Hi Bill,
That's because it's not Apache reading the content in the directory.
Apache is running the CGI and the CGI is accessing the directory
directly. The CGI is already behind the access policy layer.
As the CGI is usually running as the Apache user, it has the same access
level as the Apache
Thanks for the help, everyone. Good advice, as usual, and I think I've
got it sorted out now.
___
mapserver-users mailing list
mapserver-users@lists.osgeo.org
http://lists.osgeo.org/mailman/listinfo/mapserver-users
I have some questions about securing a MapServer WMS. From the googlits
I've gathered it seems that the easy way is to use Basic Authentication
if you have Apache. I do have that on my Linux-based server, so I sealed
off the directory in which I have my mapfile and web template. And so
far so
Bill Thoen wrote:
I have some questions about securing a MapServer WMS. From the googlits
I've gathered it seems that the easy way is to use Basic Authentication
if you have Apache. I do have that on my Linux-based server, so I sealed
off the directory in which I have my mapfile and web
MS_MAPFILE=/var/www/html/theDir/theFile.map
export MS_MAPFILE
QUERY_STRING="map=${MS_MAPFILE}&zoomdir=0&zoomsize=2&layer=counties&layer=states..."
/var/www/cgi-bin/mapserv
it accesses the
mapfile in /theDir/, and /theDir is supposed to be password protected
now by Apache.
Correct. But the
Others may have different ideas but it seems to me you'll need to secure the
wms binary rather than a directory. (I wouldn't store mapfiles and templates
in a web accessible location anyway.) There are probably many ways to do
this. One idea might be to have separate WMS binaries, one for
Latest versions of MapServer allow you to set an env variable called
MS_MAPFILE_PATTERN
Holy cow!
SetEnv MS_MAP_NO_PATH 1
SetEnv WMS1_MAPFILE 'some path'
SetEnv WMS2_MAPFILE 'some other path'
Wow! Wow!
Super cool. I hadn't even heard of these. Thanks for the tip!
--
HostGIS, Open
Problem with MS_MAPFILE_PATTERN is that if using it for the path part of a
mapfile you could use back references to get elsewhere. I imagine it's
possible to craft a regex that wouldn't allow '..' but it's not trivial
(examples welcome!). Not allowing path'd mapfiles at all is more restrictive
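
The '..' concern raised in the message above, as an added example that is not part of the original thread or of MapServer's code: a pattern that only anchors the directory next to one that requires every path component to start with a non-dot character. It assumes the pattern is evaluated as a POSIX extended regular expression (no lookahead available); the directory /srv/mapfiles and all sample paths are constructed for illustration.

```c
#include <regex.h>
#include <stdio.h>

/* Naive: anchors the directory but lets "." appear anywhere after it. */
static const char *NAIVE = "^/srv/mapfiles/[A-Za-z0-9_./-]+\\.map$";

/* Strict: every path component must start with a non-dot character, so
   "." and ".." components (and dot-directories) can never match.
   A name such as "a..b.map" still matches, but it is not a traversal. */
static const char *STRICT =
    "^/srv/mapfiles/([A-Za-z0-9_-][A-Za-z0-9_.-]*/)*"
    "[A-Za-z0-9_-][A-Za-z0-9_.-]*\\.map$";

/* Returns 1 if path matches pattern, 0 if not, -1 if the pattern is invalid. */
int pattern_allows(const char *pattern, const char *path)
{
    regex_t re;
    if (regcomp(&re, pattern, REG_EXTENDED | REG_NOSUB) != 0)
        return -1;
    int rc = regexec(&re, path, 0, NULL, 0);
    regfree(&re);
    return rc == 0;
}

int main(void)
{
    /* Constructed sample values for the map= parameter. */
    const char *samples[] = {
        "/srv/mapfiles/counties.map",
        "/srv/mapfiles/wms1/states.map",
        "/srv/mapfiles/../../etc/other.map",
        "/srv/mapfiles/wms1/../../private/secret.map",
        "/srv/mapfiles/.hidden/x.map",
        "/etc/passwd",
    };
    for (size_t i = 0; i < sizeof samples / sizeof *samples; i++)
        printf("%-46s naive=%d strict=%d\n", samples[i],
               pattern_allows(NAIVE, samples[i]),
               pattern_allows(STRICT, samples[i]));
    return 0;
}
```

The same strict pattern can be set as the MS_MAPFILE_PATTERN value; whether to allow path'd mapfiles at all remains the more restrictive choice discussed in the thread.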