Secure your pygeoapi deployment with enterprise-grade authentication and authorization
This project provides a complete authentication and authorization solution for pygeoapi, supporting multiple deployment scenarios with Caddy or Nginx as reverse proxies, and flexible authentication backends including file-based and LDAP.
- π Enterprise-grade authentication and authorization with Authelia
- π Multiple reverse proxy options (Caddy/Nginx)
- π File-based or LDAP user management
- π Hot-reload configuration support
- π― Granular access control based on user groups
- π OpenAPI specification with security schemes
- πΊοΈ QGIS integration support
- Docker and Docker Compose
- Permission to edit
/etc/hosts
file (for local development) - Domain with DNS A records (for production)
- SSL certificates (self-signed for development, Let's Encrypt for production)
Add the following entries to your /etc/hosts
file:
127.0.0.1 pygeoapi.local
127.0.0.1 app.pygeoapi.local
127.0.0.1 lldap.pygeoapi.local # Required for LLDAP scenarios
docker compose -f docker-compose-caddy.yml up -d
- Access the API at: https://app.pygeoapi.local/api
- Default users:
- yharby/cartologic (cartologic group)
- francbartoli/francbartoli (geobeyond group)
docker compose -f docker-compose-caddy-lldap.yml up -d
- Access LLDAP admin interface: https://lldap.pygeoapi.local
- Login with default credentials:
- Username: admin
- Password: super_strong_ldap_password
- Create required groups:
- Create group: cartologic
- Create group: geobeyond
- Create a test user and assign to either group
- Access the API at: https://app.pygeoapi.local/api
- Generate development SSL certificates:
cd nginx/certs openssl genpkey -algorithm RSA -out pygeoapi.key openssl req -new -key pygeoapi.key -out pygeoapi.csr -subj "/C=EG/ST=Cairo/L=Cairo/O=Pygeoapi/OU=IT Department/CN=*.pygeoapi.local" openssl x509 -req -days 365 -in pygeoapi.csr -signkey pygeoapi.key -out pygeoapi.crt cd ../..
- Start services:
docker compose -f docker-compose-nginx.yml up -d
- Generate SSL certificates (if not done in step C)
- Start services:
docker compose -f docker-compose-nginx-lldap.yml up -d
- Follow LLDAP setup steps from section B
- Register a domain (e.g., pygeoapi-example.com)
- Create A records for your subdomains:
- app.pygeoapi-example.com
- auth.pygeoapi-example.com
- lldap.pygeoapi-example.com (if using LLDAP)
Important: After setting up your domain, you'll need to modify the domain names in the configuration files of your chosen stack:
- For Caddy: Update domains in
caddy/Caddyfile
orcaddy/lldap.Caddyfile
- For Nginx: Update server names in
nginx/site-confs/default.conf
ornginx/site-confs-lldap/default.conf
- Update domain in Authelia configuration:
authelia-*/configuration.yml
- If using LLDAP, update LLDAP environment variables and base DN in the docker-compose file
Choose one option:
- Install certbot:
sudo apt install certbot
- Obtain certificates:
sudo certbot certonly --standalone -d app.pygeoapi-example.com -d auth.pygeoapi-example.com -d lldap.pygeoapi-example.com
Use your organization's SSL certificates and place them in the appropriate directory:
- For Nginx:
nginx/certs/
- For Caddy: Automatic HTTPS is handled by Caddy
docker compose -f docker-compose-caddy.yml up -d # File-based auth
# or
docker compose -f docker-compose-caddy-lldap.yml up -d # LLDAP
docker compose -f docker-compose-nginx.yml up -d # File-based auth
# or
docker compose -f docker-compose-nginx-lldap.yml up -d # LLDAP
- Use strong passwords for all services
- Enable firewall rules
- Set up monitoring and logging
- Regular security updates
- Configure rate limiting
- Use secure headers
/api/collections/obs
: Requires cartologic group membership/api/collections/lakes
: Requires geobeyond group membership/api
: Accessible to all authenticated users
The OpenAPI specification is automatically injected with security schemes using pygeoapi-auth, which enables:
- Automatic security scheme injection into OpenAPI specification
- Swagger UI authentication support with Basic Auth
- API documentation with security requirements
The authentication injection is handled automatically by the entrypoint script using pygeoapi-auth's CLI:
pygeoapi-auth openapi inject-auth ${PYGEOAPI_OPENAPI} authelia ${PYGEOAPI_HOME}/authelia-config/configuration.yml --api-prefix api --output-file ${PYGEOAPI_OPENAPI}
This ensures that all API endpoints are properly documented with their security requirements and the OpenAPI specification reflects the actual authentication setup.
- β Basic Authentication support
- β Authelia integration
- β Multiple reverse proxy options (Caddy/Nginx)
- β LLDAP integration
- β OpenAPI specification injection
- β Group-based authorization
-
Authentication Enhancements
- π OAuth2 support
- π OpenID Connect support
- π Multi-factor authentication (MFA)
-
Integration Expansions
- π Additional identity providers
- π More reverse proxy options (eg. traefik)
- π Enhanced QGIS authentication methods
- π ArcGIS Pro authentication methods
- π Kubernetes deployment
-
Developer Experience
- π Cookiecutter CLI tool
- π Better documentation
- π Example implementations
- π Testing utilities
Want to contribute? Check our issues or submit a pull request!
-
Open QGIS
-
Add new WFS / OGC API - Features connection:
- URL: https://app.your-domain.com/api (or https://app.pygeoapi.local/api for local)
- Authentication: Basic (or create an authentication configuration)
- Username: (your username)
- Password: (your password)
-
Enable "Save Username" and "Save Password" if desired
-
Test connection
- For local development: Add SSL certificate exception in QGIS
- For production: Ensure valid SSL certificate
- Verify user has access to desired collections
- Check network connectivity to pygeoapi server
Contributions are welcome! Please feel free to submit a Pull Request.
This project is inspired by fastgeoapi and builds upon the excellent work of the pygeoapi community.
All bugs, enhancements and issues are managed on GitHub.
This project is licensed under the MIT License - see the LICENSE file for details.