I want to secure and/or verify a request coming from a PHP web server to a WCF service running on a localhost which executes commands on that PC. There could potentially be many WCF services running on several different PCs on their own localhost, but there will only ever be one PHP web server.
In this instance, the PHP web server is acting as the client, and is consuming the WCF service which is acting as the server.
At the moment, the PHP sends a POST request using curl to an IP address and port number (1.2.3.4:5 for example) and gets a reply. However, anyone could send the same message to that IP address and also get a reply. I need some way of verifying the POST request came from the PHP web server and not from anyone else. The actual message doesn't contain any sensitive information, so encryption isn't needed, although I do plan to add this in at some point.
I thought it would be possible to do this using SSL, as the web server has a certificate, and POST the data over https (https://1.2.3.4:5). From what I've read on the interwebs though, this only works if the localhost also has a trusted certificate. So I looked into generating one manually using MKCERT, but this won't work, I believe, as the certificate on the web server won't trust it.
I also thought about restricting incoming requests to the IP address of the web server, but I believe this can be spoofed.
The only other option I can think of is that once the WCF service receives a request, it checks with the PHP web server to see if that request came from there, but if there was another way which avoided a round trip back to the PHP web server that would be preferable for performance reasons.
As I mentioned, the actual message doesn't contain sensitive data; I just need to make sure that the message came from a particular web server.
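
One way to authenticate the sender without a round trip, shown as an added example that is not part of the original post: the PHP server signs each POST with an HMAC over a timestamp, a nonce and the body, and the receiver recomputes it. It assumes a shared secret provisioned on both ends; the header names, the 300-second window and the sample values are hypothetical, and the verification function is written in PHP only to show the logic the WCF service would need to mirror.

```php
<?php
// Added example: HMAC request signing with replay protection.
// Assumptions: shared secret on both ends, hypothetical header names.

const MAX_SKEW = 300; // seconds a signed request stays acceptable (assumed)

// Sender side (PHP web server): headers to attach to the curl POST.
function sign_request(string $secret, string $body, int $now, string $nonce): array
{
    $mac = hash_hmac('sha256', "$now\n$nonce\n$body", $secret);
    return ['X-Timestamp' => (string)$now, 'X-Nonce' => $nonce, 'X-Signature' => $mac];
}

// Receiver side logic. $seen stores nonces already accepted, so a captured
// request cannot be replayed while its timestamp is still inside the window.
function verify_request(string $secret, string $body, array $h, int $now, array &$seen): bool
{
    foreach (['X-Timestamp', 'X-Nonce', 'X-Signature'] as $k) {
        if (!isset($h[$k]) || !is_string($h[$k])) return false;
    }
    // Strict formats keep the "\n"-separated MAC input unambiguous.
    if (!ctype_digit($h['X-Timestamp']) || !ctype_xdigit($h['X-Nonce'])) return false;

    $ts = (int)$h['X-Timestamp'];
    if (abs($now - $ts) > MAX_SKEW) return false;            // stale or future-dated

    $expected = hash_hmac('sha256', "$ts\n{$h['X-Nonce']}\n$body", $secret);
    if (!hash_equals($expected, $h['X-Signature'])) return false; // constant-time compare

    if (isset($seen[$h['X-Nonce']])) return false;            // replayed request
    $seen[$h['X-Nonce']] = $ts;                               // remember only after MAC passes
    return true;
}

// Constructed sample data, for demonstration only.
$secret = 'constructed-demo-secret';
$body   = '{"command":"status"}';
$now    = time();
$seen   = [];
$headers = sign_request($secret, $body, $now, bin2hex(random_bytes(16)));

var_dump(verify_request($secret, $body, $headers, $now, $seen));                   // genuine request
var_dump(verify_request($secret, $body, $headers, $now, $seen));                   // same request replayed
var_dump(verify_request($secret, '{"command":"reboot"}', $headers, $now, $seen));  // body altered in transit
$stale = sign_request($secret, $body, $now - 3600, bin2hex(random_bytes(16)));
var_dump(verify_request($secret, $body, $stale, $now, $seen));                     // signed an hour ago
```

The receiver should purge nonces older than the window, and with several WCF services a separate secret per service limits the impact of one PC being compromised.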