Hello, I am new to Lucee and am working on the security hardening of an existing installation. Versions as noted above. I know nothing about ColdFusion but a decent amount about Apache.
For instance, this page on securing WEB-INF by moving it outside the document root: Securing /WEB-INF/ by moving it outside of the web root :: Lucee Documentation The page says HOW to do so but not WHY. It just says “if you wish to” but the page title would indicate there is some security implication of doing so or not doing so. So, what is the effect on security?
In our configuration everything coming on port 443 (if the servername is right) is redirected by Apache to Lucee like so:
<Location />
ProxyPreserveHost On
ProxyPass http://127.0.0.1:8888/
ProxyPassReverse http://127.0.0.1:8888/
</Location>
<Location /lucee>
Order Deny,Allow
Deny from all
Allow from 127.0.0.1
</Location>
If I try to access WEB-INF or anything under it, I get a 404 from tomcat. That exposes the tomcat version number, which I don’t want exposed, but it doesn’t otherwise seem problematic. I’m not completely sure how Tomcat/Lucee is configured; it’s more of a black box to me than Apache. For instance there is an .htaccess file in WEB-INF and in WEB-INF/lucee, but Apache is set to ignore those (AllowOverride None) and I don’t know where the equivalent Lucee or Tomcat control is. Any guidance on this would be helpful.
Re version: we wanted to update to 5.4.3.2 but it’s affected by [LDEV-4675] - Lucee and there isn’t a later release marked as “production ready.”
Another point, most tomcat hardening guides recommend removing all the default apps including webapps/ROOT, but it seems that lucee actually uses that one? Is that the intended default configuration or should lucee have that somewhere else?
Note there are TWO different WEB-INF directories. One is /var/www/html/our-company/WEB-INF/lucee/ (nothing in WEB-INF there but lucee/) and the other is /opt/lucee/tomcat/webapps/ROOT/WEB-INF/lucee/ but the contents appear identical.
According to the inline documentation in tomcat/conf/web.xml, there are two parameters, lucee-server-directory and lucee-web-directory, that will be set to the commented out defaults if not defined explicitly. But both defaults are supposedly in /var/Lucee/config/ which doesn’t exist. (/var/Lucee doesn’t exist at all.)
I think the actual defaults may be /var/www/html/our-company/WEB-INF/lucee (or some prefix thereof) and /opt/lucee/tomcat/webapps/ROOT/WEB-INF/lucee (or some prefix thereof). Haven’t yet verified this by testing (i.e. by uncommenting and overwriting the two parameters to see where stuff gets placed).
The documentation says that the “process which runs lucee” needs to have write access to whatever directory is specified, which is also misleading as it is actually the tomcat user (whatever it is named, we use cfuser) which needs to have that access, right? I don’t think there is such a thing as a separate lucee process, is there??
And it’s still not clear to me whether WEB-INF needs to move or not for better security, and if it does need to move, which of the two WEB-INF dirs should move and to where.