简体繁体 English

使用自定义服务器通过HTTP安全传输数据

[英]Secure data transfer over http with custom server

原文 2010-07-03 07:03:05 0 4 c++/ windows/ security/ sockets

I am pretty new to security aspect of application. 我对应用程序的安全性方面还很陌生。 I have a C++ window service (server) that listens to a particular port for http requests. 我有一个C ++窗口服务（服务器），它侦听HTTP请求的特定端口。 The http requests can be made via ajax or C# client. 可以通过ajax或C＃客户端发出http请求。 Due to some scope change now we have to secure this communication between the clients and custom server written in C++. 由于范围的变化，现在我们必须保护客户端与用C ++编写的自定义服务器之间的通信安全。

Therefore i am looking for options to secure this communication. 因此，我正在寻找确保这种通信安全的方法。 Can someone help me out with the possible approaches i can take to achieve this. 有人可以帮助我解决可能采取的方法吗？

Thanks Dpak 感谢Dpak

4 个解决方案

使用HTTPS 。

Given that you have an existing HTTP server (non-IIS) and you want to implement HTTPS (which is easy to screw up and hard to get right), you have a couple of options: 假设您有一个现有的HTTP服务器（非IIS），并且想要实现HTTPS（这很容易搞砸，很难解决），则有两种选择：

Rewrite your server as a COM object, and then put together an IIS webservice that calls your COM object to implement the webservice. 将您的服务器重写为COM对象，然后将一个IIS Web服务组合在一起，该IIS Web服务将调用您的COM对象以实现该Web服务。 With this done, you can then configure IIS to provide your webservice via HTTP and HTTPS. 完成此操作后，您便可以将IIS配置为通过HTTP和HTTPS提供Web服务。
Install a proxy server ( Internet Security and Acceleration Server or Apache with mod_proxy ) on the same host as your existing server and setup the proxy server to listen via HTTPS and then reverse proxy the requests to your service. 在与现有服务器相同的主机上安装代理服务器（ Internet Security and Acceleration Server或具有mod_proxy的Apache ），并将代理服务器设置为通过HTTPS侦听，然后将请求反向代理到您的服务。

The second option requires little to no changes to your application; 第二个选项几乎不需要更改应用程序； the first option is the better long-term architectural move. 第一个选择是更好的长期架构迁移。

A good toolkit for securing your communication channel is OpenSSL . OpenSSL是保护您的通信渠道的一个很好的工具包。

That said, even with a toolkit, there are plenty of ways to make mistakes when implementing your security layer that can leave your data open to attack. 就是说，即使有了工具箱，在实现安全层时也有很多方法会出错，从而使数据容易受到攻击。 You should consider using an existing https server and having it forward the requests to your server on the loopback channel. 您应该考虑使用现有的https服务器，并使其通过环回通道将请求转发到您的服务器。

It's reasonably easy to do this using either OpenSSL or Microsoft's SChannel SSPI interface. 使用OpenSSL或Microsoft的SChannel SSPI接口可以很容易地做到这一点。

How complex it is for you depends on how you've structured your server. 对您而言，它的复杂程度取决于服务器的结构。 If it's a traditional style BSD sockets 'select' type server then it should be fairly straight forward to take the examples from either OpenSSL or SChannel and get something working pretty quickly. 如果它是传统风格的BSD套接字“选择”类型服务器，那么从OpenSSL或SChannel中获取示例并使其快速运行应该是相当简单的。

If you're using a more complex server design (async sockets, IOCP, etc) then it's a bit more work as the examples don't tend to show these things. 如果您使用的是更复杂的服务器设计（异步套接字，IOCP等），则需要做更多的工作，因为示例并不倾向于显示这些内容。 I wrote an article for Windows Developer Magazine back in 2002 which is available here which shows how to use OpenSSL with async sockets and this code can be used to work with overlapped I/O and IOCP based servers if you need to. 我早在2002年就为Windows Developer Magazine撰写了一篇文章，该文章在此处提供，该文章展示了如何将OpenSSL与异步套接字一起使用，并且如果需要，此代码可用于与重叠的基于I / O和IOCP的服务器一起使用。