[Tilecache] Protecting a tilecache from outside
Stephen Woodbridge
woodbri at swoodbridge.com
Thu Apr 17 11:32:10 EDT 2008
Jacolin Yves wrote:
> Hi,
>
> As you may know, I succeeded in using TC under mod_python yesterday. One
> of the last problems remaining is that we would like to protect the TC server from
> people outside our website. That means only OpenLayers in your website
> application can use it.
>
> In cgi mode, we used a wrapper which retrieves a key parameter and compares it
> with the key in the file, then if OK sends the request to TC. As you see it is
> not really a "secure" process.
>
> Here is how we did it with mod_python. First of all, add these two lines in the vhost,
> close to your configuration parameters for TC:
>
> <Directory "/var/www/../Carto/tilecache-1.9/">
> AddHandler python-program .py
> PythonHandler TileCache.Service
> PythonOption TileCacheConfig /var/www/.../Carto/cgi/tilecache.cfg
> SetEnvIf Referer www\.lpdipro\.dev\.local\.yves intra_site_referral
> Deny from all
> Allow from env=intra_site_referral
> </Directory>
>
> Only requests from our application will be successful. If you try to request TC
> directly you will get a "no access" error page.
>
> Hope it helps. If you think I am wrong, tell me ;)
>
> Regards,
>
> Y.
It is trivial to set the referer. Below is a man page excerpt from wget; it is
also trivial to do this with a perl script that could proxy tile
requests to your TC.
So, it is not any more secure than your key parameter, maybe a little more
obscure, but security through obscurity is generally not that good.
It might be more secure to have the user login and set a cookie that is
time limited, then only serve the tile if the cookie is good. If the
cookie has expired you would have to have the client login again. I
would make the contents of each cookie unique and do some additional
tests if you want to make sure the cookie is not requested from multiple
hosts.
-Steve
man wget
...
--referer=url
    Include "Referer: url" header in HTTP request. Useful for
    retrieving documents with server-side processing that assume they are
    always being retrieved by interactive web browsers and only come
    out properly when Referer is set to one of the pages that point to
    them.
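The time-limited, per-client cookie Steve describes above, as an added example that is not part of the original thread or of TileCache itself. It uses an HMAC-signed token carrying a random nonce, an expiry time and the client identity (here the remote address) the cookie was issued to, so that a copied cookie fails if it is replayed from another host or after the expiry. The cookie name `tc_session`, the secret and the TTL are assumptions made for this example; a real deployment would load the secret from configuration and issue the token only after the login step.

```python
import hashlib
import hmac
import secrets

# Constructed values for the example; a real deployment loads the secret from config.
SECRET_KEY = b"example-secret-do-not-use-in-production"
TTL_SECONDS = 3600
COOKIE_NAME = "tc_session"


def issue_token(client_id, now, secret=SECRET_KEY, ttl=TTL_SECONDS):
    """Return a cookie value 'nonce:expiry:client_id:mac' for a client that has logged in.

    The nonce makes every cookie unique; the MAC covers nonce, expiry and client_id,
    so none of them can be altered without the server-side secret.
    """
    nonce = secrets.token_hex(8)
    expiry = int(now) + ttl
    payload = "%s:%d:%s" % (nonce, expiry, client_id)
    mac = hmac.new(secret, payload.encode(), hashlib.sha256).hexdigest()
    return payload + ":" + mac


def verify_token(token, client_id, now, secret=SECRET_KEY):
    """Return True only if the MAC is valid, the token is unexpired and it is bound to client_id."""
    try:
        # The MAC is the last field; client_id may itself contain ':' (e.g. IPv6), so split from the right.
        payload, mac = token.rsplit(":", 1)
        nonce, expiry_str, bound_client = payload.split(":", 2)
        expiry = int(expiry_str)
    except (ValueError, AttributeError):
        return False
    expected = hmac.new(secret, payload.encode(), hashlib.sha256).hexdigest()
    # Constant-time comparison so that a forged MAC cannot be guessed byte by byte.
    if not hmac.compare_digest(mac, expected):
        return False
    if int(now) >= expiry:
        return False  # expired: client has to log in again
    if bound_client != client_id:
        return False  # cookie is being presented from a different host than it was issued to
    return True


def authorize_tile_request(headers, remote_addr, now):
    """Decide whether a tile request may be served, given its request headers and remote address.

    headers is a plain dict of header name -> value, as a mod_python or WSGI handler could build.
    """
    cookie_header = headers.get("Cookie", "")
    token = None
    for part in cookie_header.split(";"):
        name, sep, value = part.strip().partition("=")
        if sep and name == COOKIE_NAME:
            token = value
            break
    if token is None:
        return False
    return verify_token(token, remote_addr, now)


if __name__ == "__main__":
    # Constructed walk-through: issue at t=1000, check from the same and from another host.
    tok = issue_token("192.0.2.10", now=1000)
    print(authorize_tile_request({"Cookie": COOKIE_NAME + "=" + tok}, "192.0.2.10", now=1500))
    print(authorize_tile_request({"Cookie": COOKIE_NAME + "=" + tok}, "198.51.100.7", now=1500))
    print(authorize_tile_request({"Cookie": COOKIE_NAME + "=" + tok}, "192.0.2.10", now=1000 + TTL_SECONDS))
```

Binding the token to the remote address is the "additional test" against use from multiple hosts; if clients sit behind a shared proxy it will lock them out together, so a session identifier from the login step can be used as `client_id` instead. The tile handler itself would call `authorize_tile_request` and return the "no access" response when it is false, before any cache lookup is done.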