Security
========

General
*******

MapStore is a web application that is usually deployed on Tomcat. For this reason you should follow the general security settings `suggested by Tomcat `_.

There are also other considerations valid for all applications:

- Always use HTTPS to create secure connections
- Do not share sensitive data like passwords (for users or databases)
- Always use strong, non-trivial passwords (for users and databases)

HTTPS
*****

The suggested configuration to use HTTPS for MapStore is to expose it on port 80 through an HTTP server placed in front of Tomcat. For instance, with Apache HTTP Server you can set the proxy configuration like this:

.. code:: text

    # Example for Apache HTTP server
    ProxyPass /mapstore ajp://localhost:8010/mapstore
    ProxyPassReverse /mapstore ajp://localhost:8010/mapstore

.. note:: The suggested configuration uses the `AJP connector `_. This allows the effective paths and URLs of the application to be proxied correctly to the parts that need them. See `this section of print module troubleshooting ` for more details.

Proxy
*****

MapStore is delivered with an internal proxy that allows it to access data on remote servers directly, working around the `same origin policy `_ of the web browser.

.. note:: If you know some servers, outside the domain of your application, that are accessible using the `Cross-origin resource sharing (CORS) mechanism `_, you can configure them in ``localConfig.json``, in the ``useCORS`` list of the ``proxyUrl`` section. Adding a URL to this list makes MapStore call the service directly, without passing through the proxy server.

.. code-block:: json

    {
        "proxyUrl": {
            "url": "proxy/?url=",
            "useCORS": [
                "https://nominatim.openstreetmap.org",
                "https://otherdomain.org/geoserver/"
            ]
        }
    }

MapStore automatically intercepts cross-origin requests and redirects them to the proxy. This proxy can be configured to restrict the set of requests allowed, or to limit the connections, in order to avoid some types of attacks (e.g. DNS). This is the actual default configuration:

.. code-block:: properties

    # ##################
    # CONNECTION MANAGER
    # ##################
    timeout = 30000
    connection_timeout = 30000
    max_total_connections = 60
    default_max_connections_per_host = 6

    # #################
    # Stream Byte Size
    # #################
    defaultStreamByteSize=1024

    # ###########
    # WHITE LISTS
    # ###########
    #hostnameWhitelist = localhost,demo1.geo-solutions.it,demo.geo-solutions.it
    mimetypeWhitelist = application/force-download,text/html,text/plain,application/xml,text/xml,application/vnd.ogc.sld+xml,application/vnd.ogc.gml,application/json,application/vnd.ogc.wms_xml,application/x-www-form-urlencoded,image/png,application/pdf,text/csv,image/bil,application/bil16,application/zip,text/csv;charset=UTF-8
    methodsWhitelist = GET,POST,PUT
    #hostsWhitelist = 127.0.0.1
    #reqtypeWhitelist.capabilities = (([&]?([Rr][Ee][Qq][Uu][Ee][Ss][Tt]=[Gg]et[Cc]apabilities))|([&]?(version=1\\.1\\.1)))+
    reqtypeWhitelist.capabilities = .*[Gg]et[Cc]apabilities.*
    reqtypeWhitelist.featureinfo = .*[Gg]et[Ff]eature[Ii]nfo.*
    reqtypeWhitelist.csw = .*csw.*
    reqtypeWhitelist.geostore = .*geostore.*
    reqtypeWhitelist.generic = (.*exist.*)|(.*pdf.*)|(.*map.*)|(.*wms.*)|(.*wmts.*)|(.*tms.*)|(.*wfs.*)|(.*ows.*)|(.*spatialreference.*)|(.*wps.*)

This configuration is made to let MapStore work with **every** server, while limiting the requests to the ones typical of MapStore. So by default you will find restrictions on:

- mime types (the ones supported by MapStore)
- request types (forcing the URL to contain strings typical of the OGC service requests).

By default there is no restriction on hosts, but you can configure this proxy with a white-list of allowed servers by setting a comma-separated list of host names in the ``hostnameWhitelist`` property.

If you want to disable this proxy entirely, you can simply set ``methodsWhitelist`` to a method that doesn't exist (e.g. ``NOT_EXIST``).
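The following is an added example, not MapStore's own proxy code: it is a small Python model of how the whitelists in the properties file above combine, written to let an administrator try a candidate ``proxy.properties`` against sample requests before deploying it. It assumes that ``methodsWhitelist``, ``hostnameWhitelist`` and ``mimetypeWhitelist`` are comma-separated lists, that an empty or missing ``hostnameWhitelist`` means "no host restriction" (as the text states), and that each ``reqtypeWhitelist.*`` value is a regular expression that must match the whole proxied URL; the ``DEFAULT_PROPERTIES`` string is a constructed excerpt of the default configuration, and ``any.example.org`` is a made-up host.

```python
import re
from urllib.parse import urlparse

# Constructed excerpt of the default proxy.properties shown above
# (the mimetypeWhitelist is shortened to keep the example readable).
DEFAULT_PROPERTIES = """
# CONNECTION MANAGER
max_total_connections = 60
default_max_connections_per_host = 6
# WHITE LISTS
#hostnameWhitelist = localhost,demo1.geo-solutions.it,demo.geo-solutions.it
mimetypeWhitelist = application/force-download,text/html,text/plain,application/xml,text/xml,application/json,image/png,application/pdf,text/csv;charset=UTF-8
methodsWhitelist = GET,POST,PUT
reqtypeWhitelist.capabilities = .*[Gg]et[Cc]apabilities.*
reqtypeWhitelist.featureinfo = .*[Gg]et[Ff]eature[Ii]nfo.*
reqtypeWhitelist.csw = .*csw.*
reqtypeWhitelist.geostore = .*geostore.*
reqtypeWhitelist.generic = (.*exist.*)|(.*pdf.*)|(.*map.*)|(.*wms.*)|(.*wmts.*)|(.*tms.*)|(.*wfs.*)|(.*ows.*)|(.*spatialreference.*)|(.*wps.*)
"""


def parse_properties(text):
    """Minimal Java .properties parser: 'key = value' lines, '#' lines ignored.
    A key that appears twice keeps its last value, so appending an override
    line to the text is enough to simulate editing the file."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        props[key.strip()] = value.strip()
    return props


def csv_set(props, key):
    """Split a comma-separated whitelist into a set; missing key -> empty set."""
    return {v.strip() for v in props.get(key, "").split(",") if v.strip()}


class ProxyPolicy:
    """Model of the whitelist checks, in the order an administrator would
    reason about them: method, host, request type, then response mime type."""

    def __init__(self, props):
        self.methods = csv_set(props, "methodsWhitelist")
        self.hosts = csv_set(props, "hostnameWhitelist")  # empty == unrestricted
        self.mimetypes = csv_set(props, "mimetypeWhitelist")
        self.reqtypes = {
            key.split(".", 1)[1]: re.compile(value)
            for key, value in props.items()
            if key.startswith("reqtypeWhitelist.")
        }

    def check(self, method, url, response_content_type=None):
        """Return (allowed, reason). The content type is only known once the
        remote server answers, so it is optional here."""
        if method not in self.methods:
            return False, "method %s not in methodsWhitelist" % method
        host = urlparse(url).hostname or ""
        if self.hosts and host not in self.hosts:
            return False, "host %s not in hostnameWhitelist" % host
        if not any(pattern.fullmatch(url) for pattern in self.reqtypes.values()):
            return False, "url matches no reqtypeWhitelist pattern"
        if response_content_type is not None and response_content_type not in self.mimetypes:
            return False, "content type %s not in mimetypeWhitelist" % response_content_type
        return True, "allowed"


def evaluate(properties_text, requests):
    """Run every (method, url, content_type) triple through a policy built
    from properties_text and return the list of (allowed, reason) results."""
    policy = ProxyPolicy(parse_properties(properties_text))
    return [policy.check(*request) for request in requests]


if __name__ == "__main__":
    capabilities = "https://any.example.org/geoserver/wms?SERVICE=WMS&REQUEST=GetCapabilities"
    samples = [
        ("GET", capabilities, "text/xml"),                       # typical MapStore request
        ("DELETE", capabilities, None),                           # method not whitelisted
        ("GET", "https://any.example.org/admin/", None),          # no OGC-looking string in URL
        ("GET", capabilities, "application/octet-stream"),        # unexpected response type
    ]
    print("default configuration (no host restriction):")
    for req, result in zip(samples, evaluate(DEFAULT_PROPERTIES, samples)):
        print("  %-6s %-70s -> %s" % (req[0], req[1], result[1]))
    hardened = DEFAULT_PROPERTIES + "\nhostnameWhitelist = demo.geo-solutions.it\n"
    print("with hostnameWhitelist set:")
    for req, result in zip(samples[:1], evaluate(hardened, samples[:1])):
        print("  %-6s %-70s -> %s" % (req[0], req[1], result[1]))
```

Because ``hostnameWhitelist`` is commented out by default, the first sample is accepted for any host whose URL contains one of the OGC-looking strings; uncommenting that property and listing only the servers your maps actually use is the single setting that turns the proxy from an open relay into a restricted one, and setting ``methodsWhitelist = NOT_EXIST`` makes every request fail the very first check.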