MapStore Secure Connection HTTPS


osjam...@gmail.com

Aug 26, 2022, 5:54:08 AM
to mapstore-developers
Hello,
We are about to launch MapStore and are working out the best way to configure HTTPS.
I have used Tomcat and the mapstore.war to deploy MapStore.  So now we seem to have three options open to us:
Our preference is to use Microsoft IIS and the ISAPI redirector.
I would be very interested to hear about the relative merits of each approach if anyone has already considered any of these options, and whether the third approach is in fact possible.  It would also be good to hear of any issues encountered with any of these approaches.
Many thanks in anticipation.
Regards
Owen

Lorenzo Natali

Sep 2, 2022, 3:45:18 AM
to mapstore-developers
Hi,
I have no experience with ISAPI and Microsoft IIS. Anyway, I see it uses AJP.

We usually use this protocol to proxy the server in and expose it to the internet. 
We have some notes on it for Apache Http Server or nginx (regarding the print plugin in particular) here. 

So it may work

osjam...@gmail.com

Sep 13, 2022, 10:59:37 AM
to mapstore-developers
Hi Lorenzo,
Thank you for your reply, we have looked at the guidance for the printing module and would like some more information and advice.
Do you have a preferred method for exposing MapStore to the internet?  The use of Tomcat (or other container) seems to be your advice to deploy MapStore.
Our technical team assume a web server or reverse proxy should be used in front of the Tomcat application server, as you have indicated above, would this be the preferred method and should MapStore and the web server or reverse proxy be on the same server?
More detailed guidance would be appreciated.
We have deployed MapStore on a server in our DMZ and data is served from GeoServer in the Council's internal network.
Many thanks

Lorenzo Natali

Sep 13, 2022, 12:35:58 PM
to mapstore-...@googlegroups.com
Hi, 
we usually put a web server or a reverse proxy in front of MapStore and GeoServer on separate VMs or docker images.

Generally speaking having different servers (or VMs, or dockers) for the web server and MapStore/GeoServer helps to:
- keep things separated 
- better handle security (the applications are not directly exposed to the internet, if needed)
- manage HW resources 
- switch services by replacing VMs

It is suggested in general but it is not mandatory to have them on separate servers.

Using a central web server / reverse proxy to expose both GeoServer and MapStore (e.g. on /geoserver/ and /mapstore/ ) allows you to:
- use the same domain name, avoiding same-origin policy restriction issues
- handle SSL setup for HTTPS in a single point

Anyway, most things depend on your specific requirements.


osjam...@gmail.com

Sep 14, 2022, 5:22:55 AM
to mapstore-developers
Hi Lorenzo,
Thanks for your quick response and advice.
I have passed this on to our IT team, so hopefully we can get something worked out soon and can get MapStore published.
You could have a UK local authority to add to your user list soon!

Lorenzo Natali

Sep 16, 2022, 3:33:30 AM
to mapstore-developers
Great to know, thank you.

osjam...@gmail.com

Oct 6, 2022, 5:53:32 AM
to mapstore-developers
Hi Lorenzo (or anyone in the group!),

We have made good progress, but have one final issue which is confusing us.

We have installed an NGINX web server/proxy on the MapStore server between the Tomcat server and user requests.  NGINX has been configured to manage the translation between an incoming https request to a local request to the Tomcat server for both the MapStore server and the GeoServer server.  This is working as required and manages the connection to the Tomcat servers on port 8080 to an https connection with a certificate over port 443.
 
However, problems occur when adding GeoServer layers into a MapStore context.

The main issue is that the http URL in a catalog (configured before the installation of NGINX) is used when MapStore makes multiple failed calls to GeoServer to load layers from GeoServer.  We have tried to resolve this in two ways.

Firstly, changing an existing catalog.  Using the catalog editor, the URL for an existing catalog is changed from the http connection to the https connection and saved with the ‘Success’ message appearing.  But when the context is closed and re-opened, the change is lost and the original http URL is shown.  But any layers added using the https connection remain visible on the map.  For these layers, attribute information is returned when querying objects on the map (the https connection seems to be used for this), but the attribute tables don’t return any features.

Secondly, adding a new catalog created using the https connection to a GeoServer workspace.  It is possible to use the catalog to load layers from GeoServer, but when the context is closed and re-opened, the catalog disappears.  But, as before, the added layers remain visible on the map.
 
Would you, or anyone in the group, have any thoughts on why the changed URL to https returns to the original http URL or why a new https catalog disappears when re-opening a context?

Many thanks

Owen
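
The reverse-proxy layout discussed in this thread (one HTTPS entry point on port 443 in front of Tomcat on port 8080, with MapStore and GeoServer published under /mapstore/ and /geoserver/ on the same domain), written out as an added example; it is not configuration posted by anyone in the thread. The host name, certificate paths and backend addresses are placeholders and assumptions.

```nginx
# Added example: names, paths and addresses below are placeholders.

# Plain HTTP only redirects, so the applications are never served over http://.
server {
    listen 80;
    server_name maps.example.org;              # placeholder public host name
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl;
    server_name maps.example.org;

    # TLS is terminated here, in a single place; Tomcat keeps speaking
    # plain HTTP on 8080 and needs no certificate of its own.
    ssl_certificate     /etc/nginx/tls/maps.example.org.crt;   # placeholder path
    ssl_certificate_key /etc/nginx/tls/maps.example.org.key;   # placeholder path
    ssl_protocols       TLSv1.2 TLSv1.3;

    # Pass the client-facing host and scheme to the backends, so they can
    # tell the original request was HTTPS. These server-level headers are
    # inherited by the locations below because none of them sets its own.
    proxy_set_header Host              $host;
    proxy_set_header X-Real-IP         $remote_addr;
    proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;

    # MapStore on the local Tomcat (assumed to run on the same host as NGINX).
    location /mapstore/ {
        proxy_pass http://127.0.0.1:8080/mapstore/;
    }

    # GeoServer on the internal network (placeholder address).
    location /geoserver/ {
        proxy_pass http://10.0.0.10:8080/geoserver/;
    }

    # Anything else deployed on Tomcat is not published through the proxy.
    location / {
        return 404;
    }
}
```

With this layout the browser sees both applications on one HTTPS origin, and port 8080 only needs to be reachable from the proxy itself.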

osjam...@gmail.com

Oct 7, 2022, 4:37:27 AM
to mapstore-developers
Just an additional note to this.  I have tried to create a new catalog to another data source and the issue is replicated with this data source, so the issue seems to be specifically related to MapStore.