Block or remove administrator commandbox

How do you block access to Lucee Admin on CommandBox?


@nalbee As of the 5.2.0 release candidate build, you simply start the server. 🙂 5.2.0 has a new profile feature that defaults to production (unless overridden or bound to localhost) and blocks external access to the Lucee admin by default.

Or you can manually apply the lock down like so:

server set web.blockCFAdmin=true
# or
server set web.blockCFAdmin=external

If for some reason you can’t use the 5.2 release candidate, here is a guide that shows you how to do this on any other version using a custom Tuckey rewrite file.

Thank you so much. That is what I was looking for.

You can also set the environment variable LUCEE_ADMIN_ENABLED=false.


Thank you Zac,

Is it possible to set the environment variable LUCEE_ADMIN_ENABLED in application.cfc?

Nup, because the admin has its own Application.cfc.

As per the lockdown guides, you should always be blocking access to both /lucee/admin and /WEB-INF at the webserver level.

And I extremely highly recommend moving /WEB-INF outside your webroot.
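For readers who want to see what "blocking at the webserver level" looks like in practice, here is an added example (not from the thread or from Lucee) for nginx fronting a Lucee/Tomcat instance. The upstream address, the upstream name lucee_tomcat and the server_name are placeholders; adapt them to your deployment. This is a second layer on top of the CommandBox blockCFAdmin setting or LUCEE_ADMIN_ENABLED, not a replacement for them.

```nginx
# Added example: deny /lucee/admin and /WEB-INF before any request reaches Tomcat.
# "lucee_tomcat", 127.0.0.1:8888 and example.com are placeholders.
upstream lucee_tomcat {
    server 127.0.0.1:8888;
}

server {
    listen 80;
    server_name example.com;

    # ~* makes the match case-insensitive, so /LUCEE/Admin/ is blocked as well
    # (Tomcat on Windows runs on a case-insensitive file system). nginx compares
    # location patterns against the decoded, normalised URI, so %XX-encoded
    # variants and ./.. path segments resolve before this test is applied.
    # (/|$) stops /lucee/administrator-notes from being caught by accident.
    location ~* ^/(lucee/admin|web-inf)(/|$) {
        return 403;
    }

    location / {
        proxy_pass http://lucee_tomcat;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
```

After reloading nginx, confirm the rule with requests such as `curl -i http://example.com/lucee/admin/server.cfm` and `curl -i http://example.com/WEB-INF/web.xml` (both should return 403), and make sure the Lucee admin is also unreachable on Tomcat's own port from outside the host, since a webserver rule does nothing for traffic that bypasses the webserver.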

Sorry for the beginner/newbie question, but I've only found people saying to use these environment variables, and I didn't find anything about how and where to set them. Maybe that is something everybody knows, and I might not see the obvious. Are these Lucee environment variables set in Tomcat's .bat file, or in the Java args of Lucee's Windows service? Or somewhere else?

The env variables in Lucee are pretty poorly documented IMO. There is a spreadsheet here that’s sort of a “live document” of all the main ones.

I knew about the setting above, but only because I happened across it while reading some Lucee commits the other day.

As far as how to use them, Lucee will look either for a JVM system property or an OS environment variable, which can be set at a global level, a user level, or even inside the process running Lucee (just how env vars work).

Furthermore, Lucee will do several checks replacing underscores with periods, like LUCEE_ADMIN_ENABLED and LUCEE.ADMIN.ENABLED. I don't think any of that is documented, I just know it from reading the source code.
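To make the lookup described above concrete, here is an added illustration (not Lucee's source code) of how a setting name such as LUCEE_ADMIN_ENABLED can be resolved from either a JVM system property or an OS environment variable, trying both the underscore and the period spelling. The precedence used here (system property before environment variable) and the treatment of an unset value as "admin enabled" are assumptions of this model; the authoritative order is in the Lucee source.

```python
"""Model of a Lucee-style setting lookup for LUCEE_ADMIN_ENABLED.

Added illustration, not Lucee's code. It mirrors the thread's description:
the value may come from a JVM system property or an OS environment variable,
and both the underscore and the period spelling of the name are checked.
ASSUMPTION: system properties are consulted before environment variables.
"""
import os
from typing import Mapping, Optional


def name_variants(name: str) -> list:
    """'LUCEE_ADMIN_ENABLED' -> ['LUCEE_ADMIN_ENABLED', 'LUCEE.ADMIN.ENABLED'].

    Accepts either spelling as input and always yields the underscore form first.
    """
    underscored = name.upper().replace(".", "_")
    return [underscored, underscored.replace("_", ".")]


def resolve_setting(name: str,
                    system_properties: Mapping[str, str],
                    environ: Optional[Mapping[str, str]] = None) -> Optional[str]:
    """Return the first value found, or None when the setting is not set anywhere.

    system_properties stands in for java.lang.System.getProperties();
    environ defaults to the real process environment.
    """
    if environ is None:
        environ = os.environ
    for source in (system_properties, environ):          # assumed precedence
        for variant in name_variants(name):
            if variant in source:
                return source[variant]
    return None


def admin_enabled(system_properties: Mapping[str, str],
                  environ: Optional[Mapping[str, str]] = None) -> bool:
    """The admin stays enabled unless the setting is explicitly 'false'.

    Case and surrounding whitespace are ignored, so 'False ' also disables it.
    An unset value is treated as enabled (assumption), which is exactly why
    the lockdown guides tell you to set it or block the admin paths outright.
    """
    value = resolve_setting("LUCEE_ADMIN_ENABLED", system_properties, environ)
    if value is None:
        return True
    return value.strip().lower() != "false"


if __name__ == "__main__":
    # Constructed sample inputs: a -DLUCEE.ADMIN.ENABLED=false style JVM property
    # wins over an environment variable that would leave the admin on.
    props = {"LUCEE.ADMIN.ENABLED": "false"}
    env = {"LUCEE_ADMIN_ENABLED": "true"}
    print("admin enabled:", admin_enabled(props, env))
```

When auditing a host, checking both spellings in both places (the service's JVM arguments and the environment of the account running Tomcat) avoids the false reassurance of finding the variable "missing" in one of the four spots while it is actually set, or not set, in another.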


Yes, that is what I also think. There are lots of to-dos in the docs. I'll try to dig into this and add some contribs to the docs as soon as I can. Thanks for the GitHub code links.