It’s a current CentOS 7 Minimal Install with Tomcat 8 and OpenJDK 8.
I’d like to limit the entire Lucee admin folder/* to a few select admin IPs.
I can’t find this in the Lucee Admin app, and I’m getting conflicting info via search. I think this is mostly due to the guides being for Tomcat 7, etc.
Per the Lucee LockDown guide I should be able to add the following tag to make the restriction, but I’m not sure where. I’ve tried both server and web context server/web.xml files, but to no avail.
<Location /lucee>
Order Deny,Allow
Deny from all
Allow from 127.0.0.1
</Location>
Thoughts?
If you are working with mod_proxy or mod_cfm and using Apache Web Server, then you could add that to either a htaccess file or inside the /etc/httpd/conf/httpd.conf
I would recommend using Apache web server in addition to tomcat / lucee so you are not using additional resources to serve static files and gain a greater level of control over your security and content.
Thanks.
But how can I do this in Tomcat? The hardening guide I linked says how to do it, just doesn’t say where to do it.
You would have to run /lucee as a different application instance
in CATALINA_HOME/conf/Catalina/localhost/manager.xml
there should be something like
<Valve className="org.apache.catalina.valves.RemoteAddrValve" allow="192.168.1.*" />
That is where you would set up your LAN request ip addresses for /lucee
Though I caution: if you are not sure, you really should just use mod_proxy and Lucee.
the installation from centos / rhel is as follows
yum update
yum install httpd httpd-devel
now rerun the lucee installer
/lucee is just the folder for the admin files. I can’t run that as a separate instance from my own application instance. It’d be an application within an application.
The real location is
/tomcat/webapps/myapp/WEB-INF/lucee
I only want to restrict that folder (and likely the entire WEB-INF folder), not the entire application.
Let’s say I wanted to restrict the WEB-INF folder, this is what I’d expect the code to look like.
<Location /WEB-INF>
Order Deny,Allow
Deny from all
Allow from 192.168.200.233
</Location>
I should add I’m porting an app from OpenBD. With OpenBD, I’d just remove the entire admin site code before pushing it to production so there were no files to restrict.