确保连接到PHP服务器 [英] securing connection to php server
问题描述
我有以下情形: 而Android客户端通过HTTP发布PHP服务器通信。 PHP的服务器和MySQL数据库进行通信,并把其作为JSON的Android客户端的输出。
I have following scenario: The Android clients communicate with a PHP server via HTTP Post. The PHP server is communicating with mySQL database and sends the output as JSON to the Android client.
现在我关注的是人的嗅探流量,找出URL,并会在我的数据库上传了很多虎视眈眈的。 我嗅着有效载荷无关。所以它并不一定被加密。
Now I am concerned that people sniffing the traffic, find out the URL and will post a lot of grap in my database. I have no concern of sniffing the payload. So it does not necessarily be encrypted.
我在想TLS / SSL其中谈到,因为HTTP连接的初衷。但是我不知道什么是prefered路要走这种情况。
I was thinking of TLS/SSL which comes in mind because of the HTTP connection. But I am not sure what is the prefered way to go in this scenario.
推荐答案
你想要做的是采用相互认证的SSL,让你的服务器将只接受来自您的应用程序的传入连接,您的应用程序将只与您的服务器进行通信
What you want to do is employ mutually-authenticated SSL, so that your server will only accept incoming connections from your app and your app will only communicate with your server.
下面是高层次的方法。创建自签名服务器SSL证书,并部署在Web服务器上。您可以使用附带的Android SDK用于此目的的密钥工具。然后创建一个自签署的客户端和部署在自定义密钥库您的应用程序中包含在你的应用程序作为一种资源(密钥工具会产生这个问题,以及)。将服务器配置为要求客户端SSL认证,并只接受你生成的客户端证书。配置客户端使用客户端证书来识别自己和只接受你的服务器的那一部分上安装了一个服务器端证书。
Here's the high-level approach. Create a self-signed server SSL certificate and deploy on your web server. You can use the keytool included with the Android SDK for this purpose. Then create a self-signed client and deploy that within your application in a custom keystore included in your application as a resource (keytool will generate this as well). Configure the server to require client-side SSL authentication and to only accept the client certificate you generated. Configure the client to use that client-side certificate to identify itself and only accept the one server-side certificate you installed on your server for that part of it.
如果有人/不是您的应用程序之外的其他尝试连接到服务器,SSL连接不会被创建,作为服务器将拒绝传入的SSL连接,不这样做present您已经包含在客户端证书的应用程序。
If someone/something other than your app attempts to connect to your server, the SSL connection will not be created, as the server will reject incoming SSL connections that do not present the client certificate that you have included in your app.
一个在这一步一步的是比这里是必要更长的答案。我建议分阶段这样做,因为有关于如何处理与Android的自签名的SSL证书,服务器和客户端在网络上的资源。还有一个完整的步行通过我的书,应用安全为Android平台,由O'Reilly出版。
A step-by-step for this is a much longer answer than is warranted here. I would suggest doing this in stages as there are resources on the web about how to deal with self-signed SSL certificate in Android, both server and client side. There is also a complete walk-through in my book, Application Security for the Android Platform, published by O'Reilly.
这篇关于确保连接到PHP服务器的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
