Sometimes I have some APIs that should only be accessible by certain specifically listed trusted internal clients.
I had been protecting these at the Apache layer with client IP restrictions and/or HTTP basic auth. Neither of these is actually secure: client IP can be easily spoofed, and HTTP basic auth is known to be entirely insecure and nobody should use it — but implementing the somewhat more secure digest auth in Apache is annoyingly not as simple or well-supported.
So I was thinking, isn’t there some way to use known public key exchange, similar to how you set up passwordless SSH, with the https SSL connection? Hopefully that can be done in just a couple easy lines of apache conf, on a standard apache install? I figured there must be, but never spent the time to figure it out.
There is! You can set up mod_ssl to protect only certain parts of your website (the protected APIs), allowing access only to clients using certs signed by a specific Certificate Authority. For these purposes the “certificate authority” can be local/self-signed.
This is still a bit of a pain. I need to figure out the simplest way to create that local CA and the necessary keys (a bit more complex than the specified-key exchange used to set up SSH, alas). And then I need to figure out how to use my various HTTP client libraries to make https/SSL requests using specified keys from disk.
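As an added example (not from the original post), here is the "create a local CA, issue a client cert, and write the mod_ssl snippet" procedure the two paragraphs above describe, done with plain `openssl` so it runs on a standard install. It writes its own minimal `openssl.cnf` rather than relying on the system one, and `verify_client` applies the same check mod_ssl performs under `SSLVerifyClient require`: the presented cert must chain to our local CA and be marked for TLS client auth. All names and paths (`$WORK`, `worker1`, `/internal-api`, `protected-api.conf`) are assumptions for illustration.

```shell
#!/bin/sh
# Added example: throwaway local CA + one client cert + a mod_ssl snippet that
# admits only clients presenting a cert signed by that CA. Names/paths are
# illustrative assumptions, not a real deployment.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# Minimal openssl config so the example does not depend on the system openssl.cnf.
write_openssl_cnf() {
  cat > "$WORK/openssl.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder

[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash

[v3_client]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature
extendedKeyUsage = clientAuth
subjectKeyIdentifier = hash
EOF
}

# Self-signed CA whose only job is signing trusted internal client certs.
make_ca() {
  openssl req -x509 -new -newkey rsa:2048 -nodes -days 3650 \
    -config "$WORK/openssl.cnf" -extensions v3_ca \
    -subj "/CN=Internal API client CA (example)" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
}

# Key + CSR for one client, then sign it with the CA; $1 becomes the cert CN.
issue_client() {
  openssl req -new -newkey rsa:2048 -nodes \
    -config "$WORK/openssl.cnf" -subj "/CN=$1" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/$1.csr" -days 365 \
    -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -CAcreateserial \
    -extfile "$WORK/openssl.cnf" -extensions v3_client \
    -out "$WORK/$1.crt" 2>/dev/null
}

# A cert NOT issued by our CA (self-signed by the client); mod_ssl must reject it.
make_rogue() {
  openssl req -x509 -new -newkey rsa:2048 -nodes -days 1 \
    -config "$WORK/openssl.cnf" -extensions v3_client \
    -subj "/CN=$1" -keyout "$WORK/$1.key" -out "$WORK/$1.crt" 2>/dev/null
}

# Exit 0 only if $1.crt chains to our CA and is valid for TLS client auth.
verify_client() {
  openssl verify -CAfile "$WORK/ca.crt" -purpose sslclient "$WORK/$1.crt" >/dev/null 2>&1
}

# Hypothetical vhost fragment (goes inside a vhost that already has SSLEngine on).
write_apache_conf() {
  cat > "$WORK/protected-api.conf" <<EOF
SSLCACertificateFile $WORK/ca.crt
<Location "/internal-api">
    # Only certs signed directly by the local CA are admitted
    SSLVerifyClient require
    SSLVerifyDepth 1
    # Optionally pin to the specific client CNs the CA issued
    SSLRequire %{SSL_CLIENT_S_DN_CN} in {"worker1", "worker2"}
</Location>
EOF
}

write_openssl_cnf
make_ca
issue_client worker1
write_apache_conf
verify_client worker1
echo "worker1 cert verifies against $WORK/ca.crt; config in $WORK/protected-api.conf"
```

Two things worth knowing before wiring this in: `SSLVerifyClient` placed in a `<Location>` rather than the whole vhost makes Apache re-negotiate the client cert only for that path, which is exactly the "protect only the APIs" behaviour wanted here; and because the CA key alone decides who is trusted, keep `ca.key` off the web server entirely (only `ca.crt` needs to be there). Revoking a client means either a CRL via `SSLCARevocationFile` or simply re-issuing the CA and every client cert, which for a handful of internal clients is often the simpler route.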
But this seems to be the best ‘right’ way to do this, yes? Any other ideas? Any tips on how to accomplish the things I haven’t figured out yet?