Preventing New Web Contexts

Running Lucee 4.5 on Linux and Apache.

My understanding is that to set up a new Lucee site (i.e. a new web
context), we would need to do the following general steps:

  1. Set up the hosting directory.
  2. Set up the website in Apache.
  3. Browse to /lucee/admin/web.cfm under the domain.

Our experience is that this will create the new web context, with the
WEB-INF directory, under the hosting directory for the website and mod_cfml
will configure Tomcat appropriately.

However, this means that anyone could browse to lucee/admin/web.cfm under
any of the other sites hosted on that server, and it would create a new web
context, which would be a huge problem/security concern.

I must be missing something!

How do I configure Lucee and/or Apache to prevent web contexts from being
created under other sites?

Thanks in advance for any assistance.

I’m not sure how you came to that conclusion, but mod_cfml does NOT create contexts based off a request for /lucee/admin/web.cfm.

The code is open, and you can see for yourself that new contexts are created based off the “host” value of the HTTP header request (this is the same method Tomcat uses to identify separate contexts), which must be authenticated by the secret key that Apache passes on to Tomcat, and new contexts are only created when that “host” value can’t be resolved to an existing context by Tomcat. Usually the “host” value just contains the domain of what you’re trying to hit, but it can also be an IP address, or whatever resolves to a “host” value in your web server. A non-domain value might be something like “vivio.local”, if I’m developing something locally and I want to use Lucee with it.

--
Kind regards,
Jordan Michaels
Vivio Technologies

----- Original Message -----
From: “Steve Lauen” <@Steve_Lauen>
To: “Lucee” lucee@googlegroups.com
Sent: Thursday, September 1, 2016 2:56:34 PM
Subject: [Lucee] Preventing New Web Contexts


Thanks Jordan. In hindsight, I’m not sure how I came to that conclusion.
I thought I saw it in a posting on this forum or somewhere else online,
but can’t put my hands on it now. That’s the process we used to create the
web context for the only site for which we are using Lucee, and it just
stuck in my head.

Forgive my ignorance, but, hopefully you or someone else could further
clarify things for me. We’ve got a server on which we host a number of
websites. Only one of them uses Lucee. As a result, we have only one web
context. I would rather not have web contexts created for the other,
non-Lucee websites that we host on that server. My reasoning is that we
don’t need our system cluttered with the web contexts and WEB-INF folders
for those sites, if they aren’t using Lucee. Plus, it just seems more
secure to not have the extra, unneeded web contexts on the server.

So…a couple questions:

  1. Let’s say I set up a new website on that server, called steveco.com. I
    want to use Lucee with it. I have the hosting directory set up and have the
    site set up in Apache. What’s the recommended process for creating a web
    context for steveco.com?

  2. Let’s say I set up another new website on that server, called
    lauenco.com. I will not be using Lucee with it. I want to make sure that
    a Lucee web context never gets set up for that website. How do I go about
    preventing a web context from being created for that website?

Thanks again for your help.

– Steve

Hi Steve,

In your case, you don’t need mod_cfml. I’d simply remove it (there are two configs for it, one in the server.xml file and one in your apache config), or don’t install it during installation.
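
An added example, not code from this thread or from the mod_cfml project: a small Python check for the two places named in the reply above, reporting a mod_cfml valve left in server.xml (and whether it carries a shared key) and any active mod_cfml lines in the Apache config. The valve class name `mod_cfml.core`, the `sharedKey` attribute, the Apache directive names and the sample file contents are assumptions or constructed values; compare them with your own installation.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample configs (not from the thread). The valve class name and
# the Apache directive names are assumptions; compare with your own files.
SAMPLE_SERVER_XML = """<Server>
  <Service name="Catalina">
    <Engine name="Catalina" defaultHost="localhost">
      <Valve className="mod_cfml.core" sharedKey="" maxContexts="200"/>
      <Host name="steveco.com" appBase="webapps">
        <Context path="" docBase="/var/www/steveco.com"/>
      </Host>
    </Engine>
  </Service>
</Server>"""

SAMPLE_APACHE_CONF = """\
# LoadModule modcfml_module modules/mod_cfml.so
LoadModule modcfml_module /usr/lib/apache2/modules/mod_cfml.so
CFMLHandlers ".cfm .cfc .cfml"
ModCFML_SharedKey "example-key"
"""

def audit_server_xml(xml_text):
    """Return (findings, explicit_hosts) for a Tomcat server.xml string."""
    root = ET.fromstring(xml_text)
    findings = []
    for valve in root.iter("Valve"):
        if valve.get("className", "").lower().startswith("mod_cfml"):
            findings.append("mod_cfml valve present")
            # An empty or missing key means requests are not authenticated.
            if not valve.get("sharedKey"):
                findings.append("mod_cfml valve has no sharedKey")
    hosts = sorted(h.get("name") for h in root.iter("Host") if h.get("name"))
    return findings, hosts

def audit_apache_conf(conf_text):
    """Return active (uncommented) mod_cfml-related directive lines."""
    pattern = re.compile(
        r"^\s*(LoadModule\s+modcfml_module|ModCFML_\w+|CFMLHandlers)\b", re.I)
    return [ln.strip() for ln in conf_text.splitlines() if pattern.match(ln)]

if __name__ == "__main__":
    findings, hosts = audit_server_xml(SAMPLE_SERVER_XML)
    print("server.xml findings:", findings)
    print("explicitly defined hosts:", hosts)
    print("active Apache lines:", audit_apache_conf(SAMPLE_APACHE_CONF))
```

An empty result from both functions means neither file still references mod_cfml; the host list shows which sites are defined by hand in server.xml.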