[Tilecache] Protecting a tilecache from outside

Jacolin Yves yjacolin at free.fr
Thu Apr 17 10:43:07 EDT 2008


On Thursday 17 April 2008 17:32:10 Stephen Woodbridge, you wrote:
> Jacolin Yves wrote:
> > Hi,
> >
> > As you may know I succeeded in using TC in mod_python yesterday.
> > One of the last problems that remains is that we would like to protect TC
> > server from people outside our website. That means only OpenLayers in
> > your website application can use it.
> >
> > In cgi mode, we used a wrapper which retrieves a key parameter and compares
> > it with the key in the file then if ok sends the request to TC. As you see
> > it is not really a "secure" process.
> >
> > Here is how we did it with mod_python. First of all add these two lines in
> > the vhost close to your configuration parameter for TC:
> >
> > <Directory "/var/www/../Carto/tilecache-1.9/">
> >   AddHandler python-program .py
> >   PythonHandler TileCache.Service
> >   PythonOption TileCacheConfig /var/www/.../Carto/cgi/tilecache.cfg
> >   SetEnvIf Referer www\.lpdipro\.dev\.local\.yves intra_site_referral
> >   Deny from all
> >   Allow from env=intra_site_referral
> > </Directory>
> >
> > Only requests from our application will be successful. If you try to
> > request TC directly you will get a "no access" error page.
> >
> > Hope it helps. If you think I am wrong, tell me ;)
> >
> > Regards,
> >
> > Y.
>
> It is trivial to set the referer. Below is a man page from wget, it is
> also trivial to do this with a perl script that could proxy tile
> requests to your TC.
>
> So, not any more secure than your key parameter, maybe a little more
> obscure, but security through obscurity is generally not that good.
>
> It might be more secure to have the user login and set a cookie that is
> time limited. Then only serve the tile if the cookie is good. If the
> cookie has expired you would have to have the client login again. I
> would make the contents of each cookie unique and do some additional
> tests if you want to make sure the cookie is not requested from multiple
> hosts.
>
> -Steve
>
>
> man wget
>
> ...
>
>         --referer=url
>             Include 'Referer: url' header in HTTP request.  Useful for
>             retrieving documents with server-side processing that assume
>             they are always being retrieved by interactive web browsers
>             and only come out properly when Referer is set to one of the
>             pages that point to them.
Hi,

Indeed! I think security is just getting something acceptable between the server 
security and the development time. It could be ok for us, but I will check 
your way. And I add some questions:
* How can I use a cookie on the server side, is it possible?
* How can I manage this?

Thanks !

Y.
-- 
Yves Jacolin
---
http://softlibre.gloobe.org
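
The time-limited, per-user cookie suggested in the quoted reply could be built as an HMAC-signed value that the server checks before serving a tile. This is an added example, not code from the thread or from TileCache. SECRET_KEY, MAX_AGE, issue_token and verify_token are hypothetical names, and how the check is wired in front of TileCache is left open.

```python
import base64
import hashlib
import hmac
import os
import time

# Assumption: in production, load one fixed secret shared by all server processes.
SECRET_KEY = os.urandom(32)
MAX_AGE = 900  # assumption: cookie lifetime in seconds


def _sign(message):
    mac = hmac.new(SECRET_KEY, message.encode(), hashlib.sha256).digest()
    return base64.urlsafe_b64encode(mac).decode()


def issue_token(user, client_ip, now=None):
    """Cookie value to set after a successful login."""
    if "|" in user:
        raise ValueError("user name must not contain '|'")
    expires = int(time.time() if now is None else now) + MAX_AGE
    nonce = base64.urlsafe_b64encode(os.urandom(9)).decode()  # unique per cookie
    body = "|".join([user, str(expires), nonce])
    # The client address is covered by the MAC but not stored in the cookie.
    return body + "|" + _sign(body + "|" + client_ip)


def verify_token(token, client_ip, now=None):
    """Return the user name, or None if forged, expired or from another host."""
    try:
        user, expires, nonce, sig = token.split("|")
    except (AttributeError, ValueError):
        return None
    expected = _sign("|".join([user, expires, nonce, client_ip]))
    # Constant-time comparison; bytes avoid a TypeError on non-ASCII input.
    if not hmac.compare_digest(sig.encode(), expected.encode()):
        return None
    if (time.time() if now is None else now) >= int(expires):
        return None
    return user
```

Unlike the Referer header, a client cannot produce a valid value without the server-side secret, and changing the expiry or replaying the cookie from another address invalidates the signature.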


