Lucee server hardening

OS: Debian 11
Java Version: 11.0.20+8
Tomcat Version: 9.0.78
Lucee Version:

Hello, I am new to Lucee and am working on the security hardening of an existing installation. Versions as noted above. I know nothing about ColdFusion but a decent amount about Apache.

I found this guide: Lucee Security Best Practices :: Lucee Documentation but there are certain questions left unanswered.

For instance, this page on securing WEB-INF by moving it outside the document root: Securing /WEB-INF/ by moving it outside of the web root :: Lucee Documentation The page says HOW to do so but not WHY. It just says “if you wish to” but the page title would indicate there is some security implication of doing so or not doing so. So, what is the effect on security?

the idea is to keep everything out of the webroot that doesn’t need to be

i.e. nothing that doesn’t need to be publicly accessible should be under the webroot.

if you don’t do this, you need to add webserver rules to block access to /WEB-INF

Speaking of hardening your server, you shouldn’t be running, as it’s subject to a CVE

Hi Zackster, thanks for the quick response!

In our configuration everything coming on port 443 (if the servername is right) is redirected by Apache to Lucee like so:

  <Location />
    ProxyPreserveHost On
  <Location /lucee>
    Order Deny,Allow
    Deny from all
    Allow from

If I try to access WEB-INF or anything under it, I get a 404 from tomcat. That exposes the tomcat version number, which I don’t want exposed, but it doesn’t otherwise seem problematic. I’m not completely sure how Tomcat/Lucee is configured; it’s more of a black box to me than Apache. For instance there is an .htaccess file in WEB-INF and in WEB-INF/lucee, but Apache is set to ignore those (AllowOverride None) and I don’t know where the equivalent Lucee or Tomcat control is. Any guidance on this would be helpful.

Re version: we wanted to update to but it’s affected by [LDEV-4675] - Lucee and there isn’t a later release marked as “production ready.”

Another point, most tomcat hardening guides recommend removing all the default apps including webapps/ROOT, but it seems that lucee actually uses that one? Is that the intended default configuration or should lucee have that somewhere else?

Note there are TWO different WEB-INF directories. One is /var/www/html/our-company/WEB-INF/lucee/ (nothing in WEB-INF there but lucee/) and the other is /opt/lucee/tomcat/webapps/ROOT/WEB-INF/lucee/ but the contents appear identical.

According to the inline documentation in tomcat/conf/web.xml, there are two parameters, lucee-server-directory and lucee-web-directory, that will be set to the commented out defaults if not defined explicitly. But both defaults are supposedly in /var/Lucee/config/ which doesn’t exist. (/var/Lucee doesn’t exist at all.)

I think the actual defaults may be /var/www/html/our-company/WEB-INF/lucee (or some prefix thereof) and /opt/lucee/tomcat/webapps/ROOT/WEB-INF/lucee (or some prefix thereof). Haven’t yet verified this by testing (i.e. by uncommenting and overwriting the two parameters to see where stuff gets placed).

The documentation says that the “process which runs lucee” needs to have write access to whatever directory is specified, which is also misleading as it is actually the tomcat user (whatever it is named, we use cfuser) which needs to have that access, right? I don’t think there is such a thing as a separate lucee process, is there??

And it’s still not clear to me whether WEB-INF needs to move or not for better security, and if it does need to move, which of the two WEB-INF dirs should move and to where.

@mweilgart Re: Tomcat version number, take a look at Apache Tomcat 9 (9.0.80) - Security Considerations. The config options you want are in the “Valves” section, but that document has lots great information.

To disable Tomcat version disclosure, you can set the property to an arbitrary value or set an ErrorReportValve to showReport="false"

1 Like