(first question on stack exchange, feel free to comment/criticize)
Context
I have a Debian server with
- Flash Media Server (FMS) listening on port 80 and 1935 (which is the default)
- Apache2 listening on port 8134
FYI, FMS purpose is video streaming, among other things. It uses the RTMP protocol.
From what I understand :
When FMS requests are blocked on 1935, there is a fallback on 80. The protocol changes and becomes HDS, which is RTMP over HTTP (slower, but it works).
FMS needs 80 port to do that fallback.
Apache, on the other way, delivers html, css, ... and swf files, which are flash files used on client to connect the server.
From client side, you reach these files on port 80. FMS then proxies to Apache the HTTP requests it can't handle.
This way Apache doesn't need to be configured on port 80, thus avoiding port conflict on 80.
Everything is working great so far.
But recently, I had to add SQL functionnality to FMS. And FMS hasn't SQL connection built-in natively. It can barely do HTTP requests. So you have to handle SQL on another server-side technology. Since Apache is already in the house, PHP/MySQL comes to mind.
So I installed PHP and MySQL, and created a gateway .php script which acts as a very simple data access layer.
It works, FMS can request JSON data made from PHP/MySQL with json_encode, and since FMS langage is ActionScript, read Javascript, I did (new Function("return " + src))() and voilĂ , I had my js object straight from the database.
Very simple and avoids to build a J2EE server or bring back Zend Framework to speak AMF.
Now comes my security problem :
the .php gateway is accessible to everybody, which means anybody can come up with the .php URL with the right GET arguments and read from the database, or mess with it.
I'd like to allow only FMS to speak with the gateway. But I need clients to still be able to request for every other file (html, css, swf...).
