Server and SSL API Security

Question

Currently I'm developing an REST API

my API access are only between my server and my client server(B2B, business to business). example : myserverapi.com(My REST API Server) and myclientserver.com(My Client Server who access My API) *no 3rd connection/application

we are implementing api_key(of course it a must), and domain name(so the client specific the domain name that he will access the api, so my server api will only accept from that)

for myserverapi.com, how to only receive connection from myclientserver.com ? is only using $_SERVER['REMOTE_ADDR'] ? Is that enough ? but after reading from a few place, that i can't use that because the IP may be wrong if it under proxy or loadbalancer farm. What's the solution ?

and how if i installed SSL Certificate ? is i must change my code ? or just buy and install on the server side that automatically my api will be secure ?

is openssl-verify function only the secure way to realy get know that the access are from specific server or not ? http://php.net/manual/en/function.openssl-verify.php Is that mean i must change my code to encrypt and decrypt data like in this link http://3stepsbeyond.co.uk/2010/12/openssl-and-php-tutorial-part-two/

so basically i just want to make sure for myserverapi.com to only get access from myclientserver.com. and the myclientserver.com only accept data from myserverapi.com. how to do that ?

I hope some one give me a good explain.

Thank You

Answer 1

There's a series of things you can do. The most code agnostic is HTTPS client certificates. If you don't care about who the user exactly is, but just want to make sure that is an allowed one let apache handle that. It's only a few lines in the config file, and you won't have to touch your code.

Your second option is ACLs, which you can handle again within Apache even at the path level. And of course at an OS level you can apply them as well to IPs and ports. Same applies to a firewall in or in front of your server/servers.

If you don't want to deal with managing certificates or IP/port firewalling and ACLs you can implement 2 legged Oauth. The clients can use a library since they exists in virtually any language already, and the code for the server is not too complicated.

Answer 2

For the SSL Certificate, you don't have to alter your code. You may, however, want to check the server port and throw an exception if not SSL:

if ($_SERVER['SERVER_PORT'] != 443) {
    header('405 Method Not Allowed');
    exit();
}

Of course, you could accomplish similar restrictions using Apache, by simply not serving out on port 80.

For the IP restrictions, $_SERVER['REMOTE_ADDR'] should work under most conditions. Unfortunately, I don't think there's a way around proxies. However, an API key should be sufficient for most security requirements.

Answer 3

A little late for an answer, but for checking remote_addr for requests that might come via proxy you can check if X-forwarded-for header is set, and use that if it exists.

http://en.wikipedia.org/wiki/X-Forwarded-For