[Geoserver-users] Query regarding WMS service

Hi Team,

As a temporary measure against WMS vulnerabilities, we are using Nginx on the front end of geoserver to guard against requests other than the following patterns.
^/gis/geoserver/gwc/service/tms/1.0.0/

However, I am concerned about whether I can check all the URL patterns that call the WMS service in the GeoServer documentation to check if it is properly guarded.
(This is because it is described as a calling example in various places in the document, so it is not possible to determine whether all patterns are described.)

Therefore, I would like to confirm whether the above nginx configuration prevents calls to the WMS service using URL patterns that we allow.

Thanks & regards,

Kajal

Hi Team,

We missed some content of our query; please find it below:

[Query]

Will this method of protection (nginx configuration shared in previous mail) make the WMS service unavailable?

Thanks & regards

Kajal


Hi Team,

As a temporary measure against WMS vulnerabilities, we are using Nginx on the front end of geoserver to guard against requests other than the following patterns.

Will this method of protection make the WMS service unavailable?
^/gis/geoserver/gwc/service/tms/1.0.0/

I am concerned about whether I can check all the URL patterns that call the WMS service in the GeoServer documentation to check if it is properly guarded.
(This is because it is described as a calling example in various places in the document, so it is not possible to determine whether all patterns are described.)

Therefore, I would like to confirm whether the above nginx configuration prevents calls to the WMS service using URL patterns that we allow.

Thanks & regards,

Kajal


Hi Team,

Gentle Reminder!

Please provide your response to the query below.

As a temporary measure against WMS vulnerabilities, we are using Nginx on the front end of geoserver to guard against requests other than the following patterns.
^/gis/geoserver/gwc/service/tms/1.0.0/

However, I am concerned about whether I can check all the URL patterns that call the WMS service in the GeoServer documentation to check if it is properly guarded.
(This is because it is described as a calling example in various places in the document, so it is not possible to determine whether all patterns are described.)

Therefore, I would like to confirm whether the above nginx configuration prevents calls to the WMS service using URL patterns that we allow.

[Query]

Will this method of protection (nginx configuration shared in previous mail) make the WMS service unavailable?

Thanks & regards,

Kajal


Dear Kajal,

This is a list of volunteers, and I expect everyone like me is challenged to understand what you are doing. The words make sense but we do not know why 🙂

Like, if you just want a tile map service you can do that with an FTP site, a set of static files. Why use GeoServer?

I guess we just do not know what WMS vulnerabilities you are concerned about, and this would not be the right place to discuss them (a public forum). Please see our security policy for more secure communication channels for such discussion, or reach out to one of our service providers for assistance.

As for your approach, it will do something, but nobody feels great offering you security advice without understanding your concerns and risk. GeoServer security access chains are very flexible and could be used to lock down services similar to what you are achieving with NginX. There are also environmental variables to turn off the Admin Console and so on.

Jody Garnett

Hi,

This is the geoserver-users mailing list, so you are a part of the team. I did see your mail but I did not quite understand what you were asking, so I did not respond. I have never used nginx in front of Geoserver, but if your nginx requires that the URL begins like …/gis/geoserver/gwc/service/tms/1.0.0/, then WMS requests do not work. But I believe that you have tested that already.

http://localhost:8080/geoserver/gwc/service/tms/1.0.0?service=WMS&version=1.3.0&request=GetCapabilities

-Jukka Rahkonen-
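
An added example (not code from the thread or from the GeoServer project) that models how an nginx regex location using the posted pattern would treat sample request URLs, so the allowlist can be checked offline. Assumptions: the host `gis.example`, the `/gis` proxy prefix on every path, and the names `demo_ws` and `demo_layer` are hypothetical; nginx is taken to match the decoded, normalised path and to ignore the query string.

```python
import posixpath
import re
from urllib.parse import unquote, urlsplit

# Allowlist regex exactly as posted in the thread (its dots are unescaped).
POSTED = re.compile(r"^/gis/geoserver/gwc/service/tms/1.0.0/")
# Tightened variant added for comparison: dots match only a literal ".".
STRICT = re.compile(r"^/gis/geoserver/gwc/service/tms/1\.0\.0/")


def normalised_path(url):
    """Approximate the URI that nginx tests regex locations against."""
    path = unquote(urlsplit(url).path)   # query string takes no part in matching
    path = re.sub(r"/{2,}", "/", path)   # merge_slashes is on by default
    clean = posixpath.normpath(path)     # resolve "." and ".." segments
    if path.endswith("/") and clean != "/":
        clean += "/"                     # normpath drops the trailing slash
    return clean


def passes(url, pattern=POSTED):
    """True if nginx would forward the request, False if it would reject it."""
    return pattern.search(normalised_path(url)) is not None


# Constructed sample requests; host, /gis prefix, demo_ws and demo_layer
# are assumptions made for this example.
BASE = "http://gis.example/gis/geoserver"
WMS_QUERY = "?service=WMS&version=1.3.0&request=GetCapabilities"
SAMPLES = {
    "tms tile": BASE + "/gwc/service/tms/1.0.0/demo_layer/0/0/0.png",
    "global wms": BASE + "/wms" + WMS_QUERY,
    "global ows": BASE + "/ows" + WMS_QUERY,
    "workspace wms": BASE + "/demo_ws/wms" + WMS_QUERY,
    "gwc wms": BASE + "/gwc/service/wms" + WMS_QUERY,
    "tms root, no slash": BASE + "/gwc/service/tms/1.0.0" + WMS_QUERY,
    "tms root, slash": BASE + "/gwc/service/tms/1.0.0/" + WMS_QUERY,
    "loose dots": BASE + "/gwc/service/tms/1x0y0/demo_layer/0/0/0.png",
}


def audit(pattern=POSTED):
    """Map each sample name to whether the given allowlist lets it through."""
    return {name: passes(url, pattern) for name, url in SAMPLES.items()}


if __name__ == "__main__":
    for name, allowed in audit().items():
        print(f"{'PASS ' if allowed else 'BLOCK'} {name}")
```

A PASS only means nginx forwards the request; what GeoServer does with `service=WMS` parameters on a TMS path still has to be confirmed against the backend itself.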


Hi Jody Garnett,

Thanks for the response and support.

The issue is now resolved.

Regards,

Kajal


Geoserver-users mailing list

Please make sure you read the following two resources before posting to this list:

If you want to request a feature or an improvement, also see this: https://github.com/geoserver/geoserver/wiki/Successfully-requesting-and-integrating-new-features-and-improvements-in-GeoServer

Geoserver-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/geoserver-users

Hi Rahkonen Jukka,

Thanks for the response and support.

The issue is now resolved.

Regards,

Kajal
