OS : Linux 4.14.281-212.502.amzn2.aarch64 (also x86_64)
Java Version : OpenJDK Runtime Environment Corretto-126.96.36.199.1 (build 11.0.15+9-LTS)
Tomcat Version : 9.0.58-1
Lucee Version : 188.8.131.52 and 184.108.40.206
I’m in the process of wrapping up an update to Lucee 5.3 for a legacy system and running into unexpected behavior with some of the lockdown steps I’ve taken. Specifically, I’m attempting to use the LUCEE_ADMIN_ENABLED/lucee.admin.enabled environment variable and system property.
By default I am setting this value to false, and Lucee behaves as I expect. If I change the value to true and restart Tomcat, I still receive a 404 for the admin. If I manually add the mapping to lucee-server.xml for lucee-admin.lar, I will be able to reach the admin. Changing lucee.admin.enabled and restarting Lucee will not disable the admin at this point.
My goal is to have the admin disabled by default in production, but enable developers to run a script to turn it on if they need to troubleshoot. From the documentation, I believed that we could use this variable/property to control the admin, though I’m beginning to wonder if it’s only read on the first run.
From a troubleshooting standpoint, I am running on Linux, and I have confirmed that the property is present on the java command line when launching Tomcat and that the environment variable is visible within the process. As indicated above, I’ve also tested on both 220.127.116.11 and 18.104.22.168.
My main questions are:
- Does changing the property have any effect after first launch?
- Would it be more reliable for me to add/remove the mapping to lucee-admin.lar?
- Is there a reliable way to verify the other security related properties (lucee.extension.install, lucee.enable.bundle.download, and lucee.upload.blocklist) are working properly?
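As an added example (not code from the thread or from Lucee), the following POSIX shell script does the verification the post describes: it reads /proc/<pid>/cmdline and /proc/<pid>/environ of the Tomcat process to show the -D property and the environment variable each of the four named properties resolves to, then probes the admin URL and expects a 404. It assumes the other env-var names follow the LUCEE_ADMIN_ENABLED convention, that the system property wins over the env var when both are set, and that the admin lives at /lucee/admin/server.cfm.

```shell
#!/bin/sh
# Added example, not code from the thread: check that the Lucee lockdown
# settings actually reached the Tomcat JVM, then probe the admin URL.
# Assumes Linux /proc (readable for the Tomcat user or root) and curl.
# Properties named in the thread; env-var spellings are derived by the same
# rule that maps lucee.admin.enabled to LUCEE_ADMIN_ENABLED (an assumption).
LUCEE_PROPS="lucee.admin.enabled lucee.extension.install lucee.enable.bundle.download lucee.upload.blocklist"

# Property name -> environment-variable name (upper case, dots to underscores).
env_name() {
  printf '%s' "$1" | tr 'a-z.' 'A-Z_'
}

# Value of -D<name>=<value> in a NUL-separated cmdline read from stdin
# (/proc/<pid>/cmdline). Last occurrence wins, as in the JVM. Empty if unset.
prop_from_cmdline() {
  pat=$(printf '%s' "$1" | sed 's/\./\\./g')   # escape dots for the regex
  tr '\0' '\n' | sed -n "s/^-D$pat=//p" | tail -n 1
}

# Value of <NAME>=<value> in a NUL-separated environ read from stdin
# (/proc/<pid>/environ: the environment the JVM was started with). Empty if unset.
env_from_environ() {
  tr '\0' '\n' | sed -n "s/^$1=//p" | tail -n 1
}

# What Lucee should see: assumed here that the system property wins over the
# environment variable when both are set (check the Lucee docs if in doubt).
effective_value() {
  if [ -n "$1" ]; then printf '%s' "$1"; else printf '%s' "$2"; fi
}

# Print cmdline, env and effective value of each property for a Tomcat PID.
report_pid() {
  for p in $LUCEE_PROPS; do
    c=$(prop_from_cmdline "$p" < "/proc/$1/cmdline")
    e=$(env_from_environ "$(env_name "$p")" < "/proc/$1/environ")
    printf '%-30s cmdline=%-8s env=%-8s effective=%s\n' \
      "$p" "${c:-(unset)}" "${e:-(unset)}" "$(effective_value "$c" "$e")"
  done
}

# HTTP status of the admin; 404 is the expected answer while it is disabled.
admin_status() {
  curl -s -o /dev/null -w '%{http_code}' "$1/lucee/admin/server.cfm"
}

# Usage: sh check_lucee_lockdown.sh <tomcat-pid> [http://127.0.0.1:8080]
if [ -n "${1:-}" ]; then
  report_pid "$1"
  printf 'admin status: %s (404 expected when disabled)\n' "$(admin_status "${2:-http://127.0.0.1:8080}")"
fi
```

This proves the settings reached the JVM process and what the admin currently answers; it does not prove that Lucee re-reads them after the first run, which is the open question above.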
Are you referring to the Disabling the Lucee Administrator section of the Lucee Lockdown Guide?
I’m not able to answer your three main questions, but I can say that the section below that, Restrict Access to the Lucee Administrator and other folders, worked for me, although I did need to update it for Apache 2.4:
Require ip 127.0.0.1
cPanel root users can apply this globally via:
WHM > Service Configuration > Apache Configuration > Include Editor > Post VirtualHost Include
And see the next section in the Lockdown Guide, SSH Tunnelling or Remote Desktop, for how your devs can access the Admin for troubleshooting via 127.0.0.1, or you can simply add their ip addresses to the Require list separated by spaces.
Thanks, Lionel. I do have additional levels of protection set up within the web-layer, but I would love to fully disable the administrator component given that my client doesn’t rely on it in production. In the extremely rare case that this is needed for troubleshooting (once every couple years), I want a way to enable admin locally so that they can access through a tunnel.
In addition to the Lucee Lockdown Guide reference, the document System Properties and Environment Variables describes how this should be accomplished.
It doesn’t seem that this approach has any effect (or possibly only works at initial deployment). Without clarity on expectations, this gives me some concern since I’m also leveraging several other properties to harden the server.
I can’t remember for sure, but I’d say the admin gets deployed on first run when the contexts get created.
I’d wait until Lucee 6 is out, because there will be a new feature where Lucee will be able to run in single context mode (without any web context for each wwwroot). This might affect anything that you might be experimenting with now. Can’t really say for sure.