Really just a theory crafting question. I am mainly asking to see if anyone sees any major potential problems out of a setup like this scenario:
- Unity is compiled into a dedicated server which is run on a private dedicated machine (run by the company, not by any end-users).
- MySQL server is a separate machine.
- Unity clients/peers connect to the dedicated Unity server instance.
- Unity dedicated server connects to the MySQL server and accesses the database to execute queries.
My question is, would this setup be secure if a) the MySQL server is instructed only to receive connections from whitelisted machines (any dedicated servers launched); b) the login credentials for the MySQL server are stored in another file (say XML or plaintext) away from the Unity client/server (i.e. not hardcoded); and c) the Unity dedicated server instance knows the filename and path to get the XML or plaintext file holding MySQL login credentials and loads those at runtime?
Essentially, I would store login credentials for the MySQL DB in a separate file which is not given in the distro to clients/peers, would load that information at runtime only on the server, and the server would then load this information to connect to the MySQL database.
The question: Do you see any glaring security holes in a setup such as this? I would prefer not to use PHP as a middleman connector between the Unity server and the MySQL server, I would like for the MySQL server and Unity server to exist on different hardware to offer better scalability, and the client should never have direct access to the MySQL server.
Due to the architecture, the code in Unity would contain either the MySQL queries hardcoded or (more preferably) would access the query definitions in a similar way to the credentials (pulling in the query definitions from an external file also not stored on the client machines).
No system will ever be 100% secure, but you can take steps toward that goal. I merely want to see if anyone with more security experience sees holes or has tips for avoiding common pitfalls in a setup like what I described.