This application demonstrates how to display private THREDDS data served from a server that has only a local network IP address and is not accessible to the public. The application must run on the same network as that server and usually has a public IP address itself. It does not cover every way you can manage access; it shows the process using authentication and groups.
The installation described here uses conda to ensure there are no package conflicts with existing or future applications on the machine. Using a dedicated environment for this application is highly recommended to avoid any issues.
Conda (to manage packages within the application's own environment)
- Create the env
conda env create -f environment.yml
Add a file named data.json in the base directory. This file holds a JSON object containing
the information needed to run your application that you may want to keep secret, and in this case it also includes an easy
way to load a sample dataset. I am using CHIRPS data (/thredds/wms/Agg/ucsb-chirps_global_0.05deg_daily.nc4);
you will need to change that to a dataset you have on your THREDDS server. This should be the URL with the domain
removed, as you see in the example. This makes the URL target the application, and the proxy will do the work.
You will also need to update the sample_layer_layers and sample_layer_style properties to match your specific layer.
A quick piece of information: you will need to run this application on the same network as the private data. If you want to test with a public THREDDS dataset, you can point THREDDS_SERVER_URL at it. Keep in mind that data is not private if it is exposed publicly. Our concept is to set up a THREDDS server on the same network as the application server and open public access only to the application server; the proxy reaches THREDDS through its local IP address, for example 10.0.0.8 or whatever your local network IP address is.
The format will be:
{
  "siteID": 3,
  "SECRET_KEY": "(~;|use_random_characters_for_this/:~|",
  "ALLOWED_HOSTS": ["localhost", "127.0.0.1", "your_domain"],
  "CSRF_TRUSTED_ORIGINS": ["http://localhost:8000", "http://127.0.0.1:8000", "https://your_domain.com"],
  "THREDDS_SERVER_URL": "local url to your thredds server on the same network as the deployment server /thredds/wms/",
  "DEBUG": "True",
  "ACCOUNT_DEFAULT_HTTP_PROTOCOL": "http",
  "sample_layer_url": "/thredds/wms/Agg/ucsb-chirps_global_0.05deg_daily.nc4",
  "sample_layer_layers": "precipitation_amount",
  "sample_layer_style": "boxfill/apcp_surface"
}
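A check you could run over data.json before exposing the application on a public host, as an added example that is not part of the project's own code. The function name `audit_config`, the THREDDS address with port 8080 and the 50-character key threshold (the length below which Django's deployment check warns) are assumptions of this example.

```python
import ipaddress
from urllib.parse import urlsplit

LOCAL_HOSTS = {"localhost", "127.0.0.1"}
PLACEHOLDER_KEY = "(~;|use_random_characters_for_this/:~|"  # sample value from the README

# Constructed sample: the README's format with an assumed THREDDS address filled in.
README_SAMPLE = {
    "SECRET_KEY": PLACEHOLDER_KEY,
    "ALLOWED_HOSTS": ["localhost", "127.0.0.1", "your_domain"],
    "CSRF_TRUSTED_ORIGINS": ["http://localhost:8000", "https://your_domain.com"],
    "THREDDS_SERVER_URL": "http://10.0.0.8:8080/thredds/wms/",
    "DEBUG": "True",
    "ACCOUNT_DEFAULT_HTTP_PROTOCOL": "http",
    "sample_layer_url": "/thredds/wms/Agg/ucsb-chirps_global_0.05deg_daily.nc4",
}


def audit_config(cfg):
    """Return findings for a data.json dict; an empty list means none were found."""
    findings = []
    # Anything beyond localhost in ALLOWED_HOSTS means the app is meant to be reachable.
    public = any(h not in LOCAL_HOSTS for h in cfg.get("ALLOWED_HOSTS", []))
    key = cfg.get("SECRET_KEY", "")
    if key == PLACEHOLDER_KEY or len(key) < 50:
        findings.append("SECRET_KEY: use at least 50 random characters")
    if public and str(cfg.get("DEBUG")).lower() == "true":
        findings.append("DEBUG: turn off before serving a public host")
    if public and cfg.get("ACCOUNT_DEFAULT_HTTP_PROTOCOL") != "https":
        findings.append("ACCOUNT_DEFAULT_HTTP_PROTOCOL: use https on a public host")
    for origin in cfg.get("CSRF_TRUSTED_ORIGINS", []):
        parts = urlsplit(origin)
        if parts.hostname not in LOCAL_HOSTS and parts.scheme != "https":
            findings.append("CSRF_TRUSTED_ORIGINS: " + origin + " should use https")
    # The proxy only keeps data private if THREDDS sits on a local-network address.
    host = urlsplit(cfg.get("THREDDS_SERVER_URL", "")).hostname or ""
    try:
        if not ipaddress.ip_address(host).is_private:
            findings.append("THREDDS_SERVER_URL: public address, data is not private")
    except ValueError:
        findings.append("THREDDS_SERVER_URL: expected a local network IP address")
    if not cfg.get("sample_layer_url", "").startswith("/thredds/wms/"):
        findings.append("sample_layer_url: give the path only, without the domain")
    return findings


if __name__ == "__main__":
    for finding in audit_config(README_SAMPLE):
        print(finding)
```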
- Google Authentication setup: this example uses Google authentication; you may substitute any authentication you prefer or even combine several.
- In a browser navigate to https://console.cloud.google.com/projectcreate
- Follow the prompts to create the project.
- After you create the project you must select it from the project dropdown in the top menu bar.
- In the left panel under APIs & Services click the "OAuth consent screen" link, then fill out the form with the information for your application. There are a few pages with choices, proceed when finished.
- In the left panel click the "Credentials" link
- At the top left click + Create Credentials and select "OAuth 2.0 Client ID"
- In the dropdown select "Web Application" and give a name.
- In the App Domain fields use the dev domains, for example:
- Add Authorized JavaScript origins (you may enable multiple)
  - Examples:
    - http://localhost:8000
    - http://127.0.0.1:8000
    - https://your_domain
- Add Authorized redirect URIs (you may enable multiple)
  - Examples:
    - http://localhost:8000/accounts/google/login/callback/
    - http://127.0.0.1:8000/accounts/google/login/callback/
    - https://your_domain/accounts/google/login/callback/
- Copy and save the Client ID and Client secret to your local machine (you will need these later)
- Click DOWNLOAD JSON and save
- Click save
- Enter the environment
conda activate web_tile_proxy
- Create database tables and superuser
python manage.py migrate
python manage.py createsuperuser
python manage.py collectstatic
- Start the App
python manage.py runserver
- Open a browser, navigate to http://127.0.0.1:8000/admin/ and log in as the superuser
- Click Social applications
- Click ADD SOCIAL APPLICATION
- Select Google in the provider
- Enter your application name in name
- Enter the Client id from the Google console
- Enter the Secret Key from the Google console
- Leave Key empty
- Select 127.0.0.1 and hit the arrow to move it to Chosen sites
- Click Save and continue editing
- If 127.0.0.1 is no longer in Chosen sites, repeat steps 9 and 10.
- In the right panel click Groups
- Click add group and enter Private_Data_Viewer for the name
- Leave permissions in their default state and click save
- Click VIEW SITE at the top right of the screen
Your site should be ready to test. You should be able to view the private data on the map at this point because you are still logged in as the superuser. You can test the general user functionality by logging out, then clicking Login with Google and logging in with a different Google account. By default this user will not see the private data on the map. Next, log out of the Google account and log back in as your superuser by navigating to http://127.0.0.1:8000/admin/ again. Click Users, click the user that was created, then scroll down to Groups. Select the Private_Data_Viewer group and move it to Chosen Groups. Click save. Log out of the superuser account, log back in with your Google account, and you will see the data on the map.
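The decision a proxy like this has to make for each tile request, as an added example that is not the application's own code: only members of Private_Data_Viewer get an upstream URL, and the requested path has to stay inside /thredds/wms/ on the internal server. The function name `upstream_url`, its parameters and the address with port 8080 are assumptions of this example.

```python
import posixpath
from urllib.parse import quote, unquote, urlencode

PROXY_PREFIX = "/thredds/wms/"          # path the browser requests on the application
REQUIRED_GROUP = "Private_Data_Viewer"  # group created in the admin steps


def upstream_url(thredds_server_url, request_path, params, is_authenticated, groups):
    """Return the internal THREDDS URL for a tile request.

    Raises PermissionError for users outside the group and ValueError for
    paths that do not stay inside the WMS tree.
    """
    # Authorisation comes first: no upstream URL is built for other users.
    if not is_authenticated or REQUIRED_GROUP not in groups:
        raise PermissionError("user is not in " + REQUIRED_GROUP)

    path = unquote(request_path)
    if "\\" in path or not path.startswith(PROXY_PREFIX):
        raise ValueError("not a proxied WMS path")
    # normpath collapses '..', '.' and '//'; any change means the client sent
    # a path that could point outside /thredds/wms/ on the internal server.
    if posixpath.normpath(path) != path:
        raise ValueError("path is not in normalised form")

    dataset = path[len(PROXY_PREFIX):]
    base = thredds_server_url.rstrip("/") + "/"
    return base + quote(dataset) + "?" + urlencode(params)


if __name__ == "__main__":
    # Constructed request using the sample layer from data.json.
    print(upstream_url(
        "http://10.0.0.8:8080/thredds/wms/",
        "/thredds/wms/Agg/ucsb-chirps_global_0.05deg_daily.nc4",
        {"LAYERS": "precipitation_amount", "STYLES": "boxfill/apcp_surface"},
        True,
        {"Private_Data_Viewer"},
    ))
```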
WMS Tile Proxy is distributed by IMapApps under the terms of the MIT License. See LICENSE in this directory for more information.
WMS Tile Proxy abides by all of IMapApps's privacy and terms of use as described at https://imapapps.com/Privacy-Terms-of-Use.html.