# Allowing Transfer-In to Minehut (with limitations) [EXTERNAL-SERVER]

hollow osprey
#

I’d like to suggest reconsidering the current restriction on the transfer feature, specifically regarding incoming transfers (transfer-in).

❓ Context - My Use Case
I'm running a server network where I’d like to route some of my player base (around half) through Minehut’s proxy to a server hosted on Minehut. My intent was:
My Proxy → Minehut Proxy (external server here) → Main Server (for 1/2 of players)

This was to:

  • Encourage players to use the Minehut-hosted version of the server.
  • Give rewards & better onboarding for those joining via Minehut.
  • Still allow others to connect through my proxy directly if they prefer. (I can even give them a GUI if they connect via my IP & let them choose if they'd like to connect through the Minehut proxy or not)

I've built a system (after hours of work 😅) that handles version filtering (sending only those with 1.20.5+), excluding Bedrock (because Bedrock players have a custom resource pack in my server), security prompts, and proper routing — but I hit the wall when I found that transfers to Minehut are disabled entirely.

⚠️Concerns Addressed
I understand the concerns raised:

  • Transfer-out is the real risk (taking players off Minehut).
  • Transfer-in could still be seen as “unwilling” if done silently. (but if you check some servers who direct players via minehut without even telling them using custom IP, like play.XXX.net, it's prob even worse as they redirect 100% of players to Minehut unwillingly)

But I believe there could be reasonable limitations added to support valid use cases like mine, without compromising security or ethical gameplay.

✅ My Suggestions

  • Only allow transfer into Minehut, while strictly blocking transfer out. This could be enforced at the proxy level by cancelling any outbound transfer attempt or auto-kicking players if such a transfer is initiated.
  • Whitelist trusted proxy IPs or domains allowed to be listed in transforms. This way we could list ONLY the IPs (domains) under the minehut. You can even allow only the IPs provided by minehut like XXXX.minehut.gg, so this way only "in direction" will be enforced
  • Security prompts still apply — any transferred player would still be subject to existing security measures like CAPTCHA, IP validation, or bot detection, just as they would if they joined through the official Minehut IP. --> because they'll be redirected to the minehut.gg IP

With this considered, especially the whitelisting part for .minehut.gg IPs, I believe we could get the transfer feature, there's nothing in the way that could probably allow some abusive behavior?


atomic cave
#

so, this has been suggested before, but was ruled too big a risk

flat fiber
# hollow osprey I’d like to suggest reconsidering the current restriction on the **transfer feat...

For anyone wanting a summary:

A request to modify Minehut's Minecraft server transfer feature to permit incoming transfers while blocking outbound ones. They've built a system to route players through Minehut's proxy but discovered all transfers are disabled. Their solution suggests whitelisting only .minehut.gg domains and maintaining security protocols to enable this functionality safely.

atomic cave
#

because of ips

#

minehut hides your ip, and you can't do that if they transfer

#

while it was suggested to only be allowed to partners, frankly, as i said in the partners discord, i don't really trust all of them to not abuse that

hollow osprey
# atomic cave so, this has been suggested before, but was ruled too big a risk

And if it limits only the IN & allow whitelists only the XXXX.minehut.gg what can be the risk behind it? It would transfer players only to minehut, the same way as the direct connecting with IP does

If it's transfer to the proxy (haproxy), isn't the IP still hidden? I think it should be?
As like:
My proxy -> Minehut proxy -> backend server

hollow osprey
#

normally you do transfer to backend directly, but if it's done to proxy before (the minehut ones), I thought the IPs will be hidden

atomic cave
#

a transfer packet literally tells the client to disconnect, and reconnect directly (to the transfer ip)

#

if you're suggesting that it just still goes through the minehut proxy, then what's the point

#

it already does that

hollow osprey
#

my suggestion is like:
use IP play.xxx.net and then 1/2 of players (the ones with 1.20.5 & not bedrock ones, and may some else) will be redirected to the XXXX.minehut.gg (minehut proxy that will connect to backend server then) that's what I wanted to do
Won't this still hide the IP then?
The other 1/2 of players (or even less) will connect normally to backend through my proxy (no transfer to minehut)

atomic cave
hollow osprey
#

so even if they're transferred to xx.minehut.gg (the proxy from minehut, they can connect directly to it as well), then it won't hide their IPs right? yeah, that's a bit of a downside then if it really does that

atomic cave
#

wait, are you trying to connect them to minehut proxy, and reroute to your server?

#

basically, minehut needs to be the first in the chain to hide the ips

#

not your proxy

hollow osprey
#

but I still assume there's not so high risk, because:
-> you can have xx.minehut.gg that will be used when connecting from minehut
-> you can have your own IP play.xxx.net that will connect players directly (and you'll know IP of these players)
(no transfer here, just 2 proxies setup & you still know the IP of the people who connect directly, so why would be the risk if you know it even if they're transferred to minehut then)

atomic cave
#

and redirect packets "break" the chain

hollow osprey
#

I wanted:
my proxy -> minehut special proxy (external server) -> backend server

#

maybe I specified it a bit wrong, I thought minehut proxy as external server there

atomic cave
#

yeah, that's not really a great idea imo, unless it's location based

hollow osprey
#

yeah but would it be problem that IPs aren't hidden in case own proxy is the 1st in chain?
If you remove the middle part (external minehut server) and it will be just
my proxy -> backend server (no minehut here)
you'll still know the IPs of players

#

in case players wanna connect directly through your IP, why it would be then issue knowing their IPs, as if it wasn't in minehut you'll know them

atomic cave
#

i mean, if they connect through your stuff first, you will know their ip, even if minehut is later in the chain

#

it's not really a problem

#

but basically, what i'm saying is that you aren't going to be able to transfer a player out of minehut, only a transfer in is feasible

hollow osprey
#

yeah I wanna do just transfer in, or?
My proxy -> transfer INto Minehut proxy (external server that's behind Minehut haproxy) -> backend server

atomic cave
#

once again though, why?

hollow osprey
#

like I made the setup that if player wasn't connected through minehut proxy then he was sent there from my main proxy

hollow osprey
#

no because the IN transfers are blocked as well

#

but when I disabled minehut then it worked, like transferring to proxy was possible
It broke when I connected it behind haproxy

#

but basically when it wasn't connected to minehut it worked (like:
proxy -> not minehut proxy -> backend