仅使用Zend \\ Http \\ Client和Curl从特定服务器获取PHP页面内容
[英]Get PHP page content only from specific server with Zend\Http\Client and Curl
问题描述
how can i secure the content of a php page to access it only with a curl request of a specific server? 
我怎样才能确保php页面的内容仅在特定服务器的curl请求下才能访问? It should not be possible to get the content in a browser with a request like " https://cms.domain.com/home ", but if I create a Zend Client on a specific server it should be possible to get the content. 可能无法通过诸如“ https://cms.domain.com/home ”之类的请求在浏览器中获取内容,但是如果我在特定服务器上创建Zend Client,则应该可以获取内容。
Is it possible to check the referer or something else? 是否可以检查引荐来源或其他内容?
$adapter = new Zend\Http\Client\Adapter\Curl();
$client = new Zend\Http\Client();
$client->setAdapter($adapter);
$client->setMethod(\Zend\Http\Request::METHOD_GET)
->setUri('https://cms.domain.com/home');
$response = $this->client->send();
3 个解决方案
解决方案1
0 2017-06-28 12:05:47
It's not so simple because according to HTTP protocol request is by definition independent from other request. 这不是那么简单,因为根据HTTP协议,请求根据定义独立于其他请求。
HTTP_REFERER is simple to fake and not always present. HTTP_REFERER易于伪造,并不总是存在。
More information you can find under: 您可以在以下位置找到更多信息:
How to check if a request if coming from the same server or different server? 如何检查来自同一服务器还是不同服务器的请求?
解决方案2
0 2017-06-29 05:49:46
If you find a short way, I would then say no! 如果您找到一个简短的方法,那么我会拒绝!
The one and only reliable solution is to use OAuth2 protocol to restrict your API https://cms.domain.com/home . 唯一且唯一可靠的解决方案是使用OAuth2协议来限制您的API https://cms.domain.com/home 。 Because Google, Facebook, Twitter use OAuth2 for their APIs. 因为Google,Facebook,Twitter使用OAuth2作为其API。
Therefore, you need to create an RESTful application. 因此,您需要创建一个RESTful应用程序。 A typical RESTful web service will use HTTP to do the four CRUD (Create, Retrieve, Update, and Delete) operations. 典型的RESTful Web服务将使用HTTP来执行四个CRUD(创建,检索,更新和删除)操作。 Meaning you can operate those four operations to different endpoints of your api like https://cms.domain.com/v2/api/oauth , https://cms.domain.com/v2/api/etc for example. 这意味着你可以操作这些四个运算的API等不同的端点https://cms.domain.com/v2/api/oauth , https://cms.domain.com/v2/api/etc例如。
As you are using Zend\\Http\\Client as a client to handle your api then yon need an server for authentication which is OAuth2 server. 当您使用Zend\\Http\\Client作为客户端来处理您的api时,则不再需要用于身份验证的服务器,即OAuth2服务器。 Here you can get OAuth2 Server Library for PHP by Brent Shaffer. 在这里,您可以通过Brent Shaffer获得用于PHP的OAuth2服务器库 。
You can also use OAuth2 server from php league . 您还可以使用php League中的OAuth2服务器 。
Another option is Zend Framework's Apigility which is very useful if you need to get an OAuth 2.0 API up and running. 另一个选项是Zend Framework的Apigility ,如果您需要启动并运行OAuth 2.0 API,这将非常有用。 Check out their doc for the implementation please! 请查看他们的文档以获取实现!
解决方案3
0 2017-07-01 08:00:18
You can check User Agent on HTTP Request . 您可以在HTTP Request上检查User Agent 。 Here the example of cURL User Agent: curl/7.37.0 . 这里是cURL用户代理的示例: curl/7.37.0 。
So, you can check at onBootstrap(MvcEvent $mvcEvent) if the user agent not curl/* , the request will be rejected. 因此,您可以在onBootstrap(MvcEvent $mvcEvent)处检查用户代理不是curl/* ,请求将被拒绝。
class Module
{
public function onBootstrap(MvcEvent $event)
{
$headers = $event->getRequest()->getHeaders();
$userAgent = $headers->get('User-Agent');
if (is_null($userAgent) || preg_match("/^curl\/.*/", $userAgent->getFieldValue() !== 1) {
$response = $this->getResponse();
$response->setStatusCode(400); // give bad request status
$response->sendHeaders();
$stopCallBack = function($mvcEvent) use ($response){
$mvcEvent->stopPropagation();
return $response;
};
//Attach the "break" as a listener with a high priority
$event->getApplication()->getEventManager()->attach(MvcEvent::EVENT_ROUTE, $stopCallBack,-10000);
return $response;
}
}
}
If you want, you can add some like security token to make restriction better. 如果需要,可以添加一些类似的安全令牌以使限制更好。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.