[mapserver-dev] MS RFC 90: Enable/Disable Layers in OGC Web Services by IP Lists - Call for Comments

Daniel Morissette dmorissette at mapgears.com
Tue Feb 19 08:31:26 PST 2013


Hello again,

I just realized that my suggestion to implement full support for 
ms_enable_modes with all the flexibility provided by ows_enable_requests 
might be quite a bit more work than you have available in your budget, 
so perhaps a compromise would be to simply implement the following at 
the map-level:

   "ms_enable_modes" "*" # Enable all CGI modes

or

   "ms_enable_modes" "!*" # Block all CGI modes

This would be sufficient to allow someone using 
ows_allowed/denied_ip_list to disable use of the CGI modes, and would 
leave open the possibility to implement full support for the same logic 
as ows_enable_requests down the road when one has time/funding to do it.

Daniel



On 13-02-19 11:20 AM, Daniel Morissette wrote:
> On 13-02-15 12:43 PM, Tamas Szekeres wrote:
>> Hi Devs,
>>
>> I've prepared an RFC including most of the suggestions received with
>> regards to this addition.
>> http://mapserver.org/development/rfc/ms-rfc-90.html
>>
>> Let me know if you have further things to be taken into account before
>> calling a vote on it.
>>
>>
>
> Hi Tamas,
>
> A few questions/comments:
>
> - It is not clear if setting ows_allowed_ip_list implicitly means that
> all addresses are blocked, and then only the specified addresses are
> enabled, and vice-versa that setting ows_denied_ip_list means that any
> address has access by default, except for those listed in the deny list.
> I believe this is the implied behavior, but if yes then I think that
> should be made clear, and perhaps some examples provided with
> explanation of the corresponding behavior.
>
> - Is it possible to set both ows_allowed_ip_list and ows_denied_ip_list
> and if yes in this case which one takes precedence? Or do they interact
> with each other (i.e. Could I block a range of IPs with the deny list
> and then open up specific workstation addresses with the allow list? or
> the reverse: open up a range of IP addresses with the allow list and
> block a subset with the deny list?)
>
>
> - With respect to the ms_disable_modes, I don't like a logic where we
> need to explicitly list what we block. I prefer the other way around
> where we list what we enable to reduce the risk of leaving open holes in
> your server configuration.
>
> Actually, perhaps one way to deal with this would be to switch to a
> "ms_enable_modes" and use the same kind of logic as ows_enable_requests,
> with "!*" meaning disable all, and "!MAP" meaning disable MAP mode, and
> then allowing the use of ms_enable_modes at the layer-level as well.
>
> e.g.
>
> MAP
>    WEB
>      METADATA
>        # Block all CGI modes except MAP and LEGEND
>        "ms_enable_modes" "!* MAP LEGEND"
>        ...
>      END
>      ...
>    END
>    ...
> END
>
> using inheritance one could then block all modes at the top-level and
> re-enable a given mode only for specific layers:
>
> MAP
>    WEB
>      METADATA
>        # Block all CGI modes by default for this mapfile
>        "ms_enable_modes" "!*"
>        ...
>      END
>      ...
>    END
>
>    LAYER
>      METADATA
>        # Enable MAP and LEGEND requests for this layer
>        "ms_enable_modes" "MAP LEGEND"
>      END
>      ...
>    END
> END
>
> or one could be more open by default and selectively disable some
> requests at the layer level:
>
> MAP
>    WEB
>      METADATA
>        # Open up ALL CGI modes by default for this mapfile
>        "ms_enable_modes" "*"
>        ...
>      END
>      ...
>    END
>
>    LAYER
>      METADATA
>        # But allow only MAP requests on this layer
>        "ms_enable_modes" "!* MAP"
>      END
>      ...
>    END
> END
>
>


-- 
Daniel Morissette
http://www.mapgears.com/
Provider of Professional MapServer Support since 2000
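
The enable/disable logic proposed in the quoted message above, as an added example that is not part of the original email and is not MapServer code. The function names, the default-deny starting point, and the left-to-right, map-then-layer evaluation order are assumptions chosen to reproduce the three mapfile examples in the message.

```python
# Added illustration of the proposed "ms_enable_modes" logic; not MapServer source.
# Assumptions (the email does not spell these out):
#   - nothing is enabled until a token enables it (default deny)
#   - tokens apply left to right, map-level value first, then layer-level value
#   - mode names are compared case-insensitively


def apply_tokens(value, mode, enabled):
    """Apply one "ms_enable_modes" string to the current decision for `mode`."""
    for token in (value or "").split():
        negate = token.startswith("!")
        name = (token[1:] if negate else token).upper()
        # "*" / "!*" affect every mode; a bare or negated name affects only that mode.
        if name == "*" or name == mode.upper():
            enabled = not negate
    return enabled


def mode_enabled(mode, map_value=None, layer_value=None):
    """Return True if `mode` is allowed on a layer given map- and layer-level values."""
    enabled = False  # assumed default: deny
    enabled = apply_tokens(map_value, mode, enabled)    # WEB/METADATA value
    enabled = apply_tokens(layer_value, mode, enabled)  # LAYER/METADATA value, if any
    return enabled


def report(map_value, layer_value=None, modes=("MAP", "LEGEND", "QUERY")):
    """Summarize the decision for a few modes (sample mode list is illustrative)."""
    return {m: mode_enabled(m, map_value, layer_value) for m in modes}


if __name__ == "__main__":
    # The three configurations from the message, plus a layer with no override.
    cases = [
        ("!* MAP LEGEND", None),   # map-level allowlist only
        ("!*", "MAP LEGEND"),      # block by default, re-enable on one layer
        ("!*", None),              # same mapfile, layer without its own value
        ("*", "!* MAP"),           # open by default, restrict one layer
    ]
    for map_value, layer_value in cases:
        print(repr(map_value), repr(layer_value), report(map_value, layer_value))
```

With the map-level "!*" form, a layer that sets no value of its own stays blocked, which is the fail-closed behaviour the message argues for.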