Let's say that I have a website somewhere over the internet. At my house there is a raspberry pi.
Can I send data from that website to that raspberry pi?
I have web server on that raspberry pi, and I tried sending a POST request from website, and it worked, but now anyone, who knows how to send POST request can just send that data to raspberry pi. I want to send that data to C++ program, that I'll write. How can I do it?
Can I do it another way, or somehow secure that POST request?
If you want to prevent your users from seeing that is being posted to the RasPi and from tampering with it, you'll need to send that data from the server, not from user's browsers. You can still do this by POSTing to some sort of web service on the RasPi, or you can cache the information on the web server and poll it from the RasPi. In either case, you should protect that flow by requiring that it take place over HTTPS (as opposed to plain-text HTTP) and authenticating the client using either a TLS client certificate or some sort of API key.
Use SSL (secure transmission) - not perfect but will stop a lot
Use a 'nonce' (https://security.stackexchange.com/questions/30519/prevent-cross-domain-form-submission-with-nonce plus google).
Filter requests not coming from the correct IP address (assuming your web server will have a fixed outgoing IP address). [Side note: this is fakable so not perfect]
Individually encrypt each instructions manually, including a shared private key on your webserver and a unique ID embedded in each message. If you get exactly the same encrypted message it's a repeat post can be safely be dropped.
Related
I have 3 server that same server application is running on each of them. each installation of server app has its own configurations, data and settings.
other client users or client applications can connect to this servers and communicate with them.
this servers are in different places.
this application are created by PHP and servers are ubuntu servers, each server has its own static IP.
but now i need to share some data between this server applications. for example server A needs to access to information of server B's customers. or main admin of system want to see some information of server C. other scenario may be back up/sync. each server with 4th server with special application.
what is the best and more secure way to share some data between server applications? for example application A on server A needs some data get from application B on server B, or send some data to it.
There are several ways to do this, and it depends on if your goal is to send data synchronously or asynchronously.
If you want to send data synchronously (that is, send data, and wait for a response before proceeding to whatever the next step), use HTTPS.
If you want to send data asynchronously (that is, send data, then go off and do something else while the response can come back at any time), use XMPPS.
Both run over SSL, so that will handle the security side of things. Both HTTP and XMPP services are plentiful, so building the scripts to use these services for communication would be relatively straight-forward.
I want to send a value from my website to my arduino using httprequest.
as the image explain, i want to enter my site from a device (let's say mobile phone) and send a request to my arduino from my website (webserver)
so i'm having this problems:
1- how to address the arduino without dns, should i have a fixed ip address for my arduino, is there any way else ?
2- what is the PHP code that i need to let the website send the request ??
i know i can connect arduino to web using httpclient, but i want the reverse process, that is connect the website to arduino ( the website as client and a arduino as a server)
is there anyway to do that ?
thank you and sorry for my bad english
I've recently made a similar project with a Raspberry Pi. But this doesn't make a difference.
First be careful with my solution. Anybody can join on your device, if they have your IP and Port. It might be not the best solution, but it works pretty good.
So what I did is, I've set a DynDNS to my router, so that I doesn't have to change the IP in my script every time. You can get a DynDNS from your provider or you can use the free service No-IP. Next I set a static local IP adress to my arduino/pi via the settings on my router. Then I also set port-forwarding to the arduino/pi.
Then you should be able to access your arduino/pi via the internet. And if you have this, you can also control it via any website you want.
To accomplish an HTTP request in PHP, there will be a lot of possible solutions. But I prefer this:
$response = file_get_contents(YOUR_DYNDNSIP_AND_PORT)
https://www.w3schools.com/php/func_filesystem_file_get_contents.asp
You also can additionally can get a response via this function.
To protect your own network, you can use HTTP Basic Authentication, which you have to add a username and a password to the request. This make it difficulter to access your arduino.
I hope this might help you.
I have a car GPS device, the only thing I can change is the IP-address.
Is it possible to have shared hosting with a dedicated IP-address (that part is possible) and then to have a PHP script that picks up the data that is being send?
So what is in my mind:
GPS device send gps data to IP-address.
That IP-address has a PHP script that picks up the data and use it.
As requested a little bit more detailed.
There is a question that is exactly the same but don't have an answer: how-to-get-data-from-gps-and-send-to-server-and-how-save-to-database
It is a Chinese car GPS device with a standard IP address. So it sends data to that IP address. Then they give us a website where we can login with the product code and we can see the GPS location.
It is possible to change the IP address in this device. I have found shared hosting with a dedicated IP address, but that means the IP address just replaces the URL so it works just as an URL, so it is not that I can change the server and install something like openGTS.
But I have no idea what kind of data (I don't think it is just GET or POST data) this device is sending. So I am wondering if the GPS is sending the data to an IP address whether I have to do something special with java on that server or I am able to use a PHP script to pickup what the GPS device is sending? Once I get the data I know what to do with it. All I need is the data to be picked up by a PHP script.
There is not a shortcut as I was hoping. For a gps tracker device that sends TCP/UDP data to an ip address and port we really need a server. There will be no POST/GET data. The server will receive data through a port that needs to be decoded. But it was not as complicated as I thought. Even without any knowledge of Java I was able to install a software and manipulate it to my liking.
What I did:
Got a windows server (2012) hosting (6 months for free) so I could
try it out.
Downloaded opengts and followed their instruction manual exactly. And did not find it hard at all. It worked without having much headache
Once I got to the part where everything was working I could play around with the device and it was working fine. Ofcourse we need to know the protocol (the data) that the device is sending and decode so it can be saved in the database.
you need this:
The phone(Number) (with GPS).
A SmartPhone( Androir and develop your own APP) - (Like a Sub-Server).
A (Home Server) or (WebServer) with MySQL(Data Base).
A Script with PHP in your Server or WebPage(Point 3).
So:
The (Phone Number with GPS) just wait for a call or something to send the "Data".
(The SmartPhone) get the data from (The Phone Number with GPS).
Read the Message Board ONLY from your (Phone Number with GPS) with (your Own APP Android) AND Process the "Data" with (your Own Android APP).
Get the "String" of (Lat) and (Lon) Coordinates Or ALL your need from the (Message Board) and SEND to your (PHP Script) using HTTP request to your (Home Server or WebPage) From your (SmartPhone) Using your (Own Android APP).
Work with your (PHP Script) and save in your (MySQL Data Base).
... you can do everything now with the "Data", like show with other php script and google maps api, or use for a desktop application on java, or visual basic, etc..etc..., or all you wish.
Note:
*Not use your (SmartPhone) for nothing, only for prossesing "Data" of ALL (Phone Numbers) your want Using your (Own Android APP) Reading the Message Board with Code, so your (SmartPhone) now is like a "Mini Server" and only works as an intermediary between your (Phone Number with GPS) and your (PHP Script) in your (Home Server or WebPage) with (MySQL Data Base).
You need to use Database, create php script (POST query) and update query into database when GPS position change, than you can have access to this position from database with another php script (GET and return json object)
If you have a shared hosting, you'll only have the 80 port open. So in your device, you will need to make HTTP requests to that IP on port 80.
In order to make a correct HTTP request, read the RFC2616 (http://www.w3.org/Protocols/rfc2616/rfc2616.html) to get started with HTTP protocol.
At minimum, you will need to provide a hostname and URI in your HTTP request.
On that URI, your PHP script will be able to read data and do something with it.
I would try to explain in diagrams
[REST SERVER] <--------> [JAVASCRIPT BASED WEBSITE] <--------> [USER]
192.168.0.2 192.168.0.3 192.168.0.123
How can I get the IP of the website that consumes the REST server instead of the USER's IP.
I tried using $_SERVER['REMOTE_ADDR'] and $_SERVER['HTTP_REFERRER'] but they both return the IP of the user.
Is it possible in the web? I'm using PHP for my REST server.
I'll assume here that you mean the website is hosted on 192.168.0.3. This means the user will be downloading the Javascript and HTML data from said server, and then execute it locally on 192.168.0.123. That Javascript is then going to make remote calls to the REST service from that local IP.
You want to know how to get the IP of the server that hosted the Javascript/HTML files before the client downloaded them, presumably in a reliable fashion. And the answer is that this is not possible. Because your actual schema looks like this:
[JAVASCRIPT BASED WEBSITE] <--------> [USER]
192.168.0.3 192.168.0.123
^
|
[REST SERVER] <--------------------------+
192.168.0.2
You cannot do this securely. You will have to make the javascript pass this to the server. And since javascript is run client side, this can be spoofed.
And even then, javascript does not have native functions to get you the IP address of the website. It can give you the domain name though. And then in, for example, PHP you can resolve this domain name to an IP address. Or have the javascript based web server give its IP address directly along. For example with the help of PHP, you can do in javascript: var myIP = '<?php echo $_SERVER['SERVER_ADDR']; ?>';
As a sidenote, the Origin header (can be spoofed) is ment for this purpose but a secure workaround would be some kind of handshake between JS server and REST server.
Javascript based webpage requests a token code via serverside, you put this token code into the javascript and send it to the rest server.
The rest server verifies the token code and then you know for sure where the javascript resides.
This is the only method of verifying the origin, it is not possible via plain IP addresses.
I have recently written a socket server in PHP that will be handling communication between an Android phone application and my PHP webserver. Due to the fact that Android doesn't natively support push style notifications we are going to be using our webserver as the middleware layer to handle our 'pushes'.
The socket server is stable, runs well, and seems to scale nicely. While I would eventually like to re-write this in C I don't have the skill necessary to do that right now so I am going to be staying in PHP for at least a short while. As of this moment our Android emulator is able to communicate through the server, get pushes, etc. so that part is all covered.
My concern is that, right now, anyone can open a socket to my server and will be given a client connection. While we won't be passing sensitive data back and forth I don't want to allow just anyone to connect over and receive broadcast information, eat up my resources, and clog my server in general.
The question is, how do I secure a server like this? Let's assume that I am running on port 25,000--can I set up some sort of SSL layer on that port and expect devices like the Android to be able to communicate over that port without any special protocols or jumping through hoops?
I have considered asking the connecting clients to authenticate their user against our user database before being given a client connection, but that would require the passing of credentials in plain text over the network which I am NOT about to do.
Any suggestions on this would be very helpful--I am rather new to straight TCP communication from PHP and feel like I might just be missing something simple that allows for authentication on this level.
Additional information: If I am able to get a valid username and password securely I would be using MySQL to validate the user and then accept/reject their connection based on the results of the query.
Thanks in advance..
First, I hope you've implemented your PHP socket server in a fashion that allows more than one client to be connected at the same time. This is not as trivial as it should be given the absence of threads in PHP, but it's certainly.
Now, if you already have a socket server implemented, adding TLS support is easy. Just run stunnel and have your PHP socket server only accept requests on the local interface.
I don't think SSL is really going to solve your problem. At best with SSL you can provide each client with a client certificate and do client certificate validation on the server. But you'll need to manage tons of certificates then. Or give everyone the same client certificate (not a good idea).
You'll have to authenticate the client using his credentials. You are right that you don't want to send the credentials in plain text over the network, but there are simple alternatives. Take a look at e.g. HTTP Digest Authentication (http://en.wikipedia.org/wiki/Digest_access_authentication) or xAuth (http://dev.twitter.com/pages/xauth). You don't have to implement these techniques over HTTP; you can just as well send a challenge (a realm) over a simple tcp socket after you have accepted the connection. The client should then send a valid response within a short timeframe or the server aborts the connection.
By the way, did you consider HTTP streaming? See http://ajaxpatterns.org/HTTP_Streaming
It would probably make your life a lot easier as you can rely upon some other service (e.g. Apache) doing the hard work for you, and you can focus on the business value of your application.
you might want to consider:
Cloud to Device Messaging : http://code.google.com/android/c2dm/index.html
The only drawback is that it is only supported by android >=2.2
Not sure why you guys didn't use some off the shelf messaging library/server for java, then create an android service that connects to the message broker and handles all initial authentication.
The service would simply sit there and wait for any incoming messages.
(I'm pretty sure that listening for network data doesn't power up the radio, only when the data is actually there that the radio powers up. I suspect this is how C2DM works.)
This is better then polling because you're only waiting for data. You're not constantly sending packets requesting data. But you knew that already.
I did this, (I used the rabbitmq-java library and the rabbitmq message queue server) and had push style notification for my app in no-time. Even with Android 1.5 devices.
About security:
You could also implement your own security but without having to send plain-text passwords. Simply encrypt the passwords using something like MD5 before passing it through the network.
Then compare the encrypted password with the encrypted password you have on file.
This way, only encrypted passwords will go through the network.