[MapServer-users] Redirecting to s3 via apache2 redirect/alias/proxy

Mon Oct 24 02:34:26 PDT 2022

Hi,

I am not sure how well redirect plays together with MS_MAP_PATTERN https://www.mapserver.org/optimization/limit_mapfile_access.html#limit-mapfile-access but maybe you could test it by redirecting locally and trying to access a mapfile from a directory that does not match with MS_MAP_PATTERN. If that requires Apache admin rights then maybe it does not bring back https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-32062.

If having mapfiles in s3 feels like an option that Mapserver should support then perhaps RFC 56 https://www.mapserver.org/development/rfc/ms-rfc-56.html#rfc56 should be reviewed.

-Jukka Rahkonen-

Lähettäjä: MapServer-users <mapserver-users-bounces at lists.osgeo.org> Puolesta Marcin Niemyjski via MapServer-users
Lähetetty: maanantai 24. lokakuuta 2022 12.13
Vastaanottaja: Marcin Niemyjski via MapServer-users <mapserver-users at lists.osgeo.org>
Aihe: [MapServer-users] Redirecting to s3 via apache2 redirect/alias/proxy

Hello,

coming back to you with one more question about s3, namely:

As I wrote before - I want to keep my mapfiles on buckets but I also want to access them without need to mount buckets to VMs, so I've came up with this:

https://httpd.apache.org/docs/2.4/rewrite/flags.html#flag_p<https://eur06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fhttpd.apache.org%2Fdocs%2F2.4%2Frewrite%2Fflags.html%23flag_p&data=05%7C01%7Cjukka.rahkonen%40maanmittauslaitos.fi%7Ca7ec15f2a9c3426f8cfb08dab59ff396%7Cc4f8a63255804a1c92371d5a571b71fa%7C0%7C0%7C638021995838914540%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=hGkMIdjG9pqN7fHVr%2FM9iJLLB%2F4ooFHD2trkQO8v5RI%3D&reserved=0>
https://mapserver.org/ogc/wms_server.html#changing-the-online-resource-url<https://eur06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fmapserver.org%2Fogc%2Fwms_server.html%23changing-the-online-resource-url&data=05%7C01%7Cjukka.rahkonen%40maanmittauslaitos.fi%7Ca7ec15f2a9c3426f8cfb08dab59ff396%7Cc4f8a63255804a1c92371d5a571b71fa%7C0%7C0%7C638021995839070775%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=0F26wO0I%2FjPGEPRMNuXY82PtHZ3a7M7TWfF0YBQmKCI%3D&reserved=0>

generaly I want to do this:

ProxyPass        /martest/ https://s3.amazon.com/Bucket/Key
ProxyPassReverse /martest/ https://s3.amazon.com/Bucket/Key<https://eur06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fs3.amazon.com%2FBucket%2FKey&data=05%7C01%7Cjukka.rahkonen%40maanmittauslaitos.fi%7Ca7ec15f2a9c3426f8cfb08dab59ff396%7Cc4f8a63255804a1c92371d5a571b71fa%7C0%7C0%7C638021995839070775%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=502pTFvV%2FC4MeUvGacEINJb%2FlJac89yQg%2BJDAiyjyu8%3D&reserved=0>

or

RewriteEngine on
RewriteRule /martest/ https://s3.amazon.com/Bucket/<https://eur06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fs3.amazon.com%2FBucket%2F&data=05%7C01%7Cjukka.rahkonen%40maanmittauslaitos.fi%7Ca7ec15f2a9c3426f8cfb08dab59ff396%7Cc4f8a63255804a1c92371d5a571b71fa%7C0%7C0%7C638021995839070775%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=geyuNsQ57Xtcd%2BLw2idANpGsSQDtEgEij%2BaIDSk79B0%3D&reserved=0>

so, while using WMS online resource url https://www.lpis.pl/cgi-bin/mapserv?map=/martest/jrc.map<https://eur06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.lpis.pl%2Fcgi-bin%2Fmapserv%3Fmap%3D%2Fmartest%2Fjrc.map&data=05%7C01%7Cjukka.rahkonen%40maanmittauslaitos.fi%7Ca7ec15f2a9c3426f8cfb08dab59ff396%7Cc4f8a63255804a1c92371d5a571b71fa%7C0%7C0%7C638021995839070775%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=EEUrf970Gf96ulDORIHKbBvjLRJjDilHvo6gi%2BL7LDI%3D&reserved=0> i would connect to mapfile on s3.

But it doesn't seem to be working. Is this even possible to connect mapserver and s3 this way?

As always thank you for your help and time,
Marcin

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.osgeo.org/pipermail/mapserver-users/attachments/20221024/45b0a042/attachment-0001.htm>