Create a secure MapGuide Site

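This article offers a series of security recommendations for publicly deployed MapGuide sites, including changing the administrator password, removing the test pages, and disabling the HTTP author-role commands, so that the site is secure when it faces the public.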




After days or months of hard work, are you ready to publish your MapGuide application to the public? If your answer is yes and you don't want your MapGuide site exposed to hackers for their entertainment, please wait a minute and read this blog post first :)

You may already know that MapGuide Enterprise/Open Source ships with a very convenient test page for exercising most of its functionality: the MapAgent test page, which you can reach at http://servername/mapguideopensource/mapagent/index.html. But it is also very dangerous on a public MapGuide site: with the default security setup, even the "Anonymous" user account has access to the HTTP test pages. Server Admin allows someone to take the MG server offline without having to enter any credentials. Isn't that terrible? To disable the HTTP test pages, remove them from the public website: just delete the HTTP test pages (www/mapagent/*.html, *.js, *.php).

Here are a few other suggestions for hardening the security of a production MapGuide site:

Of course, the first thing is to change the Admin password in MapGuide Site Administrator (http://servername/mapguideopensource/mapadmin/login.php); see the screenshot below:

 

Then, if you are sure that you will not be using the Site Administrator, you can remove it from the website. All of these pages require authentication, but they do give a lot of information to anyone who can figure out the credentials. To disable the web administrator, delete the <webdir>\www\mapadmin folder.

You can also disable all of the HTTP "author role" commands by adding the following to www/webconfig.ini:

[AgentProperties]

DisableAuthoring = 1

Please note that disabling authoring stops Maestro and Autodesk MapGuide Studio from working. You can instead set up secure connections for administration and authoring. With that setup, you end up with a URL of the form https://servername/mapguideopensource or http://servername/mapguide2010/ , which can be used in Autodesk MapGuide Studio or Maestro to do the authoring work.

 

If the administration and authoring do not need to be made publicly available, an alternative installation can be like this:

You can do that on both Apache and IIS. We have a document that walks through the configuration step by step; you can download it from here: http://images.autodesk.com/adsk/files/secure_autodesk_mapguide_enterprise_site.pdf

Finally, if you are not using WMS or WFS, you can also disable serving of these protocols with:

[AgentProperties]

DisableWfs = 1

DisableWms = 1
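The steps above can be checked with a small audit script. This is an added example, not code from the original post or from MapGuide: the function names, the sample directory trees and the mapagent.fcgi file name are assumptions, while the file patterns, the mapadmin folder and the [AgentProperties] keys are the ones named in this post.

```python
import configparser
import tempfile
from pathlib import Path

TEST_PAGE_GLOBS = ("*.html", "*.js", "*.php")            # patterns named in the post
AGENT_FLAGS = ("DisableAuthoring", "DisableWfs", "DisableWms")


def audit_mapguide_www(www):
    """Return a list of findings for a MapGuide www directory (empty = hardened)."""
    www = Path(www)
    findings = []
    for pattern in TEST_PAGE_GLOBS:
        for page in sorted((www / "mapagent").glob(pattern)):
            findings.append(f"test page still deployed: mapagent/{page.name}")
    if (www / "mapadmin").is_dir():
        findings.append("Site Administrator still deployed: mapadmin/")
    # strict=False tolerates repeated sections; a missing file yields no values
    ini = configparser.ConfigParser(strict=False, interpolation=None,
                                    allow_no_value=True)
    ini.read(www / "webconfig.ini")
    for flag in AGENT_FLAGS:
        value = ini.get("AgentProperties", flag, fallback=None)
        if value is None or value.strip() != "1":
            findings.append(f"webconfig.ini: {flag} is not set to 1")
    return findings


def build_sample_tree(root, hardened):
    """Constructed sample layout for demonstration only (not a real install)."""
    www = Path(root) / "www"
    (www / "mapagent").mkdir(parents=True)
    (www / "mapagent" / "mapagent.fcgi").write_text("")  # assumed agent binary, kept
    lines = ["[AgentProperties]"]
    if hardened:
        lines += ["DisableAuthoring = 1", "DisableWfs = 1", "DisableWms = 1"]
    else:
        (www / "mapagent" / "index.html").write_text("<html></html>")
        (www / "mapadmin").mkdir()
        lines += ["DisableWms = 1"]
    (www / "webconfig.ini").write_text("\n".join(lines) + "\n")
    return www


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for name, hardened in (("default", False), ("hardened", True)):
            www = build_sample_tree(Path(tmp) / name, hardened)
            print(name, audit_mapguide_www(www) or "no findings")
```

A site that still needs Maestro or Studio authoring, or that serves WMS/WFS, will report those flags by design; treat them as items to confirm rather than as errors.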

 

Now it is time to take action: go and make your MapGuide site public and strong! Cheers! :)

Author: 峻祁连
Email: junqilian@163.com
Source: http://junqilian.cnblogs.com
Please keep this information when reposting.



This article is reposted from the cnblogs blog 峻祁连. Moving to Cloud/Mobile; original link: http://www.cnblogs.com/junqilian/archive/2009/08/27/1554936.html . To repost it, please contact the original author yourself.