Mapserver with proxies (or BUG #571)

Yewondwossen Assefa assefa at DMSOLUTIONS.CA
Tue Dec 20 16:12:39 EST 2005 

Hi There,

 Is it possible to add your e-mail to the bug 571 and add youself in cc 
to the bug so that all this changes are discussed through the bug.

Thanks.

José Luis Campanello wrote:

>Hi all!
>
>Well, i'm new to mapserver, and all my internet traffic goes thru a proxy...
>
>Searching the lists, i've found bug #571 (proxy server related).
>
>Well, i needed to be able to use NASA's WMS so i made some changes to allow mapserver to go via proxy.
>
>If anyone is interested in these, please send me an e-mail, but be aware that i have not made extensive tests, yet the changes are simple and there should be no problems...
>
>I've tried to comply with the coding standards and general structure of the software (i.e: it should be easy to include these changes in the main distribution if the development team decide it's worth doing so).
>
>With respect to the comments about bug #571, i disagree about some of them (i think some deployments will likely be more complex than what is assumed).
>
>So this mail has two parts:
>
>1) what i've changed (i.e: the implementation)
>2) rationale for the changes...
>
>===========================================================
>WHAT I'VE CHANGED =========================================
>===========================================================
>I started with version 4.6.2.
>
>Only 7 files were modified: map.h, mapfile.h, mapows.h, mapdraw.c, mapfile.c, maphttp.c and maplexer.l.
>NOTE: except for maplexer.l, all the other files have comments to show the exact changes made.
>
>To configure all this, a layer will seem something like:
>
>LAYER
>    NAME modis
>    TYPE RASTER
>    OFFSITE 0 0 0
>    STATUS OFF
>    CONNECTIONTYPE WMS
>    CONNECTION "http://wms.jpl.nasa.gov/wms.cgi?"
>
>    METADATA
>        "wms_srs"                 "EPSG:4326"
>        "wms_name"                "modis"
>        "wms_server_version"      "1.1.1"
>        "wms_format"              "image/jpeg"
>        "wms_style"               "default"
>    END
>
>    PROXY                                       # ******** ONLY IF YOU ARE BEHIND A PROXY
>        HOST "10.200.0.2"                       # ***REQUIRED***
>        PORT 3128                               # optional if host specified as "<host>:<port>"
>        TYPE http|socks5                        # optional (default http)
>        AUTHDATA "user:password"                # optional
>        AUTHTYPE "<see comment below>"          # optional
>    END
>
>    AUTH                                        # ******** ONLY IF THE WMS/WFS REQUIRES AUTHENTICATION
>        UNRESTRICTED ON|OFF                     # optional (default OFF)
>        AUTHDATA "user:password"                # ***REQUIRED***
>        AUTHTYPE "<see comment below>"          # optional
>    END
>END
>
>The AUTHTYPE is a string of options separated by ':', because in curl, the associated option is a bitmask. If not present, basic is assumed. The possible values are: basic, digest, ntlm, gss|negotiate|gssnegotiate, any, safe|anysafe.
>
>Regarding the UNRESTRICTED option, it is related to the option CURLOPT_FOLLOWLOCATION. If the next location requires authentication this option set to on will ***ALSO*** use the same user/password to authenticate.
>This may cause a SECURITY LEAK if not used carefully.
>
>Also, for what i've seen in the code there is some "merge" of requests if several go to the same destination (this being done in functions msPrepareWMSLayerRequest and msPrepareWFSLayerRequest).
>
>It remains a mistery to me why/how this is done and if some special cases will arise from these changes (for example: what if it is the same destination but http authentication is required?).
>
>Both WMS and WFS services are supported (the added logic is global to the layer draw).
>
>===========================================================
>RATIONALE FOR THE CHANGES =================================
>===========================================================
>First, not only proxies may require user/password to grant access, but http servers too. Probably some of you have seen an ugly dialog box requiring user/password poping up when you try to enter an URL. That dialog box is shown by the browser because the http server requires authentication.
>
>Well, it turns out that many paid services use this method to check if that who is accessing the resource is a "customer" or not. I can imagine some company (or even government organization) providing a basic public service (for example: current weather image with little detail) and a more advanced paid service to others (for example: forecast for next days to tv companies).
>
>It is also reasonable to think that a company with some mission critical application will have:
>
>- different proxy servers for different types of information or
>- a vpn link to some other company (with a different proxy for this vpn)
>- etc
>
>Imagine a truck company accessing some (public) mapserver thru it's http proxy to get basic geography. On top of that, this company will show the position of it's trucks. This last layer being provided by a private mapserver owned by a vehicle tracking security company. These two companies are connected with a VPN and a dedicated (diffenent) proxy to mantain security requirements.
>
>As someone commented, depending on the configuration of the proxy, it may not be able to resolve queries for the local network (intranet). For that purpose, most browsers have the "Bypass proxy server for local addresses" option. Proxies can also be chained on top of each other because most proxies also provide caching services.
>
>Also, it must be considered that there are several types of proxies, the two most commonly used are http proxy (for example: squid) and socks5. They can be mixed in the same network and each one may provide access to different networks/domains.
>
>With all this in mind, it is my opinion that the solution should operate on a per-layer basis and should support both:
>
>- proxies (with authentication) and
>- http authentication.
>
>NOTE: Curl supports both independent on each other.
>
>Greetings!
>
>Jose Luis
>  
>


-- 
----------------------------------------------------------------
Assefa Yewondwossen           
Software Analyst   

Email: assefa at dmsolutions.ca    
http://www.dmsolutions.ca/

Phone: (613) 565-5056 (ext 14)
Fax:   (613) 565-0925
----------------------------------------------------------------

More information about the mapserver-dev mailing list