[MS4W-Users] securing map services?
karsten
karsten at terragis.net
Tue Feb 5 11:33:59 EST 2019
Hi Mark,
I know that Apache has that authentication you mentioned below. I have not
used that one much but here is the idea:
1.) Securing e.g. a single WMS with basic HTTP authentication:
- Documentation at http://httpd.apache.org/docs/2.4/howto/auth.html
See my old write-up below at the end of the email -> re 1.) ...
I can alternatively also offer the following suggestions (from projects
where I used those)
2.) Regarding map file 'lock down':
It is a good idea to exclude MapServer map files from the files a web user can
browse or download (as there is possibly information about your server setup
inside, possibly along with PostGIS passwords).
To do this you can add this line to your apache.config (relevant only if the
map file is in the web directory or linked):
# do not list certain files in directory listings
IndexIgnore *.sh *.map *.py *.pyc *.sql *.txt *.php
(or second best - use .htaccess files, which is an option if you are not the
admin of the entire server, e.g. in a shared hosting environment)
3.) You can restrict access to your webpage to only be available to 'local'
users in the Apache configuration. The site can then be accessed via a
log-in page which checks if a user is logged in (I did that for example
with an index.php file that checked if the user has a PHP session; if not, it
responds 'not logged in', and only if logged in does it load the page, using a
simple if/else in PHP after the session check). This works because 'PHP'
is accepted to be a local user...
The user name and pw (salted) can also be stored in a PostGIS database.
One example: a VirtualHost restricting access to the subnet
192.168.0.1/24 only, with the Require setting:
<VirtualHost *:80>
    DocumentRoot "/var/www/"
    ServerName www.example.com
    <Directory "/var/www/">
        Options Indexes FollowSymLinks
        AllowOverride All
        # Apache 2.4: the CIDR form of Require needs the 'ip' keyword
        Require ip 192.168.0.1/24
    </Directory>
</VirtualHost>
4.) You can also secure any WMS/WFS access individually when providing
access only via a proxy script - again this could be a PHP script, so the WMS
is only visible when a password is given ...
Aka these lines:
<?php
// put any sort of authentication code you want here: a CAPTCHA, a cookie or
// $_SESSION check, etc.

// an array of defined servers to handle each possible value of LAYERS=
// This DOES have the limitation that each LAYERS= possibility must be
// unique, e.g. you can't have 2 layers named 'states'
$SERVERS = array(
    'DRW'           => 'http://xy.net/map.ashx',
    'GRT'           => 'http://terragis.net/map.asp',
    'global_mosaic' => 'http://wms.jpl.nasa.gov/wms.cgi',
);

// pick the back-end server for the requested layer, or stop
$url = @$SERVERS[$_GET['layers']];
if (!$url) die("No such layer.");

// compose the URL and simply spit it out
$url = $url . '?' . $_SERVER['QUERY_STRING'];

// content type as requested by the client (default PNG)
$format = @$_GET['format'];
if (!$format) $format = @$_GET['FORMAT'];
if (!$format) $format = 'image/png';

header("Content-type: $format");
readfile($url);   // needs allow_url_fopen=On in php.ini to fetch a URL
?>
-----------------------------------------------------------
re 1.) old write-up - (might still work like this)
-----------------------------------------------------------
A. Create .htaccess file:
$ cd /usr/lib/cgi-bin   <---- (This is the directory you want to limit access to)
$ sudo vi .htaccess
--> Add:
AuthUserFile /var/www/passwds/.htpasswd   <--- (This is where Apache will look for the passwd authentication file)
AuthName "Authorization Required"
AuthType Basic
Require user machineuser
B. Create passwd entry for Apache:
$ htpasswd -c /var/www/passwds/.htpasswd machineuser   <--- (This is where the passwd file will be created)
New password: <nounou>
Re-type new password: <nounou>
Adding password for user machineuser
C. Edit Apache config: (This example is on Ubuntu using Apache2 installed
from apt-get)
$ sudo vi /etc/apache2/sites-available/default
--> Check that "AllowOverride" is set to "All", not "None" in your cgi-bin
settings:
ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
<Directory "/usr/lib/cgi-bin">
    AllowOverride All   <---- (Note: "All" forces lookup of the .htaccess file. "None" is normal)
    Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
    Require all granted
</Directory>
D. Restart Apache:
$ sudo /etc/init.d/apache2 restart
E. Test:
http://localhost/cgi-bin/mapserv?
--> You should be prompted for authentication
Let me know any questions.
Cheers
Karsten
Karsten Vennemann
Principal
Deutschland - Germany
Terra GIS
Zehntbergstraße 42
69198 Schriesheim Altenbach
++49 (0) 6220 - 9143 605
++49 (0) 6220 - 9228 266
USA
Terra GIS LTD
7001 Seaview Ave. NW, Suite 160-561
Seattle, WA 98117
www.terragis.net
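Pulling points 1 to 3 together in a single Apache 2.4 configuration, as an added example that is not from the email above: it requires a login for the MapServer CGI, refuses to serve .map and similar server-side files directly, hands the CGI its map file through MapServer's MS_MAPFILE / MS_MAP_NO_PATH environment variables instead of a map= URL parameter, and limits the pages to the local subnet. The paths, the map file location, the subnet and the user name are assumptions.

```apache
# Added example, not from the original email. Paths, subnet and the user name
# are assumptions for illustration.

# 1.) Basic-auth login for the MapServer CGI itself (password file created
#     with: htpasswd -c /var/www/passwds/.htpasswd machineuser)
<Location "/cgi-bin/mapserv">
    AuthType Basic
    AuthName "Authorization Required"
    AuthUserFile "/var/www/passwds/.htpasswd"
    Require valid-user
    # 2.) keep the map file out of the URL: MapServer takes its default map
    #     from MS_MAPFILE, and MS_MAP_NO_PATH stops a client from naming an
    #     arbitrary map file path in the 'map=' parameter (assumed path below)
    SetEnv MS_MAPFILE "/srv/gis/private/county.map"
    SetEnv MS_MAP_NO_PATH 1
</Location>

# 2.) never serve map files and other server-side sources directly, wherever
#     they sit under the DocumentRoot (IndexIgnore only hides them from
#     directory listings; this refuses the download itself)
<FilesMatch "\.(map|sql|sh|py|pyc)$">
    Require all denied
</FilesMatch>

# 3.) the web pages themselves only for the local subnet; the CIDR form of
#     Require needs the 'ip' keyword in Apache 2.4
<Directory "/var/www/">
    Options -Indexes +FollowSymLinks
    AllowOverride None
    Require ip 192.168.0.0/24
</Directory>
```

Run `apachectl configtest` after editing, then request a .map URL and the CGI URL from outside the subnet to confirm the 403 and the 401 respectively.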
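A session-gated version of the WMS proxy from point 4, as an added example that is not code from the email: only logged-in users pass, only allow-listed layer names map to back-end servers, only known GetMap parameters are forwarded (rather than the raw query string), and the Content-Type is taken from the upstream response instead of from the client. The back-end URLs and the `$_SESSION['user']` key set by the login page are assumptions.

```php
<?php
// Added example, not from the original email. Back-end URLs and the session
// key are assumptions; the login page is expected to set $_SESSION['user'].
session_start();
if (empty($_SESSION['user'])) {
    http_response_code(401);
    exit('not logged in');
}

$SERVERS = [                                // assumed back-end WMS endpoints
    'DRW' => 'http://wms-a.example.net/map.ashx',
    'GRT' => 'http://wms-b.example.net/map.asp',
];
$layer = $_GET['LAYERS'] ?? $_GET['layers'] ?? '';
if (!isset($SERVERS[$layer])) {
    http_response_code(404);
    exit('No such layer.');
}

// Forward only the GetMap parameters we understand, case-insensitively, and
// reject array-valued parameters (LAYERS[]=...), which the back-end never needs.
$allowed = ['SERVICE', 'VERSION', 'REQUEST', 'LAYERS', 'STYLES', 'CRS', 'SRS',
            'BBOX', 'WIDTH', 'HEIGHT', 'FORMAT', 'TRANSPARENT', 'BGCOLOR'];
$params = [];
foreach ($_GET as $k => $v) {
    $key = strtoupper($k);
    if (in_array($key, $allowed, true) && is_string($v)) {
        $params[$key] = $v;
    }
}
if (($params['REQUEST'] ?? '') !== 'GetMap') {
    http_response_code(400);
    exit('Only GetMap is proxied.');
}
$url = $SERVERS[$layer] . '?' . http_build_query($params);

// Fetch with cURL so the upstream status and content type can be relayed;
// redirects are not followed, so the back-end cannot send us elsewhere.
$ch = curl_init($url);
curl_setopt_array($ch, [CURLOPT_RETURNTRANSFER => true, CURLOPT_TIMEOUT => 30,
                        CURLOPT_FOLLOWLOCATION => false]);
$body   = curl_exec($ch);
$type   = curl_getinfo($ch, CURLINFO_CONTENT_TYPE) ?: 'application/octet-stream';
$status = curl_getinfo($ch, CURLINFO_RESPONSE_CODE);
curl_close($ch);

http_response_code($status ?: 502);         // 502 when the back-end is unreachable
header('Content-Type: ' . $type);
echo $body;
```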
Date: Tue, 5 Feb 2019 15:23:37 +0000
From: Mark Volz <MarkVolz at co.lyon.mn.us>
To: ms4w-users at lists.ms4w.com
Subject: [MS4W-Users] securing map services?
Hello,
I know it is possible to secure Apache websites using mod_auth_basic, which
requires users to have a username and password to access the site. Is there
any equivalent way to lock map files down as well so that the hidden
internal map files only respond if a user is signed into apache?
Thank You
Sincerely,
Mark Volz, GISP
Lyon County GIS Coordinator