【发布时间】:2013-12-27 19:19:21
【问题描述】:
所以我们创建了一个 api,我们要确保它是通过 https 安全连接调用的,我们如何从 api 中知道它正在安全地服务。例如,如果从另一个域向我们的 api 发出这样的请求:
https://ourdomain.com/api.php?appId=dev4&apiKey=XXXX
来自api.php,我们如何知道我们是通过 https 安全访问的?
【问题讨论】:
【发布时间】:2013-12-27 19:19:21
【问题描述】:
您可以在api.php 中添加此条件:
if (empty($_SERVER['HTTPS']) || $_SERVER['HTTPS'] == 'off') {
// no ssl
} else {
// ssl
}
编辑:正如@Salman A 所说,$_SERVER['HTTPS'] 可以是“开”或“关”。所以我修改了代码。
【讨论】:
-
$_SERVER['HTTPS']可以包含字符串"off"并且"off"不为空。 -
还是错了。您同时检查空和 == off,将始终为 false。
-
@Ghigo,谢谢。改的有点太快了。
当 HTTPS 请求由 PHP 脚本处理时,$_SERVER autoglobal 会填充许多与 SSL 相关的额外标头。您可以检查其中的一些。
我会检查$_SERVER['HTTPS']=='on'
[HTTPS] => on
[SSL_SERVER_S_DN_C] => IT
[SSL_SERVER_S_DN_ST] => Some-State
[SSL_SERVER_S_DN_L] => Italy
[SSL_SERVER_S_DN_O] => test
[SSL_SERVER_S_DN_OU] => test
[SSL_SERVER_S_DN_CN] => test
[SSL_SERVER_S_DN_Email] => test@example.com
[SSL_SERVER_I_DN_C] => IT
[SSL_SERVER_I_DN_ST] => Some-State
[SSL_SERVER_I_DN_L] => Country
[SSL_SERVER_I_DN_O] => test
[SSL_SERVER_I_DN_OU] => test
[SSL_SERVER_I_DN_CN] => test
[SSL_SERVER_I_DN_Email] => test@example.com
[SSL_VERSION_INTERFACE] => mod_ssl/2.2.24
[SSL_VERSION_LIBRARY] => OpenSSL/1.0.1e
[SSL_PROTOCOL] => TLSv1
[SSL_SECURE_RENEG] => true
[SSL_COMPRESS_METHOD] => NULL
[SSL_CIPHER] => DHE-RSA-AES256-SHA
[SSL_CIPHER_EXPORT] => false
[SSL_CIPHER_USEKEYSIZE] => 256
[SSL_CIPHER_ALGKEYSIZE] => 256
[SSL_CLIENT_VERIFY] => NONE
[SSL_SERVER_M_VERSION] => 1
[SSL_SERVER_M_SERIAL] => C6D11EC56F9B9F1A
[SSL_SERVER_V_START] => Oct 31 09:51:34 2013 GMT
[SSL_SERVER_V_END] => Jul 27 09:51:34 2018 GMT
[SSL_SERVER_S_DN] => /C=IT/ST=Some-State/L=Italy/O=test/OU=test/CN=test/emailAddress=test@example.com
[SSL_SERVER_I_DN] => /C=IT/ST=Some-State/L=Italy/O=test/OU=test/CN=test/emailAddress=test@example.com
[SSL_SERVER_A_KEY] => rsaEncryption
[SSL_SERVER_A_SIG] => sha1WithRSAEncryption
[SSL_SESSION_ID] => 832D61116CB619ACF9B9FD3080B2BC8DB48343B3033023D683AC8A9D22C6A064
【讨论】:
-
谢谢,这就是我想要的。只要允许我就会接受这个答案。