Zero to Geoserver
How to setup geoserver on AWS
- EC2 considerations
- Install geoserver
- Reverse Proxy, SSL/HTTPS
- Geoserver Settings
- Security/Production settings
- Not allowing unauthorized requests to geoserver
- Plugins
- Allow CORS
EC2 considerations
We generally seem to be able run the geoserver on a t.micro instance, but run into crashes under load. Either the geoserver java container runs out of memory, or the whole machine. t2.medium runs the geoserver very stable. But we might get away with t2.small.
- While creating, we can already allow for HTTP and HTTPS traffic.
- Here a short list of things I do when setting up a VPS.
Install geoserver
sudo apt install openjdk-17-jre unzip
VERSION=2.23.2
USERNAME=griessbaum
wget https://sourceforge.net/projects/geoserver/files/GeoServer/$VERSION/geoserver-$VERSION-bin.zip
sudo mkdir /usr/share/geoserver
sudo mv geoserver-$VERSION-bin.zip /usr/share/geoserver/
cd /usr/share/geoserver/
sudo unzip geoserver-$VERSION-bin.zip
sudo rm geoserver-$VERSION-bin.zip
echo "export GEOSERVER_HOME=/usr/share/geoserver" >> ~/.profile
. ~/.profile
sudo chown -R $USERNAME /usr/share/geoserver/Adapting to Java 17
https://docs.geoserver.org/latest/en/user/production/java.html#running-on-java-17
rm /usr/share/geoserver/webapps/geoserver/WEB-INF/lib/marlin-0.9.3.jarStartup
/usr/share/geoserver/bin/startup.sh
/usr/share/geoserver/bin/shutdown.shBy default, starts up at localhost:8080 with http://localhost:8080/geoserver/
- user: admin
- pwd: geoserver
Autostart / Run as Service
https://docs.geoserver.org/latest/en/user/production/linuxscript.html
wget https://docs.geoserver.org/latest/en/user/_downloads/5c56ec58bc153d3a7dd6ef198f9eeaf7/geoserver_deb
mv geoserver_deb geoserver
sudo mv geoserver /etc/init.d/
chmod +x /etc/init.d/geoserverNow we should be able to e.g.:
sudo /etc/init.d/geoserver start
sudo service geoserver statusWe can either edit the /etc/init.d/geoserver, or create /etc/default/geoserver.
sudo nano /etc/init.d/geoserverGEOSERVER_HOME=/usr/share/geoserverGEOSERVER_DATA_DIR=/usr/share/geoserver/data_dirUSER=griessbaum(that’s probably not a good idea)JAVA_HOME=''(this is the prefix; keeping it empty will point it to/bin/java)
sudo systemctl daemon-reload
sudo service geoserver restartTo make the service start at startup:
sudo systemctl enable geoserverPerformance settings
We might also want to consider changing some performance parameters in /etc/init.d/geoserver as described in container considerations, e.g. set the min and max heap size with -Xmx1024M and -Xms128m. GisExchange discussion on the topic.
-XX:+UseParallelGC-Xmx256M-Xmx384M
Then reload the units and restart the server
sudo systemctl daemon-reload
sudo service geoserver restartOpen Firewall
If we are in production, we probably only need 80, 443 and 22.
sudo ufw enable
sudo ufw allow 443
sudo ufw allow 22
sudo ufw statusWipe the demo data
- data_dir/workspaces : wipe the dir
rm -rf /usr/share/geoserver/data_dir/workspaces && mkdir /usr/share/geoserver/data_dir/workspaces
sudo chown ubuntu /usr/share/geoserver/data_dir/workspaces/- data_dir/layergroups : wipe the dir
rm -rf /usr/share/geoserver/data_dir/layergroups/*- while not stritcly necessary, wipe the data directory too:
rm -rf /usr/share/geoserver/data_dir/data/*Reverse Proxy, SSL/HTTPS
Install nginx
ADDRESS='geoserver.co.ck'
sudo apt install nginxGet SSL certificate
sudo apt install python3-certbot-nginx
sudo certbot --nginx certonly- Certificate is saved at:
/etc/letsencrypt/live/$ADDRESS/fullchain.pem - Key is saved at:
/etc/letsencrypt/live/$ADDRESS.duckdns.org/privkey.pem
Have the cert renewed once a week.
sudo crontab -e
17 7 * * * certbot renew --post-hook "systemctl reload nginx"Configure nginx
Create a config file:
sudo nano /etc/nginx/sites-available/geoserverserver {
listen 80;
server_name geoserver.co.ck www.geoserver.co.ck;
# Redirect http requests to https
return 301 https://geoserver.co.ck$request_uri;
}
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
ssl_certificate /etc/letsencrypt/live/geoserver.co.ck/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/geoserver.co.ck/privkey.pem;
server_name geoserver.co.ck;
location /geoserver/ {
proxy_pass http://127.0.0.1:8080/geoserver/;
proxy_pass_header Set-Cookie;
proxy_set_header Host $host;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}
}Enable site and reload
sudo ln -s /etc/nginx/sites-available/geoserver /etc/nginx/sites-enabled
sudo nginx -t
sudo service nginx reload
sudo service nginx restartSite should now be available at https://geoserver.co.ck/ and you should either get to the geoserver (if it is running), or get a 502 bad gateway if it is off.
Geoserver Settings
settings are in /usr/share/geoserver/data_dir/global.xml
Set proxy settings
We won’t be able to log in via port 443. We have to change the server’s proxy settings first. Kind of a hen-and-egg problem ..
Two solutions. Either:
- temporarily open port 8080 (aws and local firewall). Not very elegant.
- port forwarding; e.g.
ssh -N -L 1234:127.0.0.1:8080 geoserver.co.ckThen navigate to localhost:1234.
Once logged into the webinterface (admin/geoserver), go to Global (under Settings)
- Set
Proxy Base URLto your address (geoserver.co.ck). In previous versions, this might have been calledadmin site. - Tick/set
Use headers for Proxy URL= True.
Allow cross-site referencing
- https://dev.to/iamtekson/using-nginx-to-put-geoserver-https-4204
- https://docs.geoserver.org/stable/en/user/security/webadmin/csrf.html
sudo nano /usr/share/geoserver/webapps/geoserver/WEB-INF/web.xmlAdd the following
<context-param>
<param-name>GEOSERVER_CSRF_WHITELIST</param-name>
<param-value>geoserver.co.ck</param-value>
</context-param> and edit the following
<context-param>
<param-name>PROXY_BASE_URL</param-name>
<param-value>https://geoserver.co.ck/geoserver</param-value>
</context-param>Note: If you screw this up, you can try to get back to the webinterface through port 8080
Security/Production settings
https://docs.geoserver.org/latest/en/user/production/config.html
Now that SSL is running, we can tighten up security
- Block Port 8080
- in security group
- firewall:
sudo ufw deny 8080
- Update admin password (
Security>Users) - Update master pwd (
Security>Passwords) - We don’t care about service limits since we won’t allow unauthorized access
- We might want to disable the web admin IF
Not allowing unauthorized requests to geoserver
- Do not remove anonymous from Authentication settings
- Create new user (e.g.
arconline) - Change layer security;
- by default nothing is ticked meaning everyone can do everything
- tick “read” for ROLE_AUTHENTICATED. That should only allow authenticated users to access
Plugins
PGraster geoserver plugin
https://docs.geoserver.org/stable/en/user/community/pgraster/pgraster.html
VERSION=2.23
sudo apt install libpostgresql-jdbc-java
wget https://build.geoserver.org/geoserver/$VERSION.x/community-latest/geoserver-$VERSION-SNAPSHOT-pgraster-plugin.zip
mv geoserver-$VERSION-SNAPSHOT-pgraster-plugin.zip /usr/share/geoserver/webapps/geoserver/WEB-INF/lib/
cd /usr/share/geoserver/webapps/geoserver/WEB-INF/lib/
unzip geoserver-$VERSION-SNAPSHOT-pgraster-plugin.zip
rm geoserver-$VERSION-SNAPSHOT-pgraster-plugin.zipThis does not work out-of-the-box for me. We have to do something with imagemosaic first. I never figured it out.
java -Xbootclasspath/a:<location of jdbc.jar> -jar <your_geoserver_install_dir>/webapps/geoserver/WEB-INF/lib/gt-imagemosaic-jdbc-{version}.jar import -config <your geoserver data dir>/coverages/osm.postgis.xml -spatialTNPrefix tileosm -tileTNPrefix tileosm -dir tiles -ext pngRemove:
rm /usr/share/geoserver/webapps/geoserver/WEB-INF/lib/gs-pgraster-2.23-SNAPSHOT.jarInstall COG geoserver plugin
VERSION=2.23
wget https://build.geoserver.org/geoserver/$VERSION.x/community-latest/geoserver-$VERSION-SNAPSHOT-cog-plugin.zip
mv geoserver-$VERSION-SNAPSHOT-cog-plugin.zip /usr/share/geoserver/webapps/geoserver/WEB-INF/lib/
cd /usr/share/geoserver/webapps/geoserver/WEB-INF/lib/
unzip geoserver-$VERSION-SNAPSHOT-cog-plugin.zip
rm geoserver-$VERSION-SNAPSHOT-cog-plugin.zip Restart. Verify by heading to stores > add store > Geotiff; you now should have “Cloud Optimized GeoTIFF (COG)” Checkbox
Install authkey plugin
The authkey module for GeoServer allows for a very simple authentication protocol designed for OGC clients that cannot handle any kind of security protocol, not even the HTTP basic authentication … like ArcOnline!
- https://docs.geoserver.org/latest/en/user/extensions/authkey/index.html
- download from here: https://geoserver.org/release/stable/
VERSION=2.23.2
wget https://sourceforge.net/projects/geoserver/files/GeoServer/$VERSION/extensions/geoserver-$VERSION-authkey-plugin.zip
mv geoserver-$VERSION-authkey-plugin.zip /usr/share/geoserver/webapps/geoserver/WEB-INF/lib/
cd /usr/share/geoserver/webapps/geoserver/WEB-INF/lib/
unzip geoserver-$VERSION-authkey-plugin.zip
rm geoserver-$VERSION-authkey-plugin.zipThen follow https://docs.geoserver.org/latest/en/user/extensions/authkey/index.html#configuration
Now add a new authentication filter
- Go to
Security>Authentication> UnderAuthentication Filters, clickAdd new - Click
Authkeyup top - set:
Name:whatevername of url parameter:authkeyAuth key to user mapper:user propertyUser/group service:default
- Sync the user/group services
- save
After configuring the filter, it is necessary to put this filter on the authentication filter chain(s). i.e. add a filter chain.
- Go to
Security>Authentication> UnderFilters Chains, clickAdd service chain. - Set:
- Name:
key_pwd Comma delimited list of ANT patterns (with optional query string):/wms/**,/ows/**- Add both the
authkeyandbasicchain filter
- Name:
- Make it second to the last (bottom); before default
Allow CORS
We might want to allow CORS for acronline to use user/pwd login
- https://docs.geoserver.org/latest/en/user/production/container.html#enable-cors
- https://www.geosolutionsgroup.com/news/gs-secured-with-agol/
sudo nano /usr/share/geoserver/webapps/geoserver/WEB-INF/web.xml