I've got two servers on two locations. Server 1 subtracts client-information (like addresses, email and telephone numbers) of server 2 via a php CURL session with a custom user agent which server 2 checks. Server 2 serves a JSON string.
I want to make sure two things:
After looking at different methods I was thinking to encrypt the JSON text string on server 2; get it with curl from server 1; and decrypt it with a shared key.
Things i would like to know:
BTW: merging the two servers is not an option!
Instead of implementing your own encryption routine, I'd recommend serving your json data from server 2 over https, that will take take care of the encryption nicely.
Note that you do not need to purchase a certificate, you can self-sign server2 and have curl in server1 allow "insecure" https connection (insecure means that the cert is not trusted, but the data is still encrypted).
To whitelist who is allowed to request data from server 2, whitelist by ip if you are able. Another way (or in addition), could be a simple signature system with a shared secret.
For illustration, set up a custom http header when server 1 makes the request (say "My-Signature") and use a set up your signature "algorithm" (simple example in php below):
$sig = sha1($user_agent
. $date_header_value
. $http_request_path
. $http_query_string
. $http_raw_post_payload
. $shared_secret);
Then you can set up the request header:
My-Signature: $sig
You can make your signature system as complicated as you'd like. The idea is that server2 knows the same signature "recipe", can extract all the fields it needs from the request headers, the query string, and post payload, and use the shared secret to compute the signature on its side.
Compare the computed signature, to the signature passed in the My-Signature header and serve the request if they match. If not, serve a 403 response page.