-stream or --with-stream=dynamic

Step 2: Configure the stream block in nginx.conf

Edit /etc/nginx/nginx.conf and add the stream block outside the http block, just before the end of the file:

stream {

    # ConnectServer
    upstream mu_connect {
        server 203.0.113.50:44405;  # Real IP of your MuServer VPS
    }
    server {
        listen 44405;
        proxy_pass mu_connect;
        proxy_timeout 10m;
        proxy_connect_timeout 5s;
    }

    # GameServer channel 0
    upstream mu_gs1 {
        server 203.0.113.50:55901;
    }
    server {
        listen 55901;
        proxy_pass mu_gs1;
        proxy_timeout 30m;
        proxy_connect_timeout 5s;
    }

    # GameServer channel 1
    upstream mu_gs2 {
        server 203.0.113.50:55902;
    }
    server {
        listen 55902;
        proxy_pass mu_gs2;
        proxy_timeout 30m;
        proxy_connect_timeout 5s;
    }
}
Atenção: Replace 203.0.113.50 with your MuServer VPS real IP. Keep this IP absolutely secret. Never mention it in public panels, forums, or logs.

Step 3: Validate and reload

nginx -t
# nginx: configuration file /etc/nginx/nginx.conf test is successful
systemctl reload nginx
systemctl status nginx

Part 2 — Alternative with HAProxy

HAProxy provides automatic health checks and a statistics dashboard, making it preferable when managing multiple GameServers or load balancing.

Step 4: Install and configure HAProxy

apt update && apt install haproxy -y
haproxy -v
# HAProxy version 2.4.x or higher

Edit /etc/haproxy/haproxy.cfg:

global
    log /dev/log local0
    maxconn 50000
    daemon

defaults
    log     global
    mode    tcp
    option  tcplog
    option  dontlognull
    timeout connect 5s
    timeout client  30m
    timeout server  30m

# ConnectServer
frontend mu_connect_front
    bind *:44405
    default_backend mu_connect_back

backend mu_connect_back
    server vps_real 203.0.113.50:44405 check inter 5s rise 2 fall 3

# GameServer channel 0
frontend mu_gs1_front
    bind *:55901
    default_backend mu_gs1_back

backend mu_gs1_back
    server vps_real 203.0.113.50:55901 check inter 5s rise 2 fall 3

# GameServer channel 1
frontend mu_gs2_front
    bind *:55902
    default_backend mu_gs2_back

backend mu_gs2_back
    server vps_real 203.0.113.50:55902 check inter 5s rise 2 fall 3

# Statistics dashboard (restricted access)
listen stats
    bind *:8404
    mode http
    stats enable
    stats uri /haproxy-stats
    stats auth admin:ReplaceWithStrongPassword
    stats refresh 10s
haproxy -c -f /etc/haproxy/haproxy.cfg
systemctl restart haproxy && systemctl enable haproxy

Access http://PROXY_IP:8404/haproxy-stats to monitor active connections and backend status in real time.

Part 3 — MuServer Adjustments

Step 5: Update CSConfig.ini on the ConnectServer

Edit ConnectServer/CSConfig.ini on the MuServer VPS:

[CONNECT_SERVER]
Port = 44405
PublicIP = 177.77.77.10        ; Proxy VPS IP — disclosed to game clients
InternalIP = 0.0.0.0           ; Listen on all local interfaces
MaxConnections = 10000
ServerListFile = ServerList.dat

Step 6: Update ServerList.dat

The file ConnectServer/ServerList.dat must reference the proxy IP for every GameServer entry:

[SERVER_INFO]
ServerCode = 0
ServerName = Main Server
ServerAddress = 177.77.77.10   ; Proxy IP, not the real VPS IP
ServerPort = 55901

Step 7: Update the SQL table (Season 6+)

In Season 6 and later servers, the ConnectServer reads the server list from the database:

USE MuOnline;
GO

-- Check current configuration
SELECT ServerCode, ServerName, ServerIp, ServerPort
FROM GameServerInfo
ORDER BY ServerCode;

-- Update all GameServers to the proxy IP
UPDATE GameServerInfo
SET ServerIp = '177.77.77.10'
WHERE ServerCode IN (0, 1, 2);
-- Adjust server codes to match your channel configuration

GO
Dica: In Season 2-S4 versions, look for ConnectServer/ServerList.dat or ServerInfo.dat. The IP field is usually the second column, comma or tab separated. Replace all occurrences of the real IP with the proxy IP.

Part 4 — Firewall on the MuServer VPS

Step 8: Restrict direct access to MU ports

On the MuServer VPS (Windows Server), open PowerShell as Administrator:

$ProxyIP = "177.77.77.10"   # Proxy VPS IP

# Allow ConnectServer only from proxy
New-NetFirewallRule -DisplayName "MU ConnectServer via Proxy" `
    -Direction Inbound -Protocol TCP -LocalPort 44405 `
    -RemoteAddress $ProxyIP -Action Allow

# Allow GameServers only from proxy
New-NetFirewallRule -DisplayName "MU GameServers via Proxy" `
    -Direction Inbound -Protocol TCP -LocalPort 55901-55910 `
    -RemoteAddress $ProxyIP -Action Allow

# Block direct external access (lower priority rule)
New-NetFirewallRule -DisplayName "MU Block Direct External" `
    -Direction Inbound -Protocol TCP `
    -LocalPort 44405,55901,55902,55903,55904,55905 `
    -Action Block
Atenção: In Windows Firewall, Allow rules take precedence over Block rules when both apply to the same packet. Confirm behavior in the wf.msc panel before ending your admin session. Test by connecting to the server before closing your RDP session.

Final Verification

From the proxy VPS, test connectivity to the MuServer VPS:

nc -zv 203.0.113.50 44405   # should return "succeeded"
nc -zv 203.0.113.50 55901

From your local machine, test the proxy ports:

# Linux/Mac
nc -zv 177.77.77.10 44405

# Windows PowerShell
Test-NetConnection -ComputerName 177.77.77.10 -Port 44405
Test-NetConnection -ComputerName 177.77.77.10 -Port 55901

Confirm the real IP is not leaking to clients using Wireshark on the game client: capture packets on port 44405 and verify that the ServerAddress field in the 0xF4 packets returned by the ConnectServer shows the proxy IP, not 203.0.113.50.

Troubleshooting

Players cannot connect after the change:

  1. Verify Nginx/HAProxy is running: systemctl status nginx or systemctl status haproxy
  2. Test the port locally on the proxy: nc -zv 127.0.0.1 44405
  3. Confirm the ConnectServer is running on the MuServer VPS
  4. Check logs: tail -f /var/log/nginx/error.log or journalctl -u haproxy -f

MU client shows "Unable to connect to server":

The game client executable or connect.ini still points to the old IP. In Season 6 clients, locate connect.ini in the client folder and update the ConnectServer IP field to the proxy IP.

Latency is higher than expected:

Use a proxy VPS geographically close to the MuServer VPS, ideally in the same datacenter. The latency difference should be under 5ms on quality networks. If both are in the same datacenter, use the internal network IP (10.x.x.x) instead of the public IP for proxy to MuServer communication to reduce latency to under 1ms.

Dica: To reload HAProxy configuration without dropping connected players, use systemctl reload haproxy. This applies new settings gracefully without closing existing TCP connections — players currently in-game are not disconnected during the reload.

Perguntas frequentes

Why use a reverse proxy instead of just a firewall?

A firewall filters traffic but still exposes your VPS real IP. With a reverse proxy, players and attackers only see the proxy node IP — the actual game server IP stays completely hidden, even if it leaks through DNS logs or packet analysis with Wireshark.

Does the reverse proxy add latency for players?

Yes, but minimally. A proxy in the same region as your server adds typically 2-8ms. For MU Online this is acceptable; the real latency bottleneck is the geographic distance between the player and the server, not the extra hop through the proxy.

Do I need two VPS servers for this to work?

Yes. The recommended architecture uses a cheap VPS as the proxy node (1vCPU/1GB RAM is sufficient) and your main VPS for the MU server. The proxy VPS absorbs or filters DDoS while the real server stays unreachable directly.

How do I update ConnectServer.ini after switching to proxy?

Update the PublicIP or ServerAddress field in CSConfig.ini to the proxy VPS IP. In Season 6+, also update the GameServerInfo table in the MuOnline database via SQL: UPDATE GameServerInfo SET ServerIp = 'PROXY_IP' WHERE ServerCode IN (0,1,2).

Can I use Nginx for TCP proxy instead of HAProxy?

Yes. Nginx with the stream module does native TCP proxying. Install nginx-full (which includes --with-stream) and add a stream block outside the http block in nginx.conf with ports 44405 and 55901-55910.

VI

ViciadosMU Team

Equipe editorial do ViciadosMU — portal de MU Online no ar desde 2003.

Keep reading

Related articles