Download geoserver 2 14 1

The latest release, while the maintenance version, though an earlier release, is maintained and officially supported for a specific duration. For this installation, we'll opt for the stable version.Upon clicking the stable version link, you'll be redirected to Right-click on the Web Archive under the Packages section and copy the link.Now, open your Linux terminal and navigate to the temporary folder by typing cd /tmp. In this directory, use wget to download the GeoServer .war file by pasting the previously copied link.Step 4.1: Download GeoServercd /tmpwget unzip the downloaded file into the Tomcat webapps directory using the following commands:sudo apt-get install unzipsudo unzip geoserver-2.24.1-war.zipStep 4.2: Install GeoServer in TomcatTo integrate GeoServer with Tomcat, execute the following command to move GeoServer inside the Tomcat webapps directory:mv geoserver.war /opt/tomcat/webapps/This action concludes the installation process.Open in web browser opening this link, you'll arrive at the GeoServer welcome page. The default login credentials for GeoServer are admin as the username and geoserver as the password. Utilize these credentials to access the GeoServer admin panel for further configurations and operations.Step 5: Configuring Nginx Proxy for Tomcat with SSLStep 5.1: Install NginxBegin by installing Nginx on your VPS:sudo apt-get install nginxsudo systemctl start nginxsudo systemctl status nginxNext, install Certbot, a tool used for managing Let’s Encrypt certificates:sudo apt-get install python3-certbot-nginxTo obtain a Let’s Encrypt SSL certificate, use the following Certbot commands:For Subdomainsudo certbot certonly --nginx -d subdomain.example.comFor Domainsudo certbot certonly --nginx -d example.comUpon successful certificate acquisition, Certbot automatically stores the certificate files. Note the certificate and key locations:Certificate is saved at: /etc/letsencrypt/live/subdomain.example.com/fullchain.pemKey is saved at: /etc/letsencrypt/live/subdomain.example.com/privkey.pemAllow both HTTP (80) and HTTPS (443) traffic through the firewall using Nginx Full:sudo ufw allow 'Nginx Full'Step 5.2: Create a new virtual host configuration file for TomcatCreate and edit a new virtual host configuration file for Nginx:sudo nano /etc/nginx/sites-available/geoserverInsert the following configuration:upstream tomcat { server 127.0.0.1:8080 fail_timeout=0;}server { listen 80; listen [::]:80; server_name subdomain.example.com; access_log /var/log/nginx/tomcat-access.log; error_log /var/log/nginx/tomcat-error.log; return 301 { listen 443 ssl; listen [::]:443 ssl ipv6only=on; server_name subdomain.example.com; ssl_certificate /etc/letsencrypt/live/subdomain.example.com/fullchain.pem; ssl_certificate_key /etc/letsencrypt/live/subdomain.example.com/privkey.pem; location / { proxy_set_header X-Forwarded-Host $host; proxy_set_header X-Forwarded-Server $host; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_pass }}Step 5.3: Auto renewal SSL CertificateConfigure automatic SSL certificate renewal by editing the crontab:Add the following line to the crontab file to perform a renewal check monthly:0 0 1 * * certbot renew --nginx --quietStep 6: Configure Cross-Origin Filter and Proxy Settings for Tomcat in GeoServerAccess the 'web.xml' file within the GeoServer application

GeoServer 2, in some configurations, allows remote attackers to execute arbitrary code via java.lang.Runtime.getRuntime().exec in wps:LiteralData within a wps:Execute request, as exploited in the wild in June 2023.RCE in JiffleThe Jiffle map algebra language, provided by jai-ext, allows efficiently execute map algebra over large images. A vulnerability CVE-2022-24816 has been recently found in Jiffle, that allows a Code Injection to be performed by properly crafting a Jiffle invocation.In the case of GeoServer, the injection can be performed from a remote request.AssessmentGeoTools includes the Jiffle language as part of the gt-process-raster- module, applications using it should check whether it’s possible to provide a Jiffle script from remote, and if so, upgrade or remove the functionality (see also the GeoServer mitigation, below).The issue is of particular interest for GeoServer users, as GeoServer embeds Jiffle in the base WAR package. Jiffle is available as a OGC function, for usage in SLD rendering transformations.This allows for a Remote Code Execution in properly crafted OGC requests, as well as from the administration console, when editing SLD files.MitigationsIn case you cannot upgrade at once, then the following mitigation is strongly recommended:Stop GeoServerOpen the war file, get into WEB-INF/lib and remove the janino-.jarRestart GeoServer.This effectively removes the Jiffle ability to compile scripts in Java code, from any of the potential attack vectors (Janino is the library used to turn the Java code generated from the Jiffle script, into executable bytecode).GeoServer should still work properly after the removal, but any attempt to use Jiffle will result in an exception.References

To enable its use in a Tomcat proxy:sudo nano /opt/tomcat/webapps/geoserver/WEB-INF/web.xmlStep 6.1: Configure Proxy Base URL in GeoServerLocate the following configuration and uncomment it to utilize the domain proxy: PROXY_BASE_URL param-name>PROXY_BASE_URL/param-name> param-value> the allow list for CSRF Protection on Geoserver. GEOSERVER_CSRF_WHITELIST subdomain.example.com">context-param> param-name>GEOSERVER_CSRF_WHITELIST/param-name> param-value>subdomain.example.com/param-value>/context-param>Step 6.2: Enable Cross-Origin CorsFilterSearch for the following configuration and uncomment it to enable CORS in Catalina with Tomcat: cross-origin org.apache.catalina.filters.CorsFilter cors.allowed.origins * cors.allowed.methods GET,POST,PUT,DELETE,HEAD,OPTIONS cors.allowed.headers * ">!-- Uncomment following filter to enable CORS in Tomcat. Do not forget the second config block further down. -->filter> filter-name>cross-origin/filter-name> filter-class>org.apache.catalina.filters.CorsFilter/filter-class> init-param> param-name>cors.allowed.origins/param-name> param-value>*/param-value> /init-param> init-param> param-name>cors.allowed.methods/param-name> param-value>GET,POST,PUT,DELETE,HEAD,OPTIONS/param-value> /init-param> init-param> param-name>cors.allowed.headers/param-name> param-value>*/param-value> /init-param>/filter> cross-origin /*">!-- Uncomment following filter-mapping to enable CORS -->filter-mapping> filter-name>cross-origin/filter-name> url-pattern>/*/url-pattern>/filter-mapping>Make sure to save the changes after uncommenting these configurations to apply the settings for the GeoServer application using Tomcat's proxy functionality.Step 7: Set Up GeoSpatial DatabaseStep 7.1: Install PostgreSQL 14 and PostGIS 3Install PostgreSQL 14 and PostGIS 3 using the following commands:sudo apt install postgis postgresql-14-postgis-3psql --versionsudo systemctl status postgresqlStep 7.2: Create Database and User for the ServiceSwitch to the 'postgres' user:Using the 'postgres' user, create a user and a database:createuser geocreatedb geodb -O geoStep 7.2: Add the PostGIS Extension in the DatabaseAccess the 'geodb' database:psql -d geodb sudo -u geo psql geodbWithin the 'geodb' database, enable the PostGIS extension:geodb=# CREATE EXTENSION postgis;geodb=# CREATE EXTENSION postgis_topology;geodb=# SELECT PostGIS_version();Set a password for the 'geo' user in the Spatial Database and grant all privileges:geodb=# ALTER USER geo WITH PASSWORD 'password';geodb=# GRANT ALL PRIVILEGES ON DATABASE geodb TO geo;geodb=# \q;exitStep 7.3: Expose the Spatial DatabaseModify the PostgreSQL configuration file to allow connections from all origins:sudo nano /etc/postgresql/14/main/postgresql.confUncomment and modify the following line to listen on all IP addresses:#------------------------------------------------------------------------------# CONNECTIONS AND AUTHENTICATION#------------------------------------------------------------------------------# - Connection Settings -listen_addresses = '*' # what IP address(es) to listen on;Configure allowed hosts in the 'pg_hba.conf' file:sudo nano /etc/postgresql/14/main/pg_hba.confAdd the following lines to allow connections to the 'geodb' database from any address:# TYPE DATABASE USER ADDRESS METHOD# "local" is for Unix domain socket connections onlylocal all all peer# IPv4 local connections:host all all 127.0.0.1/32 trusthost geodb geo 0.0.0.0/0 md5# IPv6 local connections:host all all ::1/128 md5# Allow replication connections from localhost, by a user with the# replication privilege.local replication all peerhost replication all 127.0.0.1/32 trusthost replication all ::1/128 md5Allow incoming connections on port 5432 (PostgreSQL default port):Restart the PostgreSQL service:sudo systemctl restart postgresqlFinally, test the connection to the database from a local terminal:psql -U userremoteconnexion -h server_ip_address_hosting_this_database