What is the best way to configure my Tomcat/IIS7 site and prevent remote access to the server admin?


res

Aug 3, 2015, 3:47:03 PM
to Lucee
I am not sure how much of my question pertains to Lucee specifically and how much is more generally about Tomcat and IIS, so if this is not the appropriate forum for this question I will find another place to ask.

I am running Lucee on Windows Server 2008 with Tomcat as the app server and IIS7 as the web server. I have the AJP connector installed and running.

What I am trying to do is move a site from ACF to Lucee. Things are working well as far as the CFML processing is concerned, but I want to make the server admin inaccessible from anywhere but the local machine. This was easy with ACF because the CFIDE/Administrator was a physical directory, as opposed to Lucee where it is virtual. I have tried and tried but cannot seem to isolate the server admin. I have managed to make it completely inaccessible by removing the http connector and leaving only the AJP connector. I have tried using filters in web.xml (which I may be doing wrong). I have tried creating lucee folders in my web root and applying the restriction to them, thinking that IIS would filter the request, but since the admin is only available over a nonstandard port that IIS isn't listening on, that doesn't work either.

What else can I try? I feel like this must be a common task and I'm doing something really stupid.

Pete Freitag

Aug 3, 2015, 4:02:51 PM
to lu...@googlegroups.com
If you are using the BonCode IIS connector I think there is a setting for this. 

If you only need to access Lucee Server admin (not web) globally (not using individual web context configuration):

1) Use Request Filtering in IIS to block or Deny the URI: /lucee/ 
2) Create a virtual host that ONLY listens on 127.0.0.1 or ::1 
3) Go to Request Filtering and remove the /lucee/ request filtering rule for this site.

Another option might be to simply add the HTTP connector to your tomcat server.xml conf and access over a non standard port (eg 8080) ensuring that the port is blocked on your firewall. Then hit http://example.com:8080/lucee/admin/web.cfm 

--
Pete Freitag
https://foundeo.com/ - ColdFusion Consulting & Products
http://hackmycf.com - CFML Server Security Scanner


--
See Lucee at CFCamp Oct 22 & 23 2015 @ Munich Airport, Germany - Get your ticket NOW - http://www.cfcamp.org/
---
You received this message because you are subscribed to the Google Groups "Lucee" group.
To unsubscribe from this group and stop receiving emails from it, send an email to lucee+un...@googlegroups.com.
To post to this group, send email to lu...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/lucee/d2442d62-a5df-4664-8a52-1c68869b1f4e%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Pete Freitag

Aug 3, 2015, 4:03:50 PM
to lu...@googlegroups.com
I should have specified that step 1) Use Request Filtering in IIS to block or Deny the URI: /lucee/ would be done at the Server wide level, not on a site specific level in IIS.

--
Pete Freitag
https://foundeo.com/ - ColdFusion Consulting & Products
http://hackmycf.com - CFML Server Security Scanner
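Pete's three steps (with the server-wide placement of step 1 from his follow-up) written out as IIS configuration. This is an added example, not part of either post: the site names, the physical path and the use of /lucee/admin/server.cfm as the test URL are assumptions; the elements themselves are standard applicationHost.config structure and can equally be set through IIS Manager or appcmd.

```xml
<!-- %windir%\System32\inetsrv\config\applicationHost.config (added example;
     site names and physical paths are assumptions) -->
<configuration>
  <system.applicationHost>
    <sites>
      <!-- The public site: every address, port 80 -->
      <site name="MySite" id="1">
        <application path="/">
          <virtualDirectory path="/" physicalPath="D:\sites\mysite\webroot" />
        </application>
        <bindings>
          <binding protocol="http" bindingInformation="*:80:" />
        </bindings>
      </site>
      <!-- Step 2: a second site for the admin, bound ONLY to loopback (IPv4 and IPv6).
           HTTP.SYS hands a request arriving on 127.0.0.1:80 to this site because a
           specific-IP binding takes precedence over the wildcard binding above. -->
      <site name="MySite-AdminLocal" id="2">
        <application path="/">
          <virtualDirectory path="/" physicalPath="D:\sites\mysite\webroot" />
        </application>
        <bindings>
          <binding protocol="http" bindingInformation="127.0.0.1:80:" />
          <binding protocol="http" bindingInformation="[::1]:80:" />
        </bindings>
      </site>
    </sites>
  </system.applicationHost>

  <!-- Step 1: server-wide request filtering. Every site, including ones created
       later, inherits this deny, so a new site cannot expose the admin by accident. -->
  <system.webServer>
    <security>
      <requestFiltering>
        <denyUrlSequences>
          <add sequence="/lucee/" />
        </denyUrlSequences>
      </requestFiltering>
    </security>
  </system.webServer>

  <!-- Step 3: lift the inherited deny for the loopback-only site and nowhere else
       (the same <remove> in that site's web.config has the identical effect) -->
  <location path="MySite-AdminLocal">
    <system.webServer>
      <security>
        <requestFiltering>
          <denyUrlSequences>
            <remove sequence="/lucee/" />
          </denyUrlSequences>
        </requestFiltering>
      </security>
    </system.webServer>
  </location>
</configuration>
```

Two checks worth running after this is in place. From any other machine, a request for http://mysite.example.com/lucee/admin/server.cfm must come back as a 404 (request filtering logs it as substatus 404.5, "URL sequence denied"); on the server itself, http://127.0.0.1/lucee/admin/server.cfm must reach the Lucee login page. Repeat the remote request with a mixed-case path and with a percent-encoded path to confirm the deny still holds after IIS normalises the URL. Note that the deny matches the sequence anywhere in the URL, so any legitimate public path containing "/lucee/" on MySite is blocked too.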


Jordan Michaels

Aug 3, 2015, 4:06:14 PM
to lu...@googlegroups.com
It is possible to create a quasi-directory for the lucee admin directory and assign directory permissions to it. The method is described in the following blog post:

http://utdream.org/post.cfm/how-to-block-access-to-railo-3-4-administrators-in-iis-7-security

... the first method describes how to create the directory then assign permissions to it. The directory can exist, but it doesn't have to. The important part is the IIS configs needed to protect the URI.

Hope this helps!

-Jordan

res

Aug 3, 2015, 4:48:58 PM
to Lucee, pe...@foundeo.com
Thank you for the response. Part of my problem is that I don't think I've fully wrapped my head around some concepts and the documentation hasn't been very helpful (I know it's a work in progress and I've also been referring to railo docs). I guess one question I need answered is, if I go with option 1, how do I get IIS to process the request for the server admin? Currently Tomcat is listening for http requests on port 8888, which means if I go to mysite.com/lucee, I get a 404. If I go to mysite.com:8888/lucee, then it works, but IIS isn't processing that request, since I can stop the IIS site and still pull up the server admin via that URL. I'm not sure how to get to the server admin without using the port number. If I set tomcat to listen on port 80 instead of 8888, is that going to cause some conflict with IIS which is also listening on port 80?

Thanks for your help and your patience. I'm new to all of this so being able to ask questions really helps.

Jordan Michaels

Aug 3, 2015, 5:19:15 PM
to lu...@googlegroups.com
My guess is locking down port 80 and access through IIS is the way that you want to go. So, you're on the right track already. You can lock down port 8888 with tighter restrictions than you can port 80, so you could potentially adjust your firewall rules to ONLY allow your IP to connect to port 8888. Then you, and you alone, can access your admin on port 8888.

Sound reasonable?

-Jordan




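Pete's non-standard-port alternative and Jordan's advice to restrict port 8888 at the firewall, expressed in Tomcat's conf/server.xml. This is an added example, not configuration from the thread. On Tomcat the listening address belongs to the Connector, not the Host, so the admin port is bound to the loopback address and the firewall rule becomes a second layer instead of the only one. Port 8888 comes from the thread; the AJP port 8009 and the assumption that IIS and Tomcat share one machine are mine.

```xml
<!-- conf/server.xml, inside <Service name="Catalina"> (added example; 8888 is the
     port from the thread, 8009 is Tomcat's default AJP port, assumed here) -->

<!-- AJP: the only path IIS/BonCode uses. Bound to loopback so nothing but the local
     IIS can open an AJP connection; AJP is unauthenticated by default and Tomcat
     trusts the client address the connector hands it. -->
<Connector port="8009" protocol="AJP/1.3" address="127.0.0.1" redirectPort="8443" />

<!-- WEAK: no address attribute. Tomcat listens on every interface and the admin on
     :8888 is one missing firewall rule away from the Internet. -->
<!--
<Connector port="8888" protocol="HTTP/1.1" connectionTimeout="20000" />
-->

<!-- HARDENED: the same connector, loopback only. Reachable as
     http://127.0.0.1:8888/lucee/admin/server.cfm from the server and from nowhere
     else, whatever the firewall state. -->
<Connector port="8888" protocol="HTTP/1.1" address="127.0.0.1" connectionTimeout="20000" />
```

After a Tomcat restart, `netstat -ano | findstr :8888` on the server should list 127.0.0.1:8888 in the LISTENING state rather than 0.0.0.0:8888; if it still shows 0.0.0.0 the address attribute did not take and the admin is exposed. Removing the HTTP connector altogether, as described earlier in the thread, closes the port but also leaves no way to reach the server admin at all.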

res

Aug 3, 2015, 5:27:51 PM
to Lucee
It does, but I need port 80 open to the world. I guess my thinking is still stuck in ACF mode. I haven't even been able to figure out how to access the web admin for a particular context. What I ideally want is for everything on port 80 to work, including the server admin, and then lock it down by IP the way I would lock down the CFIDE directory on ACF. I suspect the whole way I'm thinking about this is wrong. It would be extremely helpful to see an existing lucee/tomcat/iis config for reference, but I don't know how I would ever do that.

Jordan Michaels

Aug 3, 2015, 5:54:05 PM
to lu...@googlegroups.com
> It does, but I need port 80 open to the world.

I'm not suggesting otherwise. =)

> What I ideally want is for everything
> on port 80 to work, including the server admin, and then lock it down by IP
> the way I would lock down the CFIDE directory on ACF.

Using the first method talked about in this blog post, you should be able to do that:
http://utdream.org/post.cfm/how-to-block-access-to-railo-3-4-administrators-in-iis-7-security

> It would be extremely helpful to see
> an existing lucee/tomcat/iis config for reference, but I don't know how I
> would ever do that.

There are screen shots in the above blog post from when I did exactly what you're wanting to do on my test machine.

Hope this helps!

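The IIS side of the method Jordan describes, a protected location for the admin URI with IP restrictions, as an added example that is not the blog post's own configuration. The allowed addresses are assumptions. It is placed in applicationHost.config rather than the site's web.config because the ipSecurity section is locked at the server level by default; putting it in web.config needs the section unlocked first, and the "IP and Domain Restrictions" role service must be installed either way or IIS rejects the section with a 500.19.

```xml
<!-- %windir%\System32\inetsrv\config\applicationHost.config (added example).
     The path is "site name/URL path"; the folder "lucee" does not have to exist,
     because <location> matches the request URL, not the file system, so it covers
     Lucee's virtual /lucee/ mapping. -->
<configuration>
  <location path="MySite/lucee">
    <system.webServer>
      <security>
        <!-- Same model as restricting CFIDE on ACF: deny everyone, then list who may
             reach /lucee/admin/server.cfm and /lucee/admin/web.cfm (assumed addresses) -->
        <ipSecurity allowUnlisted="false">
          <add ipAddress="127.0.0.1" allowed="true" />
          <add ipAddress="::1" allowed="true" />
          <!-- an administrator's fixed address -->
          <add ipAddress="203.0.113.10" allowed="true" />
          <!-- an office range -->
          <add ipAddress="192.0.2.0" subnetMask="255.255.255.0" allowed="true" />
        </ipSecurity>
      </security>
    </system.webServer>
  </location>
</configuration>
```

A request from an address outside the list gets a 403 (logged as 403.6, "IP address rejected") before the BonCode handler runs, so Lucee never sees it; from a listed address the admin loads over the normal port 80 site, which is what the question asked for. Check it with a mixed-case path such as /LUCEE/admin/server.cfm as well, and keep in mind that behind a reverse proxy or load balancer the address IIS evaluates is the proxy's, not the visitor's, which makes an allow-list like this meaningless unless the proxy is the only thing on the list.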

Nando Breiter

Aug 3, 2015, 6:20:35 PM
to lu...@googlegroups.com
I use SSH tunneling to access the admin panels on both ACF and Lucee. Rather than repeat myself, I'll just post a link to the blog article I wrote about it:

Aria Media Sagl
Via Rompada 40
6987 Caslano
Switzerland

+41 (0)91 600 9601
+41 (0)76 303 4477 cell
skype: ariamedia

res

Aug 5, 2015, 4:27:43 PM
to Lucee
Very helpful, thank you.

My problem now is that I don't know how to get to the web admin for my site. I have blocked port 8888 on the firewall, so I can go on the local machine and hit the server admin by going to mysite.com:8888/lucee/...
But I set up a site in IIS so I could have the webroot on a disk separate from the lucee install, and I changed WEB-INF so that it has a different name and is placed a level above the webroot. I followed the railo documentation for this (which is missing relevant info http://www.getrailo.org/index.cfm/documentation/configuration/tips-and-tricks/) and I think it worked because when I start Railo and make a page request, my alternately-named WEB-INF folder gets created above the root. But I don't know how to access the web admin for that new site. mysite.com/lucee/... gives me a 404, which makes sense because there is no physical directory with that name, so IIS can't find it. What am I missing here?