search

3liz / docker-qgis-server

Build docker qgis tornado server image
6 stars 1 forks source link

Restrict with user / password a webservice ? #6

Closed Doctor-Who closed 5 years ago

Doctor-Who commented 5 years ago

Hi David,

More a question about QGIS Server itself than Docker image. How could I restrict access to a webservice with user/pass ? In QGIS > Properties > QGIS Server I don't see any option for that

rldhont commented 5 years ago

You can't.

You need to develop a plugin to do so.

Doctor-Who commented 5 years ago

Send me a quotation ;) Add this feature + implementation in this Docker image please.

dmarteau commented 5 years ago

There is no such thing as password management since most of the time we expect the server used as a backend for reverse-proxy/load-balancer (like nginx), and authentification is delegated to the fron-end.

As @rldhont says, you have to use a qgis server plugin to manage authentification.

For information, as an experimental feature, qgis server implement some kind of profile management where you can restrict projects, services, parameters... It is url-based and can be used in conjunction with a reverse-proxy authentication.

Doctor-Who commented 5 years ago

There is no such thing as password management since most of the time we expect the server used as a backend for reverse-proxy/load-balancer (like nginx), and authentification is delegated to the fron-end.

So QGIS as client, is able to understand that reverse proxy is waiting ID/PASS and interact with credential filled by user ?

dmarteau commented 5 years ago

So QGIS as client, is able to understand that reverse proxy is waiting ID/PASS and interact with credential filled by user ?

If your refer to Qgis desktop, I would say yes, can you confirm @rldhont ?

dmarteau commented 5 years ago

Add this feature + implementation in this Docker image please.

AFAIK, we do not plan to implement this feature because we think that authentification may be handled more efficiently using appropriate tools adapted to your infrastructure.

Used with url rewrite and authorisation management in a reverse proxy, the 'profile' feature enable a fine-tuning of access rights/privileges authorisation management to webservices.

rldhont commented 5 years ago

I know that QGIS support Authorization provided in the HTTP header. https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Authorization

I don't know if proxy can do it.

rldhont commented 5 years ago

@Doctor-Who for your information https://docs.nginx.com/nginx/admin-guide/security-controls/configuring-subrequest-authentication/