Communication between two servers via curl and mcrypt

I have two servers in two locations. Server 1 subtracts client information (such as addresses, email address, and phone numbers) of Server 2 through a php CURL session with a user agent that validates Server 2. Server 2 serves up a JSON string.

I want to make sure two things:

  • If someone sniffs my packages, they won't see the actual data;
  • If someone tries to call a php page on server 2 (with the corresponding user agent) en got something that doesn't make sense to them (like the email address or phone number of the client).

After looking at different methods, I thought to encrypt a JSON text string on server 2; get it with curl from server 1; and decrypt it using the public key.

Things I would like to know:

  • Which cipher should I use?
  • Is this excess?
  • Or is there a better way to achieve this?

BTW: Combining two servers is not an option!


source to share

2 answers

Instead of implementing your own encryption routine, I would recommend serving your json data from server 2 via https, which will keep an eye on encryption just fine.

Please note that you do not need to purchase a certificate, you can sign server2 yourself and hang on server1, allow an "insecure" https connection (insecure means that the certificate is not trusted, but the data is still encrypted).

For a whitelist that is allowed to request data from server 2, use the whitelist by ip if you are able. Another way (or in addition) could be a simple shared secret signature system.

To illustrate, set up your own HTTP header when server 1 makes a request (eg "My-Signature") and uses your signature "algorithm" setting (simple example in php below):

$sig = sha1($user_agent
            . $date_header_value
            . $http_request_path
            . $http_query_string
            . $http_raw_post_payload
            . $shared_secret);


Then you can customize the request header:

My-Signature: $sig


You can make your signature system as complex as you like. The idea is that server2 knows the same signature "recipe", can extract all the fields it needs from the request headers, query string, and mail payload, and use the shared secret to compute the signature on its side.

Compare the computed signature with the signature passed in the My-Signature header and submit a request if they match. If not, open the 403 answers page.



  • No, this is not too much. It is good practice to encrypt data during transmission between servers.
  • Along with your user agent, do your servers have static IP addresses as well? Do an IP check. If the IP is not what you expected, just display the default denied screen at 403 to force the user to track that they were blocked by Apache and not your script.

As far as encryption is concerned, I cannot help. You have Google.



All Articles