[MS4W-Users] securing map services?

Mark Volz MarkVolz at co.lyon.mn.us
Tue Feb 5 12:43:06 EST 2019 

Karsten,

Thank you for your reply.  On the web application side I am using basic authentication and I disabled directory browsing to lock down the application.  I cannot use require a local IP address  as we are hosting internal and external maps for organizations outside of our network.  I don't know if I can use #4 with our older version of GeoMOOSE since it interacts with mapserver CGI.

Although the web application is blocked with basic HTTP authentication my concern is that someone could change the request on the Mapserver CGI itself.  For example could an external user change the map file from an external map to an internal map?  Such as:
https://mywebserver.com/cgi-bin/mapserv.exe?FORMAT=image/png&MAP=/Externalmap...
https://mywebserver.com/cgi-bin/mapserv.exe?FORMAT=image/png&MAP=/Internalmap...

On a mixed system (that has public and private applications) a public application user could theoretically access the maps from a separate private map if they knew the name of the map file.  In my case it is not a huge deal.  The private data really is not that private and it would be a waste of time to try to access the site, but I just wanted to see if I could button up security at the mapserver CGI level.

P.S.  I don't know if it is possible to use a php proxy script in the older GeoMOOSE applications.

Thanks

Sincerely,
Mark Volz, GISP
Lyon County GIS Coordinator

From: karsten [mailto:karsten at terragis.net]
Sent: Tuesday, February 5, 2019 10:34 AM
To: ms4w-users at lists.ms4w.com
Cc: Mark Volz <MarkVolz at co.lyon.mn.us>
Subject: Re: [MS4W-Users] securing map services?

SWHHS/LYON/LINCOLN COUNTY SECURITY NOTICE:
This email originated from an external sender. Exercise caution before clicking on any links or attachments and consider whether you know the sender. For more information please contact IT support.
________________________________

Hi Mark,

I know that Apache has that authentication you mentioned below. I have not used that one much but here is the idea:

1.) Securing e.g. a single WMS with basic HTTP authentication:
- Documentation at http://httpd.apache.org/docs/2.4/howto/auth.html
See my old write up below at the end of the email -> re 1.) ...

I can alternatively also offer the following suggestions (from projects where I used those)

2.) Regarding map file 'lock down':
It is a good idea to exclude MapServer map files from files a web user can browse or download (as there possibly is information about your server setup inside possibly along with PostGIS passwords..
To do this you can add to your apache.config this line (relevant only if the map file is in the web directory or linked ):
 # do not list certain files
     IndexIgnore *.sh *.map *.py *.pyc *.sql *.txt *.sql *.php
(or second best - use htaccess files which is an option if you are not the admin of the entire server e.g. in a shared hosting environment)

3.) You can restrict access to your webpage to only be available to 'local' users in the apache configuration. The site can then be accessed via a log-in page where to check if a user is logged in (I did that for example with a index.php file that checked if the user has a PHP session, and if NO respond 'not logged in', and only if logged in to load the page using a simple if ( else in PHP after the session check). This works because 'PHP' is accepted to be a local user...
The user name and pw (salted) can be also stored in a PostGIS database.
One example - a VirtualHost restricting the access  for the subnet 192.168.0.1/24 only with the Require setting

<VirtualHost *:80>
    DocumentRoot "/var/www/"
    ServerName www.example.com<http://www.example.com>

   <Directory "/var/www/">
      Options Indexes FollowSymLinks
      AllowOverride all
      Require 192.168.0.1/24
   </Directory>
</VirtualHost>

4.) You can also secure any WMS/ WFS access individually when providing access only via a proxy script - again could be a PHP script so the WMS is only visible when a password is given ...
Aka these lines:

<?php
// put any sort of authentication code you want here: a CAPTCHA, a cookie or $_SESSION check, etc.
// an array of defined servers to handle each possible value of LAYERS=
// This DOES have the limitation, that each LAYERS= possibility must be unique, e.g. you can't have 2 layers named 'states'
$SERVERS = array(
   'DRW' => 'http://xy.net/map.ashx<https://linkprotect.cudasvc.com/url?a=http%3a%2f%2fxy.net%2fmap.ashx&c=E,1,kjYBUIZLHvb_52V6J3NIb5Sqbjhf36actrTdRWNIRkU-PmjEj989QvVr6QsDsMBp4kA4jdYhcxNGIKeqlLSMizWd2JKkkBGUaKjL6CBS1Jyi_pX-&typo=1>',
   'GRT' => 'http://terragis.net/map.asp,<https://linkprotect.cudasvc.com/url?a=http%3a%2f%2fterragis.net%2fmap.asp%2c&c=E,1,cHJYtuA5iQjwpTgF32kefMLxhAiGFobuYlFOX7zDQR9Y81qQwJSETciZVZfOSkr2ExqdgapF-dUltkEKLyOrF6nhKjWlSJnmbazownuiSJTI2Nw9zI5t1GGltk8,&typo=1>
   'global_mosaic' => 'http://wms.jpl.nasa.gov/wms.cgi',
);
$url = @$SERVERS[$_GET['layers']]; if (!$url) die("No such layer.");
// compose the URL and simply spit it out
$url = $url . '?' . $_SERVER['QUERY_STRING'];
$format = @$_GET['format']; if (!$format) $format = @$_GET['FORMAT']; if (!$format) $format = 'image/png';
header("Content-type: $format");
readfile($url);
?>

-----------------------------------------------------------
re 1.) old write-up - (might still work like this)
-----------------------------------------------------------

A. Create .htaccess file:

$ cd /usr/lib/cgi-bin  <---- (This is the directory you want to limit access to)
$ sudo vi .htaccess

--> Add:
AuthUserFile /var/www/passwds/.htpasswd  <--- (This is where Apache will look for passwd authentication file)
AuthName "Authorization Required"
AuthType Basic
require user machineuser

B. Create passwd entry for Apache:
$ htpasswd -c /var/www/passwds/.htpasswd machineuser  <--- (This is where the passwd file will be created)
New password: <nounou>
Re-type new password: <nounou>
Adding password for user machineuser

C. Edit Apache config:  (This example is on Ubuntu using Apache2 installed from apt-get)
sudo vi /etc/apache2/sites-available/default
--> Check that "AllowOverride" is set to "All", not "None" in your cgi-bin settings:
        ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
        <Directory "/usr/lib/cgi-bin">
                AllowOverride All  <---- (Note: "All" forces lookup of .htaccess file.  "None" is normal)
                Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
                Require all granted
        </Directory>

D. Restart Apache:
$ sudo /etc/init.d/apache2 restart

E. Test:
http://localhost/cgi-bin/mapserv?

--> You should be prompted for authentication

Let me know any questions.

Cheers
Karsten
Karsten Vennemann
Principal

Deutschland - Germany
Terra GIS
Zehntbergstraße 42
69198 Schriesheim - Altenbach
++49 (0) 6220 - 9143 605
++49 (0) 6220 - 9228 266

USA
Terra GIS LTD
7001 Seaview Ave. NW, Suite 160-561
Seattle, WA 98117
www.terragis.net<https://linkprotect.cudasvc.com/url?a=blocked%3a%3ahttp%3a%2f%2fwww.terragis.net%2f&c=E,1,mTMDiob-7OmxtkqOWtb3iYj2pP4l1HV5FxWi0WC6dK9aXPvsx6sMpH1ngsKJLxvJI9CJfk5TbTZWuIeMNuDlTGJgHaCbdp-rxzggtbRGL1DiLg,,&typo=1>

Date: Tue, 5 Feb 2019 15:23:37 +0000
From: Mark Volz MarkVolz at co.lyon.mn.us<mailto:MarkVolz at co.lyon.mn.us>
To: "ms4w-users at lists.ms4w.com<mailto:ms4w-users at lists.ms4w.com>" ms4w-users at lists.ms4w.com<mailto:ms4w-users at lists.ms4w.com>
Subject: [MS4W-Users] securing map services?

Hello,

I know it is possible to secure Apache websites using mod_auth_basic, which requires users to have a username and password to access the site. Is there any equivalent way to lock map files down as well so that the hidden internal map files only respond if a user is signed into apache?

Thank You
Sincerely,

Mark Volz, GISP

Lyon County GIS Coordinator


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.ms4w.com/pipermail/ms4w-users/attachments/20190205/26382d11/attachment-0001.html>

More information about the MS4W-Users mailing list