HTTP & RESTful API encryption: how to make sure the data you receive has not been tampered with.

If HTTPS cannot be used for deployment or performance reasons, hybrid encryption can be used to keep the data from being tampered with (it does not defend against man-in-the-middle attacks, nor against data leakage, unless a whitelist is used).
Hybrid encryption:

  1. client —> sends its RSA (asymmetric) public key to the server
  2. server randomly generates an AES symmetric key to encrypt the data, and encrypts that AES key with the client's public key
  3. server sends the AES-encrypted data together with the asymmetrically encrypted AES key to the client.
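The three steps above, as an added Go example that is not code from the original post: the client's RSA key pair (step 1), the server's fresh AES-256 key wrapped with RSA-OAEP (step 2) and the payload sealed with AES-GCM (step 3), whose authentication tag is what lets the client notice any modification. The JSON payload and the 2048-bit key size are constructed for the demonstration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// Envelope is the server's reply in step 3: sealed payload plus wrapped AES key.
type Envelope struct{ WrappedKey, Nonce, Ciphertext []byte }

// serverEncrypt is steps 2-3: fresh AES-256 key and 96-bit nonce, payload
// sealed with AES-GCM, key wrapped with RSA-OAEP(SHA-256) for the client.
func serverEncrypt(clientPub *rsa.PublicKey, payload []byte) (*Envelope, error) {
	key, nonce := make([]byte, 32), make([]byte, 12)
	rand.Read(key) // crypto/rand never returns an error on supported platforms
	rand.Read(nonce)
	block, _ := aes.NewCipher(key) // a 32-byte key cannot fail cipher setup
	gcm, _ := cipher.NewGCM(block) // AES's 16-byte block is what GCM requires
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, clientPub, key, nil)
	if err != nil {
		return nil, err
	}
	return &Envelope{wrapped, nonce, gcm.Seal(nil, nonce, payload, nil)}, nil
}

// clientDecrypt unwraps the key and opens the ciphertext; any bit changed in
// transit fails the GCM tag check, which is the tamper detection wanted here.
func clientDecrypt(priv *rsa.PrivateKey, env *Envelope) ([]byte, error) {
	key, err := rsa.DecryptOAEP(sha256.New(), nil, priv, env.WrappedKey, nil)
	if err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(key) // key came off the wire, so check it
	if err != nil {
		return nil, err
	}
	gcm, _ := cipher.NewGCM(block)
	return gcm.Open(nil, env.Nonce, env.Ciphertext, nil)
}

func main() {
	priv, _ := rsa.GenerateKey(rand.Reader, 2048) // step 1: client's key pair
	env, _ := serverEncrypt(&priv.PublicKey, []byte(`{"balance":100}`)) // constructed payload
	plain, err := clientDecrypt(priv, env)
	fmt.Println(string(plain), err)
}
```

Note that the client never authenticates who sent the public-key request or the envelope, which is exactly the man-in-the-middle gap the post points out; GCM only proves the envelope was not altered after the server sealed it.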

Https:

  1. The ‘client hello’ message: The client initiates the handshake by sending a “hello” message to the server. The message will include which TLS version the client supports, the cipher suites supported, and a string of random bytes known as the “client random.”
  2. The ‘server hello’ message: In reply to the client hello message, the server sends a message containing the server’s SSL certificate, the server’s chosen cipher suite, and the “server random,” another random string of bytes that’s generated by the server.
  3. Authentication: The client verifies the server’s SSL certificate with the certificate authority that issued it. This confirms that the server is who it says it is, and that the client is interacting with the actual owner of the domain.
  4. The premaster secret: The client sends one more random string of bytes, the “premaster secret.” The premaster secret is encrypted with the public key and can only be decrypted with the private key by the server. (The client gets the public key from the server’s SSL certificate.)
  5. Private key used: The server decrypts the premaster secret.
  6. Session keys created: Both client and server generate session keys from the client random, the server random, and the premaster secret. They should arrive at the same results.
  7. Client is ready: The client sends a “finished” message that is encrypted with a session key.
  8. Server is ready: The server sends a “finished” message encrypted with a session key.
  9. Secure symmetric encryption achieved: The handshake is completed, and communication continues using the session keys.

It still feels simpler and more general to use the following scheme:

  • Nginx + HTTPS transport + HTTP Basic Authentication

For example, the nginx configuration:

events {}
http {
    # https session cache
    ssl_session_cache   shared:SSL:10m;
    # session timeout
    ssl_session_timeout 10m;

    # backend application instances that nginx load-balances across
    upstream myapp1 {
        server 127.0.0.1:12510;
        server 127.0.0.1:12511;
        server 127.0.0.1:12512;
    }

    server {
        listen 7777 ssl;

        location / {
            proxy_pass https://myapp1;
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            #proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            # every request must carry valid Basic credentials from the htpasswd file
            auth_basic "Administrator’s Area";
            auth_basic_user_file /repo/.htpasswd;
        }
        # ssl on;   # deprecated; "listen ... ssl" above replaces it
        ssl_certificate /repo/xxx.pem;
        ssl_certificate_key /repo/xxx.key;
    }
}

Here /repo/.htpasswd can hold multiple user:password records:

sudo htpasswd -c .htpasswd user1   # Create the passwdfile. If passwdfile already exists, it is rewritten and truncated.
sudo htpasswd .htpasswd user2
...

Reference: https://httpd.apache.org/docs/current/programs/htpasswd.html

HTTP request (the Authorization header is only the base64 encoding of user1:12345, which is why it must travel over HTTPS):

POST https://127.0.0.1:7777/xxx/yyy/zzz HTTP/1.1
User-Agent: rest-client
Accept-Language: en-GB,en-US;q=0.8,en;q=0.6,zh-CN;q=0.4
Content-Type: application/json
Authorization: Basic dXNlcjE6MTIzNDU=

{}