This question has been asked before and was answered with (paraphrasing): "This is not an OSM-specific matter. This is an Apache issue. Restrict access in the way you would normally do for Apache."

Fair enough, tried that. I can restrict access to files on the server but I can't restrict access to the map tiles (e.g. http://example.com/osm/10/503/344.png).

I have a dynamic tile server with mapnik, mod_tile and renderd.

I think this might be a mod_tile specific issue, hence asking here.

Initially I wanted to restrict access by only allowing requests where a referer was set and was from the site I have the map on. Using normal Apache allow/deny rules it didn't work. From a different site I could still access the tile server and display the tiles (these were freshly rendered tiles on areas and zooms on the map I hadn't been to before; I confirmed this by running "top" in an SSH window and could see renderd and postgres running every time I went to a new area of the map).

For testing (and out of frustration) I simplified it and tried to block all access to the tile files. In /etc/apache2/sites-available/tileserver_site tried this:

<Directory /var/www/>
AllowOverride None
Order deny,allow
Deny from all
</Directory>

Worked great for any files that were in /var/www/ (got "Forbidden" as expected), but was still able to access the tiles.

Okay, so the tiles aren't actually in /var/www/; they are in /var/lib/mod_tile/, so tried this:

<Directory /var/lib/mod_tile/>
AllowOverride None
Order deny,allow
Deny from all
</Directory>

...could still access the tiles.

Even tried:

<Directory />
AllowOverride None
Order deny,allow
Deny from all
</Directory>

...could still access the tiles! Apache and mod_tile apparently working away merrily, regardless of the access rules!

Anyone know how to restrict access to the tiles?

Thank you.

asked 31 May '14, 14:59


Charles Sweeney


Fixed it.

To restrict access to your tile server from sites other than your own, put this in your Apache config file:

<Location />
SetEnvIf Referer example\.com localreferer
Order deny,allow
Deny from all
Allow from env=localreferer
</Location>

--

<Location> is the key. You can't use <Directory> because the directory where the tiles are kept (/var/lib/mod_tile/) is outside the document root for the virtualhost that is the tileserver, so any rules in your Apache config won't apply there. <Location>, on the other hand, doesn't apply to the filesystem; it applies to the URL. So in the above example <Location /> applies to any URL requested on the tile server.

Replace example\.com with the name of your website. Remember to escape dots with a backslash.

The above code will probably work in any of the many Apache config files used in Apache2. I tried it in the master /etc/apache2/apache2.conf and it worked sweetly there, so left it as it was. I put it in before any of the includes were called.

The code works by checking the referer of the request. If it matches your site, access is granted, otherwise it's denied. If a referer isn't set, access will be denied. Every browser by default sends the referer so in practice this shouldn't give any problems.

Remember to restart Apache after editing the config file:

/etc/init.d/apache2 restart


answered 02 Jun '14, 00:32


Charles Sweeney
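Added example (not part of the original answer): a small Python check that mimics how SetEnvIf matches a regex against the Referer header, and runs the answer's pattern and an anchored variant over constructed Referer values. The anchored pattern, the function names and the sample values are assumptions introduced here.

```python
import re

# Pattern exactly as given in the answer above (matches anywhere in the header).
PAGE_PATTERN = r"example\.com"
# Anchored variant (assumption added here): scheme, optional "www.", the host,
# optional port, then "/" or end of string.
ANCHORED_PATTERN = r"^https?://(www\.)?example\.com(:\d+)?(/|$)"

def referer_allowed(referer, pattern):
    """Mimic 'SetEnvIf Referer <pattern> localreferer' followed by
    'Allow from env=localreferer': a missing header is treated as an
    empty string, and the regex may match anywhere in the value."""
    value = referer or ""
    return re.search(pattern, value) is not None

# Constructed sample Referer values with the decision the site owner intends.
SAMPLES = [
    ("https://example.com/map.html", True),
    ("http://www.example.com/", True),
    (None, False),                                   # no Referer header sent
    ("https://other-site.test/page.html", False),
    ("https://example.com.other-site.test/", False),
    ("https://other-site.test/?src=example.com", False),
    ("https://notexample.com/", False),
]

def audit(pattern):
    """Return the sample Referers where the pattern's decision differs
    from the intended one."""
    return [ref for ref, intended in SAMPLES
            if referer_allowed(ref, pattern) != intended]

if __name__ == "__main__":
    for name, pat in (("page pattern", PAGE_PATTERN),
                      ("anchored pattern", ANCHORED_PATTERN)):
        print(name, "-> unintended decisions:", audit(pat))
```

A pattern that passes the audit can be used as the regex argument of the SetEnvIf line, quoted if it contains spaces.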

You should really ask this question in a place with Apache experts; it really is not an OpenStreetMap specific question, and the solution might depend on a couple of factors like for example your Apache version.

I am a bit curious how you used allow/deny rules to restrict requests to a specific referer.

A common way to deal with the problem is to rewrite requests that do not match a condition, for example with rules like this:

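# Applies when the Referer is not exactly this page (dots escaped so they match literally)
RewriteCond %{HTTP_REFERER} !^http://mypage\.com/myurl\.html$
# Serve a placeholder image for any .png request that fails the condition
RewriteRule ^/.*\.png$ /somewhere/on/disk/notallowed.png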

This will of course require mod_rewrite and RewriteEngine On.

I have seen setups where the order of loading modules actually had an impact on whether and how this worked. But really, even though mod_tile is involved, nothing about this is OSM specific; from Apache's view, mod_tile is just like any other content-serving module.


answered 31 May '14, 15:26


Frederik Ramm ♦


Thanks Frederik.

I figured OSM people would know more about mod_tile/renderd than Apache people. If I ask Apache people the first thing they will ask is "What is mod_tile?", "What is renderd?". You would need to know how they worked and how they were set up to know why the normal Apache rules weren't applying to them.

I was going to post some code for restricting based on referer but I'm new to this board and can't preview it in the "comment" section and feared it might come out goofy as it does in the main text box unless I use HTML entities on it. Plus was limited on characters.

(31 May '14, 15:58) Charles Sweeney

question asked: 31 May '14, 14:59

question was seen: 11,945 times

last updated: 02 Jun '14, 00:32
