Protecting Railo's Server/Web Admin

[Todd Rafferty]

Using CF Standard, I just moved CFIDE folder elsewhere and symlinked
to it as needed. Which was great.

With Railo, things are a little trickier.

Method #1:
===============================================
In my apache httpd.conf directory, I have a file called
'protect_rialo.conf' and it has the following:

<Location /railo-context/admin>
Order deny,allow
Deny from all
Allow from 127.0.0.1
</Location>

Inside the httpd.conf I have:

Include conf/protect-railo.conf

Whenever I need access to Railo context, I just comment it out by
putting a # in front of the include and restart apache. This is me
being lazy tho as I should figure out what my current dynamic IP
address is and using the "Allow" statement. My FiOS reassigns my ip
address every so often and I do use dyndns.com, but I don't think that
apache will use the Allow from whatever.dyndns.com -- I haven't tried
it tho.

Method #2:
===============================================
Gert mentioned the following on twitter:
- Just create a virtual path named /railo-context/admin and have it
point elsewhere in which you would not the webadmin. You would need to
do that ip-wise or call it over port 8600 instead.

Call for Feedback:
===============================================
I think the Railo Team is interested in putting something inside the
Railo Admin that will allow them to secure the access a little more,
but they would like feedback. Gert really wants to get this down to
something that you can just click on.

* I'm not sure that in my situation, that'll work as I have a VPS that
is hosted elsewhere, not a box on my local network. So, I'm very much
dependent on being able to secure and work on this remotely with the
understanding that my ip address isn't a static thing.

[Todd Rafferty]

I should also note that I'm not starting this thread because I feel Railo's admin access is insecure. I just want to be a little more draconian about giving access to the railo-context/admin directory.

Side note:
* Gert also mentioned on twitter that CFVideo and such needs access to the railo-context. So, we're just looking to protect the admin, not the entire railo-context folder.

[Ryan Letulle]

Thanks, Todd.  I am interested in this as well.  Nothing sucks more than getting your site(s) destroyed by an outsider.  You can never be too secure. :)

--
Ryan

[Sean Corfield]

What we did at MACR/ADBE was effectively method 2 - and it's what I
used at Broadchoice as well.

Have Apache rewrite / block the regular path to the admin but let it
remain available on the 'regular' path for your app server and just
lock it down at the firewall level.

You can also create another Apache vhost and have it listen on a
'strange' port and proxy via a 'strange' path to the admin. You can
even give it a weird hostname and have the vhost listen on that, e.g.,

http://railo-admin.mydomain.com:9610/wibble/admin.cfm

(proxied to localhost:8080/railo-context/admin.cfm - and port 8080 not
accessible outside the box)

--
Sean A Corfield -- (904) 302-SEAN
CTO, Railo US -- http://getrailo.com/
An Architect's View -- http://corfield.org/

"If you're not annoying somebody, you're not really alive."
-- Margaret Atwood

[Jamie Krug]

On Apr 26, 12:37 am, Sean Corfield <seancorfi...@gmail.com> wrote:
> Have Apache rewrite / block the regular path to the admin but let it
> remain available on the 'regular' path for your app server and just
> lock it down at the firewall level.
>
> You can also create another Apache vhost and have it listen on a
> 'strange' port and proxy via a 'strange' path to the admin. You can
> even give it a weird hostname and have the vhost listen on that, e.g.,

@Sean,

This is basically what I'm doing, but I didn't bother with the
separate vhost/port yet. I like the solution. Here's a sample vhost:

<VirtualHost *>
ServerName myhost
DocumentRoot /var/www/myhost/webroot
DirectoryIndex index.cfm index.html

<Proxy *>
Allow from 127.0.0.1
</Proxy>

ProxyPreserveHost On
ProxyPassReverse / ajp://myhost:8009/

RewriteEngine On

# Custom/app-specific rewrite rules would go here...

# Forbid public access to Railo admins:
RewriteRule ^/railo-context/admin/(.*) - [F]

# Proxy a hard-to-guess URL base to the Railo Admin base (could
also use a separate virtual host and put this on a non-standard port
and/or force SSL):
RewriteRule ^/some-secret-way-to-access-railo-context/admin/(.*)
ajp://%{HTTP_HOST}:8009/railo-context/admin/$1 [P]

# Proxy CFML requests to Tomcat:
RewriteRule ^/(.*\.cf[cm]/?.*)$ ajp://%{HTTP_HOST}:8009/$1 [P]
</VirtualHost>

You could also get rid of that rewrite rule that forbids the normal
admin URLs and use a global Location directive, like Todd mentioned:

<Location /railo-context/admin>
Order deny,allow
Deny from all
Allow from 127.0.0.1
</Location>

> On Fri, Apr 24, 2009 at 6:34 AM, Todd Rafferty <web...@gmail.com> wrote:
> > address is and using the "Allow" statement. My FiOS reassigns my ip
> > address every so often and I do use dyndns.com, but I don't think that
> > apache will use the Allow from whatever.dyndns.com -- I haven't tried
> > it tho.

@Todd,

I'm pretty sure you *can* do this, but it's *not* recommended.
Basically, there are some security loop holes or Apache could hang
while waiting on DNS resolution. Here's a summary from the Apache 2.2
docs:
http://httpd.apache.org/docs/2.2/dns-caveats.html

Best,
Jamie

On Apr 26, 12:37 am, Sean Corfield <seancorfi...@gmail.com> wrote:
> What we did at MACR/ADBE was effectively method 2 - and it's what I
> used at Broadchoice as well.
>
> Have Apache rewrite / block the regular path to the admin but let it
> remain available on the 'regular' path for your app server and just
> lock it down at the firewall level.
>
> You can also create another Apache vhost and have it listen on a
> 'strange' port and proxy via a 'strange' path to the admin. You can
> even give it a weird hostname and have the vhost listen on that, e.g.,
>
> http://railo-admin.mydomain.com:9610/wibble/admin.cfm
>
> (proxied to localhost:8080/railo-context/admin.cfm - and port 8080 not
> accessible outside the box)
>
> --
> Sean A Corfield -- (904) 302-SEAN

> CTO, Railo US --http://getrailo.com/
> An Architect's View --http://corfield.org/

[Ryan Letulle]

So exactly how insecure is the default implementation?

--
Ryan

[Todd]

How strong is your password?

[Ryan Letulle]

K.  Just wanted to make sure there wasn't something else I was missing.

thx

--
Ryan

[Todd]

Well, obviously it can be brute forced/dictionary attack. Not aware of any "throttling" for the admin. 

[Jamie Krug]

On Sat, May 9, 2009 at 2:02 PM, Todd <web...@gmail.com> wrote:

Well, obviously it can be brute forced/dictionary attack. Not aware of any "throttling" for the admin. 

Right, I think of the Railo Admin as being just as secure/insecure as any other Web application that is protected only by a username/password combo. A strong password makes things a bit more secure. Changing the URL makes a brute force/dictionary attack impossible, unless a hacker guesses the new URL. Adding SSL will of course encrypt what goes over the wire, making it much safer from packet sniffing. I'm using a non-standard URL and plan to add SSL, to be safe. Remember, you don't need a cert from a trusted authority, since you know you can trust yourself as the cert authority :) So, use a self-signed cert, which is free, and can be reused for as many virtual hosts as you'd like.

Best,
Jamie

[Tom Chiverton]

2009/5/11 Jamie Krug <jami...@gmail.com>:

> add SSL, to be safe. Remember, you don't need a cert from a trusted
> authority, since you know you can trust yourself as the cert authority :)
> So, use a self-signed cert, which is free, and can be reused for as many
> virtual hosts as you'd like.

The gandi DNS registra is giving away free fully functioning 'CA
already in your browser' SSL certificates, as is
http://cert.startcom.org/

--
Tom