It does, but I need port 80 open to the world.
I’m not suggesting otherwise. =)
What I ideally want is for everything
on port 80 to work, including the server admin, and then lock it down by IP
the way I would lock down the CFIDE directory on ACF.
Using the first method talked about in this blog post, you should be able to do that:
http://utdream.org/post.cfm/how-to-block-access-to-railo-3-4-administrators-in-iis-7-security
It would be extremely helpful to see
an existing lucee/tomcat/iis config for reference, but I don’t know how I
would ever do that.
There are screen shots in the above blog post from when I did exactly what you’re wanting to do on my test machine.
Hope this helps!
-Jordan----- Original Message -----
From: “res” <@res>
To: “Lucee” lucee@googlegroups.com
Sent: Monday, August 3, 2015 2:27:50 PM
Subject: Re: [Lucee] What is the best way to configure my Tomcat/IIS7 site and prevent remote access to the server admin?
It does, but I need port 80 open to the world. I guess my thinking is still
stuck in ACF mode. I haven’t even been able to figure out how to access the
web admin for a particular context. What I ideally want is for everything
on port 80 to work, including the server admin, and then lock it down by IP
the way I would lock down the CFIDE directory on ACF. I suspect the whole
way I’m thinking about this is wrong. It would be extremely helpful to see
an existing lucee/tomcat/iis config for reference, but I don’t know how I
would ever do that.
On Monday, August 3, 2015 at 5:19:15 PM UTC-4, Jordan Michaels wrote:
My guess is locking down port 80 and access through IIS is the way that
you want to go. So, you’re on the right track already. You can lock down
port 8888 with tighter restrictions than you can port 80, so you could
potentially adjust your firewall rules to ONLY allow your IP to connect to
port 8888. Then you, and you alone, can access your admin on port 8888.
Sound reasonable?
-Jordan
----- Original Message -----
From: “res” <roswe...@gmail.com <javascript:>>
To: “Lucee” <lu...@googlegroups.com <javascript:>>
Cc: pe...@foundeo.com <javascript:>
Sent: Monday, August 3, 2015 1:48:58 PM
Subject: Re: [Lucee] What is the best way to configure my Tomcat/IIS7 site
and prevent remote access to the server admin?
Thank you for the response. Part of my problem is that I don’t think I’ve
fully wrapped my head around some concepts and the documentation hasn’t
been very helpful (I know it’s a work in progress and I’ve also been
referring to railo docs). I guess one question I need answered is, if I go
with option 1, how do I get IIS to process the request for the server
admin? Currently Tomcat is listening for http requests on port 8888, which
means if I go to mysite.com/lucee, I get a 404. If I go to
mysite.com:8888/lucee, then it works, but IIS isn’t processing that
request, since I can stop the IIS site and still pull up the server admin
via that URL. I’m not sure how to get to the server admin without using
the
port number. If I set tomcat to listen on port 80 instead of 8888, is that
going to cause some conflict with IIS which is also listening on port 80?
Thanks for your help and your patience. I’m new to all of this so being
able to ask questions really helps.
On Monday, August 3, 2015 at 4:02:51 PM UTC-4, Pete Freitag wrote:
If you are using the BonCode IIS connector I think there is a setting
for
this.
If you only need to access Lucee Server admin (not web) globally (not
using individual web context configuration):
- Use Request Filtering in IIS to block or Deny the URI: /lucee/
- Create a virtual host that ONLY listens on 127.0.0.1 or ::1
- Go to Request Filtering and remove the /lucee/ request filtering rule
for this site.
Another option might be to simply add the HTTP connector to your tomcat
server.xml conf and access over a non standard port (eg 8080) ensuring
that
the port is blocked on your firewall. Then hit
http://example.com:8080/lucee/admin/web.cfm
–
Pete Freitag
https://foundeo.com/ http://foundeo.com/ - ColdFusion Consulting &
Products
http://hackmycf.com - CFML Server Security Scanner
On Mon, Aug 3, 2015 at 3:47 PM, res <roswe...@gmail.com <javascript:>> wrote:
I am not sure how much of my question pertains to Lucee specifically
and
how much is more generally about Tomcat and IIS, so if this is not the
appropriate forum for this question I will find another place to ask.
I am running Lucee on Windows Server 2008 with Tomcat as the app server
and IIS7 as the web server. I have the AJP connector installed and
running.
What I am trying to do is move a site from ACF to Lucee. Things are
working well as far as the CFML processing is concerned, but I want to
make
the server admin inaccessible from anywhere but the local machine. This
was
easy with ACF because the CFIDE/Administrator was a physical directory,
as
opposed to Lucee where it is virtual. I have tried and tried but cannot
seem to isolate the server admin. I have managed to make it completely
inaccessible by removing the http connector and leaving only the AJP
connector. I have tried using filters in web.xml (which I may be doing
wrong). I have tried creating lucee folders in my web root and applying
the
restriction to them, thinking that IIS would filter the request, but
since
the admin is only available over a nonstandard port that IIS isn’t
listening on, that doesn’t work either.
What else can I try? I feel like this must be a common task and I’m
doing
something really stupid.
–
See Lucee at CFCamp Oct 22 & 23 2015 @ Munich Airport, Germany - Get
your
ticket NOW - http://www.cfcamp.org/
You received this message because you are subscribed to the Google
Groups
“Lucee” group.
To unsubscribe from this group and stop receiving emails from it, send
an
email to lucee+un...@googlegroups.com <javascript:>.
To post to this group, send email to lu...@googlegroups.com
<javascript:>
.
To view this discussion on the web visit
https://groups.google.com/d/msgid/lucee/d2442d62-a5df-4664-8a52-1c68869b1f4e%40googlegroups.com
<
https://groups.google.com/d/msgid/lucee/d2442d62-a5df-4664-8a52-1c68869b1f4e%40googlegroups.com?utm_medium=email&utm_source=footer>
.
For more options, visit https://groups.google.com/d/optout.
–
See Lucee at CFCamp Oct 22 & 23 2015 @ Munich Airport, Germany - Get your
ticket NOW - http://www.cfcamp.org/
You received this message because you are subscribed to the Google Groups
“Lucee” group.
To unsubscribe from this group and stop receiving emails from it, send an
email to lucee+un...@googlegroups.com <javascript:>.
To post to this group, send email to lu...@googlegroups.com <javascript:>.
To view this discussion on the web visit
https://groups.google.com/d/msgid/lucee/e9fd389a-5c07-405d-8975-ae586eb3d99e%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
–
See Lucee at CFCamp Oct 22 & 23 2015 @ Munich Airport, Germany - Get your ticket NOW - http://www.cfcamp.org/
You received this message because you are subscribed to the Google Groups “Lucee” group.
To unsubscribe from this group and stop receiving emails from it, send an email to lucee+unsubscribe@googlegroups.com.
To post to this group, send email to lucee@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/lucee/869448ae-ef27-4c7e-aa3e-4179cbf7b0b5%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.