[MS4W-Users] securing map services?

karsten karsten at terragis.net
Tue Feb 5 12:50:53 EST 2019


Hi Mark,
 
> Although the web application is blocked with basic HTTP authentication my
> concern is that someone could change the request on the Mapserver CGI
> itself. For example could an external user change the map file from an
> external map to an internal map? Such as:
>
> https://mywebserver.com/cgi-bin/mapserv.exe?FORMAT=image/png&MAP=/Externalmap...
>
> https://mywebserver.com/cgi-bin/mapserv.exe?FORMAT=image/png&MAP=/Internalmap...
Yes, that could be possible. So in that case you could make the map file
readable only by a local user (aka PHP, and no other users, via the file
system and also in apache.conf).

 

> P.S. I don't know if it is possible to use a php proxy script in the
> older GeoMOOSE applications.

I think that should be possible when you add the WMS as a proxy script link,
so instead of

https://mywebserver.com/cgi-bin/mapserv.exe?FORMAT=image/png&MAP=/Internalmap...

that would become something like

https://mywebserver.com/map.php

Cheers

Karsten
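Added here as a worked example (not Karsten's code, nor anything shipped with GeoMOOSE or MS4W): a map.php along the lines suggested above, written so that the client can never influence MAP=. It assumes a login page that has stored the user name in $_SESSION['user'], a MapServer CGI at http://127.0.0.1/cgi-bin/mapserv.exe that only this host may reach, and an internal map file at C:/ms4w/apps/internal/internal.map outside the DocumentRoot; all of these are placeholders to adjust. Run from the command line it prints the upstream URL it would build for a request that tries to smuggle in MAP=/Internalmap.

```php
<?php
// Added example, not code from the thread: a small WMS proxy in the spirit of
// the map.php suggested above, written so the browser never sees or chooses
// the MAP= parameter. Assumptions (placeholders, adjust to your setup):
//   - a login page has already put the user name into $_SESSION['user'];
//   - MapServer listens on MAPSERV_URL and is reachable only from this host;
//   - the internal map file lives outside the DocumentRoot at MAP_FILE.
declare(strict_types=1);

const MAPSERV_URL = 'http://127.0.0.1/cgi-bin/mapserv.exe';  // assumed internal endpoint
const MAP_FILE    = 'C:/ms4w/apps/internal/internal.map';    // assumed path, not web-served

// WMS parameters the proxy is willing to pass upstream; everything else is dropped.
const ALLOWED_PARAMS = [
    'SERVICE', 'VERSION', 'REQUEST', 'LAYERS', 'STYLES', 'CRS', 'SRS', 'BBOX',
    'WIDTH', 'HEIGHT', 'FORMAT', 'TRANSPARENT', 'BGCOLOR', 'EXCEPTIONS',
    'QUERY_LAYERS', 'INFO_FORMAT', 'FEATURE_COUNT', 'I', 'J', 'X', 'Y',
];

// Content types we are prepared to relay from MapServer to the browser.
const ALLOWED_CONTENT_TYPES = [
    'image/png', 'image/jpeg', 'image/gif', 'text/plain', 'text/html',
    'text/xml', 'application/json', 'application/vnd.ogc.se_xml',
];

/**
 * Builds the upstream MapServer URL from the client's query parameters.
 * MAP= is always set server-side, so a client-supplied MAP=/Internalmap is
 * discarded rather than forwarded; parameters not on the allowlist are
 * discarded too.
 */
function build_upstream_url(array $query): string
{
    $clean = ['MAP' => MAP_FILE];
    foreach ($query as $name => $value) {
        $key = strtoupper((string) $name);              // WMS names are case-insensitive
        if ($key === 'MAP' || !in_array($key, ALLOWED_PARAMS, true)) {
            continue;
        }
        if (!is_string($value) || strlen($value) > 4096) {
            continue;                                   // no arrays, no oversized values
        }
        $clean[$key] = $value;
    }
    return MAPSERV_URL . '?' . http_build_query($clean, '', '&', PHP_QUERY_RFC3986);
}

/** Fetches the upstream response and relays it with a vetted Content-Type. */
function relay(string $url): void
{
    $ch = curl_init($url);
    curl_setopt_array($ch, [
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_FOLLOWLOCATION => false,   // never follow a redirect off the MapServer host
        CURLOPT_TIMEOUT        => 30,
    ]);
    $body   = curl_exec($ch);
    $status = (int) curl_getinfo($ch, CURLINFO_RESPONSE_CODE);
    $ctype  = (string) curl_getinfo($ch, CURLINFO_CONTENT_TYPE);
    curl_close($ch);

    if ($body === false || $status !== 200) {
        http_response_code(502);
        header('Content-Type: text/plain');
        exit("map service unavailable\n");
    }
    // Content-Type comes from MapServer's reply, not from the client's FORMAT= value.
    $base = strtolower(trim(explode(';', $ctype)[0]));
    header('Content-Type: ' . (in_array($base, ALLOWED_CONTENT_TYPES, true) ? $base : 'application/octet-stream'));
    header('Cache-Control: private, no-store');
    echo $body;
}

if (PHP_SAPI === 'cli') {
    // Self-check from the command line: the client's MAP= is ignored, ours is used.
    echo build_upstream_url([
        'MAP' => '/Internalmap', 'SERVICE' => 'WMS', 'REQUEST' => 'GetMap',
        'layers' => 'parcels', 'format' => 'image/png',
    ]), "\n";
} else {
    session_start();
    if (empty($_SESSION['user'])) {        // the same session check as the index.php idea
        http_response_code(401);
        header('Content-Type: text/plain');
        exit("not logged in\n");
    }
    relay(build_upstream_url($_GET));
}
```

The proxy forwards only an allowlist of WMS parameters, always sets MAP= itself, and takes the Content-Type from MapServer's response rather than from the client's FORMAT=. It only helps if mapserv.exe is not reachable directly from outside (for instance with `Require ip 127.0.0.1` on the cgi-bin directory), and it still exposes every layer in the map to every logged-in user; per-layer permissions would need an additional check on LAYERS= and QUERY_LAYERS=.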

From: karsten [mailto:karsten at terragis.net] 
Sent: Tuesday, February 5, 2019 10:34 AM
To: ms4w-users at lists.ms4w.com
Cc: Mark Volz <MarkVolz at co.lyon.mn.us>
Subject: Re: [MS4W-Users] securing map services?

Hi Mark,

I know that Apache has that authentication you mentioned below. I have not
used that one much but here is the idea:

1.) Securing e.g. a single WMS with basic HTTP authentication:
- Documentation at  <http://httpd.apache.org/docs/2.4/howto/auth.html>
http://httpd.apache.org/docs/2.4/howto/auth.html
See my old write up below at the end of the email -> re 1.) ...

I can alternatively also offer the following suggestions (from projects
where I used those)

2.) Regarding map file 'lock down':
It is a good idea to exclude MapServer map files from the files a web user can
browse or download (as there possibly is information about your server setup
inside, possibly along with PostGIS passwords).
To do this you can add this line to your apache.config (relevant only if the
map file is in the web directory or linked):
     # do not list certain files
     IndexIgnore *.sh *.map *.py *.pyc *.sql *.txt *.php
(or second best - use .htaccess files, which is an option if you are not the
admin of the entire server e.g. in a shared hosting environment)

3.) You can restrict access to your webpage to only be available to 'local'
users in the apache configuration. The site can then be accessed via a
log-in page which checks if a user is logged in (I did that for example
with an index.php file that checked if the user has a PHP session, and if NOT
responded 'not logged in', and only if logged in loaded the page, using a
simple if/else in PHP after the session check). This works because 'PHP'
is accepted to be a local user...
The user name and pw (salted) can also be stored in a PostGIS database.
One example - a VirtualHost restricting the access for the subnet
192.168.0.1/24 only with the Require setting:

<VirtualHost *:80>
    DocumentRoot "/var/www/"
    ServerName www.example.com

    <Directory "/var/www/">
        Options Indexes FollowSymLinks
        AllowOverride all
        # Apache 2.4 syntax: "Require ip" with the subnet in CIDR form
        Require ip 192.168.0.0/24
    </Directory>
</VirtualHost>

4.) You can also secure any WMS/ WFS access individually when providing
access only via a proxy script - again could be a PHP script so the WMS is
only visible when a password is given ...
Aka these lines:

<?php
// put any sort of authentication code you want here: a CAPTCHA, a cookie or
// $_SESSION check, etc.

// an array of defined servers to handle each possible value of LAYERS=
// This DOES have the limitation that each LAYERS= possibility must be
// unique, e.g. you can't have 2 layers named 'states'
$SERVERS = array(
    'DRW'           => 'http://xy.net/map.ashx',
    'GRT'           => 'http://terragis.net/map.asp',
    'global_mosaic' => 'http://wms.jpl.nasa.gov/wms.cgi',
);

// pick the upstream server from the layers= value; unknown layer -> stop
$url = @$SERVERS[$_GET['layers']];
if (!$url) die("No such layer.");

// compose the URL and simply spit it out
$url = $url . '?' . $_SERVER['QUERY_STRING'];

// format comes from the client (format= or FORMAT=), default image/png;
// restrict it to the image types you actually serve in production
$format = @$_GET['format'];
if (!$format) $format = @$_GET['FORMAT'];
if (!$format) $format = 'image/png';

header("Content-type: $format");
readfile($url);   // requires allow_url_fopen=On in php.ini
?>


-----------------------------------------------------------
re 1.) old write-up - (might still work like this)
-----------------------------------------------------------

A. Create .htaccess file:

$ cd /usr/lib/cgi-bin  <---- (This is the directory you want to limit access
to)
$ sudo vi .htaccess

--> Add:
AuthUserFile /var/www/passwds/.htpasswd  <--- (This is where Apache will
look for passwd authentication file)
AuthName "Authorization Required"
AuthType Basic
require user machineuser

B. Create passwd entry for Apache:
$ htpasswd -c /var/www/passwds/.htpasswd machineuser  <--- (This is where
the passwd file will be created)
New password: <nounou>
Re-type new password: <nounou>
Adding password for user machineuser

C. Edit Apache config:  (This example is on Ubuntu using Apache2 installed
from apt-get)
sudo vi /etc/apache2/sites-available/default
--> Check that "AllowOverride" is set to "All", not "None" in your cgi-bin
settings:
        ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
        <Directory "/usr/lib/cgi-bin">
                AllowOverride All  <---- (Note: "All" forces lookup of
.htaccess file.  "None" is normal)
                Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
                Require all granted
        </Directory>

D. Restart Apache:
$ sudo /etc/init.d/apache2 restart

E. Test:
http://localhost/cgi-bin/mapserv?

--> You should be prompted for authentication

Let me know any questions.

Cheers
Karsten

Karsten Vennemann
Principal

Deutschland - Germany
Terra GIS 
Zehntbergstraße 42
69198 Schriesheim – Altenbach
++49 (0) 6220 - 9143 605
++49 (0) 6220 - 9228 266

USA
Terra GIS LTD
7001 Seaview Ave. NW, Suite 160-561
Seattle, WA 98117
 
www.terragis.net

Date: Tue, 5 Feb 2019 15:23:37 +0000
From: Mark Volz <MarkVolz at co.lyon.mn.us>
To: ms4w-users at lists.ms4w.com
Subject: [MS4W-Users] securing map services?

Hello,

I know it is possible to secure Apache websites using mod_auth_basic, which
requires users to have a username and password to access the site. Is there
any equivalent way to lock map files down as well so that the hidden
internal map files only respond if a user is signed into apache?

Thank You
Sincerely,

Mark Volz, GISP

Lyon County GIS Coordinator
