Security of server and web admin


#1

When running Railo, it was recommended to secure the admin context like so (if I recall correctly),

<Location /railo-context>
	SSLRequireSSL
</Location>

<Location /railo-context>
	AuthType Basic
	AuthName "LuceeAdmin"
	AuthUserFile /etc/apache2/passwords/webauth
	Require user dopadmin
</Location>

Not sure if that was the best way, but it was one way.

I’ve done this with Lucee on a test install. But I am not sure of the correct context paths. That syntax is a little confusing to me.

I’ve also seen comments along the lines that if a user can get a response when accessing https://www.bluebongos.net/lucee/, even if it’s a prompt for directory authentication, you should not allow that and should instead hide the admin (likely behind SSH port forwarding or tunneling).

So, what’s the best practice for securing the admin but still being able to access it when you are away from your laptop/desktop?

Here is what I have presently:

##
## secure the lucee admin behind SSL and basic auth
##

<Location /lucee-context>
	SSLRequireSSL
</Location>

<Location /lucee>
	AuthType Basic
	AuthName "LuceeAdmin"
	AuthUserFile /etc/apache2/passwords/webauth
	Require user xxxxx
</Location>

<Location /lucee-context>
	AuthType Basic
	AuthName "LuceeAdmin"
	AuthUserFile /etc/apache2/passwords/webauth
	Require user xxxxx
</Location>

<Location /lucee/admin>
	AuthType Basic
	AuthName "LuceeAdmin"
	AuthUserFile /etc/apache2/passwords/webauth
	Require user xxxxx
</Location>

<Location /lucee-server>
	AuthType Basic
	AuthName "LuceeAdmin"
	AuthUserFile /etc/apache2/passwords/webauth
	Require user xxxxx
</Location>

##
## secure the lucee admin behind SSL and basic auth
##


#2

I just use /lucee/admin. I had /lucee, but some Lucee commands use files in the web context (I think it was cfimage, maybe?) and it was blocking access. I use IP deny/allow.


#3

Thanks! So you’re basically saying that all I need is

<Location /lucee/admin>
	SSLRequireSSL
</Location>

<Location /lucee/admin>
	AuthType Basic
	AuthName "LuceeAdmin"
	AuthUserFile /etc/apache2/passwords/webauth
	Require user xxxx
</Location>

And by “all I need”, clearly that is not the end of security, and I need to do more. But that should secure the Lucee web and server admin behind directory authentication?

And then you are specifying a specific IP for access? Yes/no?

I don’t want to do that (yet). I would prefer to do a port forwarding scenario after ssh login. I did that a long time ago and just need to go find that example.

Any other tips?


#4

Should be good. I am just using the regular Deny from All and Allow from and not using logins.

I remembered that the problem I had was that ColdBox needed graph.cfm for debugging, and /lucee blocked it whereas /lucee/admin worked.
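Pulling the pieces of this thread together, here is an added example (not from any post above, and not Lucee's own configuration) of an Apache 2.4 setup that puts SSL, basic auth and an IP allow list on /lucee/admin only, so the rest of /lucee stays reachable for things like cfimage and graph.cfm. It assumes the web and server admins both live under /lucee/admin as the thread implies, that the htpasswd file path is the one used in the thread, and that 203.0.113.10 is a placeholder for a trusted address.

```apache
# Added example, not from the thread: Apache 2.4 (mod_authz_core) syntax.
# Post #4's "Deny from All / Allow from" is Apache 2.2 syntax; in 2.4 the
# equivalent is "Require ip" (the old form needs mod_access_compat and
# should not be mixed with Require directives in the same scope).

<Location "/lucee/admin">
    # 1. Refuse plain HTTP for the admin (mod_ssl).
    SSLRequireSSL

    # 2. Basic auth (mod_auth_basic). Create the user file with, e.g.:
    #    htpasswd -c /etc/apache2/passwords/webauth adminuser
    AuthType Basic
    AuthName "LuceeAdmin"
    AuthUserFile /etc/apache2/passwords/webauth

    # 3. Require BOTH a valid login AND a trusted source address.
    #    Loopback is allowed so the admin can be reached through an SSH
    #    tunnel; 203.0.113.10 is a placeholder for a fixed office address.
    <RequireAll>
        Require valid-user
        <RequireAny>
            Require ip 127.0.0.1 ::1
            Require ip 203.0.113.10
        </RequireAny>
    </RequireAll>
</Location>

# Nothing is placed on /lucee itself, so files the web context needs
# (cfimage output, the graph.cfm mentioned in posts #2 and #4) stay open.
```

With the loopback rule in place, a remote machine can reach the admin through a tunnel such as `ssh -L 8443:127.0.0.1:443 user@server` and then browse to https://localhost:8443/lucee/admin/, since the request arrives at Apache from 127.0.0.1. If the Lucee site is not the default TLS virtual host, add a hosts-file entry mapping the site name to 127.0.0.1 on the client and browse to that name instead, so SNI selects the right vhost and the certificate matches.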