服务器和 SSL API 安全 [英] Server and SSL API Security
问题描述
目前我正在开发 REST API
Currently I'm developing an REST API
我的 API 访问仅在我的服务器和我的客户端服务器(B2B,企业对企业)之间进行.例如:myserverapi.com(我的 REST API 服务器)和 myclientserver.com(访问我的 API 的我的客户端服务器)*没有第三个连接/应用程序
my API access are only between my server and my client server(B2B, business to business). example : myserverapi.com(My REST API Server) and myclientserver.com(My Client Server who access My API) *no 3rd connection/application
我们正在实现 api_key(当然是必须的)和域名(所以客户端指定了他将访问 api 的域名,所以我的服务器 api 只会接受)
we are implementing api_key(of course it a must), and domain name(so the client specific the domain name that he will access the api, so my server api will only accept from that)
对于 myserverapi.com,如何只接收来自 myclientserver.com 的连接?只使用 $_SERVER['REMOTE_ADDR'] 吗?够了吗 ?但是在从几个地方阅读之后,我不能使用它,因为如果它在代理或负载均衡器农场下,IP 可能是错误的.有什么解决办法?
for myserverapi.com, how to only receive connection from myclientserver.com ? is only using $_SERVER['REMOTE_ADDR'] ? Is that enough ? but after reading from a few place, that i can't use that because the IP may be wrong if it under proxy or loadbalancer farm. What's the solution ?
如果我安装了 SSL 证书怎么办?我必须改变我的代码吗?或者只是购买并安装在服务器端,这样我的 api 就会自动安全?
and how if i installed SSL Certificate ? is i must change my code ? or just buy and install on the server side that automatically my api will be secure ?
openssl-verify 功能是否只是真正了解访问是否来自特定服务器的安全方式?http://php.net/manual/en/function.openssl-verify.php 这是否意味着我必须更改我的代码来加密和解密数据,如此链接 http://3stepsbeyond.co.uk/2010/12/openssl-and-php-tutorial-part-two/
is openssl-verify function only the secure way to realy get know that the access are from specific server or not ? http://php.net/manual/en/function.openssl-verify.php Is that mean i must change my code to encrypt and decrypt data like in this link http://3stepsbeyond.co.uk/2010/12/openssl-and-php-tutorial-part-two/
所以基本上我只想确保 myserverapi.com 只能从 myclientserver.com 获得访问权限.而 myclientserver.com 只接受来自 myserverapi.com 的数据.怎么做?
so basically i just want to make sure for myserverapi.com to only get access from myclientserver.com. and the myclientserver.com only accept data from myserverapi.com. how to do that ?
我希望有人给我一个很好的解释.
I hope some one give me a good explain.
谢谢
推荐答案
您可以执行一系列操作.大多数代码不可知的是 HTTPS 客户端证书.如果您不关心用户到底是谁,但只想确保这是允许的,让 apache 处理.它只是配置文件中的几行,而且您不必接触您的代码.
There's a series of things you can do. The most code agnostic is HTTPS client certificates. If you don't care about who the user exactly is, but just want to make sure that is an allowed one let apache handle that. It's only a few lines in the config file, and you won't have to touch your code.
您的第二个选项是 ACL,即使在路径级别,您也可以在 Apache 中再次处理它.当然,在操作系统级别,您也可以将它们应用于 IP 和端口.这同样适用于您的服务器内部或前面的防火墙.
Your second option is ACLs, which you can handle again within Apache even at the path level. And of course at an OS level you can apply them as well to IPs and ports. Same applies to a firewall in or in front of your server/servers.
如果您不想处理管理证书或 IP/端口防火墙和 ACL,您可以实施 2 条腿 Oauth.客户端可以使用库,因为它们几乎已经以任何语言存在,而且服务器的代码也不太复杂.
If you don't want to deal with managing certificates or IP/port firewalling and ACLs you can implement 2 legged Oauth. The clients can use a library since they exists in virtually any language already, and the code for the server is not too complicated.
这篇关于服务器和 SSL API 安全的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
