This repository implements the GeoXACML 1.0 standard and is no longer actively maintained as the Open Geospatial Consortium has released the GeoXACML 3.0 and the GeoXACML JSON Profile 1.0 standards.
Dockerized apache2 reverse proxy service including 'mod_authz_geopep'.
This project enables you to build a docker container that acts as an Apache2 reverse proxy that includes the access control module 'mod_authz_geopep' (geoPEP) available from Secure Dimensions.
Once you've created and launched the 'geopep-apache2-reverse-proxy' container, it intercepts all HTTP (or HTTPS) based on the Apache2 reverse proxy configuration that you configure (details below) and applies standardized authorization decisions received from the 'geoPDP' module based on a GeoXACML policy. How to build and run a docker container for the 'geoPDP' is described here.
The following figure illustrates the co-play:
Make sure you have 'ansible' installed!
Change directory to where you like to clone this repository. For the ease of description, let's assume that this is '/opt'.
Now, clone this repository with
git clone https://github.com/securedimensions/geopep-apache2-reverse-proxy.git
Next go into the directory 'ansible' ('cd /opt/geopep-apache2-reverse-proxy/ansible') and get the content of ansible directory by running:
git clone https://github.com/jmferrer/ansible-apache2-reverse-proxy.git
Then, 'cd ..' and build the docker image with (you should be in directory '/opt/geopep-apache2-reverse-proxy'):
docker build -t apache2-reverse-proxy:debian8 .
After creating your Apache2 virtualhosts configuration file in '/opt/geopep-apache2-reverse-proxy/apache2/config' create the docker container with:
docker create --name geopep --hostname apache2-reverse-proxy -p 80:80 -v /opt/geopep-apache2-reverse-proxy/apache2/config:/etc/apache2/sites-enabled apache2-reverse-proxy:debian8
The above command exposes the HTTP port 80. You can change the listen port of your machine via the first number. So for example -p88:80 exposes the geopep on port 88.
To setup an Apache2 that is able to listen to HTTP (typically on port 443) you need to configure SSL options in you virtualhosts configuration file. For the ease of the setup, you can put the required files into this directory '/opt/geopep-apache2-reverse-proxy/apache2/certs' and map the directory when creating the docker container:
docker create --name geopep --hostname apache2-reverse-proxy -p 443:443 -v /opt/geopep-apache2-reverse-proxy/apache2/config:/etc/apache2/sites-enabled /opt/geopep-apache2-reverse-proxy/apache2/certs:/etc/apache2/certs apache2-reverse-proxy:debian8
Please use these linking as requird:
-v /opt/geopep-apache2-reverse-proxy/apache2/logs:/var/log/apache2
-v /opt/geopep-apache2-reverse-proxy/apache2/certs:/etc/apache2/certs
-v /opt/geopep-apache2-reverse-proxy/apache2/config:/etc/apache2/sites-enabled
You can simply start the geopep with:
docker container start geopep
You can determine a successful startup using the 'netstat' command.
You can simply stop the geopep with:
docker container stop geopep
The following configuration example exposes the geopep on and HTTP port and use as a backend a default geoserver deployment on a Secure Dimension server: 'http://demo.secure-dimensions.de/geoserver'
<VirtualHost *:80>
ServerName <put the full qualified hostname here>
<Location /geoserver>
Require all granted
GeoPEP.WMS on
GeoPDP.Host <put the IP address of the machine that runs the geoPDP here>
#don't change this if you are using the geoPDP default configuration
GeoPDP.Port 8080
GeoPDP.Path /authzforce-ce/domains/A0bdIbmGEeWhFwcKrC9gSQ/pdp #don't change this
#don't change this if you are using the geoPDP default configuration
GeoPDP.Scheme http
#You can change this to map your backend WMS
ProxyPass http://demo.secure-dimensions.de/geoserver
#You can change this to map your backend WMS
ProxyPassReverse http://demo.secure-dimensions.de/geoserver
</Location>
LogLevel error
ErrorLog /var/log/apache2/geopep-error.log
CustomLog /var/log/apache2/geopep-access.log combined
</VirtualHost>
You can test the geoPEP deployment after you have the geoPDP running using the following example URLs. Using the example configuration for the Apache2 reverse proxy, these requests will be served by the Geoserver on http://demo.secure-dimensions.de
This WMS request will cause the geoPEP not to process the image (see uloaded image 1):
http://<THE IP OF YOUR MACHINE>/geoserver/topp/wms?SERVICE=WMS&VERSION=1.3.0&REQUEST=GetMap&FORMAT=image%2Fpng&TRANSPARENT=true&LAYERS=topp%3Astates&TILED=true&access_token=200fcaad3e27d4387172ea93daea8686c706f0c9&WIDTH=320&HEIGHT=320&CRS=EPSG%3A3857&STYLES=&FORMAT_OPTIONS=dpi%3A113&BBOX=-7514065.628545966%2C5009377.085697312%2C-5009377.08569731%2C7514065.628545968
This WMS request will cause the geoPEP to redact the image (see uploaded image 2):
http://<THE IP OF YOUR MACHINE>/geoserver/topp/wms?service=WMS&version=1.1.0&request=GetMap&layers=topp:states&styles=&bbox=-124.73142200000001,24.955967,-66.969849,49.371735&width=768&height=330&srs=EPSG:4326&format=image%2Fpng
You can use the OpenLayers based simple viewer to see the geoPEP working by opening your Web Browser using this URL:
http://<THE IP OF YOUR MACHINE>:<THE PORT THE geoPEP IS EXPOSED>/index.html
You must add the mount the apache2/html directory to the docker container when creating it!
-v /opt/geopep-apache2-reverse-proxy/apache2/html:/var/www/html
This example project uses a precompiled 'mod_authz_geopep' module for Debian Jessie (8.11). If you are interested in other deployment options or a build for another platform, please contact us at support