Protect PHP Scripts from unauthorized access
Question
I'm currently developing a set of php scripts that act as a private API that is only to be used by some authorized machines. The scripts interface directly with the MySQL database so I must make sure that no public unauthorized access, as in making the scripts run successfully, is possible.
I've been considering the different alternatives but I decided to come here for some different opinions.
I'm running with nginx.
The API is used externally by a C# program (using WebClient) and a few other servers, which IPs may change, so I was avoiding a IP based approach.
I was considering passing a "key" parameter through post to check for a match
if($_POST['key'] == 'key')
There are probably better alternatives, what you do think?
4 answers
solution1
1 2014-04-10 23:30:17
You can configure TLS authorization using client certificates:
Flexible and secure.
Here is a tutorial: http://blog.nategood.com/client-side-certificate-authentication-in-ngi
solution2
0 2014-04-10 23:12:16
I usually use the key method you wrote but I definitely believe in a defense in depth method. SO I would add some server level protection, check out nginx access control methods. maybe something like:
deny: all allow IP: 127.0.0.1
solution3
0 2014-04-10 23:16:34
I would use either a public/private key authentication or use a username and password/api key for each client. Only other option IMO would be using LDAP or other directory authentication, which likely isn't ideal for most situations.
solution4
0 2014-04-10 23:31:01
You can use basic HTTP auth, but this method is not 100% secure, it is vulnerable to middle man attacks
The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.