How should multiple server-side apps "communicate" with each other - php

Let's say there are two server-side applications on two separate servers.
Server #1, IP address 1.2.3.4, contains a PHP web application with a MySQL database.
Server #2, IP address 5.6.7.8, contains a NodeJS app with a MongoDB database.
How can the PHP app "command" the NodeJS app (or vice versa) to do something, like:
"please save this data on your database", or
"I want to retrieve data from your database, where some_id = 123"
This internal communication should be secure, meaning that no one except the two servers can execute these commands.
I think that this is possible with simple HTTP POST / GET requests.
For example, the NodeJS app sends a POST request with parameters to http://1.2.3.4/do_something.php
Or maybe the PHP app sends a GET request to http://5.6.7.8/retrieveSomething
But I think it is not secure because the URL is exposed to the public. (correct me if I'm wrong)
I don't even know the google search keyword for this problem.
Is it web services? SOA? RPC?

Your example is perfectly fine. In terms of securing it, a simple way would be to have the "client/sender" send some sort of agreed upon API key along with the request. The "server/receiver" would then check this API key. If it is valid, then the appropriate command would be executed. If it's not, the server will simply return a 404 Not Found.

Related

Most secure way to communicate with my database?

I'm making a game in Unity which makes use of a remote MySQL database, hosted on a web server. Although it's entirely possible to communicate with a database directly from Unity/C#, I'm also aware of how easy it is to reverse engineer the app in order to find any hard-coded authentication information (such as URLs, passwords, etc)... So, because the server is a web server and not a VPS, that means that all database connections and modifications would need to be done via server-side scripting.
But the client app would still need to make requests to the web server, where some PHP scripts would handle the requests and perform the appropriate actions. So using a URL with a PHP query string still revisits the original hacking issue, and even using HTTP GET/POST requests can easily be packet-sniffed without any decompilation of the game.
So unless I'm missing something, does the most secure way to do this involve a mixture of direct HTTP GET/POST requests, where the data is somehow encrypted/obfuscated? Maybe via HTTPS instead of HTTP? Or is there an even better way to do this?
Expose a RESTful API over HTTPS

Allowing GET requests only from specified server IP

I want to update records in a database through an api.php. I do this by sending GET requests to the API on the server from another particular server.
I tried limiting CORS to only that specific server, but GET requests were still accepted from the browser. I also tried to set a condition to match the server's IP with the one specified in the API and abort if it's false. However, I fear that this is an imprudent move as I am not that experienced in these types of situations.
Can I safely limit the API to allow GET requests only from this specific server address?
System architecture
Webserver: Nginx
App language: PHP (5.3), JavaScript, HTML, CSS
Database: MySQL
A solution would be to use JSON Web Tokens.
JSON Web Tokens are an open, industry standard RFC 7519 method for representing claims securely between two parties.
You can find the PHP framework to generate/check the tokens at https://github.com/web-token/jwt-framework

Load balancing (Distribution) with PHP and many servers

I am developing an app which has many users and (hopefully) will have many more in the future, and therefore I want to get rid of my current one-server-does-it-all solution in favour of a many-server structure. My app has customers in different countries and I want to handle each country with its own server. You can see this in the picture above. The app only knows the URL of the distribution server, and I want to achieve that the distribution server redirects to the right server.
How can I technically do this? I am using PHP / MySQL and my app is talking to my server with simple HTTP requests (GET and maybe later also POST) like
http://distributionServer.com/script.php?appCountry=us&work=getListOfItems
The server sends back JSON data.
I have some technical questions:
How do I make the redirect in PHP with all the parameters? The servers that will finally handle the user need these params. Can I just make a simple redirect with "header()"?
When I make a redirect with header(), does the communication then still run over the distribution server? Because I don't want all the "return" traffic going over the distribution server; this server only needs to say "ok USA-App, you talk to server USA". When server USA sends back data it should not go the way: ServerUSA -> Distribution Server -> App. Because these servers do not share a LAN, they are just somewhere on the net.
I know I could just hardcode the server URLs in the app so that US users always connect directly to the USA server, but I need some flexibility to add new servers / change servers / change URLs / add new countries, and I don't want to always update the app when something changes on the server side.
This is the simplest way you can do this: https://support.rackspace.com/how-to/simple-load-balancing-with-apache/
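As an added example (not the question's or the answer's code), here is the distribution endpoint as the question describes it: it reads `appCountry` from the incoming request, looks the country up in a server registry, and answers with a 302 redirect whose Location keeps the path and every query parameter, so `script.php?appCountry=us&work=getListOfItems` lands on the USA server unchanged. The registry and host names are constructed; it uses only the standard `URL` class, so it runs in Node.js or a browser.

```javascript
// Added example: country-based redirect with parameters carried over.
// REGISTRY is constructed; in practice it would come from the database so
// servers and countries can be added without shipping a new app version.
const REGISTRY = {
  us: 'https://us.example.com',
  de: 'https://de.example.com',
};

// Returns the response the distribution server should send for requestUrl.
function resolveRedirect(requestUrl, registry = REGISTRY) {
  const incoming = new URL(requestUrl);
  const country = (incoming.searchParams.get('appCountry') || '').toLowerCase();
  // Redirect only to servers in the registry. Building the target from a
  // client-supplied host would turn this endpoint into an open redirect.
  if (!Object.prototype.hasOwnProperty.call(registry, country)) {
    return { status: 404, location: null };
  }
  // Same path on the country server, with the original query string intact.
  const target = new URL(incoming.pathname, registry[country]);
  target.search = incoming.search;
  return { status: 302, location: target.toString() };
}

console.log(resolveRedirect('http://distributionServer.com/script.php?appCountry=us&work=getListOfItems'));
```

On the second question: a redirect is a complete response from the distribution server; the app then opens a new connection to the Location host, and the USA server's JSON travels straight back to the app without touching the distribution server. In PHP the equivalent is `header('Location: ' . $target); exit;`, which sends a 302. Two caveats: a 302 after a POST makes many HTTP clients repeat the request as a GET without the body, so use a 307 when POST is introduced, and the app's HTTP client must follow redirects (or the endpoint can return the server URL as JSON and let the app call it).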

PHP - Protect RESTful API requests

I use a JSON API to get data for a website. I am aware of various methods by which I could make it secure, but my situation is different from the common methods.
Because of cross-domain issues, I had to create an API folder with various PHP files that do cURL requests to the RESTful API. I then request these local PHP files through AJAX on my site. On the next release it should be JSONP to avoid this issue.
Many of these JSON requests contain sensitive information, so the first thing I did was check the HTTP Referrer so people don't just grab the URL when inspecting the JavaScript code and try to run it in their browser. This is obviously not safe, nor should I rely on it.
Any data I may try to post with the request will be through JavaScript, so something like an API key or token would be visible and would defeat the whole purpose.
Is there a way I can prevent these PHP files from being run outside the website or something? Basically make them inaccessible for visitors?
This does not have anything to do with REST. You have a server-side REST client, in which you call the REST service with cURL, and the browser cannot see anything of this process. As long as you don't want to build your own REST service for this AJAX client, this is just a regular web application (from the perspective of the browser and the AJAX client ofc.). As Lorenz said in the comment, you should use sessions as you would do normally. That's all. If you want to restrict access to certain pages, you can use an access control solution, e.g. role-based access control is very common.

Is it preferable to retrieve information directly from one site or through my web server using php?

I have an application that retrieves some info from a certain public website and gives it to the user. However, I am not sure whether I should let my app connect directly to the target website or whether it should get the info through my web server using a simple PHP script (JSON).
Actually I am using Jsoup to get the information and I tried both and they worked perfectly (direct and PHP) using Jsoup. However, I have not published my app yet due to the confusion aforementioned.
Use the web service. If your client has logic to parse the HTML, it can break when the web page changes. The web service can absorb this change and make corrections, but your client cannot. Not unless you release another version of your app, and that can be a pain.
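As an added example (not the answer's code), here is the point the answer makes, in code: the web-service layer keeps one parser per known layout of the public page and always returns the same JSON shape to the app, so when the page changes only the server's parser list changes and the published app keeps working. The two HTML layouts are constructed and parsed with regular expressions for brevity; a real service would use a DOM parser (the question's Jsoup, server-side, is exactly that) and should fetch a fixed target URL rather than one supplied by the client.

```javascript
// Added example: stable JSON contract in front of a changing public page.
// Both HTML snippets below are constructed stand-ins for two versions of the
// target site's markup.
const LAYOUT_V1 = '<ul class="items"><li data-id="1">Alpha</li><li data-id="2">Beta</li></ul>';
const LAYOUT_V2 = '<div class="card" id="item-1"><h3>Alpha</h3></div>' +
                  '<div class="card" id="item-2"><h3>Beta</h3></div>';

// One entry per layout the service knows how to read. Adding a new layout
// here is a server-side change; the app never sees it.
const parsers = [
  {
    name: 'v1',
    detect: html => html.includes('class="items"'),
    parse: html => [...html.matchAll(/<li data-id="(\d+)">([^<]*)<\/li>/g)]
      .map(m => ({ id: Number(m[1]), name: m[2] })),
  },
  {
    name: 'v2',
    detect: html => html.includes('class="card"'),
    parse: html => [...html.matchAll(/id="item-(\d+)"><h3>([^<]*)<\/h3>/g)]
      .map(m => ({ id: Number(m[1]), name: m[2] })),
  },
];

// The contract the app depends on: { ok, layout, items: [{ id, name }] }.
// An unrecognised layout is reported as an error instead of a crash, so the
// app degrades gracefully while the server-side parser is updated.
function toStableJson(html) {
  const parser = parsers.find(p => p.detect(html));
  if (!parser) return { ok: false, layout: null, items: [], error: 'unknown page layout' };
  return { ok: true, layout: parser.name, items: parser.parse(html) };
}

console.log(JSON.stringify(toStableJson(LAYOUT_V1)));
console.log(JSON.stringify(toStableJson(LAYOUT_V2)));
```

A monitoring check that compares `ok` and the item count against expectations is a cheap way to learn that the target page changed before users do.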
