
The following diagram illustrates the final server architecture of our fictitious VirtuaPark project:


· Web Server: since most of the server-side calls will be directed to the SmartFoxServer extension, including user registration, password recovery, etc., we will probably be able to handle all the web traffic with a single web server machine. Additionally, in order to avoid a single point of failure, we may want to keep a spare mirror machine in case the web server goes down.

· SmartFoxServer: each instance will run on a high-spec dual-core, dual-CPU machine capable of handling at least 8 - 14.000 users (this includes chats, instant messenger, multiplayer games, etc.) for a total of 40.000 or more concurrent users.

· Database Server: the database will process the requests coming from all region instances. For this reason we decided to use a clustered solution, in order to guarantee the best availability of the service.

(You can read more about performance and scalability in this f.a.q.)

» Securing the Virtual World

We've seen that MMOGs are pretty complex applications based on various server technologies, and for each of them we could write an entire book that delves into specific security concerns. Since this article is centered around the SmartFoxServer technology, we will take a look at some common-sense techniques and best practices to reduce the amount of hacking to the minimum possible.


· Basic security tools: SmartFoxServer comes with a basic set of security tools that can be configured to avoid typical hacking attempts like connection and message flooding. To avoid these problems we provide anti-flood filters and an IP filter that prevents too many connections from a single IP address. Additionally, the server is extremely paranoid with connected sockets that don't perform a login request. Such connections can't interact with the server and they are shut down after a configurable amount of time.

· Server public requests: SmartFoxServer exposes a number of public commands that any client can invoke on the server, provided that they successfully logged in. Among these requests we have: login request, join request, public and private messages, etc. All these public commands are heavily validated by the server to avoid malicious requests, and they can be inhibited through the configuration file to avoid unwanted requests. You can learn more about disabling public requests here.

· Server side logic: it is vital that all the application logic is kept on the server side, as the Flash client can be easily reverse engineered and modified to perform malicious calls. Additionally, you should be paranoid with every client request and heavily validate each one, especially in prize-based games, transactions that involve money information and similar cases.

· Money / Prize transactions: if you run prize-based games (whether it's money, goods, services, etc.) you will certainly attract the interest of hackers. In order to achieve the best security you should run your prize transactions between SmartFoxServer and an external SSL-enabled web server. This way the communication happens between the two servers, hidden from indiscreet eyes and through a highly secure protocol.

· Client side hardening: since SWF files are easily reverse engineered with a decompiler, it is crucial to make the life of the hacker-wannabe as hard as possible. There probably isn't a perfect solution for completely securing the client application, but you can achieve good-enough results by combining various techniques:

2. If you are loading external XML data containing sensitive information about other application resources, encrypt it.

4. Use the cross-domain policy file to stop unwanted domains. If someone steals your client application and tries to upload a hacked version on another website, the connection to your servers will be refused.

5. With the latest Actionscript 3.0 you can transfer entire swf files as byte arrays through the socket. By doing so you will skip the browser cache and make it very hard to capture.
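The server-side validation described under "Server side logic" above, shown as an added example that is not part of the original article or of SmartFoxServer's own code. The `Player` class, the `handle_bet` function, the `MAX_BET` limit and the request fields are hypothetical stand-ins for extension logic, and no SmartFoxServer API is used.

```python
from dataclasses import dataclass

MAX_BET = 100  # assumed table limit for this example


@dataclass
class Player:
    name: str
    balance: int           # authoritative value, stored only on the server
    bet_placed: bool = False


def handle_bet(player, params):
    """Validate a client 'bet' request; return (accepted, reason)."""
    # Accept only the field the server asked for. A client-sent 'payout'
    # or 'balance' indicates a modified client, so the request is rejected.
    if not isinstance(params, dict) or set(params) != {"amount"}:
        return False, "unexpected fields"
    amount = params["amount"]
    # bool is a subclass of int in Python, so exclude it explicitly.
    if isinstance(amount, bool) or not isinstance(amount, int):
        return False, "amount must be an integer"
    if not 1 <= amount <= MAX_BET:
        return False, "amount out of range"
    if amount > player.balance:
        return False, "insufficient balance"
    if player.bet_placed:
        return False, "bet already placed this round"
    player.balance -= amount      # state changes only after every check passed
    player.bet_placed = True
    return True, "ok"


def run_samples():
    """Replay constructed requests against one player; return the reasons."""
    player = Player("alice", balance=50)
    requests = [                            # constructed sample input
        {"amount": 10, "payout": 1000000},  # extra field from a modified client
        {"amount": -10},                    # negative stake
        {"amount": "10"},                   # wrong type
        {"amount": 80},                     # within the limit, above the balance
        {"amount": 10},                     # legitimate
        {"amount": 10},                     # replay of the same request
    ]
    reasons = [handle_bet(player, r)[1] for r in requests]
    return reasons, player.balance


if __name__ == "__main__":
    for reason in run_samples()[0]:
        print(reason)
```

The balance and the round state never leave the server, so the client can only ask for an action and never report its outcome.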
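A check for the cross-domain policy file mentioned in item 4, as an added example that is not from the original article: it flags rules that would let a copy of the client hosted elsewhere connect. The `audit_policy` function, the domain `www.virtuapark.example` and the port number are assumptions made for the illustration.

```python
import xml.etree.ElementTree as ET


def audit_policy(xml_text, expected_domains):
    """Return a list of findings for a Flash cross-domain policy document."""
    root = ET.fromstring(xml_text)
    if root.tag != "cross-domain-policy":
        return ["root element is not <cross-domain-policy>"]
    findings = []
    rules = root.findall("allow-access-from")
    if not rules:
        findings.append("no allow-access-from rule: every domain is refused")
    for rule in rules:
        domain = rule.get("domain", "")
        if domain == "*":
            findings.append("domain='*' accepts a client hosted on any site")
        elif domain.startswith("*."):
            findings.append(f"{domain}: wildcard covers every subdomain")
        elif domain not in expected_domains:
            findings.append(f"{domain}: not in the expected domain list")
        if rule.get("to-ports") == "*":
            findings.append(f"{domain}: to-ports='*' exposes every port")
    return findings


# Constructed policies; the domain and port are placeholders.
PERMISSIVE = """<cross-domain-policy>
  <allow-access-from domain="*" to-ports="*"/>
</cross-domain-policy>"""

RESTRICTED = """<cross-domain-policy>
  <allow-access-from domain="www.virtuapark.example" to-ports="9339"/>
</cross-domain-policy>"""

EXPECTED = {"www.virtuapark.example"}

if __name__ == "__main__":
    for name, policy in (("permissive", PERMISSIVE), ("restricted", RESTRICTED)):
        print(name, audit_policy(policy, EXPECTED))
```

The policy is enforced by the Flash Player, so it stops a re-hosted SWF but not a custom non-Flash client; server-side validation of every request still applies.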

» Development tips and tools

Now that we have analyzed the client/server architecture, scalability and security concerns, we should finally be able to put our hands on the keyboard and jump right into coding...


Even if the temptation is strong, we should hold on for a moment and discuss a few more aspects of the development that we haven't mentioned so far. VirtuaPark will probably be a great success if we clearly have in mind what we want to achieve, and if we have set a number of realistic goals in terms of money, time and resource investments.


The following is a list of important aspects that should be taken into account before starting to develop our virtual world:

· Planning: as obvious as it may sound, a project like this requires careful planning. It is really advisable to write down one or more documents that contain all the aspects of the application, the architecture overview, a list of features, the estimated resources needed and a small business plan.
The document typically requires a number of reviews and, as you get more into the details, you will probably realize that it won't be possible to pack all the features into the first release. You will probably need to split the project into multiple development phases so that you can set a realistic schedule for the initial release.
Additionally, starting (relatively) small lowers the risk of failure because you can receive user feedback at an earlier stage and fix what is not working before it's too late.

· Prototyping: creating quick-and-dirty prototypes is usually a great way to verify if an idea will work as expected. When facing new challenges like those involved in the creation of an MMO, this is the best approach to avoid rewriting large pieces of code that were supposed to "just work".
SmartFoxServer lets you quickly prototype server-side code with highly productive scripting languages such as ActionScript and Python, which can significantly cut down the development/prototyping times.

· Documentation: keeping documents that describe the application in all its aspects is essential to avoid forgetting ideas that you have discussed and never put into writing. Additionally, it makes it easier to instruct new members of the team or to explain the project to people outside the company.
The same goes for both client side and server side code. Maintaining the habit of adding clear comments to the source code will literally save hours of staring at the screen with no clue about where to start, and avoid tedious debugging sessions.

· Versioning: this is an essential tool when coding in a team. By keeping your code versioned you reduce the chances of losing code, you get a central repository for the project files and you can let multiple developers work on the same files simultaneously. When everyone is finished coding they just need to submit their changes to the central repository. Modifications made by other team members will be merged automatically, and in case the same part of code was modified by another developer, you will be asked to resolve the conflicting code sections. If at any time a new piece of code breaks the application you can quickly roll back to the previous version without wasting precious time.
There are many commercial and free versioning tools available; we recommend starting from SVN, which is free and open-source.

· Logging: debugging multi-user applications can sometimes be a horrible nightmare. In order to avoid long and frustrating debugging sessions, it's highly advisable to log a lot of information on both client and server sides. This will allow you to easily check what's going on at both ends of the application while testing.
SmartFoxServer utilizes the JDK Logging API to output information to the OS console and log files. The API is also accessible through the extensions, using any of the available languages (Java, ActionScript, Python).

· Beta phase: a limited public beta phase is essential to do the final testing. Once the application has been sufficiently tested internally, it is time to publish it live and let a selected group of users play with it and report issues. This can be done in various ways: by recruiting professional beta testers, by inviting selected users / gamers to sign up for beta access, or by letting anyone register for a beta account without restrictions.
The important part of this phase is to receive as much feedback as possible from players, in order to seek and squash the final bugs. This also allows you to see how many resources are being used in a real-life environment and foresee what will happen when the application reaches a larger audience.

