So I want to secure my API based on the website host server.
[client] ------> [website] -------> [Slim API]
what i need to do is to get the website ip/domain, not the client Ip neither the API Ip ^^
I try $request->getIp() but it return me the client Ip
I also try the $request->getUrl() but it return me the API Url
I’m working with PHP and using middleware. but this middleware condition need to be based on the website host server ip. Why? cause our product is a whitelable website. so we can have multiple domain name, so my guess would be to allow all the request but only those made from our website.
If $request->getIp() is giving you the client IP, then the client is making the request directly to the API and thus would have no knowledge of the website as it is not the client nor the server. In that case, you might need to pass the website in question as a parameter to the request which the API could then parse. However it could be easily faked or spoofed by the client.
An appropriate solution will depend on what data you might be able to use as well as the level of risk you may be willing to take. The webserver needs some sort of data that it can pass to the client, that would be meaningless to the client and then passed along and be meaningful to the API.
While maybe not a speedy option, the webserver could ask for a random token with expiration date from the API which it then gives to the client which then gives it back to the API. The API could ensure the token is valid, hasn’t expired, then delete it.
You could also have the client make the request to the webserver first, which in turn makes a request to the API, returns a result to the webserver, which returns the result to the client.
There are likely better ways, this isn’t a scenario I’ve worked with before, and you may be willing to work with a higher risk.