Blocking access to /lucee/admin/ mappings on Ubuntu

Hi guys,

I hope someone can help me.

I’m working on my first Lucee box on EC2 and after many headaches and hurdles I’m getting somewhere!

I want to lock down /lucee/admin/ for security and cosmetics in production, but I’m finding that very hard.

I’m using VirtualMin/Apache with Lucee auto-installed on top of it.

Just as I have my EC2 instance’s SSH locked down to certain IPs, and I have phpmyadmin locked down to certain IPs with a .htaccess rewrite rule, I want to do the same with /lucee/admin/.

I’ve tried .htaccess rewrite rules but it looks like they aren’t effective with the /lucee/* mappings.

The docs (linked) say you can use this Rewrite rule:

RewriteCond %{REMOTE_ADDR}       !=127\.0\.0\.1
RewriteRule ^.*/lucee/admin/   -   [F]

But that doesn’t work for my virtual host.

Whereas this does work to lock down my /phpmyadmin:

RewriteCond %{REMOTE_HOST} !^33\.145\.20\.307
RewriteCond %{REQUEST_URI} /(phpmyadmin|server_tools|WEB-INF|lucee)(.*)
RewriteRule .* /403.shtml [L]

I hope that’s clear and I hope someone can help. Thanks in advance.

Update:

If anyone can offer guidance on how to do rewrite-level IP blocking that would be great.

But for now it seems like if you XML-comment out the relevant mapping(s) in:
/opt/lucee/tomcat/lucee-server/context/lucee-server.xml

…and reboot with…
/opt/lucee/lucee_ctl restart

… you can block /lucee/admin access by disabling the mapping.

Did you try with this Lockdown Guide :: Lucee Documentation?

Yes, I did but sadly the docs have code snippets with no instructions as to where to locate them!!!

Yeah, but there was some hint, like "Apache directive". On Windows, check here: C:\xampp\apache\conf\httpd.conf
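
An added example, not part of any post above and not taken from the Lucee docs: the IP restriction the thread is after, written for the Apache virtual host configuration instead of .htaccess. It assumes Apache 2.4 and that requests under /lucee/ are handed to Tomcat by a proxy set up at server level, in which case per-directory .htaccess rules are not consulted for them; the IP address 203.0.113.10 is a placeholder.

```apache
# Added example (not from the thread or the Lucee docs).
# Put this inside the site's <VirtualHost> block or the main server config,
# not in .htaccess. 203.0.113.10 is a placeholder for your own admin address.

# Option A: authorization on the URL path (mod_authz_core + mod_authz_host).
# <LocationMatch> is evaluated against the request URL, so it also covers
# requests that are proxied and never map to a directory on disk.
# (?i) makes the match case-insensitive so /Lucee/Admin/ is covered too.
<LocationMatch "(?i)^/lucee/admin(/|$)">
    <RequireAny>
        Require ip 127.0.0.1 ::1
        Require ip 203.0.113.10
    </RequireAny>
</LocationMatch>

# Option B: the mod_rewrite approach, adapted to vhost context.
# In vhost context the pattern is matched against the full URL path,
# including the leading slash. Use A or B, not both.
#
# RewriteEngine On
# RewriteCond %{REMOTE_ADDR} !=127.0.0.1
# RewriteCond %{REMOTE_ADDR} !=203.0.113.10
# RewriteRule ^/lucee/admin(/|$) - [F,NC]
```

After editing, check the syntax with apachectl configtest, reload Apache, and confirm that a request to /lucee/admin/ from an address not on the list returns 403.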