Is it possible to block remote access to Lucee admins via BonCode connector?

Hi,

I would like to block remote access to the Lucee Server and Web admins and keep
them accessible only from 127.0.0.1.

I have noticed that even if I set
False in BonCodeAJP13.settings, the
admins are still accessible. If I recall correctly, with Railo this worked.

I know, I could put a rewrite rule in each context and achieve the same
thing, but if it could be done via the BonCode settings server-wide, it
would be cleaner.

So I was wondering how other people deal with this?

Regards

Ivan

Hi Ivan

To block the Lucee server interface we opted for denying access to it in
IIS.
We added a Deny Sequence rule in the Request Filtering section in IIS.
Add the deny rule that reads: lucee/admin/server.cfm

This will lead to a 404 error when accessing server.cfm from all URLs
except 127.0.0.1.
Maybe not a very clean approach, but it works for us.

Hope this helps.
–David

On Friday, March 20, 2015 at 3:42:58 PM UTC+1, rot…@smartway.cz wrote:
[quote of the original post above]

Ivan,
please check your connector version.
On the server:
http://localhost/any.cfm?BoncodeConnectorVersion=true

It should say 1.0.20+

If not, you need to upgrade the connector or use IIS IP blocking to disable
access. The latest Lucee installer already has the correct version.

Once done, you should see this message when attempting to access anything
that looks like a Lucee URL from remote, including canonicalized
obfuscations:

Access from remote not allowed (2).

Normally the settings file to change is the one in the c:\windows directory.

HTH,
Bilal

Bilal, thanks a lot! My problem was that I was editing the wrong file:
C:/lucee/AJP13/BonCodeAJP13.settings. Once I edited the correct file
located in C:/windows/, access to the admins was blocked properly.

David, I appreciate your solution also. I might just use it for a slightly
different purpose: just now I have found out that the Lucee Documentation
is accessible in a similar way and on some of my sites got picked up by
Google. For example, the path /lucee/doc/tags.cfm?item=cfimage etc… It
seems that a deny rule similar to the one you have described will be a
perfect solution to prevent this.

Regards

Ivan

Hi ML

I would recommend Bilal's suggestion to use the built-in blocker in BonCode.

In IIS we had 2 sites: Default Web Site and one manually created.
We configured IIS on the server level with the deny rule in Request
Filtering.
The manually added site was configured to listen to a specific host name.

We were then only able to access the Default Web Site's Server interface
on http://127.0.0.1:8888/lucee/admin/server.cfm (please notice that we
access the interface on port 8888).
Accessing the manually added site on
http://domain.com/lucee/admin/server.cfm generated HTTP Error 404.5 Not
Found.

Hope this helps.
–David

On Tuesday, March 24, 2015 at 5:17:29 AM UTC+1, ML wrote:
[quote of ML's question, which appears in full below]

On Saturday, March 21, 2015 at 12:02:58 AM UTC+8, David Eurenius wrote:
[quote of David's first reply above]

Hi David,

Could you clarify how you do that? When I add a deny rule for server.cfm,
IIS denies all access including from 127.0.0.1. How do you add an
exception for 127.0.0.1? Thanks.

ML

On Saturday, March 21, 2015 at 12:02:58 AM UTC+8, David Eurenius wrote:
[quote of David's first reply above]
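The two IIS-side controls discussed in this thread, written out as a site-level web.config. This is an added example; it is not from the thread and not Lucee or BonCode project configuration. David's Request Filtering rule is the denyUrlSequences element, and it has no notion of client address, which is why ML sees 127.0.0.1 blocked along with everyone else. The per-address exception ML asks for lives in a different IIS feature, IP and Domain Restrictions (the ipSecurity section, what Bilal calls IIS IP blocking), scoped here to the admin path with a location element. Paths taken from the thread are lucee/admin/server.cfm and /lucee/doc/; the lucee/admin/web.cfm path (the Web admin counterpart of server.cfm), the IPv6 loopback entry and the decision to put the docs under the deny sequence and the admins under the IP restriction are assumptions of the example.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example, not from the thread: a site-level web.config.
     Assumed: the site serves Lucee through the BonCode handler, and the
     admin and docs paths are reached directly under the site root. -->
<configuration>
  <system.webServer>
    <security>
      <!-- Request Filtering deny sequence (David's approach). Any URL
           containing one of these substrings is refused with HTTP 404.5
           for every client, localhost included, so it is used here for
           the bundled documentation that Ivan found indexed by Google. -->
      <requestFiltering>
        <denyUrlSequences>
          <add sequence="lucee/doc/" />
        </denyUrlSequences>
      </requestFiltering>
    </security>
  </system.webServer>

  <!-- IP and Domain Restrictions, scoped to the admin path only. With
       allowUnlisted="false" every address not listed below is refused
       with HTTP 403.6, while the two loopback addresses still reach
       server.cfm and web.cfm. This is the 127.0.0.1 exception that a
       deny sequence cannot express. -->
  <location path="lucee/admin">
    <system.webServer>
      <security>
        <ipSecurity allowUnlisted="false">
          <add ipAddress="127.0.0.1" allowed="true" />
          <add ipAddress="::1" allowed="true" />   <!-- IPv6 loopback, assumed wanted -->
        </ipSecurity>
      </security>
    </system.webServer>
  </location>
</configuration>
```

Two things to check before relying on this. The ipSecurity section is locked at the server level by default (overrideModeDefault="Deny" in applicationHost.config), so either unlock it under Feature Delegation in IIS Manager or put the location block into applicationHost.config instead of the site web.config; and the IP and Domain Restrictions role service has to be installed or the section is ignored. A request for /lucee/admin/server.cfm from a remote address should then return 403.6 and from the machine itself should load the login page, while /lucee/doc/tags.cfm returns 404.5 from everywhere. None of this replaces the connector-side block Bilal describes: that one is enforced inside the BonCode handler regardless of how the IIS sites are configured, and the IIS rules are a second layer for the cases (docs, additional sites) the connector setting does not cover.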

I updated the ajp file in c:/windows and I can still access the administrator from the web.

Sorry for asking, just to be sure… Did you restart IIS?