Secured Rest Services

KylerDiershaw · ‎05-11-2012

Being new to public deployment of flexviewers, I have spent a lot of time reading posts on securing flexviewer sites. Specifically, an associate noted that he could mine information from the ../arcgis/rest/services endpoint and suggested access be removed to that resource. I removed access to it using basic IIS directory settings, but then my app could not satisfy map requests (viewer image is blank). Similar results using the rest/admin "Disable Services Directory" option except there I think only my queries wouldn't run.

My own research shows many public sites do not restrict access to the services endpoint or any of the functionality there. Since we are using dynamic map services, I also note that other public sites using dynamic map services likewise do no restrict access.

Is there a real reason to restrict access to this location for a public site? If so, what is the best way without implementing logon pages and passwords? Of course I am looking for a step by step guide, not generalities. If there has been a post I have missed that details this, thanks in advance for pointing me there. Any help is greatly appreciated.

Kyler Diershaw
City of Costa Mesa, CA

MarcWeinshenker1 · ‎05-14-2012

Not sure what kind of configuration you have, but I'll tell you how I approached this. First, I'm using a reverse proxy in IIS 7 as described in the article here: http://support.esri.com/en/knowledgebase/techarticles/detail/35894

Second, I had the same concern about exposing all services in the REST directory, partly due to not wanting some services to be out there and partly due to not knowing how much of a hit my one server would take if all services were out there. I posted a question to the forum and here is the thread: http://forums.arcgis.com/threads/4870-Services-directory-exposed-through-reverse-proxy

What it came down to was the instructions in setting up the reverse proxy rules included generic rewrite rules for getting to the arcgis/rest/services/*and arcgis/services/* locations. I removed those rules and replaced them with individual rules with explicit paths to every service required by my public Flex map applications, using the pattern arcgis/rest/services/<service name>*. Since I don't want the general public to have to log in just to see our maps, I really have no choice but to make the required set of services publicly available and discoverable. But, through this method I have been able to keep all other services from public exposure.

The last thing I did with respect to the reverse proxy rewrite rules had to do with my having two virtual directories in my web server, one for internal Flex maps and one for public Flex maps. I created a rewrite rule to access the public virtual directory.

If you are also using a reverse proxy with IIS7, I may be able to provide more explicit instructions. Just as a disclaimer, I'm no expert at this but just someone who got this to work.

Hope this helps.

Marc

KylerDiershaw · ‎05-14-2012

Marc,

Thanks for your prompt reply. I had read a bit on setting up a reverse proxy, but posted in hopes of a simpler approach. The server I am working on is an x64 2003 R2/IIS 6 box, but I will also be configuring an x64 2008/IIS 7 server in the near future. I will be able to use your link resource on the second sever, but will have to find something similar for the 2003/IIS6 config since the solution outlined uses settings specific to IIS7.

If you are aware of a similar reverse proxy flexviewer setup link for 2003/IIS6, I would be quite grateful. Currently working my way through those posts, which can take some real time as you are aware.

Thanks again for your direction,

Kyler Diershaw
City of Costa Mesa, CA

MarcWeinshenker1 · ‎05-14-2012

Kyler,

I don't know about IIS 6. The ESRI article I referenced was the only one I was aware of and I made sure to have a server with IIS 7 to work with. I configured a reverse proxy server with Windows Server 2008 Web Edition which came with IIS 7. Sorry I can't help with IIS 6. Is there any way you can upgrade your IIS 6 to IIS 7 on your Server 2003 box? [EDIT: I just found out that you can't. IIS 7 is tied to 2008.]

Marc