
Scenario:

I have a webserver running PHP, and I want to be able to securely send a request to a separate server running Node.js and get a response back. The Node server will never need to send anything to the webserver by itself, e.g. notifications/updates. So I don't think I need the two-way communication that WebSockets would provide.

PHP sends a request to Node, Node processes the request and sends back data (most likely in JSON), and PHP continues with its script using the returned data.

Problem

I own the server running Node, but the webserver is out in the wild. I need a way of making sure that any requests that come in to the Node server are actually from the webserver and not someone/something else, and I need the request and response data to be encrypted.

I have gathered that I don't want to rely on something simple like checking IP addresses; I know that the webserver and the Node server will both have to have some shared secret information/algorithms to encode data. I could have a go at implementing this myself, but I know this problem is already solved with some encryption protocol / libraries. I'm familiar with the concepts of encryption and keys, but I have never had to implement them.

Question

  • What is the best way to go about this?
  • What kind of encryption should/can I use that is supported by both PHP and Node.js?
  • What would be the potential security threats, if any?
Dooglz
  • Apart from checking that the webserver has a preset IP/IP range, you can also assign a secret hash in both servers and encrypt the data with openssl_encrypt. – Mohammad Tomaraei Dec 30 '13 at 18:06
  • http://stackoverflow.com/a/3422787/2083292 – Mohammad Tomaraei Dec 30 '13 at 18:12
  • Just encrypt the data with a shared secret (AES would be fine and works on both). Or, you could step it up and encrypt with a public/private key. Or, if you just used SSL on the NodeJS server, and passed a token/key, that should be fine too as it would be a secret that only the 2 servers would know. It would be even easier to implement if you use SSL on the NodeJS server for traffic. – WiredPrairie Dec 30 '13 at 20:14

1 Answer


I would suggest having the two web servers interact using REST APIs.

REST APIs are used in these types of implementations.

If you can build a proper authentication strategy, then the communication should be secure. If you enable SSL on Node, the communication will be encrypted. You can also limit by IP addresses, hostnames, and user agent strings.

Token-based authentication with SSL should be good enough security. Utilize a strategy that implements a nonce, and always have the tokens expire.

Implement a CSRF strategy to prevent MITM attacks.

Build a token-based strategy that relies on common encryption methods, such as:

tpae