I'm writing some APIs for another website to be able to interact with my website. They say this in their documentation:
All calls made over HTTPS.
I don't know what that means for me on my end. Does it just mean I need to be hosted on a
httpS://www.mywebsite.com
page instead of
http://www.mywebsite.com
What do I need to do on my end (PHP based code) to accept "calls over https".
I don't need any code written or anything like that, I just need to understand the scope of what I'm trying to do. Is it my code that deciphers the HTTPS call? Is it the server that I'm hosted on? What does this mean?
You need an SSL certificate installed on your server, which you can get from a Certificate Authority like Thawte or Verisign. Once that is done, your site will be able to serve the same content over https://... and http://...
You can then restrict it via the webserver's configuration to only allow the https://.... (simplest thing to do). Or you can leave it at the default which will allow both, and you can make a determination in the particular script being called whether it will accept both or only one or the other.
But for simplicity (especially when you really don't understand the concept of SSL as to when you should use it or don't really have to) you probably ought to just restrict your webserver to serve only https://... How you do that depends on whether you are using IIS or Apache HTTPD, etc.
Related
I am trying to setup a web proxy so I can bypass the web filter. I am using Glype proxy php script but the web filter detected it and blocked it. Is there any way I can config or edit the script so the web filter would not be able to detect my proxy?
You have to rename the file browse.php and all references to it. Here is explained how: http://glypetemplates.com/rename-browse.php-to-prevent-abuse-from-automated-scripts.html
Two useful hints:
Avoid the name 'proxy' in your url. This might trigger someone's attention (or a script that scans for this term) which will make sure that the url is quickly added to the blacklist.
If you have already been blocked you are probably on a blacklist from which you won't be removed. Therefor, try to put your proxy on a new url (e.g. if your previous url was example.com/secret now try example.com/randomWord).
A bit of background information: The following article gives a nice overview of what companies can do to detect proxy sites: http://www.sans.org/reading-room/whitepapers/detection/detecting-preventing-anonymous-proxy-usage-32943
It is a bit outdated (2008) but what it says is that the Glype is detected by looking at the link the user is browsing to. Since this is always of the same format (browse.php?u=....):
To block or detect any usage of a Glype anonymous proxy server, use
the following regular expression: (browse\.php\?u=).+(&b).*
Renaming browse.php will solve this problem. This is assuming your webfilter is not using any more advanced techniques...
I'm building an online dating website at the moment.
There needs to be an admin backend to the site to approve users/photos etc.
I can add this admin part of the site/login etc to the same domain.
eg: www.domainname.com/admin
Or from my experience with PHP CURL I can put this site on a different domain and CURL the requests through.
Question: is it more secure to put the admin code/site on a completely different domain? or it really doesn't matter if it sits on the same domain? hacking/security is the really point of this.
thx
Technically it might be more secure if you ran it from a different server and hosted it on a subdomain using a different IP/vhost, or use a proxy mod for your webserver (see Apache mod_proxy) to proxy requests from yourdomain.com/admin to admin.otherdomain.com and enforce additional IP or access control using .htaccess or equivalent to access the proxy url.
Of course, if those other domains are web accessible, then they are only as secure as the users and passwords that use them.
For corporate applications, you may want to make the admin interface accessible from a VPN connection, but I don't know if that applies to you.
If there is a vulnerability on your public webserver that allows someone to get shell access, then it may make it slightly more difficult to get administrative access since they don't have the code for the administration portion.
In other words, it can provide additional security depending on the lengths you go to, but is not necessarily a solid solution.
Using something like cURL is a possibility, but you'd have far less troubleshooting to do using a more conventional method like proxy or subdomain on another server.
There is this PHP script on my website which I don't want people to be able to run by just typing its name in the browser.
Ideally I would like this script to be run only by registered users and only from within a Windows app (which I will have to provide). Can this be done ?
Alternatively, how can I protect this script so that it can only be called from a specific page or script?
Also how can I hide the exact URI from appearing on the address bar?
Thanks !
If you are running Apache for your webserver, you can protect it with a username/password combo using .htaccess. It takes a little configuration if your server is not already configured to allow .htaccess. Here are the Apache docs.
If you need authentication based on application-specific factors, you can put something at the top of your script like
<?php
if(!$user->isLoggedIn()) {
// do 404
header('HTTP/1.0 404 Not Found');
}
Do you have a question about how you would implement isLoggedIn?
You can also use mod_rewrite to rewrite URIs, and those directives can go inside your .htaccess as well. mod_rewrite can rewrite incoming requests transparently (from the browser's perspective) so a request for /foo/bar can be translated into secret_script.php/foo/bar. Docs for mod_rewrite.
However you decide to implement this, I would urge you to not rely solely on the fact that your script's name is obscure as a means to secure your application. At the very least, use .htaccess with some per-user authentication, and consider having your application authenticate users as well.
As Jesse says, it's possible to restrict your script to logged in users. There are a large number of questions on this already. Search for PHP authentication.
However, it is not possible to restrict it to a single application. It is fairly simple to use a program like Wireshark to see exactly how the program logs in and makes request. At that point, they can reproduce its behavior manually or in their own application.
There are a variety of different ways that you could go about securing a script. All have pluses and minuses, and its likely that the correct answer for your situation will be a combination of several.
Like mentioned, you could lock down the account with Apache...it's a good start. Similarly, you could build a powerful 'salt-ed' security system such as this: http://www.devarticles.com/c/a/JavaScript/Building-a-CHAP-Login-System-An-ObjectOriented-Approach/ If you use SSL as well, you're essentially getting yourself security like banks use on their websites--not perfect, but certainly not easy to break into.
But there are other ideas to consider too. Park your script in a class file that sits inaccessible via direct URI, then do calls to the various functions from an intermediary view script. Not perfect, but it does limit the ways that someone could directly access the file. Consider adding a "qualifier" to the URL via a simple get--have the script check for the qualifier or fail....again, not a great solution on its own, but one additional layer to dissuade the bad guys. If you have control of who's getting access (know exactly which networks) you could even go so far as to limit the IP's or the http referers that are allowed to access the file. Consider setting and checking cookies, with a clear expiration. Don't forget to set your robots file so the browsers don't stumble upon the script your trying to protect.
A while back my company did a membership app using Delphi on the front end, talking to php and MySql on the backend....it was a bit clunky given that we were all web application developers. If you're so inclined, perhaps Adobe Flex might be an option. But ultimately, you'll have to open a door that the application could talk to, and if someone was determined, theoretically they could dig through your app to find the credentials and use them to gain instant access to the site. If you're going the desktop app route, perhaps its time to consider having the app avoid talking to an intermediary script and do its work on the local machine, communicating the db that sits remote.
you can use deny access on .htaccess on a folder with a php authentification that will redirect to those php file
I'm vaguely aware that on a computer joined to a domain IE can be asked to send some extra headers that I could use to automatically sign on to an application. I've got apache running on a windows server with mod_php. I'd like to be able to avoid the user having to log in if necessary. I've found some links talking about Kerberos and Apache modules.
http://www.onlamp.com/pub/a/onlamp/2003/09/11/kerberos.html?page=last
https://metacpan.org/pod/Apache2::AuthenNTLM
Since I'm running on Windows it's proven to be non-trivial to get Perl or Apache modules installed. But doesn't PHP already have access to HTTP headers?
I found this but it doesn't do any authentication, it just shows that PHP can read the NTLM headers.
http://siphon9.net/loune/2007/10/simple-lightweight-ntlm-in-php/
I'd like to be able to have my users just point to the application and have them automatically authenticated. Has anyone had any experience with this or gotten it to work at all?
UPDATE
Since originally posting this question, we've changed setups to nginx and php-fcgi still running on windows. Apache2 and php-cgi on windows is probably one of the slowest setups you could configure on windows. It's looking like Apache might still be needed (it works with php-fcgi) but I would prefer a nginx solution.
I also still don't understand (and would love to be educated) why HTTP server plugins are necessary and we can't have a PHP, web server agnostic solution.
All you need is the mod_auth_sspi Apache module.
Sample configuration:
AuthType SSPI
SSPIAuth On
SSPIAuthoritative On
SSPIDomain mydomain
# Set this if you want to allow access with clients that do not support NTLM, or via proxy from outside. Don't forget to require SSL in this case!
SSPIOfferBasic On
# Set this if you have only one domain and don't want the MYDOMAIN\ prefix on each user name
SSPIOmitDomain On
# AD user names are case-insensitive, so use this for normalization if your application's user names are case-sensitive
SSPIUsernameCase Lower
AuthName "Some text to prompt for domain credentials"
Require valid-user
And don't forget that you can also use Firefox for transparent SSO in a Windows domain: Simply go to about:config, search for network.automatic-ntlm-auth.trusted-uris, and enter the host name or FQDN of your internal application (like myserver or myserver.corp.domain.com). You can have more than one entry, it's a comma-separated list.
I'd be curious about a solution that uses OpenID as a backend (of sorts) for this... I wasn't seeing anything that would hook into ActiveDirectory directly when I googled (quickly). However, it could be pretty painless to implement over plain HTTP(S) (you'd be an OpenID provider that checked credentials against your local AD). In a best case scenario, you might be able to just add a couple classes to your app and be off and running -- no web server modules required. There is a lot of open source code out there for either side of this, so if nothing else, it's worth taking a look. If you exposed the backend to the users (i.e. gave them OpenID URLs), you'd have the added benefit of them being able to log in to more than just your internal sites using these credentials. (Example: Stack Overflow.)
As an aside, I'd be against making it so that Internet Explorer is required. I'm not sure if that is the goal from the way you wrote the question, but depending on your IT environment, I'd expect people who use Firefox or Safari (or Opera or ...) to be less than enthusiastic. (You're not developing against IE first, are you? That's been painful whenever I've done so.) This is not to say that you couldn't use this feature of IE, just that it shouldn't be the only option. The link you posted stated that NTLM worked with more than IE, but since I don't have any experience with it, it's hard to judge how well that would work.
I had a similar problem which I needed to solve for my organization.
I was looking into using adLDAP.
There is some documentation on the site for achieving seamless authentication with Active Directory too.
One option for you is to use CAS (central authentication service).
It has php client library.
How-to link to MS Active Directory: http://www.ja-sig.org/wiki/display/CASUM/Active+Directory
You would require Apache maven 2 though.
For IIS/PHP FCGI, You need to send out an unauthorized header:
function EnableAuthentication()
{
$realm = "yoursite";
header('WWW-Authenticate: Digest realm="'.$realm.'",qop="auth",nonce="'.uniqid().'",opaque="'.md5($realm).'"');
header("HTTP/1.1 401 Unauthorized");
exit;
}
You can then get at the username with:
$winuser = $_SERVER["REMOTE_USER"];
I then make sure the $winuser is in my database of allowed users.
Be SURE and test this under a non-privileged account. When I first installed this I tested it and it worked fine, but later when a standard non-server-admin user tried it this failed. Turns out some of the temporary directories need to have permissions changed for guest users. I can't recall the exact settings.
I am creating a web service using php's SoapServer built-in class. I have run some basic tests and it seems to be working fine, but now I need to limit who can use the service.
Assuming that only other scripts on the same server are trying to consume my service, and that they would do this server-side (as opposed to with AJAX or similar means), does my service have any means of identifying the owner of the requester?
I could limit access the service to only requests coming from a specific origin, but this seems either very strict or very unreliable, depending on if I allow access to any script in a directory vs. only specific scripts.
I'm just not clear if I can limit access by the user on the server since the user that the original requesting script will be www.
here are some of your options:
as vivek mentioned, a key in the url could do the trick, i have used this many times, and it works nicely, and also allows you to monitor who's consuming the service (different consumers, different keys)
you could restrict usage of the scripts by IP. this is like the nuke of restrictions, i've seen it used mostly in places where service is granted outside the original server, but where a VPN would be an overkill.
of course, you may require full authentication, but this has too much overhead, both in terms of programming, and in terms of usefulness.
however, i must ask:
if only scripts on the same server are consuming the service, why make it a service at all?
if you have (unrestricted) pages that consume this (restricted) service, what's stopping anyone from scraping those pages - no matter how hard you protect the service?
You can always implement HTTP authentication against a data source of your choice. Apache has various options for doing Digest and Basic auth against a myriad of sources (we use mod_auth_mysql to secure a php webdav solution) but PHP also has good documentation about how to do it at the app level.
http://php.net/manual/en/features.http-auth.php
Why not just make the web service available on the localhost vhost?
Not completely water-tight, admittedly but relatively simple to implement.
Or on a vhost running on a firewalled port?
C.
You could use a registration key as most famous API's do, like weather bug....
so when a request comes in, you could check the the code and see whether the user has registered to use your API.