What is the best way to configure my Tomcat/IIS7 site and prevent remote access to the server admin?

I am not sure how much of my question pertains to Lucee specifically and
how much is more generally about Tomcat and IIS, so if this is not the
appropriate forum for this question I will find another place to ask.

I am running Lucee on Windows Server 2008 with Tomcat as the app server and
IIS7 as the web server. I have the AJP connector installed and running.

What I am trying to do is move a site from ACF to Lucee. Things are working
well as far as the CFML processing is concerned, but I want to make the
server admin inaccessible from anywhere but the local machine. This was
easy with ACF because the CFIDE/Administrator was a physical directory, as
opposed to Lucee where it is virtual. I have tried and tried but cannot
seem to isolate the server admin. I have managed to make it completely
inaccessible by removing the http connector and leaving only the AJP
connector. I have tried using filters in web.xml (which I may be doing
wrong). I have tried creating lucee folders in my web root and applying the
restriction to them, thinking that IIS would filter the request, but since
the admin is only available over a nonstandard port that IIS isn’t
listening on, that doesn’t work either.

What else can I try? I feel like this must be a common task and I’m doing
something really stupid.

If you are using the BonCode IIS connector I think there is a setting for
this.

If you only need to access Lucee Server admin (not web) globally (not using
individual web context configuration):

  1. Use Request Filtering in IIS to block or Deny the URI: /lucee/
  2. Create a virtual host that ONLY listens on 127.0.0.1 or ::1
  3. Go to Request Filtering and remove the /lucee/ request filtering rule
    for this site.

Another option might be to simply add the HTTP connector to your tomcat
server.xml conf and access over a non standard port (eg 8080) ensuring that
the port is blocked on your firewall. Then hit
http://example.com:8080/lucee/admin/web.cfm

--
Pete Freitag
https://foundeo.com/ - ColdFusion Consulting & Products
http://hackmycf.com - CFML Server Security Scanner

See Lucee at CFCamp Oct 22 & 23 2015 @ Munich Airport, Germany - Get your
ticket NOW - http://www.cfcamp.org/

You received this message because you are subscribed to the Google Groups
“Lucee” group.
To unsubscribe from this group and stop receiving emails from it, send an
email to lucee+unsubscribe@googlegroups.com.
To post to this group, send email to lucee@googlegroups.com.
To view this discussion on the web visit
https://groups.google.com/d/msgid/lucee/d2442d62-a5df-4664-8a52-1c68869b1f4e%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
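
Pete's two options, written out as configuration. This is an added example and not configuration from the thread or from the Lucee installer; the site names, the webroot D:\www\example.com, the public address 203.0.113.10 and the Tomcat ports are assumptions, and the BonCode handler mapping that the connector installer writes into each site is left out. The first part is the IIS side of option 1 (steps 1 to 3); the second part is the Tomcat side of option 2, with the HTTP connector bound to the loopback address instead of relying on the firewall alone, which goes one step beyond what the message says.

```xml
<!-- Part 1: IIS 7, applicationHost.config (%windir%\system32\inetsrv\config).
     Added example; site names, paths and 203.0.113.10 are assumptions. -->
<system.applicationHost>
  <sites>
    <!-- Public site: bound to the public address only -->
    <site name="example.com" id="1">
      <application path="/">
        <virtualDirectory path="/" physicalPath="D:\www\example.com" />
      </application>
      <bindings>
        <binding protocol="http" bindingInformation="203.0.113.10:80:" />
      </bindings>
    </site>
    <!-- Step 2: a second site on the same webroot that HTTP.sys only accepts
         on the loopback addresses, so nothing remote can ever reach it -->
    <site name="lucee-admin" id="2">
      <application path="/">
        <virtualDirectory path="/" physicalPath="D:\www\example.com" />
      </application>
      <bindings>
        <binding protocol="http" bindingInformation="127.0.0.1:80:" />
        <binding protocol="http" bindingInformation="[::1]:80:" />
      </bindings>
    </site>
  </sites>
</system.applicationHost>

<!-- Step 1: server-wide Request Filtering rule, also in applicationHost.config.
     Any URL containing /lucee/ is rejected (HTTP 404.5) before IIS hands the
     request to the BonCode/AJP handler, so Tomcat never sees it. -->
<system.webServer>
  <security>
    <requestFiltering>
      <denyUrlSequences>
        <add sequence="/lucee/" />
      </denyUrlSequences>
    </requestFiltering>
  </security>
</system.webServer>

<!-- Step 3: the loopback site alone drops the inherited rule. requestFiltering
     is delegatable by default, so this <location> can stay in
     applicationHost.config or go, as the same element, into that site's
     web.config. -->
<location path="lucee-admin">
  <system.webServer>
    <security>
      <requestFiltering>
        <denyUrlSequences>
          <remove sequence="/lucee/" />
        </denyUrlSequences>
      </requestFiltering>
    </security>
  </system.webServer>
</location>

<!-- Part 2: Tomcat server.xml for option 2. The address attribute binds each
     connector to loopback, so the admin on 8888 is unreachable from outside
     even if the firewall rule is missing or later removed. The AJP port that
     IIS talks to gets the same treatment: only the local IIS should be able to
     speak AJP to Tomcat. (Tomcat 9.0.31 and later additionally require a
     secret="..." or secretRequired="false" on the AJP connector.) -->
<Service name="Catalina">
  <Connector port="8888" protocol="HTTP/1.1" address="127.0.0.1"
             connectionTimeout="20000" />
  <Connector port="8009" protocol="AJP/1.3" address="127.0.0.1" />
  <Engine name="Catalina" defaultHost="localhost">
    <Host name="localhost" appBase="webapps" unpackWARs="true" autoDeploy="true" />
  </Engine>
</Service>
```

To check the result from the server itself, open http://127.0.0.1/lucee/admin/server.cfm (served by the loopback site); from any other machine, http://example.com/lucee/admin/server.cfm should come back as a 404 from Request Filtering and http://example.com:8888/ should refuse the connection outright. The BonCode connector setting for the Tomcat host must point at 127.0.0.1:8009 to match the bound AJP address.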

It does, but I need port 80 open to the world. I guess my thinking is still
stuck in ACF mode. I haven’t even been able to figure out how to access the
web admin for a particular context. What I ideally want is for everything
on port 80 to work, including the server admin, and then lock it down by IP
the way I would lock down the CFIDE directory on ACF. I suspect the whole
way I’m thinking about this is wrong. It would be extremely helpful to see
an existing lucee/tomcat/iis config for reference, but I don’t know how I
would ever do that.

I use SSH tunneling to access the admin panels on both ACF and Lucee.
Rather than repeat myself, I’ll just post a link to the blog article I
wrote about it:

https://dnando.github.io/blog/2014/11/04/ssh-tunneling-coldfusion-lockdown-technique/

Aria Media Sagl
Via Rompada 40
6987 Caslano
Switzerland

+41 (0)91 600 9601
+41 (0)76 303 4477 cell
skype: ariamedia

Thank you for the response. Part of my problem is that I don’t think I’ve
fully wrapped my head around some concepts and the documentation hasn’t
been very helpful (I know it’s a work in progress and I’ve also been
referring to railo docs). I guess one question I need answered is, if I go
with option 1, how do I get IIS to process the request for the server
admin? Currently Tomcat is listening for http requests on port 8888, which
means if I go to mysite.com/lucee, I get a 404. If I go to
mysite.com:8888/lucee, then it works, but IIS isn’t processing that
request, since I can stop the IIS site and still pull up the server admin
via that URL. I’m not sure how to get to the server admin without using the
port number. If I set tomcat to listen on port 80 instead of 8888, is that
going to cause some conflict with IIS which is also listening on port 80?

Thanks for your help and your patience. I’m new to all of this so being
able to ask questions really helps.

My guess is locking down port 80 and access through IIS is the way that you want to go. So, you’re on the right track already. You can lock down port 8888 with tighter restrictions than you can port 80, so you could potentially adjust your firewall rules to ONLY allow your IP to connect to port 8888. Then you, and you alone, can access your admin on port 8888.

Sound reasonable?

-Jordan

> It does, but I need port 80 open to the world.

I’m not suggesting otherwise. =)

> What I ideally want is for everything
> on port 80 to work, including the server admin, and then lock it down by
> IP the way I would lock down the CFIDE directory on ACF.

Using the first method talked about in this blog post, you should be able to do that:
http://utdream.org/post.cfm/how-to-block-access-to-railo-3-4-administrators-in-iis-7-security

> It would be extremely helpful to see
> an existing lucee/tomcat/iis config for reference, but I don’t know how I
> would ever do that.

There are screen shots in the above blog post from when I did exactly what you’re wanting to do on my test machine.

Hope this helps!

-Jordan----- Original Message -----
From: “res” <@res>
To: “Lucee” lucee@googlegroups.com
Sent: Monday, August 3, 2015 2:27:50 PM
Subject: Re: [Lucee] What is the best way to configure my Tomcat/IIS7 site and prevent remote access to the server admin?

It does, but I need port 80 open to the world. I guess my thinking is still
stuck in ACF mode. I haven’t even been able to figure out how to access the
web admin for a particular context. What I ideally want is for everything
on port 80 to work, including the server admin, and then lock it down by IP
the way I would lock down the CFIDE directory on ACF. I suspect the whole
way I’m thinking about this is wrong. It would be extremely helpful to see
an existing lucee/tomcat/iis config for reference, but I don’t know how I
would ever do that.

On Monday, August 3, 2015 at 5:19:15 PM UTC-4, Jordan Michaels wrote:

My guess is locking down port 80 and access through IIS is the way that
you want to go. So, you’re on the right track already. You can lock down
port 8888 with tighter restrictions than you can port 80, so you could
potentially adjust your firewall rules to ONLY allow your IP to connect to
port 8888. Then you, and you alone, can access your admin on port 8888.

Sound reasonable?

-Jordan

----- Original Message -----
From: “res” <roswe...@gmail.com <javascript:>>
To: “Lucee” <lu...@googlegroups.com <javascript:>>
Cc: pe...@foundeo.com <javascript:>
Sent: Monday, August 3, 2015 1:48:58 PM
Subject: Re: [Lucee] What is the best way to configure my Tomcat/IIS7 site
and prevent remote access to the server admin?

Thank you for the response. Part of my problem is that I don’t think I’ve
fully wrapped my head around some concepts and the documentation hasn’t
been very helpful (I know it’s a work in progress and I’ve also been
referring to railo docs). I guess one question I need answered is, if I go
with option 1, how do I get IIS to process the request for the server
admin? Currently Tomcat is listening for http requests on port 8888, which
means if I go to mysite.com/lucee, I get a 404. If I go to
mysite.com:8888/lucee, then it works, but IIS isn’t processing that
request, since I can stop the IIS site and still pull up the server admin
via that URL. I’m not sure how to get to the server admin without using
the
port number. If I set tomcat to listen on port 80 instead of 8888, is that
going to cause some conflict with IIS which is also listening on port 80?

Thanks for your help and your patience. I’m new to all of this so being
able to ask questions really helps.

On Monday, August 3, 2015 at 4:02:51 PM UTC-4, Pete Freitag wrote:

If you are using the BonCode IIS connector I think there is a setting
for
this.

If you only need to access Lucee Server admin (not web) globally (not
using individual web context configuration):

  1. Use Request Filtering in IIS to block or Deny the URI: /lucee/
  2. Create a virtual host that ONLY listens on 127.0.0.1 or ::1
  3. Go to Request Filtering and remove the /lucee/ request filtering rule
    for this site.

Another option might be to simply add the HTTP connector to your tomcat
server.xml conf and access over a non standard port (eg 8080) ensuring
that
the port is blocked on your firewall. Then hit
http://example.com:8080/lucee/admin/web.cfm


Pete Freitag
https://foundeo.com/ http://foundeo.com/ - ColdFusion Consulting &
Products
http://hackmycf.com - CFML Server Security Scanner

See Lucee at CFCamp Oct 22 & 23 2015 @ Munich Airport, Germany - Get your ticket NOW - http://www.cfcamp.org/

You received this message because you are subscribed to the Google Groups “Lucee” group.
To unsubscribe from this group and stop receiving emails from it, send an email to lucee+unsubscribe@googlegroups.com.
To post to this group, send email to lucee@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/lucee/d2442d62-a5df-4664-8a52-1c68869b1f4e%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.



I should have specified that step 1) Use Request Filtering in IIS to block
or Deny the URI: /lucee/ would be done at the server-wide level, not at a
site-specific level in IIS.

--
Pete Freitag
https://foundeo.com/ - ColdFusion Consulting & Products
http://hackmycf.com - CFML Server Security Scanner

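The three steps above in configuration form, as an added example that is not from the thread or from Lucee/BonCode documentation. It assumes IIS 7 on the same host as Tomcat, that the BonCode handler mapping forwards *.cfm requests to Tomcat whether or not a matching file exists on disk (which is why IIS needs an explicit rule for the virtual /lucee/ path), and that step 2 means an IIS site whose only binding is the loopback address (in Tomcat, bind addresses are set on the Connector, not on a Host). The site name "lucee-admin" and the Tomcat ports are placeholders. The connector bindings in the last part go beyond the firewall-only suggestion: binding Tomcat's own connectors to 127.0.0.1 means port 8888 and the AJP port are unreachable from other machines even if a firewall rule is later removed.

```xml
<!-- Part 1: server-wide Request Filtering rule. This lives in the
     <system.webServer> section of applicationHost.config (or run, elevated:
       appcmd set config /section:requestFiltering /+denyUrlSequences.[sequence='/lucee/']
     ). It applies to every site, so /lucee/admin/server.cfm on the public
     name is answered by IIS with 404 (substatus 404.5, URL sequence denied)
     before the request ever reaches the BonCode connector or Tomcat. -->
<system.webServer>
  <security>
    <requestFiltering>
      <denyUrlSequences>
        <add sequence="/lucee/" />
      </denyUrlSequences>
    </requestFiltering>
  </security>
</system.webServer>

<!-- Part 2: web.config of a separate IIS site ("lucee-admin", placeholder)
     created with a single loopback binding, e.g.
       appcmd add site /name:lucee-admin /physicalPath:C:\inetpub\lucee-admin /bindings:http/127.0.0.1:80:
     Only this site removes the server-wide deny rule, so /lucee/ is reachable
     solely through http://127.0.0.1/ from the server itself. If the
     requestFiltering section is locked at server level, it must be unlocked
     for this override to take effect. -->
<configuration>
  <system.webServer>
    <security>
      <requestFiltering>
        <denyUrlSequences>
          <remove sequence="/lucee/" />
        </denyUrlSequences>
      </requestFiltering>
    </security>
  </system.webServer>
</configuration>

<!-- Part 3 (added, beyond the firewall-only suggestion): in Tomcat's
     server.xml, bind both connectors to loopback. The HTTP connector on 8888
     is what made mysite.com:8888/lucee bypass IIS entirely; with
     address="127.0.0.1" it only answers requests originating on the server.
     The AJP connector is only ever contacted by the IIS connector on the same
     host, so it needs no external exposure either (if the IIS box were a
     different machine, this address would have to be that machine's
     reachable interface instead). -->
<Connector port="8888" protocol="HTTP/1.1" address="127.0.0.1"
           connectionTimeout="20000" />
<Connector port="8009" protocol="AJP/1.3" address="127.0.0.1" />
```

To verify: from the server, a request to http://127.0.0.1/lucee/admin/server.cfm should return the admin login, and a request to http://127.0.0.1:8888/lucee/admin/server.cfm should as well; from any other machine, the same paths on the public name should return 404 from IIS and a connection failure on 8888. Note that the deny rule matches the sequence anywhere in the URL, so a legitimate application path containing a /lucee/ segment would be blocked too.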

Very helpful, thank you.

My problem now is that I don’t know how to get to the web admin for my
site. I have blocked port 8888 on the firewall, so I can go on the local
machine and hit the server admin by going to mysite.com:8888/lucee/
But I set up a site in IIS so I could have the webroot on a disk separate
from the lucee install, and I changed WEB-INF so that it has a different
name and is placed a level above the webroot. I followed the railo
documentation for this (which is missing relevant
info http://www.getrailo.org/index.cfm/documentation/configuration/tips-and-tricks/)
and I think it worked because when I start Railo and make a page request,
my alternately-named WEB-INF folder gets created above the root. But I
don’t know how to access the web admin for that new site.
mysite.com/lucee/… gives me a 404, which makes sense because there is no
physical directory with that name, so IIS can’t find it. What am I missing
here?

On Monday, August 3, 2015 at 5:54:05 PM UTC-4, Jordan Michaels wrote:

It does, but I need port 80 open to the world.

I’m not suggesting otherwise. =)

What I ideally want is for everything
on port 80 to work, including the server admin, and then lock it down by
IP the way I would lock down the CFIDE directory on ACF.

Using the first method talked about in this blog post, you should be able
to do that:

http://utdream.org/post.cfm/how-to-block-access-to-railo-3-4-administrators-in-iis-7-security

It would be extremely helpful to see
an existing lucee/tomcat/iis config for reference, but I don’t know how I
would ever do that.

There are screen shots in the above blog post from when I did exactly what
you’re wanting to do on my test machine.

Hope this helps!

-Jordan

----- Original Message -----
From: “res” <roswe...@gmail.com>
To: “Lucee” <lu...@googlegroups.com>
Sent: Monday, August 3, 2015 2:27:50 PM
Subject: Re: [Lucee] What is the best way to configure my Tomcat/IIS7 site and prevent remote access to the server admin?

It does, but I need port 80 open to the world. I guess my thinking is
still stuck in ACF mode. I haven’t even been able to figure out how to
access the web admin for a particular context. What I ideally want is for
everything on port 80 to work, including the server admin, and then lock
it down by IP the way I would lock down the CFIDE directory on ACF. I
suspect the whole way I’m thinking about this is wrong. It would be
extremely helpful to see an existing lucee/tomcat/iis config for
reference, but I don’t know how I would ever do that.

On Monday, August 3, 2015 at 5:19:15 PM UTC-4, Jordan Michaels wrote:

My guess is locking down port 80 and access through IIS is the way that
you want to go. So, you’re on the right track already. You can lock down
port 8888 with tighter restrictions than you can port 80, so you could
potentially adjust your firewall rules to ONLY allow your IP to connect
to port 8888. Then you, and you alone, can access your admin on port 8888.

Sound reasonable?

-Jordan

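The by-IP lockdown that res describes wanting for the admin on port 80 (the way a CFIDE directory is restricted on ACF), and that Jordan proposes doing at the firewall for port 8888, can also be done inside Tomcat, where the virtual /lucee/ path exists as a URL pattern even though no directory does. This is an added example, not code from the thread, from Lucee or from the linked blog post. It assumes Tomcat 7 or later (the filter class ships in Tomcat's catalina.jar), that the entry is placed in the WEB-INF/web.xml of the web application Lucee runs in, and that Tomcat sees the real client address (the AJP protocol forwards it from IIS; a reverse proxy in front of IIS would break this assumption). The address 203.0.113.10 is a documentation placeholder for one admin workstation.

```xml
<!-- WEB-INF/web.xml (Tomcat 7+). Filters run before the Lucee servlet, so
     this applies to /lucee/admin/server.cfm and /lucee/admin/web.cfm even
     though neither exists on disk. Place the <filter> before the existing
     <servlet> entries and the <filter-mapping> before any <servlet-mapping>. -->
<filter>
  <filter-name>LuceeAdminIpRestriction</filter-name>
  <filter-class>org.apache.catalina.filters.RemoteAddrFilter</filter-class>
  <init-param>
    <!-- Regular expression that must match the entire client address.
         IPv4 loopback, both spellings of IPv6 loopback, and one placeholder
         admin workstation. Anything else is rejected. -->
    <param-name>allow</param-name>
    <param-value>127\.\d+\.\d+\.\d+|::1|0:0:0:0:0:0:0:1|203\.0\.113\.10</param-value>
  </init-param>
  <init-param>
    <!-- Default rejection status is 403; 404 avoids confirming to a scanner
         that an admin lives at this path. -->
    <param-name>denyStatus</param-name>
    <param-value>404</param-value>
  </init-param>
</filter>
<filter-mapping>
  <filter-name>LuceeAdminIpRestriction</filter-name>
  <url-pattern>/lucee/*</url-pattern>
</filter-mapping>
```

Two checks worth running after the change: request /lucee/admin/server.cfm through IIS from an address outside the allow list and confirm the 404, then from the server itself and confirm the login page. url-pattern matching in Tomcat is case-sensitive, so also try /LUCEE/admin/server.cfm; if Lucee serves the admin under that spelling on Windows, either add a second mapping or keep the IIS Request Filtering rule, which is not case-sensitive, in front of it.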