[Geoserver-users] https with GeoServer

I would like to configure GeoServer to work with https instead of http. Would
configuring tomcat as in here
http://tkurek.blogspot.com/2013/07/how-to-secure-tomcat-7-with-ssl-tls.html
do that?

--
View this message in context: http://osgeo-org.1560.x6.nabble.com/https-with-GeoServer-tp5140586.html
Sent from the GeoServer - User mailing list archive at Nabble.com.

Another approach is to use tomcat behind an apache AJP proxy, and have apache do all the SSL. Apache is very fast, very configurable, and this approach allows mixing of different technologies such as mod_python and mod_php with Java servlets on the same host. I expect that you can do the same thing with nginx.

Kind regards,
Ben.

On 16/05/14 03:16, Diego M. wrote:

I would like to configure GeoServer to work with https instead of http. Would
configuring tomcat as in here
http://tkurek.blogspot.com/2013/07/how-to-secure-tomcat-7-with-ssl-tls.html
do that?

_______________________________________________
Geoserver-users mailing list
Geoserver-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/geoserver-users

--
Ben Caradoc-Davies <Ben.Caradoc-Davies@anonymised.com>
Software Engineer
CSIRO Earth Science and Resource Engineering
Australian Resources Research Centre

GeoServer is running on tomcat and my website is running on apache on the
same server. SSL is already configured on apache but I get the message that
says I have insecure content, which I thought were GeoServer layers. So
now I'm trying to enable SSL for GeoServer but still not sure what's the
best approach to do that.

--
View this message in context: http://osgeo-org.1560.x6.nabble.com/https-with-GeoServer-tp5140586p5140633.html
Sent from the GeoServer - User mailing list archive at Nabble.com.

Diego,

is apache connected to tomcat using AJP? That is, do you have some apache settings like this?

ProxyPreserveHost On
ProxyRequests Off
ProxyPass /geoserver ajp://localhost:8009/geoserver
ProxyPassReverse /geoserver https://example.org/geoserver

Have you told GeoServer what its externally visible address is by setting its Proxy Base URL to, for example:
https://example.org/geoserver
?

If not, some content like openlayers will be at http://example.org:8080/geoserver and thus insecure (they are being accessed directly through tomcat). Please block port 8080 in your server firewall to be sure.

What are the insecure pages? In Firefox, Ctrl-I will show you page information and the media tab may help you to locate insecure resources.

Kind regards,
Ben.

On 16/05/14 13:39, Diego M. wrote:

GeoServer is running on tomcat and my website is running on apache on the
same server. SSL is already configured on apache but I get the message that
says I have insecure content, which I thought were GeoServer layers. So
now I'm trying to enable SSL for GeoServer but still not sure what's the
best approach to do that.

--
Ben Caradoc-Davies <Ben.Caradoc-Davies@anonymised.com>
Software Engineer
CSIRO Earth Science and Resource Engineering
Australian Resources Research Centre
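
A way to check the point made in the reply above, as an added example that is not part of the thread or of GeoServer: scan a WMS GetCapabilities document for advertised URLs that are not under the Proxy Base URL. The function name and the sample document are constructed for illustration.

```python
# Added example: find URLs in a WMS capabilities document that bypass the HTTPS proxy.
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

XLINK_HREF = "{http://www.w3.org/1999/xlink}href"

# Constructed sample: a capabilities document in which one endpoint still
# points straight at Tomcat on port 8080 (Proxy Base URL not applied).
SAMPLE_CAPABILITIES = """<WMS_Capabilities xmlns="http://www.opengis.net/wms"
                  xmlns:xlink="http://www.w3.org/1999/xlink" version="1.3.0">
  <Service>
    <OnlineResource xlink:href="https://example.org/geoserver/"/>
  </Service>
  <Capability><Request><GetMap><DCPType><HTTP><Get>
    <OnlineResource xlink:href="http://example.org:8080/geoserver/wms?SERVICE=WMS&amp;"/>
  </Get></HTTP></DCPType></GetMap></Request></Capability>
</WMS_Capabilities>"""


def insecure_links(capabilities_xml, proxy_base_url):
    """Return (href, reason) for every xlink:href outside the proxy base URL."""
    base = urlsplit(proxy_base_url)
    findings = []
    for element in ET.fromstring(capabilities_xml).iter():
        href = element.get(XLINK_HREF)
        if href is None:
            continue
        url = urlsplit(href)
        if url.scheme != "https":
            # A browser on an https page reports this as insecure (mixed) content.
            findings.append((href, "not https"))
        elif url.netloc != base.netloc:
            findings.append((href, "different host or port"))
        elif not url.path.startswith(base.path):
            findings.append((href, "outside proxy base path"))
    return findings


if __name__ == "__main__":
    for href, reason in insecure_links(SAMPLE_CAPABILITIES,
                                       "https://example.org/geoserver"):
        print(f"{reason}: {href}")
```

Feed it the response from `https://example.org/geoserver/wms?SERVICE=WMS&REQUEST=GetCapabilities` after setting the Proxy Base URL; an empty list means no advertised URL bypasses apache.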

Apache httpd and tomcat are not connected, and yes, this content is not
secure: http://example.org:8080/geoserver

So, do you have clear instructions on how I can do that? Thanks a lot.

--
View this message in context: http://osgeo-org.1560.x6.nabble.com/https-with-GeoServer-tp5140586p5140678.html
Sent from the GeoServer - User mailing list archive at Nabble.com.

Would this do what I need?
http://docs.geoserver.org/latest/en/user/security/tutorials/cert/index.html

--
View this message in context: http://osgeo-org.1560.x6.nabble.com/https-with-GeoServer-tp5140586p5140727.html
Sent from the GeoServer - User mailing list archive at Nabble.com.

Diego,

this page describes how a user can authenticate themselves using a certificate (a client certificate) in addition to a tomcat server certificate. A typical secure website is the other way around: a server uses a certificate to identify itself and establish a secure connection.

Which do you want? Best practice is to have your HTTPS services on port 443 as 80 and 443 are likely to be open in firewalls. Do this with apache.

Kind regards,
Ben.

On 16/05/14 19:48, Diego M. wrote:

Would this do what I need?
http://docs.geoserver.org/latest/en/user/security/tutorials/cert/index.html

--
Ben Caradoc-Davies <Ben.Caradoc-Davies@anonymised.com>
Software Engineer
CSIRO Earth Science and Resource Engineering
Australian Resources Research Centre

Diego,

first a few questions:

(1) Is this a test or are you making a production service?

(2) Do you want to use the official HTTPS port 443?

Please tell us a bit more about what you are trying to do.

For example, to make a production service using apache in front of tomcat on port 443:

- obtain an SSL certificate for your host: for a production service buy one from a provider, for test you can make a self-signed certificate

- install your SSL certificate bundle in apache

- configure an apache virtual host for SSL on port 443

- enable AJP from apache for this virtual host
ProxyPreserveHost On
ProxyRequests Off
ProxyPass /geoserver ajp://localhost:8009/geoserver
ProxyPassReverse /geoserver https://example.org/geoserver

- turn on ajp in tomcat (often just uncomment that section in server.xml)

- restart all services

Kind regards,
Ben.

On 16/05/14 16:17, Diego M. wrote:

Apache httpd and tomcat are not connected, and yes, this content is not
secure: http://example.org:8080/geoserver

So, do you have clear instructions on how I can do that? Thanks a lot.

--
Ben Caradoc-Davies <Ben.Caradoc-Davies@anonymised.com>
Software Engineer
CSIRO Earth Science and Resource Engineering
Australian Resources Research Centre

And none of those steps are particular to geoserver. They are standard configuration steps for setting up apache ssl and connecting to tomcat. There are many guides.

Kind regards,
Ben.

On 19/05/14 13:30, Ben Caradoc-Davies wrote:

Diego,

first a few questions:

(1) Is this a test or are you making a production service?

(2) Do you want to use the official HTTPS port 443?

Please tell us a bit more about what you are trying to do.

For example, to make a production service using apache in front of
tomcat on port 443:

- obtain an SSL certificate for your host: for a production service buy
one from a provider, for test you can make a self-signed certificate

- install your SSL certificate bundle in apache

- configure an apache virtual host for SSL on port 443

- enable AJP from apache for this virtual host
ProxyPreserveHost On
ProxyRequests Off
ProxyPass /geoserver ajp://localhost:8009/geoserver
ProxyPassReverse /geoserver https://example.org/geoserver

- turn on ajp in tomcat (often just uncomment that section in server.xml)

- restart all services

Kind regards,
Ben.

On 16/05/14 16:17, Diego M. wrote:

Apache httpd and tomcat are not connected, and yes, this content is not
secure: http://example.org:8080/geoserver

So, do you have clear instructions on how I can do that? Thanks a lot.

--
Ben Caradoc-Davies <Ben.Caradoc-Davies@anonymised.com>
Software Engineer
CSIRO Earth Science and Resource Engineering
Australian Resources Research Centre