Preventing New Web Contexts


Steve Lauen

Sep 1, 2016, 5:56:34 PM
to Lucee
Running Lucee 4.5 on Linux and Apache.

My understanding is that to set up a new Lucee site (i.e. a new web context), we would need to do the following general steps:
1) Set up the hosting directory.
2) Set up the website in Apache.
3) Browse to /lucee/admin/web.cfm under the domain.

Our experience is that this will create the new web context, with the WEB-INF directory, under the hosting directory for the website and mod_cfml will configure Tomcat appropriately.

However, this means that anyone could browse to lucee/admin/web.cfm under any of the other sites hosted on that server, and it would create a new web context, which would be a huge problem/security concern.

I must be missing something!  

How do I configure Lucee and/or Apache to prevent web contexts from being created under other sites?

Thanks in advance for any assistance.

Jordan Michaels

Sep 13, 2016, 6:16:30 AM
to lu...@googlegroups.com
I'm not sure how you came to that conclusion, but mod_cfml does NOT create contexts based off a request for /lucee/admin/web.cfm.

The code is open, and you can see for yourself that new contexts are created based off the "host" value of the HTTP header request (this is the same method Tomcat uses to identify separate contexts), which must be authenticated by the secret key that Apache passes on to Tomcat, and new contexts are only created when that "host" value can't be resolved to an existing context by Tomcat. Usually the "host" value just contains the domain of what you're trying to hit, but it can also be an IP address, or whatever resolves to a "host" value in your web server. A non-domain value might be something like "vivio.local", if I'm developing something locally and I want to use Lucee with it.

--
Kind regards,
Jordan Michaels
Vivio Technologies
--
Get 10% off of the regular price for this years CFCamp in Munich, Germany (Oct. 20th & 21st) with the Lucee discount code Lucee@cfcamp. 189€ instead of 210€. Visit https://ti.to/cfcamp/cfcamp-2016/discount/Lucee@cfcamp
---
You received this message because you are subscribed to the Google Groups "Lucee" group.
To unsubscribe from this group and stop receiving emails from it, send an email to lucee+un...@googlegroups.com.
To post to this group, send email to lu...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/lucee/e988535e-b499-4938-91bd-91ccfc41201e%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Steve Lauen

Sep 13, 2016, 9:32:23 AM
to Lucee
Thanks Jordan.  In hindsight, I'm not sure how I came to that conclusion.  I thought I saw it in a posting on this forum or somewhere else online, but can't put my hands on it now.  That's the process we used to create the web context for the only site for which we are using Lucee, and it just stuck in my head.

Forgive my ignorance, but hopefully you or someone else could further clarify things for me. We've got a server on which we host a number of websites. Only one of them uses Lucee. As a result, we have only one web context. I would rather not have web contexts created for the other, non-Lucee websites that we host on that server. My reasoning is that we don't need our system cluttered with the web contexts and WEB-INF folders for those sites, if they aren't using Lucee. Plus, it just seems more secure to not have the extra, unneeded web contexts on the server.

So...a couple questions:

1) Let's say I set up a new website on that server, called steveco.com. I want to use Lucee with it. I have the hosting directory set up and have the site set up in Apache. What's the recommended process for creating a web context for steveco.com?

2) Let's say I set up another new website on that server, called lauenco.com. I will not be using Lucee with it. I want to make sure that a Lucee web context never gets set up for that website. How do I go about preventing a web context from being created for that website?

Thanks again for your help.

-- Steve


Jordan Michaels

Sep 13, 2016, 2:50:32 PM
to lu...@googlegroups.com
Hi Steve,

In your case, you don't need mod_cfml. I'd simply remove it (there are two configs for it, one in the server.xml file and one in your apache config), or don't install it during installation.

From there, you can configure your context manually in the Tomcat server.xml file. Go to the bottom of the file and you'll find comments about the config you need to add another host in Tomcat. Adding a new host to Tomcat is extremely similar to adding a new host to Apache. Once you add your host, just reboot Tomcat and your new host (context) will be created at boot time. There are other ways of manually adding contexts, but I've found the server.xml file method to be the easiest to explain.

--
Kind regards,
Jordan Michaels
Vivio Technologies
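
As an added illustration (not code from this thread or from the Lucee or mod_cfml projects): a small Python check that a Tomcat server.xml matches the setup described above, with no mod_cfml valve left and Host entries only for the sites meant to run Lucee. The embedded server.xml, its docBase path and the function name `audit_server_xml` are constructed for this example.

```python
import xml.etree.ElementTree as ET

# Constructed server.xml (not from the thread); docBase path is an assumption.
SERVER_XML = """\
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Engine name="Catalina" defaultHost="127.0.0.1">
      <Host name="127.0.0.1" appBase="webapps" unpackWARs="true" autoDeploy="true" />
      <Host name="steveco.com" appBase="webapps" unpackWARs="true" autoDeploy="true">
        <Alias>www.steveco.com</Alias>
        <Context path="" docBase="/var/www/steveco.com/" />
      </Host>
    </Engine>
  </Service>
</Server>
"""

def audit_server_xml(xml_text, lucee_sites):
    """Return a sorted list of findings; an empty list means the file matches."""
    root = ET.fromstring(xml_text)
    findings = []
    # Any valve whose class starts with "mod_cfml" means contexts can still be
    # created automatically from the Host header.
    for valve in root.iter("Valve"):
        if valve.get("className", "").startswith("mod_cfml"):
            findings.append("mod_cfml valve still configured")
    expected = {s.lower() for s in lucee_sites}
    served = set()
    for engine in root.iter("Engine"):
        default = (engine.get("defaultHost") or "").lower()
        for host in engine.findall("Host"):
            names = {host.get("name", "").lower()}
            names |= {a.text.strip().lower() for a in host.findall("Alias") if a.text}
            served |= names
            # The engine's default host is expected; anything else must be listed.
            for name in names - expected - {default}:
                findings.append(f"unexpected host: {name}")
    for name in expected - served:
        findings.append(f"missing host: {name}")
    return sorted(findings)

if __name__ == "__main__":
    print(audit_server_xml(SERVER_XML, ["steveco.com", "www.steveco.com"]))
```

Tomcat serves a request whose Host header matches no Host entry from the engine's defaultHost, which is why that entry is treated as expected rather than flagged.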
