
(first question on stack exchange, feel free to comment/criticize)

Context

I have a Debian server with

  • Flash Media Server (FMS) listening on port 80 and 1935 (which is the default)
  • Apache2 listening on port 8134

FYI, FMS's purpose is video streaming, among other things. It uses the RTMP protocol.

From what I understand:

When FMS requests are blocked on 1935, there is a fallback on 80. The protocol changes and becomes HDS, which is RTMP over HTTP (slower, but it works).

FMS needs port 80 to do that fallback.

Apache, on the other hand, delivers html, css, ... and swf files, which are flash files used on the client to connect to the server.

From client side, you reach these files on port 80. FMS then proxies to Apache the HTTP requests it can't handle.

This way Apache doesn't need to be configured on port 80, thus avoiding port conflict on 80.

Everything is working great so far.

But recently, I had to add SQL functionality to FMS. And FMS doesn't have a SQL connection built in natively. It can barely do HTTP requests. So you have to handle SQL on another server-side technology. Since Apache is already in the house, PHP/MySQL comes to mind.

So I installed PHP and MySQL, and created a gateway .php script which acts as a very simple data access layer.

It works: FMS can request JSON data made from PHP/MySQL with json_encode, and since the FMS language is ActionScript, read JavaScript, I did (new Function("return " + src))() and voilà, I had my js object straight from the database.

Very simple, and it avoids building a J2EE server or bringing back Zend Framework to speak AMF.

Now comes my security problem:

the .php gateway is accessible to everybody, which means anybody can come up with the .php URL with the right GET arguments and read from the database, or mess with it.

I'd like to allow only FMS to speak with the gateway. But I need clients to still be able to request every other file (html, css, swf...).

HoverGuy

2 Answers

Use an .htaccess rule, sort of like this:

<Files ~ "^yourscript\.php$">
    # Evaluate Deny first, then Allow, so the listed address overrides the
    # blanket deny. (With "Order allow,deny" a trailing "Deny from all"
    # rejects every request, including the one from your FMS address.)
    Order deny,allow
    Deny from all
    Allow from your.fms.ip.address
</Files>

Obviously you'd need to make changes to apply to your application, but this is the easiest way.

Nathan C
  • What does the ~ (tilde) mean? Searched and had a hard time finding that since google doesn't index this kind of character. – HoverGuy Jul 17 '13 at 08:12
  • "Current directory". – Nathan C Jul 17 '13 at 12:10
  • Actually it seems your code denies every php file for everybody, which means my FMS server won't be able to request Apache for the gateway php script. There is no difference between a request issued from FMS and one issued from the outside, since every request from the outside must pass through FMS via port 80. – HoverGuy Jul 17 '13 at 14:46
  • @HoverGuy I modified it. Change "yourscript" to the script that will be pinged by your FMS server. You can also use `Allow from x.x.x.x` where x is the IP address of your FMS server. Place that above the Deny line. – Nathan C Jul 17 '13 at 14:54
  • Like I said, for Apache there is no IP address difference between what comes from the outside and what comes from the FMS server, since every request goes through FMS via port 80. Every request that hits Apache is from localhost. Hence the filtering by IP won't work here. – HoverGuy Jul 17 '13 at 15:22

I ended up adding some kind of basic authentication for the gateway script.

I decided to call the script with

http://localhost/script.php?login=user&password=xyz&action=todo&param=something&...

Everybody can access this script if they know the credentials, but now a password is set and you have to know it. Thus it makes it a little more complicated to find this url. Since this request runs from localhost to localhost on the server, I think the security is now good and nobody can "listen to the packets" to find it. Maybe it's not perfect. Comments welcome.

HoverGuy
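As an added illustration of the shared-secret approach in this answer (example code written for this page, not HoverGuy's actual gateway script), here is a minimal PHP gateway that refuses to touch the database unless the caller presents the secret only FMS knows. Two details differ from the URL shown above and are worth the change: the secret is read from a request header or POST field rather than the query string, because Apache writes query strings into its access log, and it is compared with hash_equals so a mismatch is not reported faster for a partially correct value. The file path /etc/fms-gateway.secret, the header name X-Gateway-Token, the database credentials and the getUser action are all assumptions for the example; PHP 7 or later is assumed for the ?? operator.

```php
<?php
// Added example, not the original poster's script.
// Assumption: the shared secret lives outside the web root in a file
// readable only by the Apache user, and FMS sends it back either in the
// X-Gateway-Token header or as a POST field named "token".
const SECRET_FILE = '/etc/fms-gateway.secret';   // hypothetical path

function load_secret(string $path): string
{
    $s = @file_get_contents($path);
    if ($s === false || trim($s) === '') {
        http_response_code(500);
        exit('gateway misconfigured');
    }
    return trim($s);
}

function presented_token(): string
{
    // Header first, POST body second; never the query string, which Apache logs.
    return $_SERVER['HTTP_X_GATEWAY_TOKEN'] ?? ($_POST['token'] ?? '');
}

function caller_is_authorized(string $expected, string $presented): bool
{
    // hash_equals runs in constant time, so timing does not reveal how many
    // leading bytes of a guess were right.
    return $presented !== '' && hash_equals($expected, $presented);
}

header('Content-Type: application/json');

if (!caller_is_authorized(load_secret(SECRET_FILE), presented_token())) {
    http_response_code(403);
    exit(json_encode(['error' => 'forbidden']));
}

// Assumed database credentials; keep them in the same secret file or a
// config outside the web root in a real deployment.
$pdo = new PDO('mysql:host=localhost;dbname=fms', 'fmsuser', 'dbpassword', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false,
]);

// Only a fixed list of actions is served, each as a prepared statement, so
// "param" is bound as a value and never becomes part of the SQL text.
$action = $_GET['action'] ?? '';
$param  = $_GET['param'] ?? '';

switch ($action) {
    case 'getUser':   // hypothetical action used by the FMS application
        $stmt = $pdo->prepare('SELECT id, name FROM users WHERE id = :id');
        $stmt->execute([':id' => (int) $param]);
        $result = $stmt->fetchAll(PDO::FETCH_ASSOC);
        break;
    default:
        http_response_code(400);
        $result = ['error' => 'unknown action'];
}

echo json_encode($result);
```

FMS would then call http://localhost/script.php?action=getUser&param=42 with the token in the header or POST body; a browser that discovers the URL but not the token gets a 403 and the database is never opened. The constant-time compare and the prepared statements are the two pieces that the original query-string version does not give you.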