<html>
  <head>
    <meta content="text/html; charset=utf-8" http-equiv="Content-Type">
  </head>
  <body bgcolor="#FFFFFF" text="#000000">
    <div class="moz-cite-prefix">Chi, <br>
      <br>
      The rule changes look good to me.  Looks like restricted URLs are
      being properly forwarded to HTTPS and others are available over
      HTTP.  Tim, any feedback from your side?  <br>
      <br>
      Thanks for adding them,<br>
      Micah<br>
      <br>
      On 2/26/2015 11:58 AM, Chi Kang - NOAA Federal wrote:<br>
    </div>
    <blockquote
cite="mid:CAEEtbdpt_BftBXw_P99jVwzieQ8Pn5NBR2S7=zQmwSuUd3eTZw@mail.gmail.com"
      type="cite">
      <div dir="ltr">Gotcha.
        <div><br>
        </div>
        <div>Let me know how the changes look.</div>
        <div><br>
        </div>
      </div>
      <div class="gmail_extra"><br>
        <div class="gmail_quote">On Tue, Feb 24, 2015 at 1:48 PM, Micah
          Wengren - NOAA Federal <span dir="ltr"><<a
              moz-do-not-send="true"
              href="mailto:micah.wengren@noaa.gov" target="_blank">micah.wengren@noaa.gov</a>></span>
          wrote:<br>
          <blockquote class="gmail_quote" style="margin:0 0 0
            .8ex;border-left:1px #ccc solid;padding-left:1ex">Yes, would
            that rule also cover <br>
            <br>
            geoserver/wms and<br>
            geoserver/wfs<br>
            <br>
            there is also<br>
            geoserver/ows<br>
            <br>
            that should be public.<br>
            <br>
            Thanks!<span class="HOEnZb"><font color="#888888"><br>
                <br>
                Micah</font></span>
            <div class="HOEnZb">
              <div class="h5"><br>
                <br>
                <br>
                On Tuesday, February 24, 2015, Chi Kang - NOAA Federal
                <<a moz-do-not-send="true"
                  href="mailto:chi.y.kang@noaa.gov" target="_blank">chi.y.kang@noaa.gov</a>>
                wrote:<br>
                > Yeah, we can put a match statement in there.  So i
                just want to understand.<br>
                > You want to switch to pubic access for ?<br>
                > /geoserver/*/wms<br>
                > /geoserver/*/wfs<br>
                ><br>
                ><br>
                > On Fri, Jan 23, 2015 at 11:38 AM, Micah Wengren
                <<a moz-do-not-send="true"
                  href="mailto:micah.wengren@noaa.gov" target="_blank">micah.wengren@noaa.gov</a>>
                wrote:<br>
                >><br>
                >> Hi Chi,<br>
                >><br>
                >> Currently we have a couple of controls on the
                HTTPS service, one that checks an IP whitelist, and the
                second that uses the HTTP Basic auth, correct? <br>
                >><br>
                >> I think to make the service more usable for use
                cases like Tim's we should only apply those controls to
                URLs where the user is prompted for their internal
                password (like the GeoServer admin page, GeoExplorer,
                and REST API).  Those URLs should be:<br>
                >><br>
                >> /geoserver/web<br>
                >> /geoserver/rest<br>
                >> /geoexplorer<br>
                >><br>
                >> The rest shouldn't have any controls, so both
                the global WMS and WFS services:<br>
                >><br>
                >> /geoserver/wms<br>
                >> /geoserver/wfs<br>
                >> /geoserver/ows<br>
                >><br>
                >> and the workspace-specific ones:<br>
                >><br>
                >> /geoserver/nmfs_st/wms<br>
                >> /geoserver/nmfs_st/wfs<br>
                >> /geoserver/*/wms<br>
                >> /geoserver/*/wfs<br>
                >> etc....<br>
                >><br>
                >> should be open to all.  Is that possible?<br>
                >><br>
                >> Micah<br>
                >><br>
                >><br>
                >><br>
                >> On 1/22/2015 12:37 PM, Chi Kang - NOAA Federal
                wrote:<br>
                >><br>
                >> I am good with the idea of allowing
                authentication to be restricted by<br>
                >> a satfiy all statement.<br>
                >><br>
                >> But the URLs aren't just<br>
                >><br>
                >> /geoserver/web<br>
                >> /geoserver/rest<br>
                >> /geoexplorer<br>
                >> /geoserver/wms<br>
                >> /geoserver/wfs<br>
                >> /geoserver/ows<br>
                >><br>
                >> ?<br>
                >><br>
                >> Isn't it more like<br>
                >> /geoserver/*/wms ?<br>
                >><br>
                >> I just want to make sure we understand what
                URLs we are talking about here.<br>
                >><br>
                >><br>
                >> On Wed, Jan 21, 2015 at 12:19 PM, Micah Wengren
                <<a moz-do-not-send="true"
                  href="mailto:micah.wengren@noaa.gov" target="_blank">micah.wengren@noaa.gov</a>>
                wrote:<br>
                >><br>
                >> Hi Chi/WOC,<br>
                >><br>
                >> Do you guys think these type of rules can be
                implemented to improve the<br>
                >> public HTTPS access to the services? I don't
                think it's a priority or<br>
                >> urgent, but if you might be able to give an
                estimate for when they could be<br>
                >> added, that would probably help Tim in his
                planning.<br>
                >><br>
                >> Thanks,<br>
                >> Micah<br>
                >><br>
                >><br>
                >> On 1/7/2015 2:51 PM, Micah Wengren wrote:<br>
                >><br>
                >> I think the ideal situation would be for only
                the URLs that optionally allow<br>
                >> authentication to be restricted by the extra
                HTTP Basic authentication (or<br>
                >> NOAA IP address). Those should be:<br>
                >><br>
                >> /geoserver/web<br>
                >> /geoserver/rest<br>
                >> /geoexplorer<br>
                >><br>
                >> Everything else can be considered a map or data
                set request to the WMS or<br>
                >> WFS. Typically those are the URLs that Tim
                included but could also be to<br>
                >> the base WMS and WFS services:<br>
                >><br>
                >> /geoserver/wms<br>
                >> /geoserver/wfs<br>
                >> /geoserver/ows<br>
                >><br>
                >> Those should all be allowed from any IP
                address. I think this would help<br>
                >> out for use cases like what Tim's is.<br>
                >><br>
                >> Micah<br>
                >><br>
                >><br>
                >> On 1/7/2015 1:16 PM, Tim Haverland - NOAA
                Federal wrote:<br>
                >><br>
                >> I'm calling URLs such as:<br>
                >><br>
                >> //<a moz-do-not-send="true"
                  href="http://services.ogc.noaa.gov/geoserver/nmfs_st/wfs"
                  target="_blank">services.ogc.noaa.gov/geoserver/nmfs_st/wfs</a><br>
                >> //<a moz-do-not-send="true"
                  href="http://services.ogc.noaa.gov/geoserver/nmfs_st/wms"
                  target="_blank">services.ogc.noaa.gov/geoserver/nmfs_st/wms</a><br>
                >> //<a moz-do-not-send="true"
                  href="http://services.ogc.noaa.gov/geoserver/nmfs_st/ows"
                  target="_blank">services.ogc.noaa.gov/geoserver/nmfs_st/ows</a><br>
                >><br>
                >> After looking at these URLs I realize that I'm
                including our workspace name<br>
                >> (nmfs_st). I'm not sure if that's necessary.
                Micah, do you know?<br>
                >><br>
                >> Tim<br>
                >><br>
                >><br>
                >><br>
                >><br>
                >> On Wed, Jan 7, 2015 at 12:25 PM, Chi Kang -
                NOAA Federal<br>
                >> <<a moz-do-not-send="true"
                  href="mailto:chi.y.kang@noaa.gov" target="_blank">chi.y.kang@noaa.gov</a>>
                wrote:<br>
                >><br>
                >> Tim / Micah I don't think i have an issue
                getting more granular but I<br>
                >> want to understand all the URLs involved first.<br>
                >><br>
                >> Can someone outline them for me as an example?<br>
                >><br>
                >><br>
                >> On Fri, Jan 2, 2015 at 5:11 PM, Tim Haverland -
                NOAA Federal<br>
                >> <<a moz-do-not-send="true"
                  href="mailto:tim.haverland@noaa.gov" target="_blank">tim.haverland@noaa.gov</a>>
                wrote:<br>
                >><br>
                >> What you suggest would be very helpful and
                allow my calls to geoserver<br>
                >> to be<br>
                >> protocol relative.<br>
                >><br>
                >> I have redirected all https calls to my map to
                http at the moment.<br>
                >><br>
                >> Tim<br>
                >><br>
                >> On Fri, Jan 2, 2015 at 5:07 PM, Micah Wengren
                <<a moz-do-not-send="true"
                  href="mailto:micah.wengren@noaa.gov" target="_blank">micah.wengren@noaa.gov</a>><br>
                >> wrote:<br>
                >><br>
                >> Tim/WOC,<br>
                >><br>
                >> I think the reason for the extra authentication
                step for HTTPS was to<br>
                >> prevent public from being able to access
                /geoserver/web (with login<br>
                >> form<br>
                >> components) for preventing brute force password
                attacks and such.<br>
                >><br>
                >> I can't think of a reason to not allow HTTPS
                access to the<br>
                >> /geoserver/wms<br>
                >> and /geoserver/wfs paths though.<br>
                >><br>
                >> This might be something to look into
                potentially relaxing, if the WOC<br>
                >> is<br>
                >> willing to make that change and web server
                config allows it to that<br>
                >> level of<br>
                >> granularity.<br>
                >><br>
                >> Micah<br>
                >><br>
                >><br>
                >> On 12/4/2014 12:09 PM, Tim Haverland - NOAA
                Federal wrote:<br>
                >><br>
                >> Hi Micah,<br>
                >><br>
                >> Yes, I was trying to avoid the situation where
                someone loads our map<br>
                >> page<br>
                >> via https and our calls to services using http
                are blocked by the<br>
                >> browser.<br>
                >><br>
                >> I can have our sysadmin redirect all https
                requests to my page to http,<br>
                >> but was hoping to avoid that by simply making
                my service URLs protocol<br>
                >> relative.<br>
                >><br>
                >> Is there a reason why <a
                  moz-do-not-send="true"
                  href="http://services.ogc.noaa.gov" target="_blank">services.ogc.noaa.gov</a>
                requests a password for<br>
                >> ssl?<br>
                >> Are there services that I can't get to via HTTP
                but can with HTTPS?<br>
                >><br>
                >> Tim<br>
                >><br>
                >> On Thu, Dec 4, 2014 at 9:48 AM, Micah Wengren -
                NOAA Federal<br>
                >> <<a moz-do-not-send="true"
                  href="mailto:micah.wengren@noaa.gov" target="_blank">micah.wengren@noaa.gov</a>>
                wrote:<br>
                >><br>
                >> Tim,<br>
                >><br>
                >> Your goal is to have your web map SSL-enabled
                (to allow restricted<br>
                >> views<br>
                >> with a user login for example), or are you just
                trying to accommodate<br>
                >> users<br>
                >> who come in to the Fisheries website over
                HTTPS?<br>
                >><br>
                >> If it's the latter, I think you should be able
                to hard-code the web<br>
                >> map<br>
                >> requests to go over HTTP regardless of which
                protocol users come to<br>
                >> the site<br>
                >> through. This way they shouldn't get the login
                prompt from a non-NOAA<br>
                >> network to access <a moz-do-not-send="true"
                  href="http://services.ogc.noaa.gov" target="_blank">services.ogc.noaa.gov</a>.
                The drawback to that is that<br>
                >> the<br>
                >> browser will give a warning message because
                some content is coming<br>
                >> over<br>
                >> HTTP. That's the case for the NOAA Data
                Catalog, because the tile<br>
                >> provider<br>
                >> only supports HTTP not HTTPS: <a
                  moz-do-not-send="true"
                  href="https://data.noaa.gov/dataset" target="_blank">https://data.noaa.gov/dataset</a>
                (the<br>
                >> browser<br>
                >> will show a warning message rather than a
                secure connection message).<br>
                >><br>
                >> It might be more complicated in your case
                though because you're making<br>
                >> GetFeatureInfo requests to the service that
                return XML instead of map<br>
                >> tiles.<br>
                >> I don't know how that would differ.<br>
                >><br>
                >><br>
                >> Can you look into that before we investigate
                making any changes to the<br>
                >> HTTPS access policies?<br>
                >><br>
                >><br>
                >> Micah<br>
                >><br>
                >><br>
                >> On Wed, Dec 3, 2014 at 5:46 PM, Tim Haverland -
                NOAA Federal<br>
                >> <<a moz-do-not-send="true"
                  href="mailto:tim.haverland@noaa.gov" target="_blank">tim.haverland@noaa.gov</a>>
                wrote:<br>
                >><br>
                >> Hi all,<br>
                >><br>
                >> Recently I've been trying to enable an
                application that uses noaa ogc<br>
                >> services to run under https. When I do so, the
                application runs when<br>
                >> I'm at<br>
                >> work, but from home (and no VPN) it asks that I
                enter my noaa email<br>
                >> username/pwd.<br>
                >><br>
                >> This is fine for me but won't work for public
                users of my<br>
                >> application.<br>
                >><br>
                >> Is there a reason that ssl access to <a
                  moz-do-not-send="true"
                  href="http://services.ogc.noaa.gov" target="_blank">services.ogc.noaa.gov</a>
                requires<br>
                >> login for users that aren't on a noaa network
                (I assume).<br>
                >><br>
                >> Here's the app if anyone want to see this
                behavior in action:<br>
                >><br>
                >> Works anywhere:<br>
                >><br>
                >> <a moz-do-not-send="true"
href="http://www.st.nmfs.noaa.gov/humandimensions/social-indicators/map-copy"
                  target="_blank">http://www.st.nmfs.noaa.gov/humandimensions/social-indicators/map-copy</a><br>
                >><br>
                >> Requires password for I assume non-noaa network
                users:<br>
                >><br>
                >> <a moz-do-not-send="true"
href="https://www.st.nmfs.noaa.gov/humandimensions/social-indicators/map-copy"
                  target="_blank">https://www.st.nmfs.noaa.gov/humandimensions/social-indicators/map-copy</a><br>
                >><br>
                >> I suppose I could redirect users coming in on
                https to http, but that<br>
                >> causes other headaches on my end.<br>
                >><br>
                >> Any thoughts?<br>
                >><br>
                >> Tim<br>
                >><br>
                >> --<br>
                >> Tim Haverland<br>
                >> Acting Operations Branch Chief<br>
                >> NOAA Fisheries Office of Science and Technology<br>
                >> 1315 East-West Highway<br>
                >> SSMC3 Rm 12303<br>
                >> Silver Spring, MD 20910<br>
                >> <a moz-do-not-send="true"
                  href="tel:301-427-8137" value="+13014278137"
                  target="_blank">301-427-8137</a><br>
                >><br>
                >> _______________________________________________<br>
                >> Open.ogc mailing list<br>
                >> <a moz-do-not-send="true"
                  href="mailto:Open.ogc@list.woc.noaa.gov"
                  target="_blank">Open.ogc@list.woc.noaa.gov</a><br>
                >> <a moz-do-not-send="true"
                  href="https://list.woc.noaa.gov/cgi-bin/mailman/listinfo/open.ogc"
                  target="_blank">https://list.woc.noaa.gov/cgi-bin/mailman/listinfo/open.ogc</a><br>
                >><br>
                >><br>
                >> --<br>
                >> Tim Haverland<br>
                >> Acting Operations Branch Chief<br>
                >> NOAA Fisheries Office of Science and Technology<br>
                >> 1315 East-West Highway<br>
                >> SSMC3 Rm 12303<br>
                >> Silver Spring, MD 20910<br>
                >> <a moz-do-not-send="true"
                  href="tel:301-427-8137" value="+13014278137"
                  target="_blank">301-427-8137</a><br>
                >><br>
                >><br>
                >><br>
                >> --<br>
                >> Tim Haverland<br>
                >> Acting Operations Branch Chief<br>
                >> NOAA Fisheries Office of Science and Technology<br>
                >> 1315 East-West Highway<br>
                >> SSMC3 Rm 12303<br>
                >> Silver Spring, MD 20910<br>
                >> <a moz-do-not-send="true"
                  href="tel:301-427-8137" value="+13014278137"
                  target="_blank">301-427-8137</a><br>
                >><br>
                >> _______________________________________________<br>
                >> Open.ogc mailing list<br>
                >> <a moz-do-not-send="true"
                  href="mailto:Open.ogc@list.woc.noaa.gov"
                  target="_blank">Open.ogc@list.woc.noaa.gov</a><br>
                >> <a moz-do-not-send="true"
                  href="https://list.woc.noaa.gov/cgi-bin/mailman/listinfo/open.ogc"
                  target="_blank">https://list.woc.noaa.gov/cgi-bin/mailman/listinfo/open.ogc</a><br>
                >><br>
                >><br>
                >> --<br>
                >> Chi Y Kang<br>
                >> Principal Engineer<br>
                >> Phone: <a moz-do-not-send="true"
                  href="tel:301.628.5642" value="+13016285642"
                  target="_blank">301.628.5642</a><br>
                >> Cell: <a moz-do-not-send="true"
                  href="tel:240.338.1059" value="+12403381059"
                  target="_blank">240.338.1059</a><br>
                >><br>
                >><br>
                >> --<br>
                >> Tim Haverland<br>
                >> Acting Operations Branch Chief<br>
                >> NOAA Fisheries Office of Science and Technology<br>
                >> 1315 East-West Highway<br>
                >> SSMC3 Rm 12303<br>
                >> Silver Spring, MD 20910<br>
                >> <a moz-do-not-send="true"
                  href="tel:301-427-8137" value="+13014278137"
                  target="_blank">301-427-8137</a><br>
                >><br>
                >><br>
                >><br>
                >><br>
                >><br>
                ><br>
                ><br>
                ><br>
                > --<br>
                > Chi Y Kang<br>
                > Principal Engineer<br>
                > Phone: <a moz-do-not-send="true"
                  href="tel:301.628.5642" value="+13016285642"
                  target="_blank">301.628.5642</a><br>
                > Cell: <a moz-do-not-send="true"
                  href="tel:240.338.1059" value="+12403381059"
                  target="_blank">240.338.1059</a>
              </div>
            </div>
          </blockquote>
        </div>
        <br>
        <br clear="all">
        <div><br>
        </div>
        -- <br>
        <div class="gmail_signature">Chi Y Kang<br>
          Principal Engineer<br>
          Phone: 301.628.5642<br>
          Cell: 240.338.1059</div>
      </div>
    </blockquote>
    <br>
  </body>
</html>