Require all denied don't work

silvioacrom · June 11, 2018, 12:21pm

Hello Lucee Community

We use Lucee latest release with apache 2.4
(configuration: Blog | Configuring Lucee 5.1 with Apache 2.4 on Windows Server using mod_cfml.)

now i can’t whitelist some ip’s over .htaccess i tryed it with “require all denied” and with “Order Allow,Deny”
but it dosen’t work for .cfm/cfc files. (if i add a .jpg to the folder, the jpg is blocked) but .cfm / .cfc files are still reachable. Same issue if i add “requiere all denied” to the apache conf.

Someone has a fix for this problem?

Thank you

Terry_Whitney · June 11, 2018, 1:10pm

Mod_JK and Mod_Proxy roughly do the same thing, which is they take a listener at the localhost and match them up with session requests from Apache.

Either one of these directives only see ColdFusion running at the local system.

You could in ColdFusion check the remote IP and take action
You could firewall all systems out except those that are whitelisted

silvioacrom · June 11, 2018, 1:13pm

i supposed some like this. okay thank you. then we will handle it with CFM.

David_Raschper · June 11, 2018, 1:18pm

If you using mod_proxy you can:

<proxy *>
  Order Deny,Allow
  Deny from all
  Allow from 127.0.0.1/24
</proxy>

silvioacrom · June 11, 2018, 1:23pm

hey david thank you.

this is working!

but is it possible to do this for a specific folder? or multiple folders. Thanks!

David_Raschper · June 11, 2018, 1:35pm

Mhh i dont know.
I checked the docs and this should be possible:

<Proxy "http://example.com/foo/*">

If that dont work, you can try to put a location-block around it.

silvioacrom · June 11, 2018, 1:47pm

hmm don’t work for me

lucee need this entry i guess:

<Proxy *>
</Proxy>

if i wrap a <directory> outside or inside i get a apache error on start.

if i add a second entry. like:

<Proxy *>
</Proxy>
<proxy /folder/xyz>
  Order Deny,Allow
  Deny from all
  Allow from 127.0.0.1/24
</proxy>

nothing happend.

David_Raschper · June 11, 2018, 1:49pm

Your doing this in a server-context or a vhost?
I guess if you are in the server-context, you have to add the domain like the example above.

silvioacrom · June 11, 2018, 1:56pm

Apache/conf/httpd.conf
i tryed with url and local path.

David_Raschper · June 11, 2018, 2:33pm

Ah got it. Use ProxyMatch instead of Proxy

<ProxyMatch /folder/>
    Order Deny,Allow
    Deny from all
    Allow from 127.0.0.1/24
</ProxyMatch>

silvioacrom · June 11, 2018, 2:41pm

after the

<Proxy *>
</Proxy>

?

David_Raschper · June 11, 2018, 2:44pm

What excatly you want to do?

If you just want to whitelist a folder and nothing else, you just have to use the proxymatch-directive without the proxy-directive.

silvioacrom · June 11, 2018, 2:49pm

i want allow from all, for my entry /project/ folder.
but for one specific folder “/project/xyz/system/”
i want deny all and whistelist some ip’s

David_Raschper · June 11, 2018, 2:53pm

Than you just have to do:

<ProxyMatch /project/xyz/system/>
    Order Deny,Allow
    Deny from all
    Allow from 127.0.0.1/24
</ProxyMatch>

You dont have to use the proxy-directive in this case.
But i have set this in the vhost and not in the server-context.

silvioacrom · June 11, 2018, 3:09pm

i tryed to use this in the vhost, i get an apache error. Can’t start the server. did ProxyMatch not require regex?

David_Raschper · June 11, 2018, 3:15pm

Yes it uses regex and it should work.
Its working fine for me.

Can you show me the vhost.conf?
What does apache says on startup, you should be able to see the error why its not starting.

silvioacrom · June 11, 2018, 3:24pm

i added a * at the end, now it works fine!! Thank you man you are the hero of the day

David_Raschper · June 11, 2018, 3:28pm

No Problem
I am glad that i could help you.