When running Railo, it was recommended to secure the admin context like so (if I recall correctly):
<Location /railo-context>
    SSLRequireSSL
</Location>
<Location /railo-context>
    AuthType Basic
    AuthName "LuceeAdmin"
    AuthUserFile /etc/apache2/passwords/webauth
    Require user dopadmin
</Location>
Not sure if that was the best way, but it was one way.
I’ve done this with Lucee on a test install. But I am not sure of the correct context paths. That syntax is a little confusing to me.
I’ve also seen comments to the effect that if a user can get a response when accessing https://www.bluebongos.net/lucee/, even if it’s a prompt for directory authentication, you should not allow that and should hide the admin (likely over SSH port forwarding or tunneling).
So, what’s the best practice for securing the admin but still access it when you are away from your laptop/desktop?
Here is what I have presently:
##
## secure the lucee admin behind SSL and basic auth
##
<Location /lucee-context>
    SSLRequireSSL
</Location>
<Location /lucee>
    AuthType Basic
    AuthName "LuceeAdmin"
    AuthUserFile /etc/apache2/passwords/webauth
    Require user xxxxx
</Location>
<Location /lucee-context>
    AuthType Basic
    AuthName "LuceeAdmin"
    AuthUserFile /etc/apache2/passwords/webauth
    Require user xxxxx
</Location>
<Location /lucee/admin>
    AuthType Basic
    AuthName "LuceeAdmin"
    AuthUserFile /etc/apache2/passwords/webauth
    Require user xxxxx
</Location>
<Location /lucee-server>
    AuthType Basic
    AuthName "LuceeAdmin"
    AuthUserFile /etc/apache2/passwords/webauth
    Require user xxxxx
</Location>
##
## secure the lucee admin behind SSL and basic auth
##
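As an added example (not from the post above or from the Lucee project), here is one way to consolidate the blocks above into a single Apache 2.4 configuration that covers every path the post lists, redirects plain HTTP to HTTPS instead of answering 403, and requires both a basic-auth user and a trusted source address; the hostname, certificate paths, IP range and user name are placeholders.

```apache
# Added example: consolidated protection for the Lucee admin paths.
# All hostnames, paths, addresses and users below are placeholders.
<VirtualHost *:80>
    ServerName lucee.example.com
    # Send plain-HTTP requests to HTTPS rather than serving a 403 via SSLRequireSSL
    Redirect permanent / https://lucee.example.com/
</VirtualHost>

<VirtualHost *:443>
    ServerName lucee.example.com
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/lucee.example.com.pem     # placeholder
    SSLCertificateKeyFile /etc/ssl/private/lucee.example.com.key   # placeholder

    # One block for /lucee, /lucee/admin, /lucee-context and /lucee-server.
    # <Location /lucee> already covers /lucee/admin (Location matches whole path
    # segments), but it does not cover /lucee-context or /lucee-server, so a
    # single anchored regex is used to avoid repeating the same four directives.
    <LocationMatch "^/lucee(-context|-server)?(/|$)">
        SSLRequireSSL
        AuthType Basic
        AuthName "LuceeAdmin"
        AuthUserFile /etc/apache2/passwords/webauth
        # Both conditions must hold: a known user AND a trusted source address.
        # Remote access then goes through a VPN or SSH tunnel that lands in
        # the allowed range (placeholder range below).
        <RequireAll>
            Require user xxxxx
            Require ip 127.0.0.1 ::1 10.0.0.0/8
        </RequireAll>
    </LocationMatch>
</VirtualHost>
```

This only protects requests that pass through Apache; the servlet container's own HTTP connector still needs to be firewalled or bound to localhost, and Lucee's own admin password remains in force behind the basic-auth prompt.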