<html>
<head>
<meta content="text/html; charset=utf-8" http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<div class="moz-cite-prefix">Chi, <br>
<br>
The rule changes look good to me. Looks like restricted URLs are
being properly forwarded to HTTPS and others are available over
HTTP. Tim, any feedback from your side? <br>
<br>
Thanks for adding them,<br>
Micah<br>
<br>
On 2/26/2015 11:58 AM, Chi Kang - NOAA Federal wrote:<br>
</div>
<blockquote
cite="mid:CAEEtbdpt_BftBXw_P99jVwzieQ8Pn5NBR2S7=zQmwSuUd3eTZw@mail.gmail.com"
type="cite">
<div dir="ltr">Gotcha.
<div><br>
</div>
<div>Let me know how the changes look.</div>
<div><br>
</div>
</div>
<div class="gmail_extra"><br>
<div class="gmail_quote">On Tue, Feb 24, 2015 at 1:48 PM, Micah
Wengren - NOAA Federal <span dir="ltr"><<a
moz-do-not-send="true"
href="mailto:micah.wengren@noaa.gov" target="_blank">micah.wengren@noaa.gov</a>></span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0
.8ex;border-left:1px #ccc solid;padding-left:1ex">Yes, would
that rule also cover <br>
<br>
geoserver/wms and<br>
geoserver/wfs<br>
<br>
there is also<br>
geoserver/ows<br>
<br>
that should be public.<br>
<br>
Thanks!<span class="HOEnZb"><font color="#888888"><br>
<br>
Micah</font></span>
<div class="HOEnZb">
<div class="h5"><br>
<br>
<br>
On Tuesday, February 24, 2015, Chi Kang - NOAA Federal
<<a moz-do-not-send="true"
href="mailto:chi.y.kang@noaa.gov" target="_blank">chi.y.kang@noaa.gov</a>>
wrote:<br>
> Yeah, we can put a match statement in there. So i
just want to understand.<br>
> You want to switch to pubic access for ?<br>
> /geoserver/*/wms<br>
> /geoserver/*/wfs<br>
><br>
><br>
> On Fri, Jan 23, 2015 at 11:38 AM, Micah Wengren
<<a moz-do-not-send="true"
href="mailto:micah.wengren@noaa.gov" target="_blank">micah.wengren@noaa.gov</a>>
wrote:<br>
>><br>
>> Hi Chi,<br>
>><br>
>> Currently we have a couple of controls on the
HTTPS service, one that checks an IP whitelist, and the
second that uses the HTTP Basic auth, correct? <br>
>><br>
>> I think to make the service more usable for use
cases like Tim's we should only apply those controls to
URLs where the user is prompted for their internal
password (like the GeoServer admin page, GeoExplorer,
and REST API). Those URLs should be:<br>
>><br>
>> /geoserver/web<br>
>> /geoserver/rest<br>
>> /geoexplorer<br>
>><br>
>> The rest shouldn't have any controls, so both
the global WMS and WFS services:<br>
>><br>
>> /geoserver/wms<br>
>> /geoserver/wfs<br>
>> /geoserver/ows<br>
>><br>
>> and the workspace-specific ones:<br>
>><br>
>> /geoserver/nmfs_st/wms<br>
>> /geoserver/nmfs_st/wfs<br>
>> /geoserver/*/wms<br>
>> /geoserver/*/wfs<br>
>> etc....<br>
>><br>
>> should be open to all. Is that possible?<br>
>><br>
>> Micah<br>
>><br>
>><br>
>><br>
>> On 1/22/2015 12:37 PM, Chi Kang - NOAA Federal
wrote:<br>
>><br>
>> I am good with the idea of allowing
authentication to be restricted by<br>
>> a satfiy all statement.<br>
>><br>
>> But the URLs aren't just<br>
>><br>
>> /geoserver/web<br>
>> /geoserver/rest<br>
>> /geoexplorer<br>
>> /geoserver/wms<br>
>> /geoserver/wfs<br>
>> /geoserver/ows<br>
>><br>
>> ?<br>
>><br>
>> Isn't it more like<br>
>> /geoserver/*/wms ?<br>
>><br>
>> I just want to make sure we understand what
URLs we are talking about here.<br>
>><br>
>><br>
>> On Wed, Jan 21, 2015 at 12:19 PM, Micah Wengren
<<a moz-do-not-send="true"
href="mailto:micah.wengren@noaa.gov" target="_blank">micah.wengren@noaa.gov</a>>
wrote:<br>
>><br>
>> Hi Chi/WOC,<br>
>><br>
>> Do you guys think these type of rules can be
implemented to improve the<br>
>> public HTTPS access to the services? I don't
think it's a priority or<br>
>> urgent, but if you might be able to give an
estimate for when they could be<br>
>> added, that would probably help Tim in his
planning.<br>
>><br>
>> Thanks,<br>
>> Micah<br>
>><br>
>><br>
>> On 1/7/2015 2:51 PM, Micah Wengren wrote:<br>
>><br>
>> I think the ideal situation would be for only
the URLs that optionally allow<br>
>> authentication to be restricted by the extra
HTTP Basic authentication (or<br>
>> NOAA IP address). Those should be:<br>
>><br>
>> /geoserver/web<br>
>> /geoserver/rest<br>
>> /geoexplorer<br>
>><br>
>> Everything else can be considered a map or data
set request to the WMS or<br>
>> WFS. Typically those are the URLs that Tim
included but could also be to<br>
>> the base WMS and WFS services:<br>
>><br>
>> /geoserver/wms<br>
>> /geoserver/wfs<br>
>> /geoserver/ows<br>
>><br>
>> Those should all be allowed from any IP
address. I think this would help<br>
>> out for use cases like what Tim's is.<br>
>><br>
>> Micah<br>
>><br>
>><br>
>> On 1/7/2015 1:16 PM, Tim Haverland - NOAA
Federal wrote:<br>
>><br>
>> I'm calling URLs such as:<br>
>><br>
>> //<a moz-do-not-send="true"
href="http://services.ogc.noaa.gov/geoserver/nmfs_st/wfs"
target="_blank">services.ogc.noaa.gov/geoserver/nmfs_st/wfs</a><br>
>> //<a moz-do-not-send="true"
href="http://services.ogc.noaa.gov/geoserver/nmfs_st/wms"
target="_blank">services.ogc.noaa.gov/geoserver/nmfs_st/wms</a><br>
>> //<a moz-do-not-send="true"
href="http://services.ogc.noaa.gov/geoserver/nmfs_st/ows"
target="_blank">services.ogc.noaa.gov/geoserver/nmfs_st/ows</a><br>
>><br>
>> After looking at these URLs I realize that I'm
including our workspace name<br>
>> (nmfs_st). I'm not sure if that's necessary.
Micah, do you know?<br>
>><br>
>> Tim<br>
>><br>
>><br>
>><br>
>><br>
>> On Wed, Jan 7, 2015 at 12:25 PM, Chi Kang -
NOAA Federal<br>
>> <<a moz-do-not-send="true"
href="mailto:chi.y.kang@noaa.gov" target="_blank">chi.y.kang@noaa.gov</a>>
wrote:<br>
>><br>
>> Tim / Micah I don't think i have an issue
getting more granular but I<br>
>> want to understand all the URLs involved first.<br>
>><br>
>> Can someone outline them for me as an example?<br>
>><br>
>><br>
>> On Fri, Jan 2, 2015 at 5:11 PM, Tim Haverland -
NOAA Federal<br>
>> <<a moz-do-not-send="true"
href="mailto:tim.haverland@noaa.gov" target="_blank">tim.haverland@noaa.gov</a>>
wrote:<br>
>><br>
>> What you suggest would be very helpful and
allow my calls to geoserver<br>
>> to be<br>
>> protocol relative.<br>
>><br>
>> I have redirected all https calls to my map to
http at the moment.<br>
>><br>
>> Tim<br>
>><br>
>> On Fri, Jan 2, 2015 at 5:07 PM, Micah Wengren
<<a moz-do-not-send="true"
href="mailto:micah.wengren@noaa.gov" target="_blank">micah.wengren@noaa.gov</a>><br>
>> wrote:<br>
>><br>
>> Tim/WOC,<br>
>><br>
>> I think the reason for the extra authentication
step for HTTPS was to<br>
>> prevent public from being able to access
/geoserver/web (with login<br>
>> form<br>
>> components) for preventing brute force password
attacks and such.<br>
>><br>
>> I can't think of a reason to not allow HTTPS
access to the<br>
>> /geoserver/wms<br>
>> and /geoserver/wfs paths though.<br>
>><br>
>> This might be something to look into
potentially relaxing, if the WOC<br>
>> is<br>
>> willing to make that change and web server
config allows it to that<br>
>> level of<br>
>> granularity.<br>
>><br>
>> Micah<br>
>><br>
>><br>
>> On 12/4/2014 12:09 PM, Tim Haverland - NOAA
Federal wrote:<br>
>><br>
>> Hi Micah,<br>
>><br>
>> Yes, I was trying to avoid the situation where
someone loads our map<br>
>> page<br>
>> via https and our calls to services using http
are blocked by the<br>
>> browser.<br>
>><br>
>> I can have our sysadmin redirect all https
requests to my page to http,<br>
>> but was hoping to avoid that by simply making
my service URLs protocol<br>
>> relative.<br>
>><br>
>> Is there a reason why <a
moz-do-not-send="true"
href="http://services.ogc.noaa.gov" target="_blank">services.ogc.noaa.gov</a>
requests a password for<br>
>> ssl?<br>
>> Are there services that I can't get to via HTTP
but can with HTTPS?<br>
>><br>
>> Tim<br>
>><br>
>> On Thu, Dec 4, 2014 at 9:48 AM, Micah Wengren -
NOAA Federal<br>
>> <<a moz-do-not-send="true"
href="mailto:micah.wengren@noaa.gov" target="_blank">micah.wengren@noaa.gov</a>>
wrote:<br>
>><br>
>> Tim,<br>
>><br>
>> Your goal is to have your web map SSL-enabled
(to allow restricted<br>
>> views<br>
>> with a user login for example), or are you just
trying to accommodate<br>
>> users<br>
>> who come in to the Fisheries website over
HTTPS?<br>
>><br>
>> If it's the latter, I think you should be able
to hard-code the web<br>
>> map<br>
>> requests to go over HTTP regardless of which
protocol users come to<br>
>> the site<br>
>> through. This way they shouldn't get the login
prompt from a non-NOAA<br>
>> network to access <a moz-do-not-send="true"
href="http://services.ogc.noaa.gov" target="_blank">services.ogc.noaa.gov</a>.
The drawback to that is that<br>
>> the<br>
>> browser will give a warning message because
some content is coming<br>
>> over<br>
>> HTTP. That's the case for the NOAA Data
Catalog, because the tile<br>
>> provider<br>
>> only supports HTTP not HTTPS: <a
moz-do-not-send="true"
href="https://data.noaa.gov/dataset" target="_blank">https://data.noaa.gov/dataset</a>
(the<br>
>> browser<br>
>> will show a warning message rather than a
secure connection message).<br>
>><br>
>> It might be more complicated in your case
though because you're making<br>
>> GetFeatureInfo requests to the service that
return XML instead of map<br>
>> tiles.<br>
>> I don't know how that would differ.<br>
>><br>
>><br>
>> Can you look into that before we investigate
making any changes to the<br>
>> HTTPS access policies?<br>
>><br>
>><br>
>> Micah<br>
>><br>
>><br>
>> On Wed, Dec 3, 2014 at 5:46 PM, Tim Haverland -
NOAA Federal<br>
>> <<a moz-do-not-send="true"
href="mailto:tim.haverland@noaa.gov" target="_blank">tim.haverland@noaa.gov</a>>
wrote:<br>
>><br>
>> Hi all,<br>
>><br>
>> Recently I've been trying to enable an
application that uses noaa ogc<br>
>> services to run under https. When I do so, the
application runs when<br>
>> I'm at<br>
>> work, but from home (and no VPN) it asks that I
enter my noaa email<br>
>> username/pwd.<br>
>><br>
>> This is fine for me but won't work for public
users of my<br>
>> application.<br>
>><br>
>> Is there a reason that ssl access to <a
moz-do-not-send="true"
href="http://services.ogc.noaa.gov" target="_blank">services.ogc.noaa.gov</a>
requires<br>
>> login for users that aren't on a noaa network
(I assume).<br>
>><br>
>> Here's the app if anyone want to see this
behavior in action:<br>
>><br>
>> Works anywhere:<br>
>><br>
>> <a moz-do-not-send="true"
href="http://www.st.nmfs.noaa.gov/humandimensions/social-indicators/map-copy"
target="_blank">http://www.st.nmfs.noaa.gov/humandimensions/social-indicators/map-copy</a><br>
>><br>
>> Requires password for I assume non-noaa network
users:<br>
>><br>
>> <a moz-do-not-send="true"
href="https://www.st.nmfs.noaa.gov/humandimensions/social-indicators/map-copy"
target="_blank">https://www.st.nmfs.noaa.gov/humandimensions/social-indicators/map-copy</a><br>
>><br>
>> I suppose I could redirect users coming in on
https to http, but that<br>
>> causes other headaches on my end.<br>
>><br>
>> Any thoughts?<br>
>><br>
>> Tim<br>
>><br>
>> --<br>
>> Tim Haverland<br>
>> Acting Operations Branch Chief<br>
>> NOAA Fisheries Office of Science and Technology<br>
>> 1315 East-West Highway<br>
>> SSMC3 Rm 12303<br>
>> Silver Spring, MD 20910<br>
>> <a moz-do-not-send="true"
href="tel:301-427-8137" value="+13014278137"
target="_blank">301-427-8137</a><br>
>><br>
>> _______________________________________________<br>
>> Open.ogc mailing list<br>
>> <a moz-do-not-send="true"
href="mailto:Open.ogc@list.woc.noaa.gov"
target="_blank">Open.ogc@list.woc.noaa.gov</a><br>
>> <a moz-do-not-send="true"
href="https://list.woc.noaa.gov/cgi-bin/mailman/listinfo/open.ogc"
target="_blank">https://list.woc.noaa.gov/cgi-bin/mailman/listinfo/open.ogc</a><br>
>><br>
>><br>
>> --<br>
>> Tim Haverland<br>
>> Acting Operations Branch Chief<br>
>> NOAA Fisheries Office of Science and Technology<br>
>> 1315 East-West Highway<br>
>> SSMC3 Rm 12303<br>
>> Silver Spring, MD 20910<br>
>> <a moz-do-not-send="true"
href="tel:301-427-8137" value="+13014278137"
target="_blank">301-427-8137</a><br>
>><br>
>><br>
>><br>
>> --<br>
>> Tim Haverland<br>
>> Acting Operations Branch Chief<br>
>> NOAA Fisheries Office of Science and Technology<br>
>> 1315 East-West Highway<br>
>> SSMC3 Rm 12303<br>
>> Silver Spring, MD 20910<br>
>> <a moz-do-not-send="true"
href="tel:301-427-8137" value="+13014278137"
target="_blank">301-427-8137</a><br>
>><br>
>> _______________________________________________<br>
>> Open.ogc mailing list<br>
>> <a moz-do-not-send="true"
href="mailto:Open.ogc@list.woc.noaa.gov"
target="_blank">Open.ogc@list.woc.noaa.gov</a><br>
>> <a moz-do-not-send="true"
href="https://list.woc.noaa.gov/cgi-bin/mailman/listinfo/open.ogc"
target="_blank">https://list.woc.noaa.gov/cgi-bin/mailman/listinfo/open.ogc</a><br>
>><br>
>><br>
>> --<br>
>> Chi Y Kang<br>
>> Principal Engineer<br>
>> Phone: <a moz-do-not-send="true"
href="tel:301.628.5642" value="+13016285642"
target="_blank">301.628.5642</a><br>
>> Cell: <a moz-do-not-send="true"
href="tel:240.338.1059" value="+12403381059"
target="_blank">240.338.1059</a><br>
>><br>
>><br>
>> --<br>
>> Tim Haverland<br>
>> Acting Operations Branch Chief<br>
>> NOAA Fisheries Office of Science and Technology<br>
>> 1315 East-West Highway<br>
>> SSMC3 Rm 12303<br>
>> Silver Spring, MD 20910<br>
>> <a moz-do-not-send="true"
href="tel:301-427-8137" value="+13014278137"
target="_blank">301-427-8137</a><br>
>><br>
>><br>
>><br>
>><br>
>><br>
><br>
><br>
><br>
> --<br>
> Chi Y Kang<br>
> Principal Engineer<br>
> Phone: <a moz-do-not-send="true"
href="tel:301.628.5642" value="+13016285642"
target="_blank">301.628.5642</a><br>
> Cell: <a moz-do-not-send="true"
href="tel:240.338.1059" value="+12403381059"
target="_blank">240.338.1059</a>
</div>
</div>
</blockquote>
</div>
<br>
<br clear="all">
<div><br>
</div>
-- <br>
<div class="gmail_signature">Chi Y Kang<br>
Principal Engineer<br>
Phone: 301.628.5642<br>
Cell: 240.338.1059</div>
</div>
</blockquote>
<br>
</body>
</html>