Lucee server security

I’ve run various versions of Lucee on Windows and Ubuntu (though mostly on Windows OS), and for the server admin it’s simply password protected. This is 1F authentication; I wonder if there’s a way that we can beef up its admin security with 2F authentication or the like.

When you use Apache, you could set up another authentication layer before the user can log in, e.g. password based, LDAP based, …

https://httpd.apache.org/docs/2.4/howto/auth.html

1 Like

Additionally to what @Michael_Diederich already said:
You have a point, but that is true when you forcefully need to expose Lucee’s admin to the public internet. That is usually the case for hosters only, so their users can access the web admin. I suppose you are installing Lucee for yourself only, and you will administer it on your own. In that case it is good practice not to allow any request to that resource from outside at all. I suggest adding a URL rewrite rule to the front-end web server, blocking that access totally. If you want to do some changes, log into your server and call Lucee’s administration sites through port 8888 from there.
In the URL rule you can even restrict access by IP and many more. That would enhance security more than 2F authentication.

1 Like

Additionally to what @andreas said:
You can also use some reverse proxy server like Nginx to only expose what you want from the Lucee server and keep the administration only for local connections; then you can log in to the server shell and access it.

1 Like

Thank you all. I’ll start with @andreas’s approach first. Now, I have two more constraints.
a) It’s an Ubuntu box, so I won’t be able to access the Lucee admin via localhost or 127.0.0.1.
b) I get a dynamic IP address every time I access the internet.

Just use an SSH tunnel.

@Zackster, an SSH shell/tunnel seems to be a terminal session; I cannot fathom a web browser session. Am I missing something here?

You can tunnel everything in SSH when port forwarding (SSH tunnel) is enabled. That means you can use a client on your local dev machine as if you were on your remote machine. There is plenty of information (videos etc.) on the internet about this.

1 Like

Good to know, thank you.

In addition to what @Zackster and @andreas said:
You can also install some browser on the server and make use of X11 forwarding to open a browser session on your local PC via the SSH shell.

2 Likes

Alas, that still won’t work with web admins if you use a CDN like Cloudflare, because even if you are local, your DNS will resolve out to Cloudflare, i.e. you’re always effectively seen as remote, even from localhost. You can add a loopback hosts entry, but that can cause other problems.

What will always work is locally accessing the server admin on 127.0.0.1:8888.

There are plans with Lucee 6 to make this problem go away :slight_smile:

3 Likes
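To tie together the reverse-proxy advice above (block the admin URLs at the front end) and the SSH-tunnel advice (reach the admin as a loopback connection on 127.0.0.1:8888), here is an added example that is not code from the thread or from the Lucee project. The `user@host` value, the local port and the access-log lines are assumptions or constructed samples.

```shell
#!/bin/sh
# Added example (not from the thread). Three pieces a practitioner would script:
#  1. the SSH local port forward that makes a local browser reach Lucee's own
#     HTTP port on the server's loopback interface (bypassing the CDN entirely),
#  2. an nginx location that refuses /lucee/admin/ to anything but loopback,
#  3. an audit over access-log lines that flags admin requests from outside.
# user@host, ports and the log lines below are assumptions / constructed samples.

LUCEE_PORT=8888

# SSH command: local port $2 (default 8888) -> 127.0.0.1:8888 on the server.
# Afterwards open http://127.0.0.1:<local port>/lucee/admin/server.cfm locally.
lucee_tunnel_cmd() {
  printf 'ssh -N -L %s:127.0.0.1:%s %s\n' "${2:-8888}" "$LUCEE_PORT" "$1"
}

# nginx front end: only loopback may reach the admin; everyone else gets 403.
# Case-insensitive match, because servlet paths are matched loosely by clients.
nginx_admin_block() {
  cat <<'EOF'
location ~* ^/lucee/admin/ {
    allow 127.0.0.1;
    allow ::1;
    deny all;
    proxy_pass http://127.0.0.1:8888;
}
EOF
}

# Audit: read combined-format access log lines on stdin and print "ip path" for
# every admin request that did not originate from a loopback address.
audit_admin_access() {
  awk '{
    ip = $1; path = $7
    if (tolower(path) ~ /^\/lucee\/admin\// && ip != "127.0.0.1" && ip != "::1")
      print ip, path
  }'
}

# Constructed sample log (nginx combined format): one local admin hit, one
# external admin hit (mixed case), one ordinary page request.
SAMPLE_LOG='127.0.0.1 - - [01/Jan/2024:10:00:00 +0000] "GET /lucee/admin/server.cfm HTTP/1.1" 200 512 "-" "curl/8.0"
203.0.113.7 - - [01/Jan/2024:10:00:05 +0000] "GET /LUCEE/admin/server.cfm HTTP/1.1" 403 0 "-" "Mozilla/5.0"
203.0.113.7 - - [01/Jan/2024:10:00:06 +0000] "GET /index.cfm HTTP/1.1" 200 2048 "-" "Mozilla/5.0"'

external_admin_hits() {
  printf '%s\n' "$SAMPLE_LOG" | audit_admin_access
}
```

Running `external_admin_hits` on the sample prints only the 203.0.113.7 request, which is exactly the kind of line that should never appear once the deny rule is in place.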

@Zackster good to hear, any estimate of when Lucee 6 would be out?

@omarpta the browser installation and X11 forwarding installation and configuration approach seems very messy… thanks for the idea though.

1 Like