marywilkins68
Participant
May 23, 2018
Question

ColdFusion 2016 restrict IP Addresses

Hi,

I have ColdFusion 2016 at update 3 and I am trying to restrict access to the internal components (adminapi) and the administrator to the server itself so that no one can access it without logging onto the server. I added the IP address of the server and localhost. It seems to have saved it but it still allows outside access. The administrator is hosted on the local Tomcat server at port 8500.

My security team is insisting that this be locked down, but this feature isn't working. Do I need to apply an update to fix a bug or do I need to restart ColdFusion?

    1 reply

    Charlie Arehart
    Community Expert
    May 23, 2018

    Mary, there would seem to be some unexpected explanation.

    First, on the CF Admin "allowed ip addresses" page, note that there are 2 fields, one at the top and one at the bottom. For what you want, you need to be updating the bottom field.

    Second, once you add to that list, if you leave and return to the page, are the changes remaining?

    Third, you say you are on update 3. As you may know, there is now an update 6. It may be interesting to see if it still happened after that. But even before doing that, you could see if there was perhaps an error during the application of update 3. I have a blog post on that (including how to find the update log, how to make sense of it, and how to fix problems that may have happened in applying the update that could leave things not working quite right).

    But before I share that, you may find that your CF already came with update 3 applied (due to being a later installer), in which case you will not have an update folder and log for update 3, so what I write here will not apply (for that update 3):

    How to solve common problems with applying ColdFusion updates (in 10 and above)

    Let us know if any of the above may help.

    /Charlie (troubleshooter, carehart.org)

    marywilkins68
    Participant
    May 23, 2018

    Hi,

    Thanks for the update. I did apply the IP addresses to the bottom section and I leave the page and go back and they are still there. If I log out and back in it is still there. But if I go to the administrator from another server it still brings it up and you can also get to the scripts that are under adminapi.

    It looks like the ColdFusion update 3 was embedded; I followed your link and found that it was embedded. So it's not a bad update. I haven't had to update ColdFusion, I used to use it a long time ago, so I was planning on putting the update on and seeing if that works.

    It's not a public-facing web site so they are going to try and block it with the firewall for now. I'm hoping the updates will work.

    marywilkins68
    Participant
    June 2, 2018

    Hi,

    It looks like it prevents login to the ColdFusion Administrator; the site comes up but any attempt to log in to it is denied. But it still allows me to get to the adminapi. We only use this as a small web site, so how can I determine whether, if I try to actually use the adminapi cfc files, they will be denied? I don't know how to invoke them; the ?wsdl works though.

    Does anyone know?
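
A reachability check for the situation in this thread, as an added example that is not part of any post above and is not Adobe's code: run it from a machine that is not on the allowed-IP list to see whether the Administrator and an adminapi CFC still answer. The `/CFIDE/...` paths are assumed default install locations and `cfserver.example` is a placeholder host.

```python
import sys
import urllib.error
import urllib.request

# Assumption: default install locations; adjust to your server's layout.
PATHS = [
    "/CFIDE/administrator/index.cfm",
    "/CFIDE/adminapi/administrator.cfc?wsdl",
]

def classify(status, body):
    """Map an HTTP result to a verdict; status is None when no connection was made."""
    if status is None:
        return "BLOCKED (no connection)"
    if status in (401, 403, 404):
        return f"BLOCKED (HTTP {status})"
    if 200 <= status < 300:
        # A WSDL document means the CFC was processed for this client.
        if "definitions" in body and "wsdl" in body.lower():
            return "EXPOSED (WSDL served)"
        # The thread reports the login page loading while logins are refused.
        return "REACHABLE (page served; login may still be refused)"
    return f"UNCLEAR (HTTP {status})"

def probe(base, path, timeout=5):
    """Fetch one URL and return (status, body); (None, '') on connection failure."""
    try:
        with urllib.request.urlopen(base + path, timeout=timeout) as resp:
            return resp.status, resp.read(65536).decode("utf-8", "replace")
    except urllib.error.HTTPError as err:   # must precede URLError (its parent)
        return err.code, err.read(65536).decode("utf-8", "replace")
    except (urllib.error.URLError, OSError):
        return None, ""

def main(argv):
    if len(argv) != 2:
        print("usage: check_cfadmin.py http://cfserver.example:8500")
        return 2
    base = argv[1].rstrip("/")
    exposed = False
    for path in PATHS:
        verdict = classify(*probe(base, path))
        exposed |= not verdict.startswith("BLOCKED")
        print(f"{path}: {verdict}")
    return 1 if exposed else 0   # non-zero exit when anything still answers

if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

A zero exit code means every path was refused from that vantage point, so the script can be rerun after each change (allowed-IP list, update, firewall rule) to confirm the effect.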