Block or remove administrator commandbox

nalbee · October 29, 2020, 8:11pm

How do you block access to Lucee Admin on CommandBox?

Thanks!

bdw429s · October 29, 2020, 8:28pm

@nalbee As of the 5.2.0 release candidate build, you simply start the server 5.2.0 has a new profile feature that defaults to production (unless overridden or bound to localhost) and blocks external access to the Lucee admin by default.

Or you can manually apply the lock down like so:

server set web.blockCFAdmin=true
# or
server set web.blockCFAdmin=external

If for some reason you can’t use the 5.2 release candidate, here is a guide that shows you how to do this on any other version using a custom Tuckey rewrite file.

nalbee · October 29, 2020, 8:29pm

Thank you so much. That is was I was looking for.

Zackster · October 30, 2020, 11:05am

you can also set the environment variable LUCEE_ADMIN_ENABLED=false

github.com

lucee/Lucee/blob/5.3/core/src/main/cfml/context/admin/Application.cfc#L55


      
          public function onRequestStart() {
          	// if not logged in, we only allow access to admin|web|server[.cfm]
          	if(!structKeyExists(session, "passwordWeb") && !structKeyExists(session, "passwordServer")){
          		var fileName=listLast(cgi.script_name,"/");
          		if(fileName!="admin.cfm" && fileName!="web.cfm" && fileName!="server.cfm") {
          			cfsetting(showdebugoutput:false);
          			cfheader(statuscode="404" statustext="Invalid access");
          			cfcontent(reset="true");
          			abort;
          		}
          	}
          }
          
          
public function onApplicationStart(){
          	if(structKeyExists(server.system.environment,"LUCEE_ADMIN_ENABLED") && server.system.environment.LUCEE_ADMIN_ENABLED EQ false){
          		cfheader(statuscode="404" statustext="Invalid access");
          		abort;
          	}
          }
          
          
private function getAppFolderPath() cachedwithin="request"{

nalbee · October 30, 2020, 1:39pm

Thank you Zac,

Is it possible to set the environment variable LUCEE_ADMIN_ENABLED in application.cfc?

Zackster · October 30, 2020, 1:50pm

Nup, because the admin has it’s own Application.cfc

as per the lockdown guides, you should be always blocking access to both /lucee/admin and /WEB-INF at the webserver level.

and I extremely highly recommend moving /WEB-INF outside your webroot

andreas · October 30, 2020, 8:28pm

Sorry for the beginner/newbie question, but I’ve only found people saying to use these environment variables, but I didn’t find anything about how and where to set them. Maybe that is something everybody knows, and I might not see the obvious. Are these Lucee environment variables set in Tomcats i setenv.sh/ .bat file, or java args in Lucees windows service? Or somewhere else?

bdw429s · October 30, 2020, 8:38pm

The env variables in Lucee are pretty poorly documented IMO. There is a spreadsheet here that’s sort of a “live document” of all the main ones.

I knew about the setting above, but only because I happened across it while reading some Lucee commits the other day.

As far as how to use them, Lucee will look either for a JVM system property or an OS environment variable, which can be set at a global level, a user level, or even inside the process running Lucee (just how env vars work).

Further more, Lucee will do several checks replacing underscores with periods like LUCEE_ADMIN_ENABLED and LUCEE.ADMIN.ENABLED. I don’t think any of that is documented, I just know it from reading the source code.

github.com

lucee/Lucee/blob/5.3/core/src/main/java/lucee/commons/io/SystemUtil.java#L1256-L1271


      
          	public static String convertSystemPropToEnvVar(String name) {
          		return name.replace('.', '_').toUpperCase();
          	}
          
          
	/**
          	 * returns a system setting by either a Java property name or a System environment variable
          	 * 
          	 * @param name - either a lowercased Java property name (e.g. lucee.controller.disabled) or an
          	 *            UPPERCASED Environment variable name ((e.g. LUCEE_CONTROLLER_DISABLED))
          	 * @param defaultValue - value to return if the neither the property nor the environment setting was
          	 *            found
          	 * @return - the value of the property referenced by propOrEnv or the defaultValue if not found
          	 */
          	public static String getSystemPropOrEnvVar(String name, String defaultValue) {
          		// env
          		String value = System.getenv(name);

github.com

lucee/Lucee/blob/5.3/core/src/main/java/lucee/commons/io/SystemUtil.java#L1243-L1245


      
          			}
          		}
          		return url;

andreas · October 30, 2020, 8:56pm

Yes, that is what I also think. There are lot’s of to do’s in the docs. I’ll try to dig into this and add some contribs to the docs as soon as I can. Thanks for the github code links.

Roberto_Marzialetti · October 14, 2022, 4:03pm

There is a lucee function to access system properties
and environment variables such as getSystemPropOrEnvVar()

I can read these variables are with:

server.system.environment.$KEY
server.system.properties.$KEY

I set them with CommandBox

bdw429s · October 14, 2022, 4:39pm

Did you intend to say “IS there a lucee function?”

If so, the answer is no. When working with legacy apps that don’t have the ColdBox helper, I usually write a UDF like so:


function getSetting( settingName, defaultValue='' ) {
	// Return system prop first, then env var, then default value
	return server.system.environment[ settingName ] ?: server.system.environment[ settingName ] ?: defaultValue;
}

Roberto_Marzialetti · October 14, 2022, 5:00pm

Should be

Thank you Brad!

Zackster · October 14, 2022, 5:26pm

bdw429s · October 14, 2022, 6:14pm

@Zackster This is an old thread. You’ll notice I typed that comment you quoted back in October of 2020 and at that point in history this is what that page contained, which was basically empty!

github.com

lucee/lucee-docs/blob/cf77287e06252ce4cdea4d9edcccc85e6b596ad1/docs/04.guides/13.Various/01.system-properties/page.md

---
title: System Properties
id: running-lucee-system-properties
---

# System properties #

System properties supported by Lucee

* **lucee.base.dir** - base directory for the engine
* **lucee.server.dir** - server context, same as init param lucee-server-directory
* **lucee.web.dir** - web context, same as init param lucee-web-directory
* **lucee.controller.interval** - number of milliseconds between controller calls, 0 to disable controller [useful for benchmark testing etc]
* **lucee.full.null.support** - Turns full null support on or off (true/false)
* **lucee-extensions** - Comma-delimited list of GUID IDs that correspond to extensions Lucee should install automatically
* **lucee.enable.dialect** - Enable the experimental Lucee dialect (true/false)

Find the ID of your extension for the `lucee-extensions` property on this page: [http://preview.lucee.org/download/?type=extensions](http://preview.lucee.org/download/?type=extensions)

All the useful stuff on that page was added about 3 months after my comment

andreas · October 15, 2022, 1:01pm

Yeah! Took 3 heavy days getting all that content from many sources and source code, experimenting, structuring and writing it all together for that PR feels great seeing Lucee admins using that content!!!