I have two systems that need to talk. The systems are configured as follows:

- System A, running Django (Python 2.5) on Google App Engine (GAE)
- System B, running Django (Python 2.6) on Ubuntu Linux behind Lighttpd (possibly nginx later)

System A will periodically make requests ("requisitions") to System B using URL Fetch.
On System B, a Django application listens for these requests via urls.py with something like:

```python
from django.conf.urls.defaults import patterns, url

urlpatterns = patterns('producer.views',
    url(r'^requisition$', 'requisition', name='requisition'),
)
```

And the corresponding views.py with something like:

```python
import json

from django.http import HttpResponse


def requisition(request):
    """do something"""
    response = HttpResponse()
    response['Content-Type'] = 'application/json'
    response.write(json.dumps(...))
    return response
```
It would be a valuable addition to system security if System B only responded to requests from System A.
I would like to know what options are available for System B to verify that requests come from System A. I reviewed the following:
- Check that the request's IP address belongs to GAE (but I don't know the GAE IP addresses, they can change, and they can be tampered with).
- Check that the reverse DNS of the IP resolves to GAE (but I don't know which GAE DNS records to expect, they may change, and they can be tampered with).
- Use a TLS client certificate from System A, but I don't know how to do that with GAE.
- Do a challenge/response based on something shared, like a salt, with pycrypto.
Ideally, I want views.py to end up with something like:

```python
...
from django.http import HttpResponseForbidden


def requisition(request):
    """do something"""
    if not verify_request_origin():
        return HttpResponseForbidden("Denied.")
    response = HttpResponse()
    ...
```

where verify_request_origin() returns True when the request received by System B came from System A on GAE.
Thank you and I look forward to hearing from you.
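One concrete shape for the shared-secret option from the list above, and for the verify_request_origin() check the question sketches, as an added example that is not part of the original post: System A signs each URL Fetch request with an HMAC over the method, path, a timestamp, a random nonce and a hash of the body; System B recomputes the HMAC with the same secret, rejects stale timestamps and replayed nonces, and only then serves the request. The secret value, the X-Requisition-* header names, the 5-minute clock-skew window and the in-memory nonce set are assumptions made for this example. It is written for Python 3 (hmac.compare_digest and bytes.hex() are not available on the Python 2.5/2.6 the question mentions; on those versions a manual constant-time compare and .encode('hex') would be needed).

```python
"""Shared-secret request signing between System A (signer) and System B (verifier).

Added example, not code from the original post. Standard library only; the Django
wiring for System B is sketched in headers_from_meta() and the comment at the end.
"""
import hashlib
import hmac
import os
import time

# Constructed secret for this example; provision a real one out of band on both systems.
SHARED_SECRET = b"example-shared-secret-rotate-me"
MAX_SKEW_SECONDS = 300  # assumption: accept timestamps within +/- 5 minutes of System B's clock

# Header names are assumptions for this example, not anything the two systems already use.
H_TIMESTAMP = "X-Requisition-Timestamp"
H_NONCE = "X-Requisition-Nonce"
H_SIGNATURE = "X-Requisition-Signature"


def _canonical(method, path, timestamp, nonce, body):
    """Canonical string both sides MAC over; the body is bound through its SHA-256."""
    body_hash = hashlib.sha256(body).hexdigest()
    return "\n".join([method.upper(), path, timestamp, nonce, body_hash]).encode("utf-8")


def sign_request(method, path, body, secret=SHARED_SECRET, timestamp=None, nonce=None):
    """System A side: returns the headers to attach to the URL Fetch call."""
    if timestamp is None:
        timestamp = str(int(time.time()))
    if nonce is None:
        nonce = os.urandom(16).hex()  # fresh 128-bit random nonce per request
    mac = hmac.new(secret, _canonical(method, path, timestamp, nonce, body), hashlib.sha256)
    return {H_TIMESTAMP: timestamp, H_NONCE: nonce, H_SIGNATURE: mac.hexdigest()}


def verify_request_origin(method, path, body, headers, seen_nonces, secret=SHARED_SECRET, now=None):
    """System B side: True only for a request with a valid, fresh, not-yet-seen signature.

    seen_nonces is a set-like store; a plain set is enough for one process and this
    example, a multi-worker deployment would keep it in memcache or the database and
    can drop entries older than MAX_SKEW_SECONDS since those are rejected anyway.
    """
    try:
        timestamp = headers[H_TIMESTAMP]
        nonce = headers[H_NONCE]
        signature = headers[H_SIGNATURE]
    except KeyError:
        return False  # unsigned request
    try:
        ts = int(timestamp)
    except ValueError:
        return False
    if now is None:
        now = time.time()
    if abs(now - ts) > MAX_SKEW_SECONDS:
        return False  # stale or far-future timestamp
    expected = hmac.new(secret, _canonical(method, path, timestamp, nonce, body), hashlib.sha256)
    # Constant-time comparison: a plain == would leak how many leading bytes matched.
    if not hmac.compare_digest(expected.hexdigest().encode("utf-8"),
                               signature.encode("utf-8", "replace")):
        return False  # wrong secret or tampered method/path/body/headers
    # Replay check comes after the MAC check so an unsigned request cannot burn a nonce
    # that a genuine request will use later.
    if nonce in seen_nonces:
        return False
    seen_nonces.add(nonce)
    return True


def headers_from_meta(meta):
    """Map Django's request.META (HTTP_X_FOO_BAR -> X-Foo-Bar) to the header dict used above."""
    out = {}
    for key, value in meta.items():
        if key.startswith("HTTP_"):
            out[key[5:].replace("_", "-").title()] = value
    return out


# Django wiring on System B, as a sketch (request.body is request.raw_post_data on old Django):
#
# SEEN_NONCES = set()
#
# def requisition(request):
#     if not verify_request_origin(request.method, request.path, request.body,
#                                  headers_from_meta(request.META), SEEN_NONCES):
#         return HttpResponseForbidden("Denied.")
#     ...

if __name__ == "__main__":
    body = b'{"item": "widget", "qty": 3}'  # constructed sample requisition
    hdrs = sign_request("POST", "/requisition", body)
    seen = set()
    print("genuine :", verify_request_origin("POST", "/requisition", body, hdrs, seen))
    print("replay  :", verify_request_origin("POST", "/requisition", body, hdrs, seen))
    print("tampered:", verify_request_origin("POST", "/requisition", b'{"qty": 999}', hdrs, set()))
```

The IP and reverse-DNS checks from the list are still worth layering on top if GAE's egress ranges are known, but this check is the one that does not depend on them: it proves possession of the secret and binds it to this exact request, so a request forged from a GAE-owned address without the secret, or a captured genuine request replayed later, is refused.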