Restricting Lucee Admin on Windows

We’re working on configuring a Lucee 5.3.x installation with Tomcat 9.x running under 64-bit Windows Server 2022, and we were wondering what the best way is to restrict access to the Admin portion of things?

We’d like to restrict access to the Admin area to a set of static IP addresses, but we also need to allow the graph/chart stuff to work. Our current understanding is that we can’t just restrict “/lucee/*” since the Lucee system files that the charts in our web apps need reside within that area as well.

What’s the best way under Windows to secure Lucee, but still ensure that charts function properly?

There are lots of scenarios that you could try. I wouldn’t allow access to the admin through IIS anyway. If possible I’d always move all the settings to the Application.cfc, create schedules programmatically and remove the admin extension completely. If that’s not possible I’d rather tunnel through ssh to the admin directly on port 8888, bypassing IIS.

Regarding IIS, I personally like not allowing lucee/* as a default. In case you develop something that needs additional settings, e.g. lucee/temp/*, you could adapt those rules accordingly.

We’re not looking to access it through IIS (we’ll use the direct port), but wondering what the best method is to restrict it within Tomcat. Is there a specific method we should use to secure the Admin interface so our Devs can get in and do what they need, but nobody else?

Could you please elaborate a little more about that setup?

Do you want to expose the Tomcat HTTP port to the internet without any webserver in front of it? Should those users be able to access the admin from anywhere then?

We’re trying to figure out the best method to restrict the Admin interface from everyone except our Devs, who are on workstations using static IPs. So the thought was to restrict the Admin interface to only those static IPs. But we run into an issue that we can’t just use an IP request filter on “/lucee/” because there may be things inside there that our apps may need to use.

We’re sort of assuming that others have the same need, and that there’s something we’re overlooking that allows us to secure the Admin interface to only a select population, but still allows apps access to files as needed.

Ok, as I said, there are many, many options and it all depends on your decisions and security needs.

You need to decide what you need exactly.

  1. First decision: can you move your admin settings to system properties, Application.cfc or CommandBox (server.json), and use cfschedule programmatically?
    Yes: Option 1: block your admin using the system property lucee.admin.enabled
         Option 2: Uninstall the Lucee admin extension.
    No: proceed to point 2.

  2. So you need to install and use the Lucee admin:
    Do you need to use certain functionality that needs the virtual Lucee mapping (e.g. cfchart, cfimage captcha, etc.)?
    No: Block the location /lucee/* within your front-end webserver.
    Yes: Block the location /lucee/admin/* only within your front-end IIS. Better would be to allow only the location of the needed service, e.g. allow /lucee/temp/* only.

  3. Decide how and who needs to have access to the Lucee admin. Can you add ssh tunneling and run a tunneled browser? You may also allow RDP (allow access by IP to RDP) to the machine and fire up a local browser from there.
    Yes: use the Lucee Admin through a tunnel or RDP.
    No: Option 1: Allow direct web access to the Lucee admin as follows:
      • use IIS to access it, since it supports SSL. Force SSL!
      • add basic authentication with URL rewrite
    Option 2: Check if it is possible to add a firewall rule to allow access to port 8888 by IP. If so, implement SSL on Tomcat. You may also consider implementing other Tomcat-related security settings (e.g. basic authentication).

The above are some options you may consider. And of course… It always depends.
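The decision list above leaves the Windows-specific wiring to the reader, so here is an added example (written for this thread; it is not code from the Lucee, Tomcat or BonCode projects) that implements point 2 “Yes” (IP-restrict only /lucee/admin/* in IIS while /lucee/* stays reachable for charts) together with point 3, option 2 (allow Tomcat’s port 8888 only from the dev workstations). The IIS site name “Default Web Site”, the connector port 8888 and the TEST-NET developer addresses are assumptions, not values from the page; the IIS “IP and Domain Restrictions” feature must be installed, which the script does.

```powershell
#Requires -RunAsAdministrator
# Added example for this thread (not code from the Lucee, Tomcat or BonCode
# projects). It implements two options from the decision list:
#   - point 2 "Yes": IP-restrict only /lucee/admin/* in IIS, leaving /lucee/*
#     (charts, /lucee/temp/*) reachable for the applications;
#   - point 3 option 2: allow Tomcat's port 8888 only from the dev workstations.
# Assumptions, not taken from the page: the IIS site is "Default Web Site",
# the connector port is 8888, and the dev addresses are the constructed
# TEST-NET values below. Needs the IIS "IP and Domain Restrictions" feature.
Set-StrictMode -Version Latest
$ErrorActionPreference = 'Stop'

$SiteName  = 'Default Web Site'                 # assumption
$DevIps    = @('203.0.113.10', '203.0.113.11')  # constructed example addresses
$AdminPort = 8888                               # Tomcat HTTP connector (assumption)

function Install-IpRestrictionFeature {
    # The ipSecurity section is silently ignored if the module is not installed.
    if (-not (Get-WindowsFeature -Name Web-IP-Security).Installed) {
        Install-WindowsFeature -Name Web-IP-Security | Out-Null
    }
}

function Restrict-LuceeAdminInIis {
    param([string]$Site, [string[]]$AllowedIps)
    Import-Module WebAdministration
    # Write a <location path="<site>/lucee/admin"> element into
    # applicationHost.config. The rule is path-scoped, so /lucee/* stays open
    # and only /lucee/admin/* is filtered. Writing at APPHOST level also
    # sidesteps the "section is locked" error you would hit from a web.config.
    $apphost = 'MACHINE/WEBROOT/APPHOST'
    $loc     = "$Site/lucee/admin"
    $filter  = 'system.webServer/security/ipSecurity'

    # Reset the list first so re-running the script does not duplicate entries.
    Clear-WebConfiguration -PSPath $apphost -Location $loc -Filter $filter
    # Deny anything not listed, and answer 404 instead of 403 so the admin
    # path is not advertised to scanners.
    Set-WebConfigurationProperty -PSPath $apphost -Location $loc -Filter $filter -Name 'allowUnlisted' -Value $false
    Set-WebConfigurationProperty -PSPath $apphost -Location $loc -Filter $filter -Name 'denyAction'    -Value 'NotFound'
    foreach ($ip in $AllowedIps) {
        Add-WebConfigurationProperty -PSPath $apphost -Location $loc -Filter $filter -Name '.' -Value @{ ipAddress = $ip; allowed = $true }
    }
}

function Get-LuceeAdminIpRules {
    # Read back what IIS will actually enforce for the admin path.
    param([string]$Site)
    Import-Module WebAdministration
    $cfg = Get-WebConfiguration -PSPath 'MACHINE/WEBROOT/APPHOST' -Location "$Site/lucee/admin" -Filter 'system.webServer/security/ipSecurity'
    [pscustomobject]@{
        AllowUnlisted = $cfg.allowUnlisted
        DenyAction    = $cfg.denyAction
        Allowed       = @($cfg.Collection | Where-Object { $_.allowed } | ForEach-Object { $_.ipAddress })
    }
}

function Restrict-TomcatPortToDevs {
    param([int]$Port, [string[]]$AllowedIps)
    $name = "Lucee admin TCP $Port - dev workstations only"
    # Windows Firewall evaluates Block rules before Allow rules, so a
    # catch-all Block would also defeat our own Allow rule. Rely on the
    # default inbound Block instead, and disable any broad Allow rule for
    # the port that an installer may have left behind.
    $broad = Get-NetFirewallPortFilter |
        Where-Object { $_.Protocol -eq 'TCP' -and $_.LocalPort -eq "$Port" } |
        Get-NetFirewallRule |
        Where-Object { $_.Direction -eq 'Inbound' -and $_.Action -eq 'Allow' -and $_.DisplayName -ne $name }
    foreach ($rule in $broad) { Disable-NetFirewallRule -Name $rule.Name }

    Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue | Remove-NetFirewallRule
    New-NetFirewallRule -DisplayName $name -Direction Inbound -Protocol TCP -LocalPort $Port `
        -RemoteAddress $AllowedIps -Action Allow -Profile Any | Out-Null
}

Install-IpRestrictionFeature
Restrict-LuceeAdminInIis  -Site $SiteName  -AllowedIps $DevIps
Restrict-TomcatPortToDevs -Port $AdminPort -AllowedIps $DevIps
Get-LuceeAdminIpRules     -Site $SiteName
```

Two practical notes. IIS evaluates the ipSecurity rules before any handler runs, so a denied request for /lucee/admin/server.cfm is answered by IIS and is never handed to the connector; verify by requesting that URL from a listed and from an unlisted address and expecting a 404 on the latter. The firewall half is not optional: the path rule only protects what goes through IIS, and a client that can reach port 8888 directly bypasses it entirely. If IIS sits behind a load balancer or reverse proxy, the module sees the proxy’s address, not the developer’s; the ipSecurity section’s enableProxyMode attribute makes it evaluate the forwarded client address instead, which should only be turned on when that proxy is trusted.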

@andreas that is a good decision list.
Just to add that the BonCode connector will support your options (2) and (3) by simply using the
<EnableRemoteAdmin>False</EnableRemoteAdmin> directive in the settings file.
You can then only use a local browser on the server to access the admin.


Of course @Bilal!!! How could I have forgotten to list that! I have this setting enabled.

Time to pull request all that info to the docs! Set it on my list.
