Restricting access to Lucee Admin

dev
1

It’s a current CentOS 7 Minimal Install with Tomcat 8 and OpenJDK 8.

I’d like to limit the entire Lucee admin folder/* to a few select admin IP’s.

I can’t find this in the Lucee Admin app, and I’m getting conflicting info via search. I think this is mostly due to the guides being for Tomcat 7, etc.

Per the Lucee LockDown guide I should be able to add the following tag to make the restriction, but I’m not sure where. I’ve tried both server and web context server/web.xml files, but to no avail.

<Location /lucee> 
Order Deny,Allow 
Deny from all 
Allow from 127.0.0.1
</Location>

Thoughts?

2

If you are working with mod_proxy or mod_cfm and using Apache Web Server, then you could add that to either a htaccess file or inside the /etc/httpd/conf/httpd.conf

I would recommend using Apache web server in addition to tomcat / lucee so you are not using additional resources to serve static files and gain a greater level of control over your security and content.

3

Thanks.

But how can I do this in Tomcat? The hardening guide I linked says how to do it, just doesn’t say where to do it.

4

You would have to run /lucee as a different application instance

in CATALINA_HOME/conf/Catalina/localhost/manager.xml

there should be something like

<Valve className="org.apache.catalina.valves.RemoteAddrValve" allow="192.168.1.*" />

That is where you would set up your LAN request ip addresses for /lucee

though, I caution as if you are not sure, really should just use mod_proxy and lucee

the installation from centos / rhel is as follows

yum update
yum install httpd http-devel

now rerun the lucee installer
5

/lucee is just the folder for the admin files. I can’t run that as a seperate instance from my own application instane. it’d be an application within an application.

The real location is

/tomcat/webapps/myapp/web-INF/lucee

I only want to restrict that folder (and likely the entire WEB-INF folder), not the entire application.

Let’s say I wanted to restrict the WEB-INF folder, this is what I’d expect the code to look like.

<Location /WEB-INF> 
Order Deny,Allow 
Deny from all 
Allow from 192.168.200.233
</Location>

I should add I’m porting an app from OpenBD. With OpenBD, I’d just remove the entire admin site code before pushing it to production so there were no files to restrict.