Geoserver 2 17 1

Geoserver Installation GuideDeploying on Ubuntu 22.04 LTS with Tomcat 9.0.83, GeoServer 2.24.1 and PostgreSQL 14.10 with PostGIS 3.2GeoServer serves as an open-source server, facilitating the sharing of geospatial data. Notably designed for interoperability, it enables seamless publication of data from diverse data sources using open standards.Author InformationAuthor: Daniel Pinto SalazarTested Platform: Ubuntu 22.04 LTSSoftware Versions: Tomcat 9.0.83, GeoServer 2.24.1, PostgreSQL 14.10, PostGIS 3.2Tested Date: December 2023Software VersionsSoftwareVersionUbuntu22.04 LTSJava17.0.9Tomcat9.0.83GeoServer2.24.1PostgreSQL14.10PostGIS3.2Installation StepsStep 1: Create a Droplet (Ubuntu 22.04 LTS)First, update the packages list on Ubuntu:Set the Firewall to allow traffic from SSH, HTTP, and HTTPS:sudo ufw allow 22sudo ufw enableStep 2: Install Java 17 dependenciesInstall OpenJDK 17:sudo apt install openjdk-17-jdk openjdk-17-jreOnce installed, verify the Java version:Step 3: Install Servlet Container for Java code (Tomcat)Step 3.1: Create a Tomcat group and usersudo groupadd tomcatsudo useradd -s /bin/false -g tomcat -d /opt/tomcat tomcatStep 3.2: Install TomcatNavigate to the temporary folder to download and extract Tomcat 9.0.83:cd /tmpcurl -O mkdir /opt/tomcat/sudo tar xzvf apache-tomcat-9.0.83.tar.gz -C /opt/tomcat/ --strip-components=1Step 3.3: Update Tomcat PermissionsAdjust permissions for Tomcat directories:cd /opt/tomcat/sudo chgrp -R tomcat /opt/tomcat/sudo chmod -R g+r confsudo chmod g+x confsudo chown -R tomcat webapps/ work/ temp/ logs/Step 3.4: Create a systemd Service FileTo enable running Tomcat as a service, we'll create a systemd service file. To ensure Tomcat functions properly, it requires knowledge of the Java installation directory, often denoted as 'JAVA_HOME.' The most convenient method to find this location is by executing the following command:sudo update-java-alternatives -lTo create the accurate JAVA_HOME variable, you can build it by extracting the output found in the final column the suitable JAVA_HOME for this server would be:JAVA_HOME/usr/lib/jvm/java-1.17.0-openjdk-amd64Using this data, we're ready to generate the systemd service file. Access the /etc/systemd/system directory and create a file named tomcat.service by executing the following command:"sudo nano /etc/systemd/system/tomcat.serviceCopy and insert the below content into your service file. Adjust the JAVA_HOME value, if needed, to correspond with the value you discovered on your system. Additionally, consider adjusting the memory allocation settings specified in CATALINA_OPTS. In previous Tomcat versions, remember to append the '/jre' extension to JAVA_HOME.[Unit]Description=Apache Tomcat Web Application ContainerAfter=network.target[Service]Type=forkingEnvironment=JAVA_HOME=/usr/lib/jvm/java-1.17.0-openjdk-amd64Environment=CATALINA_PID=/opt/tomcat/temp/tomcat.pidEnvironment=CATALINA_HOME=/opt/tomcatEnvironment=CATALINA_BASE=/opt/tomcatEnvironment='CATALINA_OPTS=-Xms512M -Xmx1024M -server -XX:+UseParallelGC'Environment='JAVA_OPTS=-Djava.awt.headless=true -Djava.security.egd=file:/dev/./urandom'ExecStart=/opt/tomcat/bin/startup.shExecStop=/opt/tomcat/bin/shutdown.shUser=tomcatGroup=tomcatUMask=0007RestartSec=10Restart=always[Install]WantedBy=multi-user.targetUpon completion, save and close the file.Subsequently, refresh the systemd daemon to ensure recognition of our service file:sudo systemctl daemon-reloadInitiate the Tomcat service using the command:sudo systemctl start tomcatVerify its startup without any errors by executing:sudo systemctl status tomcatStep 3.5: Adjust the Firewall and Test the Tomcat ServerHaving initiated the Tomcat service, it's essential

GeoServer 2, in some configurations, allows remote attackers to execute arbitrary code via java.lang.Runtime.getRuntime().exec in wps:LiteralData within a wps:Execute request, as exploited in the wild in June 2023.RCE in JiffleThe Jiffle map algebra language, provided by jai-ext, allows efficiently execute map algebra over large images. A vulnerability CVE-2022-24816 has been recently found in Jiffle, that allows a Code Injection to be performed by properly crafting a Jiffle invocation.In the case of GeoServer, the injection can be performed from a remote request.AssessmentGeoTools includes the Jiffle language as part of the gt-process-raster- module, applications using it should check whether it’s possible to provide a Jiffle script from remote, and if so, upgrade or remove the functionality (see also the GeoServer mitigation, below).The issue is of particular interest for GeoServer users, as GeoServer embeds Jiffle in the base WAR package. Jiffle is available as a OGC function, for usage in SLD rendering transformations.This allows for a Remote Code Execution in properly crafted OGC requests, as well as from the administration console, when editing SLD files.MitigationsIn case you cannot upgrade at once, then the following mitigation is strongly recommended:Stop GeoServerOpen the war file, get into WEB-INF/lib and remove the janino-.jarRestart GeoServer.This effectively removes the Jiffle ability to compile scripts in Java code, from any of the potential attack vectors (Janino is the library used to turn the Java code generated from the Jiffle script, into executable bytecode).GeoServer should still work properly after the removal, but any attempt to use Jiffle will result in an exception.References

The latest release, while the maintenance version, though an earlier release, is maintained and officially supported for a specific duration. For this installation, we'll opt for the stable version.Upon clicking the stable version link, you'll be redirected to Right-click on the Web Archive under the Packages section and copy the link.Now, open your Linux terminal and navigate to the temporary folder by typing cd /tmp. In this directory, use wget to download the GeoServer .war file by pasting the previously copied link.Step 4.1: Download GeoServercd /tmpwget unzip the downloaded file into the Tomcat webapps directory using the following commands:sudo apt-get install unzipsudo unzip geoserver-2.24.1-war.zipStep 4.2: Install GeoServer in TomcatTo integrate GeoServer with Tomcat, execute the following command to move GeoServer inside the Tomcat webapps directory:mv geoserver.war /opt/tomcat/webapps/This action concludes the installation process.Open in web browser opening this link, you'll arrive at the GeoServer welcome page. The default login credentials for GeoServer are admin as the username and geoserver as the password. Utilize these credentials to access the GeoServer admin panel for further configurations and operations.Step 5: Configuring Nginx Proxy for Tomcat with SSLStep 5.1: Install NginxBegin by installing Nginx on your VPS:sudo apt-get install nginxsudo systemctl start nginxsudo systemctl status nginxNext, install Certbot, a tool used for managing Let’s Encrypt certificates:sudo apt-get install python3-certbot-nginxTo obtain a Let’s Encrypt SSL certificate, use the following Certbot commands:For Subdomainsudo certbot certonly --nginx -d subdomain.example.comFor Domainsudo certbot certonly --nginx -d example.comUpon successful certificate acquisition, Certbot automatically stores the certificate files. Note the certificate and key locations:Certificate is saved at: /etc/letsencrypt/live/subdomain.example.com/fullchain.pemKey is saved at: /etc/letsencrypt/live/subdomain.example.com/privkey.pemAllow both HTTP (80) and HTTPS (443) traffic through the firewall using Nginx Full:sudo ufw allow 'Nginx Full'Step 5.2: Create a new virtual host configuration file for TomcatCreate and edit a new virtual host configuration file for Nginx:sudo nano /etc/nginx/sites-available/geoserverInsert the following configuration:upstream tomcat { server 127.0.0.1:8080 fail_timeout=0;}server { listen 80; listen [::]:80; server_name subdomain.example.com; access_log /var/log/nginx/tomcat-access.log; error_log /var/log/nginx/tomcat-error.log; return 301 { listen 443 ssl; listen [::]:443 ssl ipv6only=on; server_name subdomain.example.com; ssl_certificate /etc/letsencrypt/live/subdomain.example.com/fullchain.pem; ssl_certificate_key /etc/letsencrypt/live/subdomain.example.com/privkey.pem; location / { proxy_set_header X-Forwarded-Host $host; proxy_set_header X-Forwarded-Server $host; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_pass }}Step 5.3: Auto renewal SSL CertificateConfigure automatic SSL certificate renewal by editing the crontab:Add the following line to the crontab file to perform a renewal check monthly:0 0 1 * * certbot renew --nginx --quietStep 6: Configure Cross-Origin Filter and Proxy Settings for Tomcat in GeoServerAccess the 'web.xml' file within the GeoServer application

For Vendors Help Create Join Login Business Software Open Source Software SourceForge Podcast Resources Articles Case Studies Blog Menu Help Create Join Login Home Browse GeoServer Mailing Lists Brought to you by: aaime, gtbuilder, hai-etlik, ianturton, and 3 others Summary Files Reviews Support Wiki Mailing Lists Tickets ▾ Patches Feature Requests News CVS Menu ▾ ▴ geoserver-builds geoserver-devel geoserver-users geoserver-devel [Geoserver-devel] GeoServer 2.14.2 released From: Torben B. - 2019-01-19 00:11:32 We are happy to announce the release of GeoServer 2.14.2 Downloads are provided (zip with docs (html extensions is a stable release of the GeoServer 2.14 series and is recommendedfor all production systems. Users of prior releases of GeoServer areencouraged to upgrade.This release is made in conjunction with GeoTools 20.2 and GeoWebCache1.14.2. Thanks to all who contributed to this release.For more information please see our release notes (2.14.2 2.14.1 and FixesThis release includes a number of new features and improvements: - gs:DownloadEstimator (almost always) returns true when estimating full raster downloads at native resolution - Cannot create jp2k coverage through rest (IndexOutOfBounds) - KML ignores sortBy parameter when querying records - NullPointerException when using env() function with LIKE operator in CSS filters - Can't modify existing GWC blobstore via UI without renaming - NPE if a Jiffle Rendering Transformation is used with Channel Selection - OpenLayers2 preview does not trigger automatically on IE8 - Bad rendering with JAI-EXT and Input/Output TransparentColor options - Complex MongoDB generated properties are not correctly handlded in SLDs - Move the GeoServer ENV Parametrization documentation