[mapserver-dev] MS RFC 90: Enable/Disable Layers in OGC Web Services by IP Lists - Call for Comments

Daniel Morissette dmorissette at mapgears.com
Tue Feb 19 08:20:27 PST 2013


On 13-02-15 12:43 PM, Tamas Szekeres wrote:
> Hi Devs,
>
> I've prepared an RFC including most of the suggestions received with
> regards to this addition.
> http://mapserver.org/development/rfc/ms-rfc-90.html
>
> Let me know if you have further things to be taken into account before
> calling a vote on it.
>
>

Hi Tamas,

A few questions/comments:

- It is not clear if setting ows_allowed_ip_list implicitly means that 
all addresses are blocked, and then only the specified addresses are 
enabled, and vice-versa that setting ows_denied_ip_list means that any 
address has access by default, except for those listed in the deny list. 
I believe this is the implied behavior, but if yes then I think that 
should be made clear, and perhaps some examples provided with 
explanation of the corresponding behavior.

- Is it possible to set both ows_allowed_ip_list and ows_denied_ip_list 
and if yes in this case which one takes precedence? Or do they interact 
with each other (i.e. Could I block a range of IPs with the deny list 
and then open up specific workstation addresses with the allow list? or 
the reverse: open up a range of IP addresses with the allow list and 
block a subset with the deny list?)


- With respect to the ms_disable_modes, I don't like a logic where we 
need to explicitly list what we block. I prefer the other way around 
where we list what we enable to reduce the risk of leaving open holes in 
your server configuration.

Actually, perhaps one way to deal with this would be to switch to a 
"ms_enable_modes" and use the same kind of logic as ows_enable_requests, 
with "!*" meaning disable all, and "!MAP" meaning disable MAP mode, and 
then allowing the use of ms_enable_modes at the layer-level as well.

e.g.

MAP
   WEB
     METADATA
       # Block all CGI modes except MAP and LEGEND
       "ms_enable_modes" "!* MAP LEGEND"
       ...
     END
     ...
   END
   ...
END

using inheritance one could then block all modes at the top-level and 
re-enable a given mode only for specific layers:

MAP
   WEB
     METADATA
       # Block all CGI modes by default for this mapfile
       "ms_enable_modes" "!*"
       ...
     END
     ...
   END

   LAYER
     METADATA
       # Enable MAP and LEGEND requests for this layer
       "ms_enable_modes" "MAP LEGEND"
     END
     ...
   END
END

or one could be more open by default and selectively disable some 
requests at the layer level:

MAP
   WEB
     METADATA
       # Open up ALL CGI modes by default for this mapfile
       "ms_enable_modes" "*"
       ...
     END
     ...
   END

   LAYER
     METADATA
       # But allow only MAP requests on this layer
       "ms_enable_modes" "!* MAP"
     END
     ...
   END
END


-- 
Daniel Morissette
http://www.mapgears.com/
Provider of Professional MapServer Support since 2000
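
Added example, not part of the original message and not MapServer code: a small Python evaluator for the ms_enable_modes logic proposed above, applied to the three mapfile snippets in the message. The function names, the rule that a named mode beats a wildcard within one value, the layer-before-map lookup and the closed default are assumptions made for illustration.

```python
# Illustration of the proposed "ms_enable_modes" semantics (assumed, see lead-in).
ALL_MODES = ("MAP", "LEGEND", "SCALEBAR", "QUERY", "BROWSE")  # sample subset of CGI modes


def decide(value, mode):
    """Return True/False if `value` settles `mode`, or None if it says nothing."""
    if value is None:
        return None
    tokens = value.upper().split()
    # Assumption: a token naming the mode wins over a wildcard in the same value,
    # and an explicit "!MODE" wins over "MODE" if both are present.
    if "!" + mode in tokens:
        return False
    if mode in tokens:
        return True
    if "!*" in tokens:
        return False
    if "*" in tokens:
        return True
    return None


def mode_enabled(mode, map_value=None, layer_value=None):
    """Consult LAYER metadata first, then fall back to WEB metadata (inheritance)."""
    mode = mode.upper()
    for value in (layer_value, map_value):
        verdict = decide(value, mode)
        if verdict is not None:
            return verdict
    return False  # assumption: nothing configured means the mode stays closed


def enabled_modes(map_value=None, layer_value=None):
    """List the sample modes a request would be allowed to use."""
    return [m for m in ALL_MODES if mode_enabled(m, map_value, layer_value)]


if __name__ == "__main__":
    # The three configurations from the message, in order.
    print(enabled_modes(map_value="!* MAP LEGEND"))
    print(enabled_modes(map_value="!*", layer_value="MAP LEGEND"))
    print(enabled_modes(map_value="*", layer_value="!* MAP"))
```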


