
Is it ok to use website and server on separate machines?

imperianic

It's the correct way.

Every big game has the main systems of a server on separate machines, like site, voice system, chat system.

Isolating the applications ensures better performance and also security, like layer 7 attacks on the webserver that may harm the gameserver if hosted on the same machine.

The only disadvantage is the cost, so it depends on how big you are and the budget that you have.

If you are thinking about it, remember to get a machine located near your game database to avoid website slowness while doing queries.
 
Luan Luciano

Thanks for the answers ...

Let's move forward...

WEBSITE:
  • a VPS (ubuntu 22.04) only with HTTPS input and MYSQL output to access the database that is together with the server on another machine.
  • Installed only NGINX and PHP (and its extension for mysql).
  • Using znote AAC exploring cache issue.
  • Using cloudflare free.

SERVER:
  • dedicated (ubuntu 22.04)
  • Installed LEMP stack and PHPMYADMIN.
  • Created user with remote access to the database for the website.
  • Open SSH, 7171, 7172, MYSQL ports and close port 80 (open only when using phpmyadmin)
  • it is interesting to change the port number of all the services mentioned just as another security measure.

I did this to test and so far everything is fine.

Any more ideas on the infrastructure issue? Let's exchange knowledge.
 

Stellow

If your web gets flooded, it would still flood the game server by trying to access the database remotely.

To create a further layer of protection, I would make a cached middle-layer between the web and the game-server, so you don't access the database too frequently (besides crucial functions like login, create stuff, etc.)

Now since you have a middle layer, you don't have just to leave the 3306 port simply open. You can add further security, by opening the 3306 specifically to the middle-layer IP.

Then, you block the middle layer to be accessible only via the web server. (Maybe CORS)

As a final result:

The website is fully accessible.
The middle layer is only accessible via the website.
The middle layer protects frequent (flood) access to the game server.
3306 port on the game server is only accessible via the middle layer.


Note:
I would open PHPMyAdmin on a different port, and block that port to specific IP addresses. Opening 80 just to access it is not optimal, and opens short periods of vulnerability.
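
The layering described in the post above, as an added sketch that is not part of the thread or any poster's code: a middle layer that accepts calls only from the web server, serves frequent reads from a short-lived cache, and passes crucial operations straight through. All names and the 203.0.113.10 address are constructed; the caller check uses the connection's source IP, because CORS is enforced by browsers and does not limit server-to-server requests.

```python
import time

WEB_SERVER_IP = "203.0.113.10"   # constructed address standing in for the website VPS


class CachedGateway:
    """Middle layer between website and game database (hypothetical names throughout)."""

    def __init__(self, query_db, allowed_callers, cacheable, ttl=30.0, clock=time.monotonic):
        self.query_db = query_db                 # callable(name) -> rows; stands in for the MySQL call
        self.allowed = frozenset(allowed_callers)
        self.cacheable = frozenset(cacheable)    # fixed key set, so unique keys cannot bypass or bloat the cache
        self.ttl = ttl
        self.clock = clock
        self._cache = {}                         # name -> (expires_at, rows)

    def _check(self, caller_ip):
        # caller_ip must be the TCP peer address, never a client-supplied header.
        if caller_ip not in self.allowed:
            raise PermissionError(f"caller {caller_ip} is not the web server")

    def read(self, caller_ip, name):
        """Frequent, cacheable lookups (highscores, online list)."""
        self._check(caller_ip)
        if name not in self.cacheable:
            raise KeyError(f"{name} is not a cacheable query")
        now = self.clock()
        entry = self._cache.get(name)
        if entry and entry[0] > now:
            return entry[1]                      # served from cache, database untouched
        rows = self.query_db(name)
        self._cache[name] = (now + self.ttl, rows)
        return rows

    def direct(self, caller_ip, name):
        """Crucial operations (login, account creation) always reach the database."""
        self._check(caller_ip)
        return self.query_db(name)


def simulate_flood(requests=1000, seconds=60.0, ttl=30.0):
    """Constructed scenario: evenly spaced highscore page views; returns database queries issued."""
    db_calls, now = [], [0.0]

    def query_db(name):
        db_calls.append(name)
        return f"rows for {name}"

    gw = CachedGateway(query_db, {WEB_SERVER_IP}, {"highscores"}, ttl, clock=lambda: now[0])
    for i in range(requests):
        now[0] = i * seconds / requests
        gw.read(WEB_SERVER_IP, "highscores")
    return len(db_calls)
```

With the defaults, 1000 page views over one minute reach the database twice, once per 30-second cache window.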
 
Luan Luciano

Thanks for the answer @Stellow

> To create a further layer of protection, I would make a cached middle-layer between the web and the game-server, so you don't access the database too frequently (besides crucial functions like login, create stuff, etc.)

I'm learning to use PHP's APC User Cache (APCu) to work with cache on the website.

> Now since you have a middle layer, you don't have just to leave the 3306 port simply open. You can add further security, by opening the 3306 specifically to the middle-layer IP.

Do you mean open port 3306 on the server machine's firewall only to the website machine's IP?
For example: sudo ufw allow from 123.123.123.123 to any port 3306

> Then, you block the middle layer to be accessible only via the web server. (Maybe CORS)

I don't know how to do this =(

> Note:
> I would open PHPMyAdmin on a different port, and block that port to specific IP addresses. Opening 80 just to access it is not optimal, and opens short periods of vulnerability.

Let's say I would only use phpmyadmin in very rare cases.

Thank you for the tips.
 

imperianic

I use MySQL Benchmark Workstation, but it's confusing as fuck to learn. HeidiSQL is a better option.

Also, to increase security, learn a little bit about iptables rules, to allow only your servers to communicate with opened ports, like MySQL. Just take care with SSH access xD
 