验证HTTP请求
[英]Authenticate HTTP requests
问题描述
I'm developing an API that receives HTTP requests from the Internet. 
我正在开发一种API,该API可以从Internet接收HTTP请求。 One of the problems I'm facing is how to authenticate those requests in order to know that they are actually coming from a specific IP address. 我面临的问题之一是如何对那些请求进行身份验证,以便知道它们实际上来自特定的IP地址。
- I have read the X-Forwarded-For header is not safe at all 我已经读过X-Forwarded-For标头根本不安全
- RSA does not prevent Man in the Middle RSA不会阻止中间人
- What I'm doing is: given an id and a password, both parameters are sent in each request so the system can validate the request, but I think it's not the best option at all. 我正在做的是:给定一个ID和一个密码,这两个参数都在每个请求中发送,以便系统可以验证该请求,但是我认为这并不是最好的选择。
Any ideas? 有任何想法吗?
Thank you! 谢谢!
2 个解决方案
解决方案1
0 2018-06-30 19:49:43
Given that it's truly the IP address that you're needing to authenticate, and not any sort of user, then HTTP is too high on the networking stack. 鉴于它确实是您需要认证的IP地址,而不是任何类型的用户,因此HTTP在网络堆栈上太高了。 You need something like IPSec or WireGuard to authenticate IP addresses. 您需要IPSec或WireGuard之类的东西来认证IP地址。
解决方案2
0 2018-06-30 19:52:49
I suggest to redirect user to authenticate on HTTPS server that generates a token for him and then with that token request the infos on the HTTP server, so even a man in the middle can obtain current session and when the user logout it is useless. 我建议将用户重定向到HTTPS服务器上的身份验证,该服务器会为他生成令牌,然后使用该令牌请求HTTP服务器上的信息,因此即使是中间人也可以获取当前会话,并且当用户注销时它是无用的。
And then you can even validate the IP from login on HTTPS on each HTTP request. 然后,您甚至可以通过在每个HTTP请求上登录HTTPS来验证IP。
Edit: I think the whole process is explained really well here 编辑:我认为整个过程在这里解释得很好
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.