Require all denied doesn't work


#1

Hello Lucee Community

We use the latest Lucee release with Apache 2.4
(configuration: https://hwdevelopment.com/blog/25-configuring-lucee-5-1-with-apache-2-4-on-windows-server-using-mod-cfml)

Now I can’t whitelist some IPs via .htaccess. I tried it with “require all denied” and with “Order Allow,Deny”,
but it doesn’t work for .cfm/.cfc files. (If I add a .jpg to the folder, the .jpg is blocked,) but .cfm/.cfc files are still reachable. Same issue if I add “require all denied” to the Apache conf.

Does someone have a fix for this problem?

Thank you


#2

Mod_JK and Mod_Proxy roughly do the same thing, which is they take a listener at the localhost and match them up with session requests from Apache.

Either one of these directives only sees ColdFusion running at the local system.

You could in ColdFusion check the remote IP and take action.
You could firewall all systems out except those that are whitelisted.


#3

I supposed something like this. Okay, thank you. Then we will handle it with CFM.


#4

If you are using mod_proxy you can:

<proxy *>
  Order Deny,Allow
  Deny from all
  Allow from 127.0.0.1/24
</proxy>

#5

Hey David, thank you.

This is working!

But is it possible to do this for a specific folder, or multiple folders? Thanks!


#6

Mhh, I don't know.
I checked the docs and this should be possible:

<Proxy "http://example.com/foo/*">

If that doesn't work, you can try to put a location block around it.


#7

Hmm, doesn’t work for me.

Lucee needs this entry, I guess:

<Proxy *>
</Proxy>

If I wrap a <directory> outside or inside, I get an Apache error on start.

If I add a second entry, like:

<Proxy *>
</Proxy>
<proxy /folder/xyz>
  Order Deny,Allow
  Deny from all
  Allow from 127.0.0.1/24
</proxy>

nothing happened.


#8

Are you doing this in a server context or a vhost?
I guess if you are in the server context, you have to add the domain like in the example above.


#9

Apache/conf/httpd.conf
I tried with URL and local path.


#10

Ah, got it. Use ProxyMatch instead of Proxy :)

<ProxyMatch /folder/>
    Order Deny,Allow
    Deny from all
    Allow from 127.0.0.1/24
</ProxyMatch>

#11

After the

<Proxy *>
</Proxy>

?


#12

What exactly do you want to do?

If you just want to whitelist a folder and nothing else, you just have to use the ProxyMatch directive without the Proxy directive.


#13

I want allow from all for my entry /project/ folder,
but for one specific folder, “/project/xyz/system/”,
I want deny all and to whitelist some IPs.


#14

Then you just have to do:

<ProxyMatch /project/xyz/system/>
    Order Deny,Allow
    Deny from all
    Allow from 127.0.0.1/24
</ProxyMatch>

You don't have to use the Proxy directive in this case.
But I have set this in the vhost and not in the server context.


#15

I tried to use this in the vhost, and I get an Apache error. Can’t start the server. Does ProxyMatch not require a regex?


#16

Yes, it uses regex and it should work.
It's working fine for me.

Can you show me the vhost.conf?
What does Apache say on startup? You should be able to see the error explaining why it's not starting.


#17

I added a * at the end, now it works fine!! Thank you man, you are the hero of the day :D


#18

No problem :)
I am glad that I could help you.
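
Added example (not part of the thread and not any poster's configuration): the per-folder rule from post #14 written with Apache 2.4's native `Require` syntax instead of the legacy `Order`/`Deny`/`Allow` directives. It assumes mod_proxy hands the .cfm/.cfc requests to Lucee as in the thread; the two non-loopback addresses are placeholders from the documentation ranges, and the `(?i)` flag is a hardening assumption added here.

```apache
# Added example. Place inside the <VirtualHost> that proxies to Lucee
# (post #14 set the rule in the vhost, not the server context).
#
# Why the .htaccess rule in post #1 blocked the .jpg but not the .cfm:
# .htaccess and <Directory> rules are applied to requests that map to a
# filesystem path. A request handed to mod_proxy is not mapped to a file,
# so those rules are not consulted for it. <Proxy>/<ProxyMatch> sections
# are the containers that apply to proxied content.

# Restricted folder: only the listed clients may reach it.
# - The pattern is a regular expression tested against the proxied URL
#   and is unanchored, so it matches anywhere in that URL.
# - (?i) makes the match case-insensitive. Assumption: the backend runs
#   on a case-insensitive filesystem (the thread's server is Windows),
#   where a differently cased URL can resolve to the same template.
<ProxyMatch "(?i)/project/xyz/system/">
    # Apache 2.4 authorization (mod_authz_core / mod_authz_host).
    # Access is granted if ANY of these matches, otherwise it is denied.
    <RequireAny>
        Require ip 127.0.0.1
        # Placeholder addresses, replace with the real whitelist:
        Require ip 203.0.113.10
        Require ip 198.51.100.0/24
    </RequireAny>
</ProxyMatch>

# Everything else under /project/ stays reachable: no rule is needed,
# because only URLs matching the pattern above are restricted.

# Legacy form used in the thread, for comparison. On Apache 2.4 these
# directives are provided by mod_access_compat; the Apache documentation
# discourages mixing them with Require in the same configuration.
#
# <ProxyMatch /project/xyz/system/>
#     Order Deny,Allow
#     Deny from all
#     Allow from 127.0.0.1/24
# </ProxyMatch>
```

Running `httpd -t` before restarting reports the file and line of any syntax error, which covers the "what does Apache say on startup" question from post #16.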