保护PHP脚本不受未经授权的访问

Question

I'm currently developing a set of php scripts that act as a private API that is only to be used by some authorized machines. The scripts interface directly with the MySQL database so I must make sure that no public unauthorized access, as in making the scripts run successfully, is possible.

I've been considering the different alternatives but I decided to come here for some different opinions.

I'm running with nginx.

The API is used externally by a C# program (using WebClient) and a few other servers, which IPs may change, so I was avoiding a IP based approach.

I was considering passing a "key" parameter through post to check for a match

if($_POST['key'] == 'key')

There are probably better alternatives, what you do think?

Answer 1

You can configure TLS authorization using client certificates:

• http://nginx.org/r/ssl_client_certificate
• http://nginx.org/r/ssl_verify_client

Flexible and secure.

Here is a tutorial: http://blog.nategood.com/client-side-certificate-authentication-in-ngi

Answer 2

I usually use the key method you wrote but I definitely believe in a defense in depth method. SO I would add some server level protection, check out nginx access control methods. maybe something like:

deny: all allow IP: 127.0.0.1

Answer 3

I would use either a public/private key authentication or use a username and password/api key for each client. Only other option IMO would be using LDAP or other directory authentication, which likely isn't ideal for most situations.

Answer 4

You can use basic HTTP auth, but this method is not 100% secure, it is vulnerable to middle man attacks

http://www.php.net/manual/en/features.http-auth.php

http://evertpot.com/223/