[mapserver-users] Access control for wms served from mapserver cgi
marc.monnerat at bluewin.ch
marc.monnerat at bluewin.ch
Mon Oct 20 08:21:53 PDT 2008
Hello,
We are using this very basic setting:
# Demo WMS
Alias /wms-demo/usr/lib/cgi-bin/mapserver
<Location /wms-demo>
Deny from all
# My network
Allow from 10.133
SetHandler cgi-script
Options ExecCGI
SetEnv MS_MAPFILE /var/www/wms/wms-demo/wms-demo.map
</Location>
Cheers
Marc Monnerat
----Message d'origine----
De: mgleahy at alumni.uwaterloo.ca
Date: 20.10.2008 11:33
À: <mapserver-users at lists.osgeo.org>
Objet: Re: [mapserver-users] Access control for wms served from mapserver cgi
Hello Rahkonen (and Stephan),
This is an idea that I could make work...I'd have to lock-down mapserv
itself from all connections (otherwise anyone could just replace
wms*.exe in the URL with the original mapserv.exe), though I guess I
should be doing that anyway.
In response to Stephan Holl: I recognize there are other strategies that
involve proxying the WMS requests. I was just hoping for something
quick and easy that could be done with Apache more or less
out-of-the-box using basic config files and/or modules like mod_rewrite.
There have been a few cases where I needed to use mapserver on one
machine to serve data using WMS to another server running mapserver as a
WMS client. I just want to be able to do that with as little work as
possible (i.e., if I can do it in Apache's config, then I can do it
anywhere).
Essentially, my ideal solution would be if I can get something like
mod_rewrite to say "if a request to mapserv contains
'map=/path/to/somefile.map' in the query string, and the client is not
equal to some IP address, return 403, otherwise allow the request". I
just don't quite know how to get mod_rewrite to work like that for me (I
found some promising examples online, but couldn't get them working).
Thanks again,
Mike
Rahkonen Jukka wrote:
> Hi,
>
> If it is easy to limit access to mapserv executable, then how about making a few copies of the executable and tie
each copy to its own mapfile in httpd.conf?
>
> SetEnvIf Request_URI "/cgi-bin/wms1.exe?" MS_MAPFILE=d:/ms4w/apps/wms1.map
> SetEnvIf Request_URI "/cgi-bin/wms2.exe?" MS_MAPFILE=d:/ms4w/apps/wms2.map
>
> Just thinking, I do not know if this is secure at all.
>
> -Jukka Rahkonen-
>
>
>> -----Alkuperäinen viesti-----
>> Lähettäjä: mapserver-users-bounces at lists.osgeo.org
>> [mailto:mapserver-users-bounces at lists.osgeo.org] Puolesta Mike Leahy
>> Lähetetty: 20. lokakuuta 2008 3:58
>> Vastaanottaja: mapserver-users at lists.osgeo.org
>> Aihe: [mapserver-users] Access control for wms served from
>> mapserver cgi
>>
>> Hello list,
>>
>> Does anyone on this list know of a simple strategy for
>> configuring Apache to restrict access to specific mapfiles
>> served as WMS through the cgi mapserv program? I'd like to
>> do is restrict access to specific IPs for URLs like the following:
>> http://host/cgi-bin/mapserv?map=/path/to/file.map[&...].
>>
>> It's easy enough to limit access to the mapserv executable
>> itself, but I'd rather do it on a per-mapfile basis. I tried
>> a couple things using mod_rewrite in apache, but anything
>> I've tried so far doesn't seem to work.
>>
>> I know that this sort of question has been asked before, but
>> after searching/tinkering for a while, I haven't found a
>> solution that works for me yet.
>>
>> Thanks for any suggestions,
>> Mike
>> _______________________________________________
>> mapserver-users mailing list
>> mapserver-users at lists.osgeo.org
>> http://lists.osgeo.org/mailman/listinfo/mapserver-users
>>
>
_______________________________________________
mapserver-users mailing list
mapserver-users at lists.osgeo.org
http://lists.osgeo.org/mailman/listinfo/mapserver-users
More information about the MapServer-users
mailing list