Security key between two servers

I'm writing an application with two layers, sitting on two separate servers:

Presentation Layer (where the user uploads/selects images)

Application Layer (where images are processed)

There may be multiple different presentation servers that speak to the application server.

What is the best way to ensure only these presentation servers can speak to the application servers. Firewall isn't really an option as the presentation layers can be setup on the fly.

Is there a best practice to create a key between the two servers so when I do a GET/POST request to the Application layer from the Presentation layer it knows it is a valid request from that server and not the outside world?

I guess I could do something as crude as

/request/?key=x开发者_如何学运维yz123

and check that key == xyz123 on the other server but that doesn't seem too secure to me.

If both servers were to have a encryption hash I could do something like

encrypt(time()); on the presentation layer and then decrypt(time()); on the other server and check it was within 20 seconds of the request or something.

Just wondering what the best practices for this were?

Thanks!

Set up HTTPS on your servers and have them authenticate to each other using SSL certificates that you created for this specific purpose. There's a reason everyone does it this way.

Run your application layer over SSL, and then just use a key. You should really consider locking your application layer down to an IP range though, if it's in any-way sensitive.

encrypt(time()); on the presentation layer and then decrypt(time()); on the other server and check it was within 20 seconds of the request or something.

As others have said, it would be preferable to secure the connection further down the network stack. If this is not possible, then consider using a hash based on sequential transaction ids (to prevent replay attacks) and also some part of the data payload (to prevent request forgeries).

Using just the request time you would have to use reversible encryption rather than just hashes, and you only reduce the window for attacks - you've not addressed MITM or request forgeries.

(SSL gives me headache :p so here is a simple method i think)

A simple way is to set a password that you choose for example : "myLongPasswordWitheWeirdChracters" then encrypte it based on this password and send it with the "Post" or "Get" data (with the other stuff), then in the other server, the first thing you do is decrypting it using the same long password, as only your two servers knows this password, they are the only ones who can decrypte messages encrypted with this password orkey.

Well let me give you real stuff , theory is boring :p )

Use this class to crype : http://www.phpclasses.org/browse/file/17234.html Like this :

//Create a key, very long one

$myKey = "a big key with weird charcters àçèàçè'("; 

//Give it to the class

$crypter = new(2, $myKey);

//Now with $crypter you can encrypte evrything

$cryptedData = $crypter->encrypt($aDataInDB);

$aDataInDB is a unique variable for each upload from the first server that you store in its database (choos it randomly each time, it's more secure, and store it).

Now when the data arrives on the second server, decrypt it with the same class (there is a method for that) and connect to the first server database to check if it exists, if so, you can be sure that this query is coming from your server because you was ab le to decrypte successfully and compare it with the original (then delete it immidiatlyto keep your crtypted keys "single-time use" ).

Hope it helps :)