Hide/Disable the GeoServer Web Admin Interface from the Public Internet

Hi All,

We have GeoServers (AWS) available to web applications via external URLs. We want to hide the GeoServer web UI from the public internet, but at the same time we need the web UI to be accessible to authenticated users, and anonymous access should remain for some layers used by web applications. I have found several discussions on this topic, but they are all outdated.

Hello,

I am not sure if it is possible. What do you want to hide from public access if the web admin is protected by password?

Regards
Alexandre

Hi 9Val

Q1: Why? To hide the fact that it’s GeoServer running? That’s unlikely to help much.

Q2: So, if a valid user is not yet authenticated, should it be hidden from them?

  • If yes, how do they log in?
  • If no, how do you differentiate between a valid user who is not yet authenticated and “the public Internet” who you want the GUI hidden from?

A3: Presumably you mean WMS/WFS/etc access and that authentication remains separate from the GUI authentication.

Can your valid users maybe configure via another linked GUI that is only available “internally”?

Peter

Q: What discussion did you find?

There is a global setting to turn off the entire Admin Console: GEOSERVER_CONSOLE_DISABLED. You can use this setting for the public internet on AWS; leaving only the web services available.

The challenge then becomes how to edit your data directory:

  1. Use the REST API and scripts (this is a common and recommended approach). There are also tools like qgis bridge that can be used to publish.

  2. Provide your administrator users a separate GeoServer with Admin Console to manage.

    And then share the configuration with the public GeoServer from step 1:

    • Copy the data directory configuration using scripts (very common simple “cluster” approach). Example: store the configuration in a shared disk, use the REST API to trigger Reload.
    • Option: The backup and restore community module is an example of this workflow. I have not yet used it myself but it looks perfect for taking configuration between systems with options to adapt for the production environment.

    The key insight is that the data directory does not change that often.

  3. And then some alternatives which are a bit more focused on scalability:

    • Cluster: There are several community module clustering approaches which share configuration dynamically. None have attracted enough funding to be an extension yet.
    • GeoServer Cloud

This is the requirement we have: “Restrict public access to the GeoServer admin console (i.e., move behind authentication or IP filtering).”

Thank you for your advice @jive!
Option #2 might be a good workaround for us.

[Geoserver-users] Disable / alter Geoserver web admin interface for external users - GeoServer / GeoServer User - OSGeo Discourse
[Geoserver-users] restrict access to the web administration interface - GeoServer / GeoServer User - OSGeo Discourse
security - Restrict access to geoserver’s web administration interface - Geographic Information Systems Stack Exchange

Hi @Peter, @jive,

I am trying to disable the web admin interface following the official documentation.

Disable the GeoServer web administration interface

(Configuration Considerations — GeoServer 2.27.x User Manual)

In some circumstances, you might want to completely disable the web administration interface. There are two ways of doing this:

  • Set the Java system property GEOSERVER_CONSOLE_DISABLED to true by adding -DGEOSERVER_CONSOLE_DISABLED=true to your container’s JVM options
  • Remove all of the gs-web*-.jar files from WEB-INF/lib

The first method didn’t work. Regarding the second method: when I delete all of the gs-web-.jar* files from …\Apache Software Foundation\Tomcat 9.0\webapps\geoserver\WEB-INF\lib, GeoServer fails to start. Tested with GeoServer v2.26.2 and v2.23.2 (no additional extensions installed).

Could you please advise?

Why not use the environmental variable to disable the admin console? This is what is recommended in the user manual.

Maybe, but where? Not here: Configuration Considerations — GeoServer 2.27.x User Manual, and on that page there is a link to Application Properties — GeoServer 2.27.x User Manual with a table that shows only the system property alternative for GEOSERVER_CONSOLE_DISABLED.

-Jukka Rahkonen-

You are right, only a system property is available, I had assumed this setting would also be available as an environmental variable. Perhaps that is a change we can introduce.

Thanks @jive, please let us know if you and the team decide to implement the change. But is it possible to somehow disable the web admin interface at the moment? I tried both methods described in the documentation, but they didn’t work.

What did you try exactly?

Context: When testing the setting just now I used:

mvn jetty:run -DGEOSERVER_CONSOLE_DISABLED=true

If running tomcat I personally make a file tomcat bin/setenv.sh but you may have a different way of managing system properties:

#!/bin/sh

# Prepend JVM Options
CATALINA_OPTS="-XX:SoftRefLRUPolicyMSPerMB=36000 -XX:-UsePerfData ${CATALINA_OPTS}"

# Append system properties
CATALINA_OPTS="${CATALINA_OPTS} -Dorg.geotools.referencing.forceXY=true"
CATALINA_OPTS="${CATALINA_OPTS} -DGEOSERVER_CONSOLE_DISABLED=true"

Could you please advise how to set this up properly on Windows? I think it would be very helpful for the GeoServer community. I created a setenv.bat file in …\Apache Software Foundation\Tomcat 9.0\bin with the configuration you shared, but it didn’t work (and I don’t think there’s much point in sharing what I tried previously, as it was incorrect).

I am a bit hesitant to reply as I do not have access to a Windows environment.

Checking my notes from running FOSS4G workshop …

  1. From the Windows Start menu select Apache Tomcat ‣ Configure Tomcat to open Tomcat Properties.
  2. Change to Logon tab, select Local System account, and check Allow service to interact with desktop.
  3. Change to the Java tab, append the lines below to Java Options
    -XX:SoftRefLRUPolicyMSPerMB=36000
    -XX:-UsePerfData
    -Dorg.geotools.referencing.forceXY=true
    

So my guess is add -DGEOSERVER_CONSOLE_DISABLED=true to the Java Options also.

Please test and report back? We really need a windows person for this question.

Discussion:

  • It would be helpful to know if setup.bat would work if you were running tomcat on the command line? But since you usually install tomcat as a windows service this tomcat 9 properties app has its own way to manage the resulting windows service.
  • The “Local System account” and “Allow service to interact with desktop” is probably in violation of your organization security policy; but for a training course it was helpful to have the desktop widget to start and stop and check tomcat logs.

Thank you @jive. I tested the solution you provided, and it turns out that adding -DGEOSERVER_CONSOLE_DISABLED=true to Tomcat’s Java Options is sufficient.

Result:

(ChatGPT confused me with some non-working solutions for the first method… :sweat_smile:)
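
A check for the result the thread arrives at, added here as an example and not part of any post: it confirms that `-DGEOSERVER_CONSOLE_DISABLED=true` actually reached the JVM and that `/web/` is no longer served while anonymous OWS requests still work. The function names, the sample command line, the example URL and the pass/fail rule on HTTP status codes are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. Sample values below are constructed.

# Inspect a JVM command line (on Linux: tr '\0' ' ' < /proc/<pid>/cmdline).
# Prints disabled | unexpected | unset; a repeated -D is decided by the last one.
console_flag_state() (
    set -f                      # no globbing while splitting the arguments
    state=unset
    for arg in $1; do
        case "$arg" in
            -DGEOSERVER_CONSOLE_DISABLED=true) state=disabled ;;
            -DGEOSERVER_CONSOLE_DISABLED=*)    state=unexpected ;;
        esac
    done
    echo "$state"
)

# HTTP status of a URL; curl prints 000 when nothing answers.
http_status() {
    curl -s -o /dev/null --max-time 10 -w '%{http_code}' "$1"
}

# Assumption: a 2xx page or a 3xx redirect on /web/ means the console is
# still served; the anonymous OWS endpoint must keep answering 200.
classify_probe() {
    web=$1 ows=$2
    case "$web" in
        2??|3??) echo "FAIL: admin console reachable (HTTP $web)"; return 1 ;;
    esac
    if [ "$ows" != 200 ]; then
        echo "FAIL: OWS not answering (HTTP $ows)"; return 1
    fi
    echo "PASS: console hidden (HTTP $web), OWS up"
}

# Offline demo on a constructed command line.
SAMPLE='java -XX:-UsePerfData -DGEOSERVER_CONSOLE_DISABLED=true org.apache.catalina.startup.Bootstrap start'
echo "sample JVM: $(console_flag_state "$SAMPLE")"

# Live probe only when GEOSERVER_URL is set, e.g. https://maps.example.org/geoserver
if [ -n "${GEOSERVER_URL:-}" ]; then
    classify_probe "$(http_status "$GEOSERVER_URL/web/")" \
        "$(http_status "$GEOSERVER_URL/ows?service=WMS&version=1.3.0&request=GetCapabilities")"
fi
```

Run the live probe from outside the network boundary, so it sees what the public internet sees.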