[mapserver-dev] MS RFC 90: Enable/Disable Layers in OGC Web Services by IP Lists - Call for Comments

Tamas Szekeres szekerest at gmail.com
Tue Feb 19 11:50:34 PST 2013


2013/2/19 Daniel Morissette <dmorissette at mapgears.com>

>
> - It is not clear if setting ows_allowed_ip_list implicitly means that all
> addresses are blocked, and then only the specified addresses are enabled,
> and vice-versa that setting ows_denied_ip_list means that any address has
> access by default, except for those listed in the deny list. I believe this
> is the implied behavior, but if yes then I think that should be made clear,
> and perhaps some examples provided with explanation of the corresponding
> behavior.
>
> - Is it possible to set both ows_allowed_ip_list and ows_denied_ip_list
> and if yes in this case which one takes precedence? Or do they interact
> with each other (i.e. Could I block a range of IPs with the deny list and
> then open up specific workstation addresses with the allow list? or the
> reverse: open up a range of IP addresses with the allow list and block a
> subset with the deny list?)
>
>
Hi Daniel,

I noticed I did not explain these conditions well enough. I'd prefer add
the followings:

 - Setting ows_allowed_ip_list will deny all other IPs not specified in the
list.
 - Setting ows_denied_ip_list will allow all other IPs not specified in the
list.
 - When we both allow and deny a given IP the denial will take precedence.



>
> - With respect to the ms_disable_modes, I don't like a logic where we need
> to explicitly list what we block. I prefer the other way around where we
> list what we enable to reduce the risk of leaving open holes in your server
> configuration.
>
> Actually, perhaps one way to deal with this would be to switch to a
> "ms_enable_modes" and use the same kind of logic as ows_enable_requests,
> with "!*" meaning disable all, and "!MAP" meaning disable MAP mode, and
> then allowing the use of ms_enable_modes at the layer-level as well.
>
>
I've considered to keep backwards compatibility that means all CGI modes
are enabled by default. Your suggestion would imply that all CGI modes are
disabled by default, users must specify the desired CGI modes in the
mapfiles with the ms_enable_modes setting. While I'm not sure how mapserver
is used in most cases I suspect your suggestion would cause quite more
troubles when trying to upgrade existing mapfiles. We might however
consider to enable all modes if  ms_enable_modes parameter is not set.

You did mention about supporting the logic of ows_enable_requests. If I
understand correctly it would mean to support the preceding negation '!'
for each item in the list which should be easy enough.

Best regards,

Tamas
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.osgeo.org/pipermail/mapserver-dev/attachments/20130219/081ebd17/attachment.html>


More information about the mapserver-dev mailing list