External Auth Server

[inkredible]

Hey,

I am running a mobile game forums and some popular streamers offered to do advertisements during their streams. Hence we expect very large peaks where a lot users will register and/or authenticate. I know that the password hashing procedure (login or register) takes a lot CPU and we've measured that our dedicated server (4c / 8t) can perform 10 hashes per second which is not enough for our case. However the server is able to handle ~2k concurrent users.

Because of this scenario I wonder if it's possible to add an external server which is primarily busy with creating the hashs to compare/insert them against the Database. Maybe you've got better suggestions to handle such large peaks? Take note we don't use AWS or any other cloud services so we can't adapt our server's resources easily. We also don't plan to change everything to AWS but we could add servers for computational expensive tasks (like auth). What would you recommend?

I hope this is the right place to post the question but who could answer this question better than one of the IPS developers theirselves.

[KT Walrus]

I suggest you look into running your web server using Docker containers. Docker has a Swarm mode where you can distribute containers across multiple servers to handle scaling your website to meet demand. So, you would run your forums on a single node Swarm initially and have the ability to quickly spin up new Swarm nodes and scale the site as traffic requires. Scaling the NGINX/PHP services is very easy to do in a Docker Swarm. 

I think it is better to scale your website using containers than trying to break out certain parts of the PHP code to distribute only those parts. If IPS4 embraced micro-services and implemented those services in a distributed manner, then you could scale your website by running an auth server like you are thinking of doing. But, I think it would be too much work for too little benefit for you to do this yourself.

 

[bfarber]

I would be surprised if 10 hashes per second were not sufficient for any site. We have seen sites with many more than 2000 users online concurrently and the password hashing speed has never been an issue. Keep in mind, we are not generating and checking a hash on every page load - once the user logs in, they are logged in.