https SSL trusted client access

Sometimes I have some APIs that should only be accessible by certain specifically listed trusted internal clients.

I had been protecting these at the apache layer with client IP restrictions and/or HTTP basic auth. Neither of these is actually secure: client IP can be easily spoofed, and HTTP basic auth is known to be entirely insecure and nobody should use it — but implementing the somewhat more secure digest auth in apache is annoyingly not as simple/well-supported.

So I was thinking, isn’t there some way to use known public key exchange, similar to how you set up passwordless SSH, with the https SSL connection? Hopefully that can be done in just a couple easy lines of apache conf, on a standard apache install? I figured there must be, but never spent the time to figure it out.

There is! You can set up mod_ssl to protect only certain parts of your website (the protected APIs), allowing access only to clients using certs signed by a specific Certificate Authority. For these purposes the “certificate authority” can be local/self-signed.

This is still a bit of a pain. I need to figure out the simplest way to create that local CA and the necessary keys. (A bit more complex than the specified-key exchange to set up SSH, alas.) And then I need to figure out how to use my various http client libraries to make https/ssl requests using specified keys from disk.

But this seems to be the best ‘right’ way to do this, yes? Any other ideas? Any tips on how to accomplish the things I haven’t figured out yet?
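The pieces the post says it has not worked out yet (a local CA, a client cert signed by it, and the mod_ssl configuration that demands such a cert only for the protected paths) fit in one short script. This is an added example, not code from the post or its comments; the directory layout, the CN values, the `/api` location and the `api.internal` hostname are assumptions for illustration. The `openssl verify` calls reproduce the check mod_ssl performs on a client cert: it must chain to the CA named in `SSLCACertificateFile` and nothing else.

```shell
#!/bin/sh
# Added example (not from the original post): build a private CA, issue one
# client certificate, confirm it chains to the CA, and write the mod_ssl
# fragment that admits only CA-signed clients to /api.
# Paths, CNs and the /api location are assumptions for illustration.
set -eu

make_trusted_client_pki() {
    dir="$1"                       # output directory (assumption)
    mkdir -p "$dir"

    # 1. Private CA: self-signed. Keep ca.key offline; only ca.crt goes on the server.
    openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
        -subj "/CN=internal-api-ca" \
        -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null

    # 2. Client key + CSR, signed by the CA. Issue one cert per trusted client
    #    so a single client can be revoked by not renewing it.
    openssl req -newkey rsa:2048 -nodes \
        -subj "/CN=trusted-client-1" \
        -keyout "$dir/client.key" -out "$dir/client.csr" 2>/dev/null
    openssl x509 -req -days 365 -in "$dir/client.csr" \
        -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
        -out "$dir/client.crt" 2>/dev/null

    # 3. Apache fragment: a client cert is required only inside <Location /api>.
    #    SSLCACertificateFile holds ONLY our CA, so a cert from any public CA
    #    (which anyone can buy) fails the check. Include this in the TLS vhost.
    cat > "$dir/trusted-clients.conf" <<EOF
SSLCACertificateFile $dir/ca.crt
<Location /api>
    SSLRequireSSL
    SSLVerifyClient require
    SSLVerifyDepth 1
</Location>
EOF
}

# Returns 0 only if client.crt chains to ca.crt, i.e. what mod_ssl will accept.
verify_client_cert() {
    dir="$1"
    openssl verify -CAfile "$dir/ca.crt" "$dir/client.crt" >/dev/null 2>&1
}

# Returns 0 when a self-signed cert from outside our CA is correctly rejected.
reject_untrusted_cert() {
    dir="$1"
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=imposter" \
        -keyout "$dir/other.key" -out "$dir/other.crt" 2>/dev/null
    ! openssl verify -CAfile "$dir/ca.crt" "$dir/other.crt" >/dev/null 2>&1
}

# Usage: sh this.sh /etc/apache2/trusted-clients   (directory is an assumption)
if [ "$#" -ge 1 ]; then
    make_trusted_client_pki "$1"
    verify_client_cert "$1" && echo "client.crt chains to ca.crt"
    echo "Call the protected API from a trusted client with:"
    echo "  curl --cert $1/client.crt --key $1/client.key https://api.internal/api"
fi
```

Client side, the same key/cert pair is what each HTTP library needs to be pointed at; for curl that is `--cert` and `--key` as printed above, and a request to `/api` without them is refused during the TLS handshake before any application code runs, while paths outside `<Location /api>` stay open as before.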


2 Responses to https SSL trusted client access

  1. Peter Corrigan says:

    The facade pattern in software design is well proven at the granularity of objects. Does this utility scale to software architecture? I think it does.

    Assuming you have a high degree of control over both sender and receiver, how about a CGI or mod_whatever constructed facade to the API. Create this on the same server that hosts the API. In most cases you can whip up such an abstraction quite quickly. Utilize a shared secret and pass all traffic via SSL. As far as the API is concerned the calls are coming from localhost and, of course, only localhost originated calls are accepted.

  2. jrochkind says:

    I am not sure what ‘facade pattern’ means, but I think you are describing the same thing as I did above? The application is behind an apache layer, the apache layer restricts access using https/ssl, by means of only accepting https/ssl connections from keys signed by a trusted CA.
