[mapserver-users] Access control for wms served from mapserver cgi

marc.monnerat at bluewin.ch marc.monnerat at bluewin.ch
Mon Oct 20 08:21:53 PDT 2008


Hello,

We are using this very basic setting:

# Demo WMS
Alias /wms-demo /usr/lib/cgi-bin/mapserver
<Location /wms-demo>
   Deny from all
   # My network
   Allow from 10.133
   SetHandler cgi-script
   Options ExecCGI
   SetEnv MS_MAPFILE /var/www/wms/wms-demo/wms-demo.map
</Location>

Cheers

Marc Monnerat

----Original message----
From: mgleahy at alumni.uwaterloo.ca
Date: 20.10.2008 11:33
To: <mapserver-users at lists.osgeo.org>
Subject: Re: [mapserver-users] Access control for wms served from mapserver cgi

Hello Rahkonen (and Stephan),

This is an idea that I could make work...I'd have to lock-down mapserv 
itself from all connections (otherwise anyone could just replace 
wms*.exe in the URL with the original mapserv.exe), though I guess I 
should be doing that anyway.

In response to Stephan Holl: I recognize there are other strategies that 
involve proxying the WMS requests.  I was just hoping for something 
quick and easy that could be done with Apache more or less 
out-of-the-box using basic config files and/or modules like mod_rewrite. 
  There have been a few cases where I needed to use mapserver on one 
machine to serve data using WMS to another server running mapserver as a 
WMS client.  I just want to be able to do that with as little work as 
possible (i.e., if I can do it in Apache's config, then I can do it 
anywhere).

Essentially, my ideal solution would be if I can get something like 
mod_rewrite to say "if a request to mapserv contains 
'map=/path/to/somefile.map' in the query string, and the client is not 
equal to some IP address, return 403, otherwise allow the request".  I 
just don't quite know how to get mod_rewrite to work like that for me (I 
found some promising examples online, but couldn't get them working).

Thanks again,
Mike

Rahkonen Jukka wrote:
> Hi,
> 
> If it is easy to limit access to mapserv executable, then how about making a few copies of the executable and tie each copy to its own mapfile in httpd.conf?
> 
> SetEnvIf Request_URI "/cgi-bin/wms1.exe?" MS_MAPFILE=d:/ms4w/apps/wms1.map
> SetEnvIf Request_URI "/cgi-bin/wms2.exe?" MS_MAPFILE=d:/ms4w/apps/wms2.map
> 
> Just thinking, I do not know if this is secure at all.  
> 
> -Jukka Rahkonen-
>  
> 
>> -----Original message-----
>> From: mapserver-users-bounces at lists.osgeo.org 
>> [mailto:mapserver-users-bounces at lists.osgeo.org] On behalf of Mike Leahy
>> Sent: 20 October 2008 3:58
>> To: mapserver-users at lists.osgeo.org
>> Subject: [mapserver-users] Access control for wms served from 
>> mapserver cgi
>>
>> Hello list,
>>
>> Does anyone on this list know of a simple strategy for 
>> configuring Apache to restrict access to specific mapfiles 
>> served as WMS through the cgi mapserv program?  What I'd like to 
>> do is restrict access to specific IPs for URLs like the following: 
>> http://host/cgi-bin/mapserv?map=/path/to/file.map[&...].
>>
>> It's easy enough to limit access to the mapserv executable 
>> itself, but I'd rather do it on a per-mapfile basis.  I tried 
>> a couple things using mod_rewrite in apache, but anything 
>> I've tried so far doesn't seem to work.
>>
>> I know that this sort of question has been asked before, but 
>> after searching/tinkering for a while, I haven't found a 
>> solution that works for me yet.
>>
>> Thanks for any suggestions,
>> Mike
>> _______________________________________________
>> mapserver-users mailing list
>> mapserver-users at lists.osgeo.org
>> http://lists.osgeo.org/mailman/listinfo/mapserver-users
>>
> 
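The rule Mike describes in the thread (403 for a given `map=` value unless the client IP is allowed) can be written with mod_rewrite. The following is an added example, not a configuration posted by anyone in the thread, and it goes beyond the rule as stated by denying by default. The mapserv URL, both mapfile paths and the reuse of Marc's 10.133 network are assumptions.

```apache
# Added example. Assumed: mapserv at /cgi-bin/mapserv, restricted mapfile
# /path/to/somefile.map, public mapfile /path/to/public.map, trusted clients
# in 10.133.x.x. Server or <VirtualHost> context, mod_rewrite loaded.
RewriteEngine On

# Literal form of the rule asked for in the thread, shown for comparison.
# %{QUERY_STRING} is matched undecoded and as a plain string, so this only
# recognises one exact spelling of the path; everything else is allowed.
#RewriteCond %{QUERY_STRING} (^|&)map=/path/to/somefile\.map(&|$)
#RewriteCond %{REMOTE_ADDR}  !^10\.133\.
#RewriteRule ^/cgi-bin/mapserv$ - [F]

# Hardened form: default deny with an exact-match allow list.
# 1. Refuse requests these rules cannot judge: methods that may carry
#    parameters in a body, percent-encoded parameter names, repeated map=.
RewriteCond %{REQUEST_METHOD} !^(GET|HEAD)$    [OR]
RewriteCond %{QUERY_STRING}   (^|&)[^=&]*%     [OR]
RewriteCond %{QUERY_STRING}   (^|&)map=.*&map= [NC]
RewriteRule ^/cgi-bin/mapserv - [F,NC]

# 2. Trusted network may use the restricted mapfile.
RewriteCond %{QUERY_STRING} (^|&)[Mm][Aa][Pp]=/path/to/somefile\.map(&|$)
RewriteCond %{REMOTE_ADDR}  ^10\.133\.
RewriteRule ^/cgi-bin/mapserv$ - [L]

# 3. Any client may use the public mapfile.
RewriteCond %{QUERY_STRING} (^|&)[Mm][Aa][Pp]=/path/to/public\.map(&|$)
RewriteRule ^/cgi-bin/mapserv$ - [L]

# 4. Everything else addressed to mapserv, including requests with no map
#    parameter or an unlisted path, gets 403.
RewriteRule ^/cgi-bin/mapserv - [F,NC]
```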