Re: [mapserver-users] Access control for wms served from mapserver cgi
Hi Marc Where do you set this? Is it somewhere in httpd.conf? Many thanks, Robert Sanson >>> "[EMAIL PROTECTED]" <[EMAIL PROTECTED]> 21/10/2008 4:21 a.m. >>> Hello, We are using this very basic setting: # Demo WMS Alias /wms-demo/usr/lib/cgi-bin/mapserver Deny from all # My network Allow from 10.133 SetHandler cgi-script Options ExecCGI SetEnv MS_MAPFILE /var/www/wms/wms-demo/wms-demo.map Cheers Marc Monnerat Message d'origine De: [EMAIL PROTECTED] Date: 20.10.2008 11:33 À: Objet: Re: [mapserver-users] Access control for wms served from mapserver cgi Hello Rahkonen (and Stephan), This is an idea that I could make work...I'd have to lock-down mapserv itself from all connections (otherwise anyone could just replace wms*.exe in the URL with the original mapserv.exe), though I guess I should be doing that anyway. In response to Stephan Holl: I recognize there are other strategies that involve proxying the WMS requests. I was just hoping for something quick and easy that could be done with Apache more or less out-of-the-box using basic config files and/or modules like mod_rewrite. There have been a few cases where I needed to use mapserver on one machine to serve data using WMS to another server running mapserver as a WMS client. I just want to be able to do that with as little work as possible (i.e., if I can do it in Apache's config, then I can do it anywhere). Essentially, my ideal solution would be if I can get something like mod_rewrite to say "if a request to mapserv contains 'map=/path/to/somefile.map' in the query string, and the client is not equal to some IP address, return 403, otherwise allow the request". I just don't quite know how to get mod_rewrite to work like that for me (I found some promising examples online, but couldn't get them working). Thanks again, Mike Rahkonen Jukka wrote: > Hi, > > If it is easy to limit access to mapserv executable, then how about making a few copies of the executable and tie each copy to its own mapfile in httpd.conf? > > SetEnvIf Request_URI "/cgi-bin/wms1.exe?" MS_MAPFILE=d:/ms4w/apps/wms1.map > SetEnvIf Request_URI "/cgi-bin/wms2.exe?" MS_MAPFILE=d:/ms4w/apps/wms2.map > > Just thinking, I do not know if this is secure at all. > > -Jukka Rahkonen- > > >> -Alkuperäinen viesti- >> Lähettäjä: [EMAIL PROTECTED] >> [mailto:[EMAIL PROTECTED] Puolesta Mike Leahy >> Lähetetty: 20. lokakuuta 2008 3:58 >> Vastaanottaja: mapserver-users@lists.osgeo.org >> Aihe: [mapserver-users] Access control for wms served from >> mapserver cgi >> >> Hello list, >> >> Does anyone on this list know of a simple strategy for >> configuring Apache to restrict access to specific mapfiles >> served as WMS through the cgi mapserv program? I'd like to >> do is restrict access to specific IPs for URLs like the following: >> http://host/cgi-bin/mapserv?map=/path/to/file.map[&;...]. >> >> It's easy enough to limit access to the mapserv executable >> itself, but I'd rather do it on a per-mapfile basis. I tried >> a couple things using mod_rewrite in apache, but anything >> I've tried so far doesn't seem to work. >> >> I know that this sort of question has been asked before, but >> after searching/tinkering for a while, I haven't found a >> solution that works for me yet. >> >> Thanks for any suggestions, >> Mike >> ___ >> mapserver-users mailing list >> mapserver-users@lists.osgeo.org >> http://lists.osgeo.org/mailman/listinfo/mapserver-users >> > ___ mapserver-users mailing list mapserver-users@lists.osgeo.org http://lists.osgeo.org/mailman/listinfo/mapserver-users ___ mapserver-users mailing list mapserver-users@lists.osgeo.org http://lists.osgeo.org/mailman/listinfo/mapserver-users -- The contents of this email are confidential to AsureQuality. If you have received this communication in error please notify the sender immediately and delete the message and any attachments. The opinions expressed in this email are not necessarily those of AsureQuality. This message has been scanned for known viruses before delivery. AsureQuality supports the Unsolicited Electronic Messages Act 2007. If you do not wish to receive similar communications in future, please notify the sender of this message. -- This message has been scanned for malware by SurfControl plc. www.surfcontrol.com ___ mapserver-users mailing list mapserver-users@lists.osgeo.org http://lists.osgeo.org/mailman/listinfo/mapserver-users
Re: [mapserver-users] Access control for wms served from mapserver cgi
Hello, We are using this very basic setting: # Demo WMS Alias /wms-demo/usr/lib/cgi-bin/mapserver Deny from all # My network Allow from 10.133 SetHandler cgi-script Options ExecCGI SetEnv MS_MAPFILE /var/www/wms/wms-demo/wms-demo.map Cheers Marc Monnerat Message d'origine De: [EMAIL PROTECTED] Date: 20.10.2008 11:33 À: Objet: Re: [mapserver-users] Access control for wms served from mapserver cgi Hello Rahkonen (and Stephan), This is an idea that I could make work...I'd have to lock-down mapserv itself from all connections (otherwise anyone could just replace wms*.exe in the URL with the original mapserv.exe), though I guess I should be doing that anyway. In response to Stephan Holl: I recognize there are other strategies that involve proxying the WMS requests. I was just hoping for something quick and easy that could be done with Apache more or less out-of-the-box using basic config files and/or modules like mod_rewrite. There have been a few cases where I needed to use mapserver on one machine to serve data using WMS to another server running mapserver as a WMS client. I just want to be able to do that with as little work as possible (i.e., if I can do it in Apache's config, then I can do it anywhere). Essentially, my ideal solution would be if I can get something like mod_rewrite to say "if a request to mapserv contains 'map=/path/to/somefile.map' in the query string, and the client is not equal to some IP address, return 403, otherwise allow the request". I just don't quite know how to get mod_rewrite to work like that for me (I found some promising examples online, but couldn't get them working). Thanks again, Mike Rahkonen Jukka wrote: > Hi, > > If it is easy to limit access to mapserv executable, then how about making a > few copies of the executable and tie each copy to its own mapfile in httpd.conf? > > SetEnvIf Request_URI "/cgi-bin/wms1.exe?" MS_MAPFILE=d:/ms4w/apps/wms1.map > SetEnvIf Request_URI "/cgi-bin/wms2.exe?" MS_MAPFILE=d:/ms4w/apps/wms2.map > > Just thinking, I do not know if this is secure at all. > > -Jukka Rahkonen- > > >> -Alkuperäinen viesti- >> Lähettäjä: [EMAIL PROTECTED] >> [mailto:[EMAIL PROTECTED] Puolesta Mike Leahy >> Lähetetty: 20. lokakuuta 2008 3:58 >> Vastaanottaja: mapserver-users@lists.osgeo.org >> Aihe: [mapserver-users] Access control for wms served from >> mapserver cgi >> >> Hello list, >> >> Does anyone on this list know of a simple strategy for >> configuring Apache to restrict access to specific mapfiles >> served as WMS through the cgi mapserv program? I'd like to >> do is restrict access to specific IPs for URLs like the following: >> http://host/cgi-bin/mapserv?map=/path/to/file.map[&;...]. >> >> It's easy enough to limit access to the mapserv executable >> itself, but I'd rather do it on a per-mapfile basis. I tried >> a couple things using mod_rewrite in apache, but anything >> I've tried so far doesn't seem to work. >> >> I know that this sort of question has been asked before, but >> after searching/tinkering for a while, I haven't found a >> solution that works for me yet. >> >> Thanks for any suggestions, >> Mike >> ___ >> mapserver-users mailing list >> mapserver-users@lists.osgeo.org >> http://lists.osgeo.org/mailman/listinfo/mapserver-users >> > ___ mapserver-users mailing list mapserver-users@lists.osgeo.org http://lists.osgeo.org/mailman/listinfo/mapserver-users ___ mapserver-users mailing list mapserver-users@lists.osgeo.org http://lists.osgeo.org/mailman/listinfo/mapserver-users
Re: [mapserver-users] Access control for wms served from mapserver cgi
Hello Rahkonen (and Stephan), This is an idea that I could make work...I'd have to lock-down mapserv itself from all connections (otherwise anyone could just replace wms*.exe in the URL with the original mapserv.exe), though I guess I should be doing that anyway. In response to Stephan Holl: I recognize there are other strategies that involve proxying the WMS requests. I was just hoping for something quick and easy that could be done with Apache more or less out-of-the-box using basic config files and/or modules like mod_rewrite. There have been a few cases where I needed to use mapserver on one machine to serve data using WMS to another server running mapserver as a WMS client. I just want to be able to do that with as little work as possible (i.e., if I can do it in Apache's config, then I can do it anywhere). Essentially, my ideal solution would be if I can get something like mod_rewrite to say "if a request to mapserv contains 'map=/path/to/somefile.map' in the query string, and the client is not equal to some IP address, return 403, otherwise allow the request". I just don't quite know how to get mod_rewrite to work like that for me (I found some promising examples online, but couldn't get them working). Thanks again, Mike Rahkonen Jukka wrote: Hi, If it is easy to limit access to mapserv executable, then how about making a few copies of the executable and tie each copy to its own mapfile in httpd.conf? SetEnvIf Request_URI "/cgi-bin/wms1.exe?" MS_MAPFILE=d:/ms4w/apps/wms1.map SetEnvIf Request_URI "/cgi-bin/wms2.exe?" MS_MAPFILE=d:/ms4w/apps/wms2.map Just thinking, I do not know if this is secure at all. -Jukka Rahkonen- -Alkuperäinen viesti- Lähettäjä: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Puolesta Mike Leahy Lähetetty: 20. lokakuuta 2008 3:58 Vastaanottaja: mapserver-users@lists.osgeo.org Aihe: [mapserver-users] Access control for wms served from mapserver cgi Hello list, Does anyone on this list know of a simple strategy for configuring Apache to restrict access to specific mapfiles served as WMS through the cgi mapserv program? I'd like to do is restrict access to specific IPs for URLs like the following: http://host/cgi-bin/mapserv?map=/path/to/file.map[&;...]. It's easy enough to limit access to the mapserv executable itself, but I'd rather do it on a per-mapfile basis. I tried a couple things using mod_rewrite in apache, but anything I've tried so far doesn't seem to work. I know that this sort of question has been asked before, but after searching/tinkering for a while, I haven't found a solution that works for me yet. Thanks for any suggestions, Mike ___ mapserver-users mailing list mapserver-users@lists.osgeo.org http://lists.osgeo.org/mailman/listinfo/mapserver-users ___ mapserver-users mailing list mapserver-users@lists.osgeo.org http://lists.osgeo.org/mailman/listinfo/mapserver-users
Re: [mapserver-users] Access control for wms served from mapserver cgi
Hi, If it is easy to limit access to mapserv executable, then how about making a few copies of the executable and tie each copy to its own mapfile in httpd.conf? SetEnvIf Request_URI "/cgi-bin/wms1.exe?" MS_MAPFILE=d:/ms4w/apps/wms1.map SetEnvIf Request_URI "/cgi-bin/wms2.exe?" MS_MAPFILE=d:/ms4w/apps/wms2.map Just thinking, I do not know if this is secure at all. -Jukka Rahkonen- > -Alkuperäinen viesti- > Lähettäjä: [EMAIL PROTECTED] > [mailto:[EMAIL PROTECTED] Puolesta Mike Leahy > Lähetetty: 20. lokakuuta 2008 3:58 > Vastaanottaja: mapserver-users@lists.osgeo.org > Aihe: [mapserver-users] Access control for wms served from > mapserver cgi > > Hello list, > > Does anyone on this list know of a simple strategy for > configuring Apache to restrict access to specific mapfiles > served as WMS through the cgi mapserv program? I'd like to > do is restrict access to specific IPs for URLs like the following: > http://host/cgi-bin/mapserv?map=/path/to/file.map[&;...]. > > It's easy enough to limit access to the mapserv executable > itself, but I'd rather do it on a per-mapfile basis. I tried > a couple things using mod_rewrite in apache, but anything > I've tried so far doesn't seem to work. > > I know that this sort of question has been asked before, but > after searching/tinkering for a while, I haven't found a > solution that works for me yet. > > Thanks for any suggestions, > Mike > ___ > mapserver-users mailing list > mapserver-users@lists.osgeo.org > http://lists.osgeo.org/mailman/listinfo/mapserver-users > ___ mapserver-users mailing list mapserver-users@lists.osgeo.org http://lists.osgeo.org/mailman/listinfo/mapserver-users
Re: [mapserver-users] Access control for wms served from mapserver cgi
Hello Mike, Mike Leahy <[EMAIL PROTECTED]>, [20081020 - 13:58:06] > Hello list, > > Does anyone on this list know of a simple strategy for configuring > Apache to restrict access to specific mapfiles served as WMS through > the cgi mapserv program? I'd like to do is restrict access to > specific IPs for URLs like the following: > http://host/cgi-bin/mapserv?map=/path/to/file.map[&;...]. > > It's easy enough to limit access to the mapserv executable itself, > but I'd rather do it on a per-mapfile basis. I tried a couple things > using mod_rewrite in apache, but anything I've tried so far doesn't > seem to work. > > I know that this sort of question has been asked before, but after > searching/tinkering for a while, I haven't found a solution that > works for me yet. I am not sure if this is what you need, but we use a simple security proxy inbetween[1] which filters the mapfile based on a given username who is doing WMS/WFS requests. Desktop-GIS can be used with InteProxy[2], if they do not have the ability to aquire user/pwd by itself. But perhaps this is too much for you?! Best Stephan [1] http://wald.intevation.org/plugins/scmsvn/viewcvs.php/docs/documentation/igeosecurity/deegree_owsproxy_documentation_en.pdf?rev=14255&root=deegree&view=log [2] http://inteproxy.wald.intevation.org -- Stephan Holl <[EMAIL PROTECTED]> | Tel.: +49 (0)541-33 50 8 32 Intevation GmbH, Neuer Graben 17, 49074 OS | AG Osnabrück - HR B 18998 Geschäftsführer: Frank Koormann, Bernhard Reiter, Dr. Jan-Oliver Wagner signature.asc Description: PGP signature ___ mapserver-users mailing list mapserver-users@lists.osgeo.org http://lists.osgeo.org/mailman/listinfo/mapserver-users
[mapserver-users] Access control for wms served from mapserver cgi
Hello list, Does anyone on this list know of a simple strategy for configuring Apache to restrict access to specific mapfiles served as WMS through the cgi mapserv program? I'd like to do is restrict access to specific IPs for URLs like the following: http://host/cgi-bin/mapserv?map=/path/to/file.map[&;...]. It's easy enough to limit access to the mapserv executable itself, but I'd rather do it on a per-mapfile basis. I tried a couple things using mod_rewrite in apache, but anything I've tried so far doesn't seem to work. I know that this sort of question has been asked before, but after searching/tinkering for a while, I haven't found a solution that works for me yet. Thanks for any suggestions, Mike ___ mapserver-users mailing list mapserver-users@lists.osgeo.org http://lists.osgeo.org/mailman/listinfo/mapserver-users