[Geoserver-users] HTTPS to GeoServer Docker

I am exploring options for a relatively low-usage service requiring low levels of infrastructure setup and maintenance (the data is related to a local history society).

GeoServer docker image appears to be perfect except that I observe it serves unencrypted data. This is not acceptable in 2023 on the grounds of security and privacy. I have not been able to find how to start the container such that HTTPS is the exclusive means of access.

Is this possible? (I think it really should be!)

Thanks in advance, Adam

It is a good feature request; I wonder how it can be accommodated.

On Tue, Sep 19, 2023 at 11:58 AM Adam Cooper <arc@…11834…> wrote:



Geoserver-users mailing list

Please make sure you read the following two resources before posting to this list:

If you want to request a feature or an improvement, also see this: https://github.com/geoserver/geoserver/wiki/Successfully-requesting-and-integrating-new-features-and-improvements-in-GeoServer

Geoserver-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/geoserver-users

I set up a reverse proxy (currently I use Varnish/Hitch) and it supports the certificates and all that, and then I don't have to worry about it in the services such as GeoServer. There's the additional benefit that Varnish is a cache, too. (Really it's designed to be a cache, and the reverse proxy is an add on.)

It keeps the functions of managing certificates and encryption separated from the sundry various HTTP services I use. Using the proxy means you can do things like write little Python Flask or Node services and still have them behind HTTPS. It means you can use pretty much any Docker HTTP service and run it behind HTTPS without having to change the Docker image. Varnish is sort of what the ArcGIS "Web Adaptor" does but in an open source well-documented and effective and flexible way.

My repository for Varnish and Hitch is here https://github.com/Wildsong/docker-varnish
I think the notes are reasonably good but I wrote them for myself. If you want support with it, write to me.

Brian Wilson
Astoria Oregon

another option is https://github.com/nginx-proxy/nginx-proxy in connection with https://github.com/nginx-proxy/acme-companion. This is also a proxy that is easy to install and supports free certificates via LetsEncrypt. The Docker containers are well documented.


On 20.09.2023 at 02:00, brian— via Geoserver-users wrote:




On 19-09-2023 at 20:38, Adam Cooper wrote:

I am exploring options for a relatively low-usage service requiring low levels of infrastructure setup and maintenance (the data is related to a local history society).

GeoServer docker image appears to be perfect except that I observe it serves unencrypted data. This is not acceptable in 2023 on the grounds of security and privacy.

Why? If it's public data...

I have not been able to find how to start the container such that HTTPS is the exclusive means of access.

Is this possible? (I think it really should be!)

It's not, and it would be a total pain to set up and maintain/manage.

Various solutions using reverse proxy have passed; I would like to add Traefik (https://traefik.io/) to that, which will do automatic certificate management, e.g. using Let's Encrypt certificates.

Mark
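To make the Traefik route concrete, here is a minimal docker-compose.yml that puts the open-source Traefik proxy (the `traefik` image, not Traefik Enterprise) in front of the GeoServer container and lets it obtain and renew a Let's Encrypt certificate on its own. This is an added example, not Mark's configuration and not anything from the Traefik or GeoServer projects. It assumes the host is reachable from the Internet on ports 80 and 443 under the placeholder name maps.example.org, that admin@example.org is a placeholder contact address, that the official docker.osgeo.org/geoserver image tag is the one you actually deploy, and that the image honours a PROXY_BASE_URL environment variable (check the GeoServer proxy base URL documentation for your version).

```yaml
# Added example: Traefik v2 terminating TLS in front of GeoServer, with
# certificates issued automatically by Let's Encrypt (ACME HTTP-01).
# Placeholders: maps.example.org, admin@example.org, the image tags.
services:
  traefik:
    image: traefik:v2.10
    command:
      # Discover backends from container labels, but only those that opt in.
      - --providers.docker=true
      - --providers.docker.exposedbydefault=false
      # Two entry points. Plain HTTP exists only to redirect to HTTPS and to
      # answer the ACME HTTP-01 challenge; everything else is served on 443.
      - --entrypoints.web.address=:80
      - --entrypoints.websecure.address=:443
      - --entrypoints.web.http.redirections.entrypoint.to=websecure
      - --entrypoints.web.http.redirections.entrypoint.scheme=https
      # ACME resolver: contact address and persistent storage for the
      # issued certificate (acme.json must be mode 0600 or Traefik refuses it).
      - --certificatesresolvers.le.acme.email=admin@example.org
      - --certificatesresolvers.le.acme.storage=/letsencrypt/acme.json
      - --certificatesresolvers.le.acme.httpchallenge.entrypoint=web
    ports:
      - "80:80"
      - "443:443"
    volumes:
      - ./letsencrypt:/letsencrypt
      # Even read-only, access to the Docker socket is full control of the
      # daemon for whoever controls this process: keep the proxy minimal
      # and patched, and do not put other workloads in this container.
      - /var/run/docker.sock:/var/run/docker.sock:ro

  geoserver:
    image: docker.osgeo.org/geoserver:2.23.2   # adjust to the release you deploy
    # Deliberately no "ports:" entry: 8080 is reachable only on the compose
    # network, so HTTPS through Traefik is the only way in from outside.
    environment:
      # Public base URL so capabilities documents advertise https:// links
      # (assumed to be read by the image; see GeoServer's proxy base URL docs).
      PROXY_BASE_URL: https://maps.example.org/geoserver
    labels:
      - traefik.enable=true
      - traefik.http.routers.geoserver.rule=Host(`maps.example.org`) && PathPrefix(`/geoserver`)
      - traefik.http.routers.geoserver.entrypoints=websecure
      - traefik.http.routers.geoserver.tls.certresolver=le
      - traefik.http.services.geoserver.loadbalancer.server.port=8080
```

Two checks are worth doing after `docker compose up -d`: `curl -I http://maps.example.org/geoserver/` should answer with a 3xx redirect to the https:// URL rather than any GeoServer content, and `docker compose ps` should show only the Traefik container with published ports. The `exposedbydefault=false` setting matters on a host that runs other containers: without it, every container on the socket becomes a candidate backend unless it explicitly opts out.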

In my experience HTTPS is managed in a proxy in front of GeoServer, which can be set up
using a docker-compose with the proxy being another docker image.

Here is an example of a compose with a proxy from the GeoSolutions docker image repository:
https://github.com/geosolutions-it/docker-geoserver/blob/master/docker-compose.yml

Slap on top of it an example of how to set up SSL certificates for nginx (a much more common find) and you're in business.
E.g. first link returned by a Google search: https://faun.pub/setting-up-ssl-certificates-for-nginx-in-docker-environ-e7eec5ebb418?gi=ca3c5d6589f0

Cheers
Andrea


Regards,

Andrea Aime

==
GeoServer Professional Services from the experts!

Visit http://bit.ly/gs-services-us for more information.

Ing. Andrea Aime
@geowolf
Technical Lead

GeoSolutions Group
phone: +39 0584 962313

fax: +39 0584 1660272

mob: +39 339 8844549

https://www.geosolutionsgroup.com/

http://twitter.com/geosolutions_it


With reference to the regulations on the processing of personal data (EU Reg. 2016/679 - General Data Protection Regulation "GDPR"), please note that every circumstance relating to this email (its content, any attachments, etc.) is data whose knowledge is reserved to the recipient(s) indicated by the sender. If the message has reached you by mistake, you are required to delete it; any other operation is unlawful. I would in any case be grateful if you could let me know.

This email is intended only for the person or entity to which it is addressed and may contain information that is privileged, confidential or otherwise protected from disclosure. We remind that - as provided by European Regulation 2016/679 “GDPR” - copying, dissemination or use of this e-mail or the information herein by anyone other than the intended recipient is prohibited. If you have received this email by mistake, please notify us immediately by telephone or e-mail
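The compose-plus-nginx arrangement Andrea describes, written out as one file: nginx terminates TLS and redirects plain HTTP, and GeoServer's port is never published to the host, which is what makes HTTPS the exclusive way in. This is an added example, not the GeoSolutions docker-geoserver compose file and not the configuration from the linked article. It assumes a certificate chain and key for the placeholder name maps.example.org already exist in ./certs (for instance from Let's Encrypt), that the official docker.osgeo.org/geoserver image tag is the one you deploy and that it honours a PROXY_BASE_URL environment variable (verify against the GeoServer proxy base URL docs), and that Docker Compose is recent enough (v2.23.1 or later) to accept an inline `content:` for configs; on older versions, put the nginx block in a file and reference it with `file:` instead.

```yaml
# Added example: nginx as TLS-terminating reverse proxy in front of GeoServer.
# Placeholders: maps.example.org, ./certs/{fullchain,privkey}.pem, image tags.
services:
  geoserver:
    image: docker.osgeo.org/geoserver:2.23.2   # adjust to the release you deploy
    # Deliberately no "ports:" entry: 8080 stays private to the compose
    # network, so the only listener on the host is nginx on 80/443.
    environment:
      # Public base URL so capabilities documents advertise https:// links
      # (assumed to be read by the image; see GeoServer's proxy base URL docs).
      PROXY_BASE_URL: https://maps.example.org/geoserver

  proxy:
    image: nginx:1.25
    ports:
      - "80:80"
      - "443:443"
    volumes:
      - ./certs:/etc/nginx/certs:ro
    configs:
      - source: nginx_conf
        target: /etc/nginx/nginx.conf
    depends_on:
      - geoserver

configs:
  nginx_conf:
    # Compose interpolates "$var" in this file, so nginx's own variables are
    # written "$$var" here; "docker compose config" shows the resolved text.
    content: |
      events {}
      http {
        # Plain HTTP does exactly one thing: send the client to HTTPS.
        server {
          listen 80;
          server_name maps.example.org;
          return 301 https://$$host$$request_uri;
        }
        server {
          listen 443 ssl;
          server_name maps.example.org;
          ssl_certificate     /etc/nginx/certs/fullchain.pem;
          ssl_certificate_key /etc/nginx/certs/privkey.pem;
          ssl_protocols TLSv1.2 TLSv1.3;
          # Tell browsers to stay on HTTPS for a year once they have seen it.
          add_header Strict-Transport-Security "max-age=31536000" always;
          location /geoserver/ {
            proxy_pass http://geoserver:8080/geoserver/;
            # Forward the original host and scheme so GeoServer can build
            # correct https:// links, and the client address for its logs.
            proxy_set_header Host $$host;
            proxy_set_header X-Forwarded-Proto $$scheme;
            proxy_set_header X-Forwarded-For $$proxy_add_x_forwarded_for;
            proxy_set_header X-Real-IP $$remote_addr;
          }
        }
      }
```

To confirm the "exclusive" part after `docker compose up -d`: `docker compose port geoserver 8080` prints nothing because the port is not published, `curl -I http://maps.example.org/geoserver/` returns a 301 to the https:// URL, and only `https://maps.example.org/geoserver/web/` reaches the GeoServer UI. Certificate renewal is the remaining chore with this layout; the nginx-proxy/acme-companion and Traefik options mentioned elsewhere in the thread exist precisely to automate it.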

Thanks for comments. The direction seems clear now!

FWIW, I expect to use Azure, for which this resource describes the use of a "sidecar" container with Nginx doing reverse proxy to enforce HTTPS: https://learn.microsoft.com/en-us/azure/container-instances/container-instances-container-group-ssl

Cheers, Adam

On 20/09/2023 14:21, Andrea Aime wrote:



I used nginx for several years as my reverse proxy, it was fine but the setup required making changes to the compose files for the services. Same with a caddy based solution. My varnish setup requires varnish to know about the services, but the services don't require any changes.

Whatever you do, don't make the mistake I made, I tried to use the nginx reverse-proxy to do static content delivery too. It's better to run two completely separate containers, one for the proxy and one for content. It's more manageable.

This nginx setup works great, I like how it automatically interfaces to Let's Encrypt: http://jasonwilder.com/blog/2014/03/25/automated-nginx-reverse-proxy-for-docker/

I have not tried Traefik, but there appears to be a paywall ("get pricing") in front of it; is there a free version?

Brian

Why? if it's public data...

My Esri server has HTTPS turned on, and it won't touch servers that are not HTTPS, so I can't use my own services unless they are encrypted.

Brian

Hi Brian

You should be looking for Traefik proxy: https://github.com/traefik/traefik/releases

Peter

On Wed, 20 Sept 2023 at 17:48, brian— via Geoserver-users <geoserver-users@lists.sourceforge.net> wrote:


