startweb: access control (via QUERY_STRING and/or HTTP_REFERER)

zavpyj · May 10, 2017 · 1405b07 · 1405b07
1 parent 88c51a4
commit 1405b07
Show file tree

Hide file tree

Showing 7 changed files with 111 additions and 1 deletion.
diff --git a/Dockerfile b/Dockerfile
@@ -209,6 +209,10 @@ RUN chown postgres:postgres /var/run/postgresql/9.5-main.pg_stat_tmp -R
 COPY ./build/render_list_geo.pl /opt/
 RUN chmod +x /opt/render_list_geo.pl
 
+# Configure mod_rewrite
+COPY ./build/rewrite.conf /etc/apache2/mods-available/
+COPY ./build/000-default.conf /etc/apache2/sites-available/
+
 # Add the entrypoint
 COPY ./build/run.sh /usr/local/sbin/run
 RUN chmod +x /usr/local/sbin/run /etc/sv/renderd/run /etc/sv/apache2/run /etc/sv/postgresql/check /etc/sv/postgresql/run

diff --git a/build/000-default.conf b/build/000-default.conf
@@ -0,0 +1,33 @@
+<VirtualHost *:80>
+  # The ServerName directive sets the request scheme, hostname and port that
+  # the server uses to identify itself. This is used when creating
+  # redirection URLs. In the context of virtual hosts, the ServerName
+  # specifies what hostname must appear in the request's Host: header to
+  # match this virtual host. For the default virtual host (this file) this
+  # value is not decisive as it is used as a last resort host regardless.
+  # However, you must set it for any further virtual host explicitly.
+  #ServerName www.example.com
+
+  ServerAdmin webmaster@localhost
+  DocumentRoot /var/www/html
+
+  # Available loglevels: trace8, ..., trace1, debug, info, notice, warn,
+  # error, crit, alert, emerg.
+  # It is also possible to configure the loglevel for particular
+  # modules, e.g.
+  #LogLevel info ssl:warn
+  #LogLevel alert rewrite:trace8
+
+  ErrorLog ${APACHE_LOG_DIR}/error.log
+  CustomLog ${APACHE_LOG_DIR}/access.log combined
+
+  ErrorDocument 403 "Forbidden!"
+
+  # For most configuration files from conf-available/, which are
+  # enabled or disabled at a global level, it is possible to
+  # include a line for only one particular virtual host. For example the
+  # following line enables the CGI configuration for this host only
+  # after it has been globally disabled with "a2disconf".
+  #Include conf-available/serve-cgi-bin.conf
+  #Include mods-available/rewrite.conf
+</VirtualHost>
diff --git a/build/help.txt b/build/help.txt
@@ -100,6 +100,14 @@ Start the webserver:
 
   docker run -d -P --name osmwebserver -v nvtiles:/var/lib/mod_tile zavpyj/osm-tiles startweb
 
+  To restrict use of this server based on a query string like '?keyId=authorized_access_id', use the `OSM_WEB_AUTHORIZED_IDS` environment variable, like this:
+
+  docker run -d -P --name osmwebserver --env OSM_WEB_AUTHORIZED_IDS=authorized_access_id -v nvtiles:/var/lib/mod_tile zavpyj/osm-tiles startweb
+
+  To restrict use of this server based on an HTTP_REFERER like 'www.example.com', use the `OSM_WEB_AUTHORIZED_REFERERS` environment variable, like this:
+
+  docker run -d -P --name osmwebserver --env OSM_WEB_AUTHORIZED_REFERERS=www.example.com -v nvtiles:/var/lib/mod_tile zavpyj/osm-tiles startweb
+
 For further information look at /usr/local/share/doc/README.md and run the cli:
 
   docker run --rm -it -p 80:80 -v nvpostgisdata:/var/lib/postgresql -v nvtiles:/var/lib/mod_tile zavpyj/osm-tiles cli

diff --git a/build/rewrite.conf b/build/rewrite.conf
@@ -0,0 +1,8 @@
+RewriteEngine On
+RewriteCond %{REQUEST_URI} ^/(index.html)?$
+RewriteRule ^.*$ - [L]
+RewriteCond %{REQUEST_URI} ^/osm_tiles
+#Authorized key ids: RewriteCond %{QUERY_STRING} keyId=({{KEY_ID}})
+#Authorized referers: RewriteCond "%{HTTP_REFERER}" "(^$|{{AUTHORIZED_REFERERS}})"
+RewriteRule ^.*$ - [L]
+RewriteRule ^.*$ - [F,L]
diff --git a/build/run.sh b/build/run.sh
@@ -148,10 +148,25 @@ cli () {
 startservices () {
     startdb
     _startservice renderd
-    _startservice apache2
+    startweb
 }
 
 startweb () {
+    if [ -n "$OSM_WEB_AUTHORIZED_IDS" ] || [ -n "$OSM_WEB_AUTHORIZED_REFERERS" ]
+    then
+        if [ -n "$OSM_WEB_AUTHORIZED_IDS" ]
+        then
+            sed -i -e "s/#Authorized key ids: //" /etc/apache2/mods-available/rewrite.conf
+            sed -i -e "s/{{KEY_ID}}/$OSM_WEB_AUTHORIZED_IDS/" /etc/apache2/mods-available/rewrite.conf
+        fi
+        if [ -n "$OSM_WEB_AUTHORIZED_REFERERS" ]
+        then
+            sed -i -e "s/#Authorized referers: //" /etc/apache2/mods-available/rewrite.conf
+            sed -i -e "s/{{AUTHORIZED_REFERERS}}/$OSM_WEB_AUTHORIZED_REFERERS/" /etc/apache2/mods-available/rewrite.conf
+        fi
+        sed -i -e "s/#Include mods-available\/rewrite.conf/Include mods-available\/rewrite.conf/" /etc/apache2/sites-available/000-default.conf
+        a2enmod rewrite
+    fi
     _startservice apache2
 }
 

diff --git a/docker-compose.yml b/docker-compose.yml
@@ -41,6 +41,12 @@ services:
       OSM_RENDER_X_MAX: -1.56313
       OSM_RENDER_Y_MIN: 48.07221
       OSM_RENDER_Y_MAX: 48.14671
+      # To restrict acces according to specific keys in QUERY_STRING
+      #  (in URLs like http://osmserver_hostname:osmserver_port/osm_tiles/{z}/{x}/{y}.png?keyId=abcdefghijklmnopqrstuvwxyz1234567890 - see sample file "test_with_keyId.html"),
+      #  use OSM_WEB_AUTHORIZED_IDS (multiple values must be pipe ('|') separated):
+      #OSM_WEB_AUTHORIZED_IDS: 'abcdefghijklmnopqrstuvwxyz1234567890|another_id'
+      # To restrict acces according to specific HTTP REFERERS, use OSM_WEB_AUTHORIZED_REFERERS (multiple values must be pipe ('|') separated):
+      #OSM_WEB_AUTHORIZED_REFERERS: 'www.example.com|www.example2.com'
     ports:
       - '80:80'
     command: 'startservices'

diff --git a/test_with_keyId.html b/test_with_keyId.html
@@ -0,0 +1,36 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+    <title>Leaflet Test of Zavpyj OSM Tile Server</title>
+    <meta charset="utf-8" />
+    <meta name="viewport" content="width=device-width, initial-scale=1.0">
+    <link rel="stylesheet" href="http://cdn.leafletjs.com/leaflet/v1.0.2/leaflet.css" />
+</head>
+
+<body>
+    <div id="mapid" style="width: 1600px; height: 800px"></div>
+    <script src="http://cdn.leafletjs.com/leaflet/v1.0.2/leaflet.js"></script>
+    <script>
+    var osmLayer = L.tileLayer('http://localhost/osm_tiles/{z}/{x}/{y}.png?keyId={keyId}', {
+        attribution: '&copy; <a href="http://osm.org/copyright">OpenStreetMap</a> contributors',
+        maxZoom: 19,
+        id: 'osm.map',
+        keyId: 'abcdefghijklmnopqrstuvwxyz1234567890'
+    });
+
+    var mymap = L.map('mapid', {
+        center: [48.1329646, -1.6371024],
+        zoom: 10,
+        layers: [osmLayer]
+    });
+
+    osmLayer.addTo(mymap);
+
+    L.marker([48.1329646, -1.6371024]).addTo(mymap)
+        .bindPopup('Micropole Rennes')
+        .openPopup();
+    </script>
+</body>
+
+</html>