IS-AgroSmart / AgroSmart-Web


Geoserver still exposes all layers on Layer Preview #138

Closed jreyesr closed 3 years ago

jreyesr commented 3 years ago

Per #115, nobody is supposed to see a list of all Geoserver layers, since the unguessability of UUIDs is the only thing protecting those images, much like an unlisted YT video. The REST API and the GetCapabilities document are all locked down. The web UI is not: not-logged-in sessions get a Layer Preview page which lists all layers, thereby negating all other measures. According to https://gis.stackexchange.com/a/97695, unchecking the Advertised box for all layers hides them from the Layer Preview list. However, this also breaks the API call on https://github.com/IS-AgroSmart/AgroSmart-Web/blob/b8e38c7e90738ffa7b96edb7a480f340dd28f9d0/templates/geoext/examples/tree/panel.js#L19-L30

When Advertised is not checked for the mainortho layer on the Project, the Project never loads.

[image: Error message]

This is the end of the response to the GetCapabilities request, when Advertised is checked


This is the end of the response to the GetCapabilities request, when Advertised is NOT checked. Note that the only information returned is a bounding box, which isn't even correct. In particular, there is no WMS_Capabilities/Capability/Layer/Dimension entry, which is what L25 above tries to access.

[image: Wrong API call]

jreyesr commented 3 years ago

Proposed solution: Forbid access to any /geoserver/... path on Traefik, except for:

Alternatively: use the reverse approach and blacklist geoserver/geoserver/web/wicket/bookmarkable/org.geoserver.web.demo.MapPreviewPage only, instead of whitelisting the pages listed above. This would still allow administration of Geoserver through the web admin, while only disabling the layer preview, which is not that helpful anyways, especially on multi-flight projects and multispectral images.
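The blacklist variant of that proposal written out as a Traefik v2 dynamic configuration (file provider). This is an added illustration, not configuration from the AgroSmart-Web repository; the router and service names, the upstream URL http://geoserver:8080, and the use of an ipWhiteList with a loopback-only source range as a stand-in for a deny rule are assumptions.

```yaml
# Added example (not from AgroSmart-Web): Traefik v2 dynamic configuration that
# blocks only the Geoserver Layer Preview page and forwards everything else.
# Assumptions: Traefik v2 file provider, Geoserver reachable at
# http://geoserver:8080, and the preview path exactly as written in the issue
# (adjust the prefix if Traefik strips or rewrites part of it).
http:
  routers:
    # Matches only the Layer Preview page. Traefik v2 already ranks rules by
    # length, so this longer rule would win over the catch-all below even
    # without the explicit priority; the number just makes the intent visible.
    geoserver-layer-preview-deny:
      rule: "PathPrefix(`/geoserver/geoserver/web/wicket/bookmarkable/org.geoserver.web.demo.MapPreviewPage`)"
      priority: 100
      middlewares:
        - deny-all
      service: geoserver

    # Everything else under /geoserver (web admin, WMS GetCapabilities, tiles)
    # is passed through unchanged, so administration keeps working.
    geoserver-all:
      rule: "PathPrefix(`/geoserver`)"
      priority: 10
      service: geoserver

  middlewares:
    # Traefik v2 has no dedicated "deny" middleware; an ipWhiteList whose only
    # allowed source is loopback answers every real client with 403 Forbidden.
    deny-all:
      ipWhiteList:
        sourceRange:
          - "127.0.0.1/32"

  services:
    geoserver:
      loadBalancer:
        servers:
          - url: "http://geoserver:8080"
```

To check the rule after reloading, a request for the MapPreviewPage URL should return 403 while a request for /geoserver/geoserver/web/ (the admin login) still returns the normal page.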

jreyesr commented 3 years ago

Closed on v1.4.3.