Set up HTTPS

If you have set up SSL/HTTPS configurations on your GEE server, you can also set up a secure Fusion server for your browser-based maps.

Warning

The following procedure is applicable only to release 4.x and previous versions of GEE. For GEE release 5.x, see Configure GEE Server 5.1.0 for SSL/HTTPS.

To set up an HTTPS virtual server for Fusion:

  1. Verify that you have already set up SSL/HTTPS configurations on your GEE server.

  2. Create an HTTPS-compatible virtual server:

    geserveradmin --stream_server_url http://myserver.org --server_type stream --addvs https_2d --vstype map --vscachelevel 1 --vsurl https://myserver.org/mymap

  3. Copy and save the Include statement from geserveradmin. Later, you will add that to the configuration file. It will look something like:

    Include conf.d/virtual_servers/runtime/mymap_runtime

  4. Copy a configuration file from the examples folder:

    cp /opt/google/share/gehttpd/examples/  /opt/google/gehttpd/conf.d/virtual_servers/https_mymap.location

  5. Edit the https_mymap.location file, insert the Include statement you copied and saved, and update the LOCATION tags to the real virtual server:
    r...@fusion.localhost.org:/opt/google/gehttpd/conf.d/virtual_servers # cat https_2d.location
    # This is an example of a location-based map virtual server
    #
    # Substitute appropriate values in the following variables
    # 1. <LOCATION> : The new location name.
    # 2. <VS_NAME> : The virtual server name used to create the virtual
    #    server with geserveradmin
    
    RewriteRule ^/mymap$ /mymap/ [R]
    RewriteRule ^/mymap/$ /maps/fusionmaps_local.html [PT]
    RewriteRule ^/mymap/mapfiles/(.*)$ /maps/mapfiles/$1 [PT]
    
    <Location "/mymap/*">
    SetHandler gedb-handler
    Include conf.d/virtual_servers/runtime/https_2d_runtime
    SSLRequireSSL
    SSLVerifyClient none
    </Location>
    
  6. Modify the /opt/google/gehttpd/conf/extra/httpd-ssl.conf file so that the /opt/google/gehttpd/conf.d/virtual_servers/https_2d.location file and the virtual server are loaded by the HTTPS/443 virtual host and not the HTTP/80 virtual host:
    (vi /opt/google/gehttpd/conf/extra/httpd-ssl.conf...)
    <snip>
    ... <VirtualHost _default_:443>
    # General setup for the virtual host
    DocumentRoot "/opt/google/gehttpd/htdocs"
    ServerName myserver.org:443
    
    ServerAdmin administra...@myserver.org
    ErrorLog "/opt/google/gehttpd/logs/error_log"
    TransferLog "/opt/google/gehttpd/logs/access_log"
    Include conf.d/virtual_servers/https_2d.location
    ...
    <snip>
    
  7. Edit the HTTP/port 80 virtual host to load only the HTTP-available virtual servers:

    (vi /opt/google/gehttpd/conf.d/gemodules.conf)

  8. Comment out the Include conf.d/virtual_servers/*.location line and manually list the included location files so that the https_2d.location file is excluded:
    LoadModule gedb_module /opt/google/gehttpd/modules/mod_gedb.so
    
    NameVirtualHost *:80
    <VirtualHost *:80>
    # You should specify a ServerName in each VirtualHost declaration
    # to avoid unnecessary DNS lookups.
    # For example, ServerName www.mycompany.com
    
    # Redirect the home page to display the GE logo
    Include conf.d/index_rewrite
    Include conf.d/jkmount
    
    # Include all location-based virtual servers
    # (Comment out the wildcard line below.)
    # Include conf.d/virtual_servers/*.location
    # (Add the three lines below.)
    Include conf.d/virtual_servers/default_ge.location
    Include conf.d/virtual_servers/default_map.location
    Include conf.d/virtual_servers/default_search.location
    </VirtualHost>
    
  9. Save the file and restart the GEE Server software:

    /etc/init.d/geserver restart

    This separates the HTTP and HTTPS virtual servers in the Apache configuration so that both unencrypted and encrypted data can be hosted.

    Note

    The firewall blocks external port 80 / HTTP connections, but the Publisher tool must use the HTTP port to upload information, even if your system only allows this internally.

  10. Create a Fusion server association for the new https_2d virtual server. Use http://myserver.org as the URL for both the Stream and Search URLs, then press the Query button and select the correct https_2d virtual server from the drop-down list.

  11. Save the new server association, then publish a 2D database to the virtual server.
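The include split from steps 6 to 8 can be checked before restarting with a small lint, shown here as an added example that is not part of the GEE documentation or tooling. The function names and the sample tree are constructed for illustration, and the check only follows Include lines written directly inside the `<VirtualHost *:80>` block.

```shell
# Added example: lint the include layout from steps 6-8.
# Lists every file that the <VirtualHost *:80> block of CONF includes
# (wildcards expanded relative to ROOT) and that contains SSLRequireSSL.
http_vhost_ssl_only_includes() {
  local root="$1" conf="$2" pattern file
  # Collect Include arguments inside the port-80 virtual host. Commented-out
  # lines are skipped because their first field is "#", not "Include".
  awk '
    /^[ \t]*<VirtualHost[ \t][^>]*:80>/ { in80 = 1; next }
    /^[ \t]*<\/VirtualHost>/            { in80 = 0 }
    in80 && tolower($1) == "include"    { print $2 }
  ' "$conf" |
  while read -r pattern; do
    for file in "$root"/$pattern; do   # unquoted on purpose: expand wildcards
      [ -f "$file" ] || continue
      if grep -Eq '^[[:space:]]*SSLRequireSSL' "$file"; then
        echo "${file#"$root"/}"
      fi
    done
  done
}

# Constructed sample tree (not a real GEE install): the wildcard layout
# before step 8 and the explicit list after it.
make_sample_tree() {
  local root; root=$(mktemp -d)
  mkdir -p "$root/conf.d/virtual_servers"
  printf '%s\n' 'SetHandler gedb-handler' \
    > "$root/conf.d/virtual_servers/default_map.location"
  printf '%s\n' '<Location "/mymap/*">' 'SSLRequireSSL' '</Location>' \
    > "$root/conf.d/virtual_servers/https_2d.location"
  printf '%s\n' '<VirtualHost *:80>' 'Include conf.d/virtual_servers/*.location' \
    '</VirtualHost>' > "$root/before.conf"
  printf '%s\n' '<VirtualHost *:80>' '# Include conf.d/virtual_servers/*.location' \
    'Include conf.d/virtual_servers/default_map.location' '</VirtualHost>' \
    > "$root/after.conf"
  echo "$root"
}

root=$(make_sample_tree)
echo "before step 8: $(http_vhost_ssl_only_includes "$root" "$root/before.conf")"
echo "after step 8:  $(http_vhost_ssl_only_includes "$root" "$root/after.conf")"
rm -rf "$root"
```

On a real server the arguments would be /opt/google/gehttpd and /opt/google/gehttpd/conf.d/gemodules.conf; empty output means no SSL-only location file is still loaded by the port 80 virtual host.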

Listing registered virtual stream servers

To avoid confusion or conflict between http:// and https:// addresses, pass the --stream_server_url http://myserver.org option to geserveradmin when you list registered virtual stream servers. For example, instead of using the geserveradmin --listvss command alone, use geserveradmin --stream_server_url http://myserver.org --listvss.

Binding Apache to port 80

You need HTTP to facilitate all geserveradmin work, including publishes, so make sure that your gehttpd.conf configuration file lets Apache bind to port 80. You can allow internal access to HTTP even if you block external access to HTTP ports. This lets the Publisher tool maintain the GEE Server software while you disallow external unencrypted data communications.