How to Configure Reverse Proxy to Protect MU Server IP
Learn to configure a TCP reverse proxy with HAProxy and Nginx to hide your MU Online server's real IP and protect it against DDoS attacks using two VPS nodes.
Exposing your MU Online server's real IP is an open invitation to DDoS attacks. A single attacker with access to common booter tools can take down an unprotected VPS in minutes. The solution is to place a TCP reverse proxy on a separate server so that players and attackers never see the IP where MuServer actually runs.
This guide covers the full configuration using HAProxy and Nginx (stream module) on a separate edge VPS, along with MuServer adjustments and firewall rules on the main server.
Solution Architecture
Players → Edge/Proxy VPS (public IP, disclosed) → MuServer VPS (real IP, hidden)
44405, 55901-55910 (TCP) 44405, 55901-55910
The proxy VPS is the only server with those ports open to the internet. The MuServer VPS blocks all external connections on those ports, accepting only traffic originating from the proxy IP.
Standard MU Online ports that need proxying:
| Service | TCP Port |
|---|---|
| ConnectServer | 44405 |
| GameServer (per channel) | 55901, 55902, 55903... |
| DataServer | 57900 (rarely exposed) |
Part 1 — TCP Proxy with Nginx (stream module)
Step 1: Install Nginx with stream support
On the proxy VPS (Ubuntu/Debian):
apt update && apt install nginx-full -y
nginx -V 2>&1 | grep -- --with-stream
# Expected output: --with-stream or --with-stream=dynamic
Step 2: Configure the stream block in nginx.conf
Edit /etc/nginx/nginx.conf and add the stream block outside the http block, just before the end of the file:
stream {
# ConnectServer
upstream mu_connect {
server 203.0.113.50:44405; # Real IP of your MuServer VPS
}
server {
listen 44405;
proxy_pass mu_connect;
proxy_timeout 10m;
proxy_connect_timeout 5s;
}
# GameServer channel 0
upstream mu_gs1 {
server 203.0.113.50:55901;
}
server {
listen 55901;
proxy_pass mu_gs1;
proxy_timeout 30m;
proxy_connect_timeout 5s;
}
# GameServer channel 1
upstream mu_gs2 {
server 203.0.113.50:55902;
}
server {
listen 55902;
proxy_pass mu_gs2;
proxy_timeout 30m;
proxy_connect_timeout 5s;
}
}
203.0.113.50 with your MuServer VPS real IP. Keep this IP absolutely secret. Never mention it in public panels, forums, or logs.Step 3: Validate and reload
nginx -t
# nginx: configuration file /etc/nginx/nginx.conf test is successful
systemctl reload nginx
systemctl status nginx
Part 2 — Alternative with HAProxy
HAProxy provides automatic health checks and a statistics dashboard, making it preferable when managing multiple GameServers or load balancing.
Step 4: Install and configure HAProxy
apt update && apt install haproxy -y
haproxy -v
# HAProxy version 2.4.x or higher
Edit /etc/haproxy/haproxy.cfg:
global
log /dev/log local0
maxconn 50000
daemon
defaults
log global
mode tcp
option tcplog
option dontlognull
timeout connect 5s
timeout client 30m
timeout server 30m
# ConnectServer
frontend mu_connect_front
bind *:44405
default_backend mu_connect_back
backend mu_connect_back
server vps_real 203.0.113.50:44405 check inter 5s rise 2 fall 3
# GameServer channel 0
frontend mu_gs1_front
bind *:55901
default_backend mu_gs1_back
backend mu_gs1_back
server vps_real 203.0.113.50:55901 check inter 5s rise 2 fall 3
# GameServer channel 1
frontend mu_gs2_front
bind *:55902
default_backend mu_gs2_back
backend mu_gs2_back
server vps_real 203.0.113.50:55902 check inter 5s rise 2 fall 3
# Statistics dashboard (restricted access)
listen stats
bind *:8404
mode http
stats enable
stats uri /haproxy-stats
stats auth admin:ReplaceWithStrongPassword
stats refresh 10s
haproxy -c -f /etc/haproxy/haproxy.cfg
systemctl restart haproxy && systemctl enable haproxy
Access http://PROXY_IP:8404/haproxy-stats to monitor active connections and backend status in real time.
Part 3 — MuServer Adjustments
Step 5: Update CSConfig.ini on the ConnectServer
Edit ConnectServer/CSConfig.ini on the MuServer VPS:
[CONNECT_SERVER]
Port = 44405
PublicIP = 177.77.77.10 ; Proxy VPS IP — disclosed to game clients
InternalIP = 0.0.0.0 ; Listen on all local interfaces
MaxConnections = 10000
ServerListFile = ServerList.dat
Step 6: Update ServerList.dat
The file ConnectServer/ServerList.dat must reference the proxy IP for every GameServer entry:
[SERVER_INFO]
ServerCode = 0
ServerName = Main Server
ServerAddress = 177.77.77.10 ; Proxy IP, not the real VPS IP
ServerPort = 55901
Step 7: Update the SQL table (Season 6+)
In Season 6 and later servers, the ConnectServer reads the server list from the database:
USE MuOnline;
GO
-- Check current configuration
SELECT ServerCode, ServerName, ServerIp, ServerPort
FROM GameServerInfo
ORDER BY ServerCode;
-- Update all GameServers to the proxy IP
UPDATE GameServerInfo
SET ServerIp = '177.77.77.10'
WHERE ServerCode IN (0, 1, 2);
-- Adjust server codes to match your channel configuration
GO
ConnectServer/ServerList.dat or ServerInfo.dat. The IP field is usually the second column, comma or tab separated. Replace all occurrences of the real IP with the proxy IP.Part 4 — Firewall on the MuServer VPS
Step 8: Restrict direct access to MU ports
On the MuServer VPS (Windows Server), open PowerShell as Administrator:
$ProxyIP = "177.77.77.10" # Proxy VPS IP
# Allow ConnectServer only from proxy
New-NetFirewallRule -DisplayName "MU ConnectServer via Proxy" `
-Direction Inbound -Protocol TCP -LocalPort 44405 `
-RemoteAddress $ProxyIP -Action Allow
# Allow GameServers only from proxy
New-NetFirewallRule -DisplayName "MU GameServers via Proxy" `
-Direction Inbound -Protocol TCP -LocalPort 55901-55910 `
-RemoteAddress $ProxyIP -Action Allow
# Block direct external access (lower priority rule)
New-NetFirewallRule -DisplayName "MU Block Direct External" `
-Direction Inbound -Protocol TCP `
-LocalPort 44405,55901,55902,55903,55904,55905 `
-Action Block
Final Verification
From the proxy VPS, test connectivity to the MuServer VPS:
nc -zv 203.0.113.50 44405 # should return "succeeded"
nc -zv 203.0.113.50 55901
From your local machine, test the proxy ports:
# Linux/Mac
nc -zv 177.77.77.10 44405
# Windows PowerShell
Test-NetConnection -ComputerName 177.77.77.10 -Port 44405
Test-NetConnection -ComputerName 177.77.77.10 -Port 55901
Confirm the real IP is not leaking to clients using Wireshark on the game client: capture packets on port 44405 and verify that the ServerAddress field in the 0xF4 packets returned by the ConnectServer shows the proxy IP, not 203.0.113.50.
Troubleshooting
Players cannot connect after the change:
- Verify Nginx/HAProxy is running:
systemctl status nginxorsystemctl status haproxy - Test the port locally on the proxy:
nc -zv 127.0.0.1 44405 - Confirm the ConnectServer is running on the MuServer VPS
- Check logs:
tail -f /var/log/nginx/error.logorjournalctl -u haproxy -f
MU client shows "Unable to connect to server":
The game client executable or connect.ini still points to the old IP. In Season 6 clients, locate connect.ini in the client folder and update the ConnectServer IP field to the proxy IP.
Latency is higher than expected:
Use a proxy VPS geographically close to the MuServer VPS, ideally in the same datacenter. The latency difference should be under 5ms on quality networks. If both are in the same datacenter, use the internal network IP (10.x.x.x) instead of the public IP for proxy to MuServer communication to reduce latency to under 1ms.
systemctl reload haproxy. This applies new settings gracefully without closing existing TCP connections — players currently in-game are not disconnected during the reload.Perguntas frequentes
Why use a reverse proxy instead of just a firewall?
A firewall filters traffic but still exposes your VPS real IP. With a reverse proxy, players and attackers only see the proxy node IP — the actual game server IP stays completely hidden, even if it leaks through DNS logs or packet analysis with Wireshark.
Does the reverse proxy add latency for players?
Yes, but minimally. A proxy in the same region as your server adds typically 2-8ms. For MU Online this is acceptable; the real latency bottleneck is the geographic distance between the player and the server, not the extra hop through the proxy.
Do I need two VPS servers for this to work?
Yes. The recommended architecture uses a cheap VPS as the proxy node (1vCPU/1GB RAM is sufficient) and your main VPS for the MU server. The proxy VPS absorbs or filters DDoS while the real server stays unreachable directly.
How do I update ConnectServer.ini after switching to proxy?
Update the PublicIP or ServerAddress field in CSConfig.ini to the proxy VPS IP. In Season 6+, also update the GameServerInfo table in the MuOnline database via SQL: UPDATE GameServerInfo SET ServerIp = 'PROXY_IP' WHERE ServerCode IN (0,1,2).
Can I use Nginx for TCP proxy instead of HAProxy?
Yes. Nginx with the stream module does native TCP proxying. Install nginx-full (which includes --with-stream) and add a stream block outside the http block in nginx.conf with ports 44405 and 55901-55910.