Configure URL rewriting
This how-to describes how to disable URL rewriting in security.manager for OGC and let the secured service generate correct URLs itself.
By default, security.manager for OGC is configured to rewrite the URLs in the response documents of protected services with the corresponding URLs of security.manager for OGC. This simplifies the initial installation of security.manager for OGC, but it is not the best solution in all cases.
URL rewriting in security.manager for OGC cannot always adjust the URLs in response documents as expected, because it has no knowledge of the internal configuration of the protected service. In addition, URLs in response documents may be encoded in a way that security.manager for OGC does not recognize, so it cannot replace them.
We therefore recommend disabling URL rewriting in security.manager for OGC via configuration and delegating URL generation to the protected server.
If correctly configured, the protected server can generate correct URLs from the X-Forwarded-* HTTP headers that security.manager for OGC sends by default. This approach also improves performance, because the response body no longer has to be parsed and rewritten.
Generating the URLs in the secured service offers the following advantages:
- Correct URLs: security.manager for OGC can generate correct URLs in most cases, but not all, because it uses a heuristic for this purpose. The secured service, however, always provides correct URLs in its response documents.
- Performance: the performance of secured services is improved.
Prerequisites
Make sure the following prerequisites are met before letting the secured service generate URLs:
- Protected services must only be reachable from the host of security.manager for OGC or other trusted sources. The secured service trusts the X-Forwarded-* headers when it builds URLs, so a client that can reach it directly could send its own header values and have them reflected in the generated URLs.
- If the Tomcat server running security.manager for OGC is operated behind a reverse proxy, configure Tomcat to correctly evaluate the X-Forwarded-* HTTP headers from the upstream proxy (Tomcat's RemoteIpValve does this). You can find a description in the Tomcat User Guide.
- Ensure that the Tomcat server only accepts X-Forwarded-* headers from trusted sources; for RemoteIpValve this is controlled by its internalProxies and trustedProxies attributes.
Disable URL rewriting
To disable URL rewriting in security.manager for OGC, add the following entry to the application.properties file in the configuration directory:
proxy.response.rewriteUrls=false
Restart the Tomcat server to apply the setting.
Configure the secured server
security.manager for OGC calculates and sends the following headers to the protected service:
- X-Forwarded-Proto: contains the protocol used by the client, e.g., http or https
- X-Forwarded-Host: contains the external hostname and port under which the service is publicly accessible, e.g., secman.example.com
- X-Forwarded-Path: contains the context path of security.manager for OGC, e.g., /secman-ogc in the example used in this how-to
The secured server evaluates these headers to deliver appropriate URLs in its response documents. Depending on which server you secure with security.manager for OGC, apply the following settings so it uses the described headers to generate URLs:
GeoServer
- Enable the Use headers for Proxy URL option in the global settings.
- Set the Proxy Base URL property:
  - If GeoServer has a separate context:
    ${X-Forwarded-Proto}://${X-Forwarded-Host}${X-Forwarded-Path}/[GEOSERVER-CONTEXT]
    Replace [GEOSERVER-CONTEXT] with the name of the GeoServer context, e.g., geoserver.
  - If GeoServer has no separate context, set the entry to
    ${X-Forwarded-Proto}://${X-Forwarded-Host}${X-Forwarded-Path}
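The following script is an added illustration, not code from security.manager for OGC or GeoServer. It models how a Proxy Base URL template such as the one above is expanded from the forwarded headers, and why the prerequisite that only trusted sources may reach the protected service matters: the same template, fed forged X-Forwarded-* headers by a client with direct access, yields URLs that point at the forger's host. The header values, the trusted proxy address 10.0.0.5 and the attacker host are assumptions for the demonstration; the script does not model what GeoServer itself falls back to when a referenced header is absent.

```python
import ipaddress
import re

# Template as entered in GeoServer's "Proxy Base URL" field in this how-to
# (GeoServer deployed under its own "geoserver" context).
TEMPLATE = "${X-Forwarded-Proto}://${X-Forwarded-Host}${X-Forwarded-Path}/geoserver"

# Headers security.manager for OGC sends to the protected service; the values
# are constructed from the example hostnames used on this page.
SECMAN_HEADERS = {
    "X-Forwarded-Proto": "https",
    "X-Forwarded-Host": "secman.example.com",
    "X-Forwarded-Path": "/secman-ogc",
}

# Assumption: the only peer allowed to talk to the protected service is the
# host of security.manager for OGC, here the hypothetical address 10.0.0.5.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.5/32")]

_PLACEHOLDER = re.compile(r"\$\{([A-Za-z0-9-]+)\}")


def resolve_proxy_base_url(template, headers):
    """Expand every ${Header-Name} placeholder with the value of that request
    header. Returns None when a referenced header is missing; what the real
    server falls back to in that case is deliberately not modelled here."""
    missing = [name for name in _PLACEHOLDER.findall(template) if name not in headers]
    if missing:
        return None
    return _PLACEHOLDER.sub(lambda m: headers[m.group(1)], template)


def effective_headers(peer_ip, headers, trusted_proxies=TRUSTED_PROXIES):
    """Model of the trust rule behind the prerequisites: X-Forwarded-* headers
    are honoured only if the TCP peer is a trusted proxy. From any other peer
    they are dropped before URL generation ever sees them."""
    peer = ipaddress.ip_address(peer_ip)
    if any(peer in net for net in trusted_proxies):
        return dict(headers)
    return {k: v for k, v in headers.items() if not k.lower().startswith("x-forwarded-")}


def generated_base_url(peer_ip, headers, template=TEMPLATE):
    """Base URL the secured service would use for the given peer and headers."""
    return resolve_proxy_base_url(template, effective_headers(peer_ip, headers))


if __name__ == "__main__":
    # 1. Normal path: the request was relayed by security.manager for OGC.
    print(generated_base_url("10.0.0.5", SECMAN_HEADERS))
    # -> https://secman.example.com/secman-ogc/geoserver

    # 2. Failure mode the prerequisites guard against: a client that can reach
    #    the protected service directly sends forged forwarding headers. Without
    #    a peer check the generated URLs would point at the forger's host.
    forged = {**SECMAN_HEADERS, "X-Forwarded-Host": "attacker.example.net"}
    print(resolve_proxy_base_url(TEMPLATE, forged))
    # -> https://attacker.example.net/secman-ogc/geoserver

    # 3. Same forged request, but the peer is not a trusted proxy: the headers
    #    are discarded and the template cannot be filled from them.
    print(generated_base_url("203.0.113.7", forged))
    # -> None
```

The peer check in effective_headers is the behaviour you get from network restrictions on the protected service or from a RemoteIpValve-style trusted-proxy list in front of it; the script only makes the consequence of omitting it visible.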
Test the installation
Test the installation by requesting the capabilities of the service in the browser: https://secman.example.com/secman-ogc/path/to/my-services/wms?service=WMS&request=GetCapabilities
Verify that all URLs in the response (the OnlineResource hrefs) now start with the security.manager for OGC URL https://secman.example.com/secman-ogc instead of the internal address https://gisserver.example.com.
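Checking the capabilities document by eye is error-prone, since internal URLs can hide in LegendURL or DCPType entries deep in the tree. The following script is an added example, not part of this how-to or of security.manager for OGC: it extracts every xlink:href from a capabilities document and reports those that do not start with the expected public base or that still name an internal host. The embedded WMS document is constructed and heavily abbreviated; the public base and internal hostname are taken from the example URLs above.

```python
import sys
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

XLINK_HREF = "{http://www.w3.org/1999/xlink}href"

# Constructed, abbreviated WMS 1.3.0 capabilities document standing in for the
# response of the test request. Two OnlineResource entries still point at the
# internal host, as they would if the secured server ignored the headers.
SAMPLE_CAPABILITIES = """<WMS_Capabilities version="1.3.0" xmlns="http://www.opengis.net/wms"
    xmlns:xlink="http://www.w3.org/1999/xlink">
  <Service>
    <OnlineResource xlink:type="simple"
        xlink:href="https://secman.example.com/secman-ogc/path/to/my-services/wms"/>
  </Service>
  <Capability>
    <Request>
      <GetCapabilities>
        <DCPType><HTTP><Get>
          <OnlineResource xlink:href="https://secman.example.com/secman-ogc/path/to/my-services/wms?SERVICE=WMS&amp;"/>
        </Get></HTTP></DCPType>
      </GetCapabilities>
      <GetMap>
        <DCPType><HTTP><Get>
          <OnlineResource xlink:href="https://gisserver.example.com/geoserver/wms?SERVICE=WMS&amp;"/>
        </Get></HTTP></DCPType>
      </GetMap>
    </Request>
    <Layer>
      <Name>roads</Name>
      <Style>
        <LegendURL>
          <OnlineResource xlink:href="http://gisserver.example.com:8080/geoserver/wms?request=GetLegendGraphic&amp;layer=roads"/>
        </LegendURL>
      </Style>
    </Layer>
  </Capability>
</WMS_Capabilities>
"""


def find_urls(capabilities_xml):
    """Collect every xlink:href attribute in the document, in document order."""
    root = ET.fromstring(capabilities_xml)
    return [el.attrib[XLINK_HREF] for el in root.iter() if XLINK_HREF in el.attrib]


def check_urls(capabilities_xml, public_base, internal_hosts):
    """Return the hrefs that do not start with public_base or that still name
    one of the internal hosts. An empty list means the installation passes."""
    bad = []
    for url in find_urls(capabilities_xml):
        host = urlsplit(url).hostname
        if not url.startswith(public_base) or host in internal_hosts:
            bad.append(url)
    return bad


if __name__ == "__main__":
    # Pass the path of a capabilities document saved from the browser to check a
    # real installation; without an argument the constructed sample is checked.
    doc = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_CAPABILITIES
    offending = check_urls(doc, "https://secman.example.com/secman-ogc", {"gisserver.example.com"})
    for url in offending:
        print("still internal or off-base:", url)
    print("OK" if not offending else f"{len(offending)} URL(s) need attention")
```

Run it against a capabilities document saved from the test request; any line printed means the secured server is still generating URLs from its own configuration rather than from the forwarded headers, so re-check the Proxy Base URL template and whether the X-Forwarded-* headers actually reach it.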