|
13 | 13 | * QGIS_SERVER_USERNAME (default ="username")
|
14 | 14 | * QGIS_SERVER_PASSWORD (default ="password")
|
15 | 15 |
|
| 16 | +PKI authentication with HTTPS can be enabled with: |
| 17 | +
|
| 18 | + * QGIS_SERVER_PKI_CERTIFICATE (server certificate) |
| 19 | + * QGIS_SERVER_PKI_KEY (server private key) |
| 20 | + * QGIS_SERVER_PKI_AUTHORITY (root CA) |
| 21 | + * QGIS_SERVER_PKI_USERNAME (valid username) |
| 22 | +
|
| 23 | + Sample run: |
| 24 | +
|
| 25 | + QGIS_SERVER_PKI_USERNAME=Gerardus QGIS_SERVER_PORT=47547 QGIS_SERVER_HOST=localhost \ |
| 26 | + QGIS_SERVER_PKI_KEY=/home/dev/QGIS/tests/testdata/auth_system/certs_keys/localhost_ssl_key.pem \ |
| 27 | + QGIS_SERVER_PKI_CERTIFICATE=/home/dev/QGIS/tests/testdata/auth_system/certs_keys/localhost_ssl_cert.pem \ |
| 28 | + QGIS_SERVER_PKI_AUTHORITY=/home/dev/QGIS/tests/testdata/auth_system/certs_keys/chains_subissuer-issuer-root_issuer2-root2.pem \ |
| 29 | + python /home/dev/QGIS/tests/src/python/qgis_wrapped_server.py |
| 30 | +
|
16 | 31 | .. note:: This program is free software; you can redistribute it and/or modify
|
17 | 32 | it under the terms of the GNU General Public License as published by
|
18 | 33 | the Free Software Foundation; either version 2 of the License, or
|
|
31 | 46 |
|
32 | 47 | import os
|
33 | 48 | import sys
|
| 49 | +import ssl |
34 | 50 | import urllib.parse
|
35 | 51 | from http.server import BaseHTTPRequestHandler, HTTPServer
|
36 | 52 | from qgis.server import QgsServer, QgsServerFilter
|
37 | 53 |
|
38 | 54 | QGIS_SERVER_PORT = int(os.environ.get('QGIS_SERVER_PORT', '8081'))
|
39 | 55 | QGIS_SERVER_HOST = os.environ.get('QGIS_SERVER_HOST', '127.0.0.1')
|
| 56 | +# PKI authentication |
| 57 | +QGIS_SERVER_PKI_CERTIFICATE = os.environ.get('QGIS_SERVER_PKI_CERTIFICATE') |
| 58 | +QGIS_SERVER_PKI_KEY = os.environ.get('QGIS_SERVER_PKI_KEY') |
| 59 | +QGIS_SERVER_PKI_AUTHORITY = os.environ.get('QGIS_SERVER_PKI_AUTHORITY') |
| 60 | +QGIS_SERVER_PKI_USERNAME = os.environ.get('QGIS_SERVER_PKI_USERNAME') |
| 61 | + |
| 62 | +# Check if PKI - https is enabled |
| 63 | +https = (QGIS_SERVER_PKI_CERTIFICATE is not None and |
| 64 | + os.path.isfile(QGIS_SERVER_PKI_CERTIFICATE) and |
| 65 | + QGIS_SERVER_PKI_KEY is not None and |
| 66 | + os.path.isfile(QGIS_SERVER_PKI_KEY) and |
| 67 | + QGIS_SERVER_PKI_AUTHORITY is not None and |
| 68 | + os.path.isfile(QGIS_SERVER_PKI_AUTHORITY) and |
| 69 | + QGIS_SERVER_PKI_USERNAME) |
40 | 70 |
|
41 | 71 | qgs_server = QgsServer()
|
42 | 72 |
|
@@ -66,8 +96,20 @@ def responseComplete(self):
|
66 | 96 | class Handler(BaseHTTPRequestHandler):
|
67 | 97 |
|
68 | 98 | def do_GET(self):
|
| 99 | + # For PKI: check the username from client certificate |
| 100 | + if https: |
| 101 | + try: |
| 102 | + ssl.match_hostname(self.connection.getpeercert(), QGIS_SERVER_PKI_USERNAME) |
| 103 | + except Exception as ex: |
| 104 | + print("SSL Exception %s" % ex) |
| 105 | + self.send_response(401) |
| 106 | + self.end_headers() |
| 107 | + self.wfile.write('UNAUTHORIZED') |
| 108 | + return |
69 | 109 | # CGI vars:
|
70 | 110 | for k, v in self.headers.items():
|
| 111 | + # Uncomment to print debug info about env vars passed into QGIS Server env |
| 112 | + #print('Setting ENV var %s to %s' % ('HTTP_%s' % k.replace(' ', '-').replace('-', '_').replace(' ', '-').upper(), v)) |
71 | 113 | qgs_server.putenv('HTTP_%s' % k.replace(' ', '-').replace('-', '_').replace(' ', '-').upper(), v)
|
72 | 114 | qgs_server.putenv('SERVER_PORT', str(self.server.server_port))
|
73 | 115 | qgs_server.putenv('SERVER_NAME', self.server.server_name)
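Review bot: `ssl.match_hostname(self.connection.getpeercert(), QGIS_SERVER_PKI_USERNAME)` in do_GET applies hostname-matching rules to a username: it prefers subjectAltName DNS entries over the commonName and honours wildcards, so a client certificate can pass or fail for reasons unrelated to the user's identity, and the function is deprecated since Python 3.7 and removed in 3.12. Comparing the subject commonName explicitly, as sketched below, keeps the check fail-closed without relying on it. `self.wfile.write('UNAUTHORIZED')` passes a str to a binary stream and would raise TypeError under Python 3 after the 401 status has been sent; it should be `self.wfile.write(b'UNAUTHORIZED')`. The check is visible only in do_GET, whose body continues outside the hunk; do_POST is not shown here, so confirm that it enforces the same check.

```python
    def do_GET(self):
        # For PKI: check the username from client certificate
        if https:
            cert = self.connection.getpeercert() or {}
            common_names = [value
                            for rdn in cert.get('subject', ())
                            for key, value in rdn
                            if key == 'commonName']
            if QGIS_SERVER_PKI_USERNAME not in common_names:
                print("SSL: client certificate CN %s rejected" % common_names)
                self.send_response(401)
                self.end_headers()
                self.wfile.write(b'UNAUTHORIZED')
                return
        # … unchanged: CGI vars loop and request handling …
```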
|
@@ -96,7 +138,19 @@ def do_POST(self):
|
96 | 138 |
|
97 | 139 | if __name__ == '__main__':
|
98 | 140 | server = HTTPServer((QGIS_SERVER_HOST, QGIS_SERVER_PORT), Handler)
|
99 |
| - print('Starting server on %s:%s, use <Ctrl-C> to stop' % |
100 |
| - (QGIS_SERVER_HOST, server.server_port)) |
101 |
| - sys.stdout.flush() |
| 141 | + if https: |
| 142 | + server.socket = ssl.wrap_socket(server.socket, |
| 143 | + certfile=QGIS_SERVER_PKI_CERTIFICATE, |
| 144 | + keyfile=QGIS_SERVER_PKI_KEY, |
| 145 | + ca_certs=QGIS_SERVER_PKI_AUTHORITY, |
| 146 | + cert_reqs=ssl.CERT_REQUIRED, |
| 147 | + server_side=True, |
| 148 | + ssl_version=ssl.PROTOCOL_TLSv1) |
| 149 | + message = 'Starting server on %s://%s:%s, use <Ctrl-C> to stop' % \ |
| 150 | + ('https' if https else 'http', QGIS_SERVER_HOST, server.server_port) |
| 151 | + try: |
| 152 | + print(message, flush=True) |
| 153 | + except: |
| 154 | + print(message) |
| 155 | + sys.stdout.flush() |
102 | 156 | server.serve_forever()
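Review bot: `ssl_version=ssl.PROTOCOL_TLSv1` pins the listener to TLS 1.0, a deprecated protocol version that current clients and OpenSSL builds increasingly refuse, and `ssl.wrap_socket` itself is deprecated since Python 3.7 and removed in 3.12. An `SSLContext` created with `ssl.PROTOCOL_TLS_SERVER` negotiates the highest shared version and keeps the client-certificate requirement, as sketched below. The bare `except:` around `print(message, flush=True)` also catches KeyboardInterrupt and SystemExit; `except TypeError:` is enough for the fallback. Separately, when any PKI variable is unset or its file is missing, `https` is falsy and the server starts on plain HTTP with no client check, so a startup warning for a partially configured PKI setup would make that fallback visible.

```python
    if https:
        context = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
        context.verify_mode = ssl.CERT_REQUIRED
        context.load_cert_chain(certfile=QGIS_SERVER_PKI_CERTIFICATE,
                                keyfile=QGIS_SERVER_PKI_KEY)
        context.load_verify_locations(cafile=QGIS_SERVER_PKI_AUTHORITY)
        server.socket = context.wrap_socket(server.socket, server_side=True)
    # … unchanged: startup message and server.serve_forever() …
```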
|