Load Balancing Security Concern

After reading the docs, I have a potential security concern regarding how game servers register themselves. It seems like the master server automatically accepts all game servers that attempt to register themselves, and there is no way to authenticate this action.

If I am able to launch additional game servers with my master server running, then can't any other person with my master server IP do the same? Am I not understanding how the game servers register themselves?

Comments

  • chvetsov
    hey, hey @JPGOrdon

    yes, the concern is correct. That is why we set up the listener in such a way that it listens only on the internal IP. External is not accessible. Also, you could implement something like an IP 'white' list. Another option is token auth between game servers and master. The idea is that GS and Master share one secret key and GS sends something encrypted using that secret key. If the master is able to decrypt the request, it allows the GS to connect. That is it.

    best,
    ilya
  • JPGOrdon
    edited October 2020
    chvetsov wrote: »
    hey, hey @JPGOrdon

    yes, the concern is correct. That is why we set up the listener in such a way that it listens only on the internal IP. External is not accessible. Also, you could implement something like an IP 'white' list. Another option is token auth between game servers and master. The idea is that GS and Master share one secret key and GS sends something encrypted using that secret key. If the master is able to decrypt the request, it allows the GS to connect. That is it.

    best,
    ilya

    I understand that both the master server and game server are listening to only internal IP addresses in the load balancing setup, given that they are running on the same machine. In a real-world scenario involving a master server and GS with separate IPs, I would change the MS listeners to listen specifically for my game server(s). Would I have to change the listener on my game server, too, to handle connections properly? Why does the game server also have a wild-card IP?

    Also, is there a way to list multiple acceptable IP addresses for the IPAddress value? The documentation neglects this.
  • chvetsov
    In every data center your machine has an internal and an external interface. If you are not going to use different data centers, then you are fine.

    No, there is no way to have multiple IPAddresses.

    best,
    ilya
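
The shared-secret token check suggested in the first reply, sketched as an added example that is not part of the thread and not Photon's own code or API. It authenticates the registration message with an HMAC tag instead of encrypting it, and adds a freshness window and nonce cache so a captured message cannot be replayed; every name here (`make_register_token`, `MasterVerifier`, the message fields, the 30-second window) is a hypothetical choice for illustration.

```python
import hashlib
import hmac
import os
import time

MAX_SKEW_SECONDS = 30  # assumed freshness window, not a Photon setting


def _payload(server_id, ts, nonce):
    # Length-prefix the id so field boundaries cannot be shifted.
    return f"{len(server_id)}:{server_id}|{ts}|{nonce}".encode()


def make_register_token(secret, server_id, now=None):
    """Game-server side: registration message tagged with the shared secret."""
    ts = int(time.time() if now is None else now)
    nonce = os.urandom(16).hex()
    tag = hmac.new(secret, _payload(server_id, ts, nonce), hashlib.sha256).hexdigest()
    return {"server_id": server_id, "ts": ts, "nonce": nonce, "tag": tag}


class MasterVerifier:
    """Master side: accept a registration only if the tag, age and nonce check out."""

    def __init__(self, secret):
        self._secret = secret
        self._seen = {}  # nonce -> timestamp of accepted message

    def verify(self, msg, now=None):
        now = time.time() if now is None else now
        try:
            server_id, nonce, tag = msg["server_id"], msg["nonce"], msg["tag"]
            ts = int(msg["ts"])
        except (KeyError, TypeError, ValueError):
            return False
        if not all(isinstance(v, str) for v in (server_id, nonce, tag)):
            return False
        expected = hmac.new(self._secret, _payload(server_id, ts, nonce),
                            hashlib.sha256).hexdigest()
        # Constant-time comparison; a wrong secret or edited field fails here.
        if not hmac.compare_digest(expected.encode(), tag.encode()):
            return False
        if abs(now - ts) > MAX_SKEW_SECONDS:
            return False  # stale capture (or badly skewed clock)
        # Forget nonces whose messages are too old to be accepted anyway.
        self._seen = {n: t for n, t in self._seen.items()
                      if now - t <= MAX_SKEW_SECONDS}
        if nonce in self._seen:
            return False  # replay of an already accepted registration
        self._seen[nonce] = ts
        return True
```

This complements, rather than replaces, binding the master's listener to the internal interface: the token only proves knowledge of the secret, so the secret still has to be provisioned to each game server out of band.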