Hi.
I'm trying to set up some security around a small script of mine. It exists to transfer one file from one server to another through https post. But I do not want to receive posts from any other box than one particular server. How can I test this?
How do I check who sent me a post?
Re: How do I check who sent me a post?
Is the script on the sender server or the receiver server?
Re: How do I check who sent me a post?
Ok, this is the same scenario as described in viewtopic.php?f=34&t=129640. I threw out my attempts at ssh transfers, as ssh.shell or ssh.tunnel transfers do not support unlink, which is a requirement. Also, my client prefers not to use ftp in any form.
So, to recap on that issue: two PHP servers are communicating. The first one needs to transfer a file to the second one, but I want the second server to only accept files from the first server. No one else. This requires me to check if the sender actually is my first server.
I was thinking along the lines of checking for POST headers or something like that.
Or perhaps I can use SSL in cURL? I already have set up a public/private key... Anybody know how to do this?
Re: How do I check who sent me a post?
There are plenty of articles on SSL and curl. I guess it depends on how secure you want to get.
You know that curl can do FTP, right? Why would your client care as long as they don't have to actually interact with the FTP themselves? And FTP supports authentication (use secure FTP, obviously).
But if they're that insistent on FTP not being involved at all, it should be a simple matter of sending the file with a form that uses authentication. The script on the client side would have the user name and password; you could also throw in some other parameters to get certain host information and send it as form fields just for extra security. If you're worried about someone with physical access to the server copying the script and applying it to a different machine, that presents a whole new set of problems, but it sounds like you just want a basic sanity check, not super tight security.
Re: How do I check who sent me a post?
If you POST the file, the receiving server can check the remote IP (for the receiving server, the remote IP will be the IP of the sending server). If the remote IP matches what you've hardcoded, process $_POST.
If you're worried about IP spoofing though, this wouldn't work.
Real programmers don't comment their code. If it was hard to write, it should be hard to understand.
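The two checks suggested in this thread (comparing the remote IP, and sending a user name and password as form fields), combined in one receiving script. This is an added example, not code posted by anyone in the thread; the environment variable names, the form field names `user`, `pass` and `file`, the address and the target directory are all assumptions.

```php
<?php
// receive.php on the receiving (second) server. Added example; names and values are assumptions.
declare(strict_types=1);

// Constructed configuration: set these in the web server's environment, not in the script.
$allowedIp = getenv('SENDER_IP') ?: '203.0.113.10';  // documentation-range placeholder address
$user      = getenv('UPLOAD_USER') ?: '';
$passHash  = getenv('UPLOAD_PASS_HASH') ?: '';        // output of password_hash()
$targetDir = '/var/spool/incoming';                   // hypothetical path outside the web root

function reject(int $status, string $reason): void
{
    // Log every refusal so unexpected senders show up in the error log.
    error_log("upload rejected: $reason from " . ($_SERVER['REMOTE_ADDR'] ?? 'unknown'));
    http_response_code($status);
    exit;
}

if (($_SERVER['REQUEST_METHOD'] ?? '') !== 'POST') {
    reject(405, 'not a POST');
}
if (empty($_SERVER['HTTPS']) || $_SERVER['HTTPS'] === 'off') {
    reject(403, 'not HTTPS');  // credentials must never travel in clear text
}

// Check 1: the TCP peer address. Use REMOTE_ADDR only; X-Forwarded-For and
// other request headers are written by the client and prove nothing.
if (($_SERVER['REMOTE_ADDR'] ?? '') !== $allowedIp) {
    reject(403, 'unexpected source address');
}

// Check 2: credentials sent as form fields, compared without timing leaks.
$field  = fn(string $k): string => is_string($_POST[$k] ?? null) ? $_POST[$k] : '';
$okUser = hash_equals($user, $field('user'));
$okPass = password_verify($field('pass'), $passHash);
if ($user === '' || $passHash === '' || !$okUser || !$okPass) {
    reject(401, 'bad credentials');
}

// Check 3: accept exactly one real upload and store it under a server-chosen name.
$f = $_FILES['file'] ?? null;
if ($f === null || $f['error'] !== UPLOAD_ERR_OK || !is_uploaded_file($f['tmp_name'])) {
    reject(400, 'no valid upload');
}
$dest = $targetDir . '/' . bin2hex(random_bytes(8)) . '.upload';
if (!move_uploaded_file($f['tmp_name'], $dest)) {
    reject(500, 'could not store file');
}
http_response_code(204);
```

If the receiver sits behind a reverse proxy or load balancer, `REMOTE_ADDR` is the proxy's address, so the address check has to be enforced at the proxy instead.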