Document SSH console and RCON password secrets file (#3843)

Author: EmilyxFox

docs/configuration/server-properties.md

@@ -238,15 +238,46 @@ By default an existing `server-icon.png` file will not be replaced, that can be
 
 ### RCON
 
-RCON is **enabled by default** to allow for graceful shut down the server and coordination of save state during backups. RCON can be disabled by setting `ENABLE_RCON` to "false".
+RCON is **enabled by default** to allow for graceful shut down of the server and coordination of save state during backups. RCON can be disabled by setting `ENABLE_RCON` to "false".
 
 !!! warning
 
     Disabling RCON will remove and limit some features, such as interactive and color console support.
 
-The default password is randomly generated on each startup; however, a specific one can be set with `RCON_PASSWORD`.
+#### RCON Password
 
-**DO NOT MAP THE RCON PORT EXTERNALLY** unless you are aware of all the consequences and have set a **secure password** with `RCON_PASSWORD`. 
+The default password is randomly generated on each startup. However, you can specify a password using one of the following environment variables:
+
+* Set `RCON_PASSWORD` to your desired password.
+* Set `RCON_PASSWORD_FILE` to the path of a file containing the password.
+
+Using `RCON_PASSWORD_FILE` is the recommended method for managing sensitive data, as it allows full support for [Docker Secrets](https://docs.docker.com/compose/how-tos/use-secrets/).
+
+??? example
+    ```yaml title="compose.yaml"
+    services:
+      mc:
+        image: itzg/minecraft-server:latest
+        pull_policy: daily
+        tty: true
+        stdin_open: true
+        ports:
+          - "25565:25565"
+        environment:
+          EULA: "TRUE"
+          RCON_PASSWORD_FILE: /run/secrets/rcon_pass # Points to the path where the secret is mounted
+        volumes:
+          # attach the relative directory 'data' to the container's /data path
+          - ./data:/data
+        secrets:
+          - rcon_pass
+    
+    secrets:
+      rcon_pass:
+        file: ./rcon_password # local file containing the password
+    ```
+!!! warning
+    **BE CAUTIOUS OF MAPPING THE RCON PORT EXTERNALLY** unless you are aware of all the consequences and have set a **secure password**.
 
 !!! info 
 
@@ -444,4 +475,4 @@ When using `docker run` from a bash shell, the entries must be quoted with the `
 | STATUS_HEARTBEAT_INTERVAL               | [status-heartbeat-interval](https://minecraft.wiki/w/Server.properties#status-heartbeat-interval)                             |
 | SYNC_CHUNK_WRITES                       | [sync-chunk-writes](https://minecraft.wiki/w/Server.properties#sync-chunk-writes)                                             |
 | USE_NATIVE_TRANSPORT                    | [use-native-transport](https://minecraft.wiki/w/Server.properties#use-native-transport)                                       |
-| VIEW_DISTANCE                           | [view-distance](https://minecraft.wiki/w/Server.properties#view-distance)                                                     |
+| VIEW_DISTANCE                           | [view-distance](https://minecraft.wiki/w/Server.properties#view-distance)                                                     |

docs/sending-commands/ssh.md

@@ -0,0 +1,70 @@
+---
+title: Over SSH
+---
+
+The container can host an SSH console. It is enabled by setting `ENABLE_SSH` to `true`.
+The SSH server only supports password based authentication. The password is the same as the RCON password.
+
+!!! question
+    See [the RCON password](../configuration/server-properties.md/#rcon-password) section under configuration/server-properties for more information on how to set an RCON password.
+
+The SSH server runs on port `2222` inside the container.
+
+??? tip "Tip: Exposing the SSH port"
+
+    !!! warning "Security Implications"
+        By default, publishing ports in Docker binds them to all network interfaces (`0.0.0.0`), making the SSH console accessible to any device that can reach your host machine.
+        
+        Since the SSH console grants **full administrative access** to your server, it is critical to use a strong [RCON password](../configuration/server-properties.md/#rcon-password). 
+        
+        If you wish to restrict access to the local machine only, refer to the [Docker documentation](https://docs.docker.com/engine/network/port-publishing/#publishing-ports) on binding to specific IP addresses (e.g., `127.0.0.1:2222:2222`).
+      
+        If SSH access is only intended for inter-container connections, consider **NOT** forwarding the port to the host machine, and putting the containers in a shared [Docker network](https://docs.docker.com/engine/network/#user-defined-networks).
+
+    ```yaml title="compose.yaml"
+    services:
+      mc:
+        ports:
+          - '25565:25565'
+          - '2222:2222'
+    ```
+
+## Connecting
+
+Connecting should be as simple as running
+```bash
+ssh [email protected] -p 2222
+```
+and typing in the RCON password.
+
+## Environment variables
+
+| Environment Variable | Usage                     | Default |
+| -------------------- | ------------------------- | ------- |
+| `ENABLE_SSH`   | Enable remote SSH console | `false` |
+
+
+## Example
+
+```yaml title="compose.yaml"
+services:
+  mc:
+    image: itzg/minecraft-server:latest
+    pull_policy: daily
+    tty: true
+    stdin_open: true
+    ports:
+      - "25565:25565"
+      - "2222:2222"
+    environment:
+      EULA: "TRUE"
+      ENABLE_SSH: true
+      RCON_PASSWORD_FILE: /run/secrets/rcon_pass
+    volumes:
+      # attach the relative directory 'data' to the container's /data path
+      - ./data:/data
+    
+secrets:
+  rcon_pass:
+    file: ./rcon_password
+```

docs/sending-commands/websocket.md

@@ -1,8 +1,8 @@
 ---
-title: With websocket
+title: With WebSocket
 ---
 
-With `WEBSOCKET_CONSOLE` set to `true`, logs can be streamed, and commands sent, over a websocket connection.
+With `WEBSOCKET_CONSOLE` set to `true`, logs can be streamed, and commands sent, over a WebSocket connection.
 The API is available on `/console`.
 
 ## Password
@@ -21,7 +21,16 @@ The listen address and port can be set with `WEBSOCKET_ADDRESS` (defaults to `0.
 ## Log history
 When a connection is established, the last 50 (by default, configurable with `WEBSOCKET_LOG_BUFFER_SIZE`) log lines are sent with a `logHistory` type message.
 
-??? tip "Tip: Remember to forward the websocket port on the host"
+??? tip "Tip: Remember to forward the WebSocket port on the host"
+
+    !!! warning "Security Implications"
+        By default, publishing ports in Docker binds them to all network interfaces (`0.0.0.0`), making the WebSocket console accessible to any device that can reach your host machine.
+        
+        Since the WebSocket console grants **full administrative access** to your server, it is critical to use a strong [WebSocket password](#password) or [RCON password](../configuration/server-properties.md/#rcon-password).
+      
+        If you wish to restrict access to the local machine only, refer to the [Docker documentation](https://docs.docker.com/engine/network/port-publishing/#publishing-ports) on binding to specific IP addresses (e.g., `127.0.0.1:80:80`).
+        
+        If WebSocket access is only intended for inter-container connections, consider **NOT** forwarding the port to the host machine, and putting the containers in a shared [Docker network](https://docs.docker.com/engine/network/#user-defined-networks).
 
     ```yaml title="compose.yaml"
     services:
@@ -34,12 +43,12 @@ When a connection is established, the last 50 (by default, configurable with `WE
 ## Environment variables
 | Environment Variable               | Usage                                                      | Default      |
 | ---------------------------------- | ---------------------------------------------------------- | ------------ |
-| `WEBSOCKET_CONSOLE`                | Allow remote shell over websocket                          | `false`      |
-| `WEBSOCKET_ADDRESS`                | Bind address for websocket server                          | `0.0.0.0:80` |
+| `WEBSOCKET_CONSOLE`                | Allow remote shell over WebSocket                          | `false`      |
+| `WEBSOCKET_ADDRESS`                | Bind address for WebSocket server                          | `0.0.0.0:80` |
 | `WEBSOCKET_DISABLE_ORIGIN_CHECK`   | Disable checking if origin is trusted                      | `false`      |
 | `WEBSOCKET_ALLOWED_ORIGINS`        | Comma-separated list of trusted origins                    | ` `          |
 | `WEBSOCKET_PASSWORD`               | Password will be the same as RCON_PASSWORD if unset        | ` `          |
-| `WEBSOCKET_DISABLE_AUTHENTICATION` | Disable websocket authentication                           | `false`      |
+| `WEBSOCKET_DISABLE_AUTHENTICATION` | Disable WebSocket authentication                           | `false`      |
 | `WEBSOCKET_LOG_BUFFER_SIZE`        | Number of log lines to save and send to connecting clients | `50`         |
 
 ## API Schema