HTTPS

If your application is accessed over HTTPS, you have to make sure that all URLs generated by the application (CSS and JavaScript files, images, MapServer requests, etc.) use the HTTPS scheme as well. Otherwise the browser will display “insecure content” warnings.

There are two ways to manage this:

  • application behind a proxy
  • application and SSL certificate on the same server

Application behind a proxy

If the application is placed behind a proxy that removes the SSL encryption (plain HTTP is used between the proxy and the server), then specific configuration is required on both the c2cgeoportal application and the proxy:

  • The proxy should add a specific header to the requests, for example X-Https on (X-Https is the header name, and on is the header value).

  • To make c2cgeoportal generate HTTPS URLs when requests with this header are received, set the HTTPS environment variable by adding the following to the <location ...> section of the apache/wsgi.conf.mako file (using the header from our example):

    SetEnvIf    X-Https on HTTPS=1
    

In Mako templates, if you need to know what scheme is used, you may test the value of request.scheme. For example:

var WMTS_OPTIONS = {
% if request.scheme == 'https':
    url: 'https://my.wmts.server/'
% else:
    url: 'http://my.wmts.server/'
% endif
/* ... */
};

Application and SSL certificate on the same server

If the SSL certificate and the application are located on the same server, all requests will be redirected to HTTPS. You should therefore change the scheme to https for all URLs, except for some parameters that should always use http (in practice, all requests on localhost): the url parameter in the tilegeneration configuration.

If you apply SSL encryption to your application, make sure the tiles URL uses the https scheme to avoid mixing secure and insecure content: change tiles_url in the vars_xxx.yaml file.

Finally, you should redirect all HTTP requests to the HTTPS scheme. On Camptocamp’s server, this should be requested from our sysadmin team.

If you load external HTTP resources into your application, you should use the resourceproxy service as described below.

Loading non-HTTPS external resources

If you want to load non-HTTPS external resources in your HTTPS application, you must use the resourceproxy service and add the list of hosts you want to access to your project's vars_<project>.yaml configuration file:

resourceproxy:
    # list of urls from which it is safe to load content
    targets:
      #exampletargetname: http://www.camptocamp.com/?param1=%s&param2=%s
      rfinfo: http://www.rfinfo.vd.ch/rfinfo.php?no_commune=%s&no_immeuble=%s

Then you can access resources by building URLs using the following schema: http://<host>/<instanceid>/wsgi/resourceproxy?target=<targetname>&values=(<valueparam1>,...).

For example:

http://geoportail.camptocamp.com/main/wsgi/resourceproxy?target=rfinfo&values=(175,2633)
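
The following sketch shows how a target name and a values list can be resolved against such an allow-list. It is an added illustration, not c2cgeoportal's own code: the helper names (parse_values, resolve_target), the value-count check and the percent-encoding of values are assumptions about how a careful implementation would treat the request.

```python
from urllib.parse import quote

# Constructed allow-list mirroring the resourceproxy.targets block above.
TARGETS = {
    "rfinfo": "http://www.rfinfo.vd.ch/rfinfo.php?no_commune=%s&no_immeuble=%s",
}


def parse_values(raw):
    """Parse the values=(a,b,...) query parameter into a list of strings."""
    if not (raw.startswith("(") and raw.endswith(")")):
        raise ValueError("values must be wrapped in parentheses")
    inner = raw[1:-1]
    return inner.split(",") if inner else []


def resolve_target(target, raw_values, targets=TARGETS):
    """Return the upstream URL for an allow-listed target, or raise.

    Hypothetical helper: the name and the exact checks are assumptions.
    """
    template = targets.get(target)
    if template is None:
        # Only target names configured by the administrator may be fetched;
        # the caller never supplies a host or a URL of its own.
        raise KeyError("unknown target: %r" % target)

    values = parse_values(raw_values)
    parts = template.split("%s")
    if len(values) != len(parts) - 1:
        raise ValueError("wrong number of values for target %r" % target)

    # Percent-encode every value so it stays inside its own parameter and
    # cannot add query parameters, a fragment or extra path segments.
    encoded = [quote(v, safe="") for v in values]

    # Interleave the fixed template parts with the encoded values.
    return "".join(p + v for p, v in zip(parts, encoded + [""]))


if __name__ == "__main__":
    # Same request as the example URL above: target=rfinfo&values=(175,2633)
    print(resolve_target("rfinfo", "(175,2633)"))
```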

Local certificate checks

Certain c2cgeoportal features open an HTTP session to your c2cgeoportal services, for example the checker or the lingua_extractor. If you are running your server over HTTPS and wish to disable certificate checks for these connections, you can do so by adding the following configuration element to your vars file:

vars:
    http_options:
        disable_ssl_certificate_validation: True