Blocking remote access to admin


#1

OK so up till now I have always used a rule in IIS to block access to server admin, thus still allowing access to web admin.
A user on cfmldeveloper this week reports they were being denied remote access to their web admin.
After some investigation I discovered this was caused by a setting in BonCodeAJP13.settings which denied remote admin access.
I assume this setting has been added by a recent update since this was never there previously.
Unfortunately this setting also now overrides my request filtering rules in IIS, and so if I set it to true, access to the server admin is now also allowed on every site.

Any way to get this back to the way it worked before?


#2

I’m not sure how long Boncode has had that setting. It’s been there for as long as I’ve used Boncode, but that’s not a very long time. I’m a little confused why you can’t just turn off the Boncode filter and then go back to using your IIS filter. What exactly is the issue with that?


#3

I’m a little confused why you can’t just turn off the Boncode filter and then go back to using your IIS filter

I’m not sure what you mean by “go back to using my IIS filter”, as I haven’t stopped using it, so there is nothing to go back to. As stated, “this setting also now overrides my request filtering rules in IIS”.

What exactly is the issue with that?

The issue is that I do not want it to override my URL filter, as the whole purpose of the URL filter is to block remote access to the server admin.
And before you say “just use the boncode filter then”, the whole point in this question is because this blocks access to web admin and server admin, which is no good, as users need access to the web admin.


#4

Sorry, I guess we’re not on the same page. The setting in Boncode that disables access to the administrators is called EnableRemoteAdmin. See the docs here:

http://www.boncode.net/connector/webdocs/Tomcat_Connector.htm#_Toc483166268

You just configure that setting in your BonCodeAJP13.settings file:

<EnableRemoteAdmin>True</EnableRemoteAdmin>

The default is true which allows access. The reason I’m confused is because I assume it should be a very quick and easy fix for you to simply turn off (or on, as it were) this setting. What do you have this setting set to? According to the docs, it defaults to true which means the remote admin is accessible. Am I missing something or were you just not aware of this setting?


#5

I am confused why you are telling me about this setting? Obviously I know where this setting is, which is how I was able to edit it in the first place and why I am posting this question to begin with.

I have explained exactly what the issue is, but I will try and simplify it further:

There is a file called BonCodeAJP13.settings in c:\windows

In this file there is the following setting.
EnableRemoteAdmin

It was set to FALSE by default.
When it is set to false, it blocks all access to the Lucee admins (both of them).
When it is set to true, it allows access to the Lucee admins, but also overrides the IIS URL filter.

The Lucee admin has 2 sections. Web admin, which is used by each website owner to configure their own website.
Server admin, which is used to control the server wide settings.

The purpose of the URL filter I use is to block the server only. This means the web admin is still accessible to website owners.

I hope it is clear now.
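As an added illustration of the IIS-side lock-down described in this thread (not a config from the thread, from Lucee or from BonCode’s docs): a per-site web.config that uses IIS IP and Domain Restrictions to allow the Server Admin URL only from the local machine while leaving the Web Admin unrestricted. It assumes Lucee’s default admin paths (/lucee/admin/server.cfm and /lucee/admin/web.cfm), that BonCode’s EnableRemoteAdmin is left at True so the connector itself does not block either admin, and that the ipSecurity section has been unlocked for site-level use in applicationHost.config.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<configuration>
  <!-- Scope the restriction to the Server Admin script only. The Web Admin
       (/lucee/admin/web.cfm) is not covered by this <location>, so site
       owners keep access to it. Paths assumed from Lucee's defaults. -->
  <location path="lucee/admin/server.cfm">
    <system.webServer>
      <security>
        <!-- allowUnlisted="false": deny every client not listed below.
             Requires the "IP and Domain Restrictions" role service and the
             ipSecurity section to be unlocked in applicationHost.config
             (by default it is locked at the server level). -->
        <ipSecurity allowUnlisted="false">
          <add ipAddress="127.0.0.1" allowed="true" />
          <add ipAddress="::1" allowed="true" />
        </ipSecurity>
      </security>
    </system.webServer>
  </location>
</configuration>
```

Remote requests for the Server Admin receive an IIS 403 before any handler runs; after deploying, verify from a non-local host that server.cfm is refused while web.cfm still loads, since the thread reports a connector version where the IIS rule was not honoured.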


#6
  • There is a setting in BonCode that blocks access to the administrator through the IIS connector
  • You have configured this setting to block access to the admin
  • You don’t like the fact that this setting is blocking access to the admin
  • You need to change the setting.

I don’t know what else to tell you. If you don’t like it, change it. Like seriously, am I missing something here?


#7

There is a setting in BonCode that blocks access to the administrator through the IIS connector
Yes, I know, since that is what we have been talking about all along.

You have configured this setting to block access to the admin
No, I haven’t. Read my previous replies more carefully.

You don’t like the fact that this setting is blocking access to the admin
I never said that. Read my previous replies more carefully.

You need to change the setting.
I did. Read my replies more carefully.


#8

I think you are getting the values the wrong way round.

When you set EnableRemoteAdmin = true

This means remote access to the admins is ALLOWED


#9

I believe what he’s saying is:

When BonCode EnableRemoteAdmin is False - neither admin is available anywhere.

When BonCode EnableRemoteAdmin is True - His REQUEST FILTERS are BEING IGNORED. So BOTH admins are available EVERYWHERE.

So the suggestion to filter the admins, which he’s trying to do, isn’t working.

I can’t verify the assertion because I don’t run anything in IIS or BonCode - but I believe that’s what he’s reporting. :slight_smile:


#10

Thanks for chiming in, Joe. I was coming to that same conclusion, but only after Russ edited his second reply to include a ton more information than he had originally typed.

I don’t know what sort of “filters” are being implemented (i.e., rewrites or hidden segments, etc) but I’m surprised to hear that BonCode is somehow siphoning off the traffic before the IIS filters are applied. I’d recommend you post this to the issue tracker at BonCode’s repo since this question seems to really have nothing to do with Lucee and I don’t believe Bilal is part of this Lucee forum.

My guess is that IIS is firing the handler mappings prior to whatever module is implementing the request filtering, but I’m not a super IIS guru.


#11

Thanks, Joe, I thought that is what I had said :slight_smile:


#12

It’s been there since at least 2011 when Bilal put the project on Github:


#13

Well, I can only guess that something changed, since the issue only started after re-installing Lucee. I never even looked at that setting before since I always did the lock down via IIS.


#14

Was your BonCode connector upgraded as part of the Lucee re-installation (i.e. was it a complete overwrite of the installation including BonCode)? If so, try downgrading the BonCode .dll files (there are 2 of them in the BIN folder) to see if it’s the culprit.

It looks like the current Lucee installer ships with BonCode v1.0.36. The minimum version for Lucee is v1.0.20 (from 2015 when Lucee was first released).