[mapserver-users] Access control for wms served from mapserver cgi

Robert Sanson SansonR at asurequality.com
Mon Oct 20 15:39:11 EDT 2008 

Hi Marc
 
Where do you set this? Is it somewhere in httpd.conf?
 
Many thanks,
 
Robert Sanson

>>> "marc.monnerat at bluewin.ch" <marc.monnerat at bluewin.ch> 21/10/2008
4:21 a.m. >>>
Hello,

We are using this very basic setting:

# Demo WMS
Alias /wms-demo/usr/lib/cgi-bin/mapserver
<Location /wms-demo>
  Deny from all
   #   My network
   Allow from  10.133
   SetHandler cgi-script
   Options ExecCGI
   SetEnv MS_MAPFILE /var/www/wms/wms-demo/wms-demo.map
</Location>

Cheers

Marc Monnerat

----Message d'origine----
De: mgleahy at alumni.uwaterloo.ca 
Date: 20.10.2008 11:33
À: <mapserver-users at lists.osgeo.org>
Objet: Re: [mapserver-users] Access control for wms served from
mapserver cgi

Hello Rahkonen (and Stephan),

This is an idea that I could make work...I'd have to lock-down mapserv

itself from all connections (otherwise anyone could just replace 
wms*.exe in the URL with the original mapserv.exe), though I guess I 
should be doing that anyway.

In response to Stephan Holl: I recognize there are other strategies
that 
involve proxying the WMS requests.  I was just hoping for something 
quick and easy that could be done with Apache more or less 
out-of-the-box using basic config files and/or modules like
mod_rewrite. 
  There have been a few cases where I needed to use mapserver on one 
machine to serve data using WMS to another server running mapserver as
a 
WMS client.  I just want to be able to do that with as little work as 
possible (i.e., if I can do it in Apache's config, then I can do it 
anywhere).

Essentially, my ideal solution would be if I can get something like 
mod_rewrite to say "if a request to mapserv contains 
'map=/path/to/somefile.map' in the query string, and the client is not

equal to some IP address, return 403, otherwise allow the request".  I

just don't quite know how to get mod_rewrite to work like that for me
(I 
found some promising examples online, but couldn't get them working).

Thanks again,
Mike

Rahkonen Jukka wrote:
> Hi,
> 
> If it is easy to limit access to mapserv executable, then how about
making a few copies of the executable and tie 
each copy to its own mapfile in httpd.conf?
> 
> SetEnvIf Request_URI "/cgi-bin/wms1.exe?"
MS_MAPFILE=d:/ms4w/apps/wms1.map
> SetEnvIf Request_URI "/cgi-bin/wms2.exe?"
MS_MAPFILE=d:/ms4w/apps/wms2.map
> 
> Just thinking, I do not know if this is secure at all.  
> 
> -Jukka Rahkonen-
>  
> 
>> -----Alkuperäinen viesti-----
>> Lähettäjä: mapserver-users-bounces at lists.osgeo.org 
>> [mailto:mapserver-users-bounces at lists.osgeo.org] Puolesta Mike
Leahy
>> Lähetetty: 20. lokakuuta 2008 3:58
>> Vastaanottaja: mapserver-users at lists.osgeo.org 
>> Aihe: [mapserver-users] Access control for wms served from 
>> mapserver cgi
>>
>> Hello list,
>>
>> Does anyone on this list know of a simple strategy for 
>> configuring Apache to restrict access to specific mapfiles 
>> served as WMS through the cgi mapserv program?  I'd like to 
>> do is restrict access to specific IPs for URLs like the following: 
>> http://host/cgi-bin/mapserv?map=/path/to/file.map[&...].
>>
>> It's easy enough to limit access to the mapserv executable 
>> itself, but I'd rather do it on a per-mapfile basis.  I tried 
>> a couple things using mod_rewrite in apache, but anything 
>> I've tried so far doesn't seem to work.
>>
>> I know that this sort of question has been asked before, but 
>> after searching/tinkering for a while, I haven't found a 
>> solution that works for me yet.
>>
>> Thanks for any suggestions,
>> Mike
>> _______________________________________________
>> mapserver-users mailing list
>> mapserver-users at lists.osgeo.org 
>> http://lists.osgeo.org/mailman/listinfo/mapserver-users 
>>
> 
_______________________________________________
mapserver-users mailing list
mapserver-users at lists.osgeo.org 
http://lists.osgeo.org/mailman/listinfo/mapserver-users 



_______________________________________________
mapserver-users mailing list
mapserver-users at lists.osgeo.org 
http://lists.osgeo.org/mailman/listinfo/mapserver-users 

------------------------------------------------------------------
The contents of this email are confidential to AsureQuality. If you have received this communication in error please notify the sender immediately and delete the message and any attachments. The opinions expressed in this email are not necessarily those of AsureQuality. This message has been scanned for known viruses before delivery. AsureQuality supports the Unsolicited Electronic Messages Act 2007. If you do not wish to receive similar communications in future, please notify the sender of this message.
------------------------------------------------------------------


This message has been scanned for malware by SurfControl plc. www.surfcontrol.com
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.osgeo.org/pipermail/mapserver-users/attachments/20081021/828fe4e9/attachment.html

More information about the mapserver-users mailing list