Cold Fusion 2023 Restrict access to SOLR web app to localhost on server with IPV6

Suggestions:

1.  Test with 0:0:0:0:0:0:0:1 in place of ::1 in the above  jetty/etc/jetty-ipaccess.xml setting.
2.  After the chnage, make sure you restart both the Add-On service and the ColdFusion service.

BKBK, nope, neither works (not ::1 nor 0:0:0:0:0:0:0:1).

Let's clarify a few things, for everyone's sake. And I think I may see why you are experiencing things differently.

1) First, just to be clear: while he was asking about CF2023, and you are talking about CF2025, the issue is the same for each (at least since the April 2025 CF updates that incorporated the changes in the configuration of the add-on service/jetty/solr/pdfg to rely on this jetty-ipaccess.xml file).

As for why it seems "ok" for you to specify a ipv6 value in that whitelist, I have a couple of thoughts.

2a) First I'd propose a test for you to try: change the value of the whitelist to use ONLY 127.0.0.2 (or any random ip) and restart your add-on service. Then try to visit that localhost:8997 url. (Folks on CF2023 would use 8995, while folks on CF2021 would use 8993.)

The point here is that you SHOULD get an error rejecting that request, if the whitelist is protecting you. If you do not get an error, then your jetty-ipaccess.xml is not doing the protection it should.(And so jetty may not even be loading it let alone verifying it as we're experiencing. And I share below the error we see in the jetty logs.) 

And there could be two reasons for that happening for you. 

2b) One is that I notice your screenshot of the solr dashboard, it shows one of the values as -Dsolr.solr.home=multicore. From my experience, that's the value one gets if you have implemented the separate add-on installer, in which case of course you need to be editing the jetty-ipaccess.xml within the etc subfolder where THAT was installed. By default, it would be /ColdFusion2025Add-onServices. 

Sadly, that solr dashboard does not confirm for us what folder the Solr is running in, beyond that jvm arg. (FWIW, with respect to the Jetty implemented within a CF2025 folder, the value would instead show -Dsolr.solr.home=C:\ColdFusion2025\cfusion\jetty\multicore

2c) Second, along the same lines, in the root of the jetty folder (whereever it's installed) there will be a start.ini. In that file. In that file, do you see a line indicating this:

--module=ipaccess

You should. In a default CF install of Jetty (at least since those April updates), it's the last line of that file. But of course it doesn't need to be last. It DOES need to not be commented (that start.ini file uses pound signs as comments).

Again, sadly the solr dashboard does not show anywhere a confirmation of this. That's why I started with the test in my point 2a.

3) Finally, just to clarify for Ian and anyone else following along, when things fail as he and I have experienced, not only do we find the add-on service won't start (and that localhost call to the add-on service/jetty/solr/pdfg port will fail), but also in the jetty/logs folder, the one called [yyyy_mm_dd].stderror.log will report the error as "Invalid IP address pattern: ::1" (when attempting what Ian reported originally).

Ian, can you confirm you see that error?

4) If you do see that error, again (as I reported originally), this is not an Adobe problem: it's a jetty problem. And to be clear, Adobe chose (starting with cf9) to bundle the solr feature (technically the add-on service which it's a part of) as an implementation atop Jetty, which is itself another app server implemented within CF. (And in CF11 they also implemented the PDFG feature, for cfhtmltopdf, on the same jetty. Both solr and pdfg are implemented as "web apps" within Jetty. It was never clear why they didn't do it via Tomcat instead.)  

It's only when the Jetty project chooses to solve this ipv6 problem in jetty-ipaccess.xml (or there becomes some other way to limit Jetty by ipv6 addresses) that the error will no longer occur.

(As an update since posting this reply, I do think I have found the solution. See my next reply.)

In nay case, BKBK, I will again be very curious to hear what you find when you do the test in my point 2a above, and what you find with respect to points 2b and 2c. Even just as a sanity check for you. 🙂

5) Along those lines (for those following along), when one DOES have this jetty-ipaccess.xml set to whitelist some IP address but your request does NOT come from that (like if it's set to 127.0.0.1 but yuor machine running CF makes that request via IPV6), and you then try to visit the localhost:[jettyport] page (whether you add "/solr" on the URL or not), the error you get for CF2025's add-on service will simply be "HTTP ERROR 403 Forbidden". But the error for CF2023's add-on service will be "HTTP ERROR 500 java.lang.IllegalArgumentException: Invalid IP address: <the ip you tried to use, or the ip the hostname resolved to>".

I suspect that difference has something to do with other aspects of Jetty configuration, like that ipaccess module I referred to in point 2c. Anyway, I offer those also in case others get the error and search for it, so that they may find this discussion.

Hope it proves helpful.

@Charlie Arehart , thanks for the clarification. That was helpful.

I had tested in the following scenario:

• The two IPs were configured in C:\ColdFusion2025\cfusion\jetty\etc\jetty-ipaccess.xml;
• Standalone ColdFusion2025Add-onService is installed.

I didn't have to look far. To confirm, when I configured the two IPs in a similar way in C:\ColdFusion2025Add-onServices\etc\jetty-ipaccess.xml I was unable to restart the Add-On service. 

Thanks for the update, BKBK. It was an easy mistake to make. Glad I noticed that solr.home value to connect the dots. 🙂

But I have great news (well, some will find it great, I think): I have figured out how to get Solr to let us whitelist an ipv6 address. More in a note I'll be sharing here shortly. 

It's double good news then. I, too, have found a way to configure Solr to listen to 127.0.0.1 as well as to ::1.

Looking at some examples on the web, I discovered that the Jetty file to configure is neither C:\ColdFusion2025\cfusion\jetty\etc\jetty-ipaccess.xml nor C:\ColdFusion2025Add-onServices\etc\jetty-ipaccess.xml. So, first and foremost, I returned those files to their original state. Then I followed these steps:

1.  Stop the ColdFusion 2025 .NET Service, the ColdFusion 2025 Add-On Service and the ColdFusion 2025 Application Server. 

2.  Create the XML files C:\ColdFusion2025\cfusion\jetty\etc\jetty-inetaccess.xml and C:\ColdFusion2025Add-onServices\etc\jetty-inetaccess.xml. Ensure they have the same content, which is:

<!--
Setting to whitelist localhost. 
Both IPv4 and IPv6 localhost are allowed. External connections are blocked.
-->
<Configure id="Server" class="org.eclipse.jetty.server.Server">
  <Call name="insertHandler">
    <Arg>
      <New  id="InetAccessHandler" class="org.eclipse.jetty.server.handler.InetAccessHandler">
        <Set name="whiteList">
          <Array type="String">
            <Item>127.0.0.1</Item>
            <Item>::1</Item>
          </Array>
        </Set>
      </New>
    </Arg>
  </Call>
</Configure>

3.  Edit C:\ColdFusion2025\cfusion\jetty\etc\jetty-http.xml and C:\ColdFusion2025Add-onServices\etc\jetty-http.xml as follows: 
- Comment out the two "Set" elements for "host" and "port":

  <!--<Set name="host"><Property name="jetty.http.host" deprecated="jetty.host" /></Set> -->
  <!--<Set name="port"><Property name="jetty.http.port" deprecated="jetty.port" /></Set> -->

-  Add the following two elements underneath, just before the closing tag </Configure>:

  
<Call name="addConnector">
  <Arg>
    <New class="org.eclipse.jetty.server.ServerConnector">
      <Arg name="server"><Ref refid="Server"/></Arg>
      <Set name="host">127.0.0.1</Set>
      <Set name="port">8997</Set>
    </New>
  </Arg>
</Call>

<Call name="addConnector">
  <Arg>
    <New class="org.eclipse.jetty.server.ServerConnector">
      <Arg name="server"><Ref refid="Server"/></Arg>
      <Set name="host">::1</Set>
      <Set name="port">8997</Set>
    </New>
  </Arg>
</Call>

4.  Restart the 3 services in this order: (a) the ColdFusion 2025 Application Server;
    (b) the ColdFusion 2025 Add-On Service;
    (c) the ColdFusion 2025 .NET Service. 

5. To test, launch the  URLs http://127.0.0.1:8997/solr/ and http://[::1]:8997/solr/ in a browser. You should get the Solr dashboard in both cases.

Sadly, no. You were on the right track, but I think I will demonstrate to you why this is not doing what you propose.

1) First, yes, you are RIGHT that the solution is to leverage the inetaccess modile. That is indeed what I will be showing. But your file will not work, if you enable that module. The thing is, you have not included the step for enabling that module. (I will.)

2) And if you did enable that module, you would find that your XML would fail, reporting (in the jetty stderr log) that there was a "Config error at <Set name="whiteList">", along with dozens more lines. The thing is, that XML (offered in various places on the web) is simply incorrect. I will offer the correct XML. (And this is what I meant in saying that it was proving difficult to resolve correctly.)

3) But I get it that you may feel I'm wrong in my assertion.  To that I will propose two things.

First, I could propose you change the ip address in your whitelist to something that would never be correct. But second I'd propose you change the xml file to have entirely invalid xml...such as removing half of the file contents. Then save it and restart the add-on service. Does it restart? Are there no errors in the jetty stderr log? If so, that's proving that ketty simply is NOT loading that file (because again, you have not enabled the inetaccess module. And even if you do, your XML will fail as it does for me when I enabled the module. So I will offer the correct xml in my next reply.)

4) So finally, you would reasonably ask "why then am I now able to successfully run the request either way"? I will assert that's because of the OTHER change you made, in the jetty-http.xml. And what you did there is controlling what IP or hostname jetty is willing to LISTEN ON. That's different than this whole whitelist matter, which is instead about what IP address is MAKING THE REQUEST TO JETTY. 

So in conclusion, again, all these are things I had planned to address already in my post. And indeed that's why I had not posted it quickly after my previous note. There's a lot to cover, and it is taking care to explain it correctly. I will now get back to doing it.

I hope you'll wait for that before you may reply. I think what I have to say will be beneficial for you about what you offered, in addition to being beneficial to Ian and others who may be following along. We're all in this together, advancing understanding for the CF community.

OK, this is what I was originally writing before BKBK's last respond and my reply to him. 

I have new info report--and I DO believe it will be the solution for anyone (like the OP, Ian) who needs to support calling into the add-on service from some IPV6 address--which the "ipaccess" feature (and that jetty-ipaccess.xml file) does not allow you to whitelist. Apologies that it's a long reply. Lot's to cover/clarify.

TLDR; 1) in the jetty/start.ini file, add to the end a new line (--module=inetaccess, which enables that module) and comment out the existing ipaccess line (#--module=ipaccess, which we will no longer use), and 2) define a jetty-inetaccess.xml (in the \jetty\etc\ folder) with the contents I show below--which WILL allow whitelisting/blacklisting ipv6 or ipv4 addresses (and more). You may find you need to also 3) modify the jetty start.ini to comment out the jetty.http.host line (for reasons I will explain) or use the approach BKBK offered just above to modify the jetty-http.xml). I will explain the relationship of this last point to this whitelist matter, which is not obvious.

1) Indeed, let me point out first that in my initial reply to the OP, Ian, I added as one workaround how an alternative might be to use a hosts file to have the localhost resolve to an ipv4 address. I have since updated that first reply, as there's more to that than meets the eye., and I think it's worth a moment of our time here also.

To be clear, the issue of the jetty whitelist feature we're discussing is NOT about the IP address (or host name) used on a URL to call INTO the add-on service. Instead it's about the IP address FROM WHICH such request is made. That's a key distinction to keep in mind when testing things related to this! 🙂 It's also easy to lose track of even when you're aware of it, as happened to me more than once today.

1b) And as some may need to hear it: let's clarify that all this discussion of whitelisting IPs has NOTHING to do with the ip address of the clients making calls to your CFML code which may then use CF features to call upon the jetty/add-in service, like cfsearch/cfindex/cfcollection for Solr and cfhtmltopdf for pdfG. We're talking about the ip address of the CF server that is connecting to that jetty/add-on service.

That said, as has been shown in previous replies here, you can also DEMONSTRATE calling into the jetty service using a URL that names the server running the jetty service and uses its port. See BKBK's previous replies and screenshots for examples of that.

2) Here's another important point before I discuss the "solution". When it comes to wanting to investigate "what's happening" (when things fail related to this whitelisting), note that there is an available "request log" in the jetty logs folder (formally with the name format of [yyyy_mm_dd]_request.log).. And in that log you can see in its first column the ip address FROM WHICH a request is made. That's key.

And it's when THAT shows an ipv6 address , such as pehaps [0:0:0:0:0:0:0:1], that the default whitelist feature would fail--because that would not match the 127.0.0.1 there by default.  As important, note that this jetty request line will also show the STATUS code returned to this request--which will be a 403 for requests that fail this whitelist check (or due to the blacklist check).

2a) I suspect in Ian's situation (as for many), it's that his machine which is running CF had on the CF Admin "Solr" page its "Solr Server" value set to the default of "localhost"--but his machine resolves that hostname to ::1. Why is that important? As I noted in my revision to the first reply today, I find that when a request is made TO an ipv6 address, the receiving server sees the request as coming FROM an ipv6 address. And so his request would be sent to the add-on service as if it's from his ipv6 address (that 0:0:0:0:0:0:0:1 I mentioned). 

And I confirmed this in my own jetty request log--along with it getting a 403, because that "from address" doesn't match the 127.0.0.1 that Adobe puts into that jetty-ipaccess.xml file's whitelist value by default. Yet if one tries to modify that whitelist to add either 0:0:0:0:0:0:0:1 or ::1, the add-on sevice won't start (as discussed earlier today) because this jetty ipaccess module simply does NOT allow ipv6 addresses. 

3) And before I offer the new solution, I'll remind readers that I had proposed a couple of alternatives to Ian originally. He's not yet confirmed if he tried them.

One is simply changing the "solr server" value in the CF admin (Solr page) from "localhost" to 127.0.0.1 (when CF and the add-on service are on the same machine). Again I am finding that if you make the call TO an ipv4 address, that causes the recipient to see the request come FROM an ipv4 address, in this case 127.0.0.1--which matches the default whitelist. (Again, you can prove it yourself looking in the jetty request log.

4) But there may well be folks who will be setting up the CF and Solr (add-on) service on different machines, and those may use IPV6, such that they will really PREFER to somehow allow use of ipv6 addresses to be whitelisted. And it seems I have come up with the solution for that. (It was hard-going, as I didn't readily find it discussed ANYWHERE, with regard to Jetty--except in the context of writing java code to cause Jetty to allow it, which most here would NOT want to do. Or now I can add that, like BKBK, I found discussions of XML that looked like what he offered--but it didn't work.)

So what's the solution? Change from using the jetty "ipaccess" module to the jetty "inetaccess" module, which DOES support whitelisting or blacklisting ipv4 and IPV6 files. Then configure the associated xml file for that. How does one do these? Pretty easily, actually. There are just two steps.

5) Step 1: In the jetty/start.ini file, go to the end of the file and add a new line:

--module=inetaccess

That is key to enables that different module (and it's a step BKBK was missing in his last reply.

I wouild also recommend commenting out the existing ipaccess line, so that all access is controlled by this module. That's easily done. You should find it listed as the current final line in the start.ini file. Just put a hash/pound sign in front of it:

#--module=ipaccess

While it makes sense to have only one module in control of this access, the only negative to this is that some will read Adobe and other resources that propose changing that jetty-ipaccess.xml file...and such changes will be ignored once this ipaccess module is disabled (just like I reported to BKBK that his proposed new inetaccess xml file was being ignored by Jetty because he'd not yet enabled the module that uses it.)

I think the benfits will outweigh the risk--at least for those who want/need ipv6 control of whitelist/blacklisting. And who knows, perhaps Adobe will see the value in this and switch to using this instead. That could take time to happen, of course.

6) Step 2: Then define a new jetty-inetaccess.xml (in the \jetty\etc\ folder) with contents like I show below--which WILL allow whitelisting/blacklisting ipv6 or ipv4 addresses (and more).  Of course, change it to use the IP addresses you need, for the originating servers that will be calling into your jetty/add-on service (remember to use the jetty request log to confirm what values are coming int and getting 403's). Here is a version of the file that worked for me:

<?xml version="1.0"?>
<!DOCTYPE Configure PUBLIC "-//Jetty//Configure//EN" "https://jetty.org/configure_10_0.dtd">

<Configure id="Server" class="org.eclipse.jetty.server.Server">
  <Call name="insertHandler">
    <Arg>
      <New id="InetAccessHandler" class="org.eclipse.jetty.server.handler.InetAccessHandler">
        <Call name="include">
          <Arg>
            <Array type="java.lang.String">
              <Item>127.0.0.1</Item>
              <Item>::1</Item>
            </Array>
          </Arg>
        </Call>
        <Call name="exclude">
          <Arg>
            <Array type="java.lang.String">
              <!--<Item></Item>-->
            </Array>
          </Arg>
        </Call>
      </New>
    </Arg>
  </Call>
</Configure>

And BKBK, note how different that is from the one you proposed.  I'll repeat: I had found one like you did, but I got the error which I said (in my reply to you) that I got when trying yours. This one does not get errors. More important, if you make any "incorrect" change (like incorrect xml, or changing the name of some element), you would find this one WOULD get errors when the add-on service started.

And of course you do need to restart the add-on service for these changes to take effect.

6a) Before moving on, you'll notice that I have commented out the element for the blacklist (what is referred to in this file and the inetaccess module as an "exclusion" rather than a blacklisting--perhaps a nod to changing norms regarding such terminology). I showed this in case one does not want to blacklist/exclude but only whitelist/include. To be clear, once you list an include, then ONLY requests from the listed ip addresses will be allowed. Others would get that 403 error in the log and on-screen.

6b) Of course, if you wanted to allow calls into jetty from some other IP address, you could add them as another "item" in the first "include" list. For example, I was testing calling into one machine running the add-on service from another, and for that to work I had to add its ip address, in my case:

<Item>192.168.68.58</Item>

As for how to know the ip address of that other server, course you could just do a command-line ipconfig (or the *nix equivalent, ifconfig) to get that (for whatever network device makes the connection), but I'll remind you again that you can find it just as easily being reported in that first column of that jetty request log, if you make a request to this add-on service from that other server and it's rejected with a 403.

6c) But what if you do NOT see your request (from another server) showing up in the jetty request log--as a 403, or even at all? Well, you may have found that when you ATTEMPTED the request from the other server, you didn't get any 403 error shown but instead the request just hung.

That would be because you probably have to open the firewall on the add-on service to ALLOW such a call in to the add-on service port from another server. That's beyond the scope of this disucssion, but I share it before someone says "I made all these changes and it's still not working for me". Of course, if there's some other problem with anything I reported, I welcome feedback.

6d) But what if it was indeed that the address for that other server was an ipv6 address? Indeed, we would want to add another "item" element...but in terms of what to put in as the value, well, this is where things can get tricky, especially for those not familiar with ipv6 addresses. (Things were easy with the "::1" for a localhost/loopback address.)

Here again, one may be tempted to just go to that other server and do an ipconfig/ifconfig to get the ipv6 address (for whatever network device made the connection). But beware, if you put that into the xml file it may fail to be allowed as you'd expect. Let me share an example. 

I went to the other server from which I was making the request (and I had used in the call to the solr server the ipv6 ip address of the CF add-on service server), and I did an ipconfig and found the ip address reported to be: 

fe80::4115:17a4:6371:7229%6

And I put that into the xml file as another "item"...but the request still was blocked (with a 403, as tracked in that jetty request log).

So I'll say again: the best thing to do to get the ip address FROM WHICH a request is made is to look in the jetty request log at that first column. When I did that, it showed the ip address instead as:

That's quite different from the one above that I got from the ipconfig. It's similar, butnotice for instance the ":0:0:0:" where before there was just "::". Then of course the closing % values are different. I'll note elaborate on ipv6 details. But I AM saying that until I put the SECOND value into the XML file, it was NOT properly whitelisted:

<Item>fe80:0:0:0:4115:17a4:6371:7229%27</Item>

Hope that helps folks.

6f) Before wrapping up discussion of the inetaccess module, I will point out that there are indeed other things you can specify in these "item" values, including ip address CIDR values and ranges. I'll leave it with pointing you to the docs for more, as this is already a blog-length reply!

Note that these address values are technically instances of an "InetAddressSet" java class, and the (brief) docs showing examples of other kinds of item values are available here, for the Jetty 9 version that recent CF versions have included.

7) Finally, before wrapping up there's another thing some may readers may find helpful with regard to a DIFFERENT aspect of how the CF Jetty service (or any jetty service) may be configured. (Again, I had already started writing this before BKBK's note, and what I offer will be a bit different than his proposal to tweak the jetty-http.xml file, which is of course a workable option.)

When it comes to calls into the jetty (add-on) service, note that there is YET ANOTHER configuration aspect which relates to what ip address (and port) jetty LISTENS on, meaning what IP addresses you can CALL INTO the service--which is quite different from the whitelist feature, which is instead to control what IP addresses you can CALL FROM.

This is important to understand because sometimes when you may be testing various URLs used to call into the jetty service, the ip addresses or domain names will ultimately reach the server using some ip address (or a hostname that resolves to one), and whether the jetty service is willing to "listen" for requests to that ip address depends on this other configuration. Let me explain with examples.

jetty.http.host=127.0.0.1

#jetty.http.host=127.0.0.1

7c) Now, could someone contend/ask, "well isn't this then the only solution that someone needs" to solve the original problem?

Well, maybe.

First, note that the currently implenented ipaccess module still limits where requests can come FROM. Remember, the original problem Ian presented was wanting to whitelist an ipv6 address--which that module can't do. And I surmised it was because indeed the localhost value on his CF machine resolved to ::1. And the ipaccess whitelist would block that.

So could he instead JUST comment out both this jetty.http.host and the ipaccess module?

Well, yes.

But then you'd be leaving yourself open to relying SOLELY on your firewall to protect you...and you could conceivably have bad-guy calls come into jetty (and solr and pdfg) from somewhere INSIDE your network.

And in fact THAT is why the default value for this jetty.http.host is 127.0.0.1--the presumption is that you ONLY want to allow requests that come INTO that ip address...and generally one can only request that ip address if they are ON the server where jetty is installed.

I realize all this can make your head swim. I hope it makes sense if you read this post carefully, perhaps a couple of times. 🙂

8) Like I said, it's taken me a long time (hours) just to write this up (carefully), not to mention the hours I spent exploring the problem and finding the solution (when it was really hard to find). Of course, now the AI agents will soon find this thread and offer to people THIS XML as the solution to the problem. OK, I'll have done my job.

And you who have read through to this point get to be like explorers of a cavern who get to say you were there when it was discovered. Of course, it's an arduous journey descending into a new cavern. Hope it was worth the trip. Future folks will find the answer presented more succeinctly by the AI agents. And sure, I could have made this far more brief, but as is my wont I wanted to explain things, to try to help others who would take this ball and run with it. I love challenges like this!

And as always, if I have made any mistakes, let me know. Soon I would want to turn this into a blog post--to help those who don't read this forum, and may need the info before the AI bots consume and regurgitate it.

Looking forward to what Ian, BKBK, and anyone else may have to say. 

Sadly, no. You were on the right track, but I think I will demonstrate to you why this is not doing what you propose.

 

By @Charlie Arehart

Charlie, you have just said what you think. That is not a demonstration; you're just supposing.

I have not quoted the rest of your post for a reason. From what I can see, it is not relevant to the solution I propose.

What I propose does in fact work. Before publishing, I did test it to confirm. 

As they say, the proof of the pudding is in the eating. So, after reading your naysaying just now, I restarted the three services: ColdFusion Server, ColdFusion Add-On and ColdFusion .NET.

Here are the results:

1.  After launching the URL http://127.0.0.1:8997/solr/#/ in a browser
   
2.  After launching the URL http://[::1]:8997/solr/#/ in a browser
   
3.  The logs: 
        C:\ColdFusion2025Add-onServices\logs\2025_09_05.stderrout.log (Timezone: Central European Summer Time = GMT+2Hours)

   2025-09-05 10:48:13.995:INFO:oejsh.ContextHandler:main: Started o.e.j.w.WebAppContext@2f217633{solr,/solr,file:///C:/ColdFusion2025Add-onServices/work/jetty-0_0_0_0-0-solr_war-_solr-any-/webapp/,AVAILABLE}{C:\ColdFusion2025Add-onServices\webapps\solr.war}
   2025-09-05 10:48:14.060:INFO:oejsh.ContextHandler:main: Started o.e.j.w.WebAppContext@a530d0a{AdminServlet,/AdminServlet,file:///C:/ColdFusion2025Add-onServices/work/jetty-0_0_0_0-0-AdminServlet_war-_AdminServlet-any-/webapp/,AVAILABLE}{C:\ColdFusion2025Add-onServices\webapps\AdminServlet.war}
   2025-09-05 10:48:14.062:INFO:oejs.RequestLogWriter:main: Opened C:\ColdFusion2025Add-onServices\logs\2025_09_05.request.log
   2025-09-05 10:48:14.083:INFO:oejs.AbstractConnector:main: Started ServerConnector@ca2cd5e{HTTP/1.1, (http/1.1)}{0.0.0.0:63305}
   2025-09-05 10:48:14.093:INFO:oejs.AbstractConnector:main: Started ServerConnector@a120b9{HTTP/1.1, (http/1.1)}{127.0.0.1:8997}
   2025-09-05 10:48:14.105:INFO:oejs.AbstractConnector:main: Started ServerConnector@ac417a2{HTTP/1.1, (http/1.1)}{::1:8997}
   2025-09-05 10:48:14.106:INFO:oejs.Server:main: Started @7232ms

   
        C:\ColdFusion2025Add-onServices\logs\2025_09_05.request.log (Timezone: GMT)

   127.0.0.1 - - [05/sep/2025:09:04:27 +0000] "GET /solr/ HTTP/1.1" 200 17145 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/139.0.0.0 Safari/537.36"
   127.0.0.1 - - [05/sep/2025:09:04:28 +0000] "GET /solr/admin/cores?_=1757063068406&indexInfo=false&wt=json HTTP/1.1" 200 484 "http://127.0.0.1:8997/solr/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/139.0.0.0 Safari/537.36"
   127.0.0.1 - - [05/sep/2025:09:04:28 +0000] "GET /solr/admin/info/system?_=1757063068406&wt=json HTTP/1.1" 200 2380 "http://127.0.0.1:8997/solr/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/139.0.0.0 Safari/537.36"
   127.0.0.1 - - [05/sep/2025:09:04:28 +0000] "GET /solr/admin/info/system?_=1757063068406&wt=json HTTP/1.1" 200 2381 "http://127.0.0.1:8997/solr/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/139.0.0.0 Safari/537.36"
   [0:0:0:0:0:0:0:1] - - [05/sep/2025:09:04:44 +0000] "GET /solr/ HTTP/1.1" 200 17145 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/139.0.0.0 Safari/537.36"
   [0:0:0:0:0:0:0:1] - - [05/sep/2025:09:04:44 +0000] "GET /solr/admin/cores?_=1757063084803&indexInfo=false&wt=json HTTP/1.1" 200 484 "http://[::1]:8997/solr/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/139.0.0.0 Safari/537.36"
   [0:0:0:0:0:0:0:1] - - [05/sep/2025:09:04:44 +0000] "GET /solr/admin/info/system?_=1757063084804&wt=json HTTP/1.1" 200 2379 "http://[::1]:8997/solr/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/139.0.0.0 Safari/537.36"
   [0:0:0:0:0:0:0:1] - - [05/sep/2025:09:04:44 +0000] "GET /solr/admin/info/system?_=1757063084804&wt=json HTTP/1.1" 200 2379 "http://[::1]:8997/solr/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/139.0.0.0 Safari/537.36"
   

Your logs don't disprove what I said. Why must it always be this way between us? Dude, I gave you the specific steps to show why what you offered in your jetty-inetaccess.xml is NOT the solution AND IS NOT WORKING, at least with respect to the problem of supporting requests FROM an ipv6 address.

Again, try blacklisting that ipv6 address (shown in your log) using your xml. Is it blocked? Until you do that, your offered xml is more confusing to matters than helpful.

I tried to be very clear and helpful in my reply to you. I explained why your jetty-http.xml alone was allowing what you're seeing. (But that's NOT proving the ipb6 whitelist/blacklist you propose is working.)

And I feared that despite my best efforts there, you'd only see red at my temerity to question you. Read it again, or don't. I'm done with this, regarding your proposed jetty-inetaccess.xml solution. Hell, you even posted your reply after my very long response with the working jetty-inetaccess.xml (including proof that it's working), but you make no reference or comment on it here. 

I just hope discerning readers carefully consider all that's been said. 

Charlie, it's not just about my logs. It's about a whole demonstration of the whitelisting solution I proposed:

• Jetty restarting without any issues;
• URL access to Solr via 127.0.0.1;
• URL access to Solr via ::1;
• request.log showing the Solr requests were successful;
• stderrout.log showing there were no errors.

Let me recap.

The original post from @iclark3509 reported that he had attempted to whitelist 127.0.0.1 and ::1 using a setting in jetty-ipaccess.xml. As a result, he couldn't restart Jetty.

You replied, saying that you had had the same experience. Namely, that Jetty wouldn't start when you attempted to whitelist 127.0.0.1 and ::1 in jetty-ipaccess.xml. Hence, the problem at hand was how to whitelist 127.0.0.1 and ::1, and get Jetty to start.

The solution I proposed does two things:

1.  It points out that jetty-ipaccess.xml (the configuration file you and @iclark3509 had used) is not the correct XML file for the job.
2.  It provides two correct configuration files to use, namely, jetty-inetaccess.xml and jetty-http.xml.

 It is in my solution that the files jetty-inetaccess.xml and jetty-http.xml appear for the very first time in this thread. Hours later, you posted suggestions that expanded on the methods I had used. You took the idea and ran with it in different directions, including blacklisting (besides the original whitelisting) and the use of Jetty's module system. 

That can only be a good thing for the forum. In fact, as I have often said, I appreciate and encourage the exchange and cross-fertilization of ideas. Very much so.

However, unfairness, backhandedness and insincerity may rub me the wrong way. In this forum, at least, you have the habit of unfairly dragging down or decrying the opinion of others, and then to provide what you consider the authoritative opinion. On occasion you've even gone as far as to ask participants to refrain from posting until you do so.
(I shall respond to your points about the use of Jetty modules in a separate post.)

I strive to be tolerant, respectful and professional. What I won't stand is someone being condescending, unfair and disingenuous.

Let's see what you find. 

And no, it is NOT at all that I "took the idea and ran with it in different directions". Before you wrote your first note with an offered jetty-inetaccess.xml file, I'd already SAID I had a working solution. It was taking me a long time to write about it (which is now clear why, if you read it).

Your jetty-inetaccess.xml FAILED TO LOAD when the inetAccess module was correctly implemented. Hopefully your testing will show that.

I had already acknowledged (twice) that the other jetty-http.xml change could help Ian a different way. I also tried to explain why.

Finally, my mention of blacklisting was merely as a way he or you or anyone in the future could confirm if the jetty-inetaccess.xml file was working at all (since most could not easily change what ipv6 address their request would come FROM.)

Again, I'm trying to help here. So like I said, let's see what your next steps find. 

And no, it is NOT at all that I "took the idea and ran with it in different directions". Before you wrote your first note with an offered jetty-inetaccess.xml file, I'd already SAID I had a working solution. It was taking me a long time to write about it (which is now clear why, if you read it).

By @Charlie Arehart

Yes, you said. With zero mention of what solution you had in mind. As they say, hindsight is 20/20.

Your jetty-inetaccess.xml FAILED TO LOAD when the inetAccess module was correctly implemented. Hopefully your testing will show that.

You misinterpret me, apparently purposely. Not for the first time. It is a recurring pattern between us. I suggest X. You interpret it as XY. Then you proceed to point out, usually elaborately, how incorrect "my suggestion" XY is. 

Case in point: I mentioned nothing about the setting --module=inetaccess in the solution that I proposed. The reason I did not explicitly implement it will follow in a separate post. You are the one who did a test with the setting --module=inetaccess. After which you tell me, "Your jetty-inetaccess.xml FAILED TO LOAD".
Your interpretation, your setting and your test, but you then attribute the error to me.

Keep digging. 

The intention of the solution that I proposed was to solve the problem of:

• whitelisting both the IPv4 (127.0.0.1) and the IPv6 (::1) for localhost;
• ensuring that Jetty (in the Add-On service) will restart afterwards.
   

The solution makes use of the configuration files \jetty\etc\jetty-inetaccess.xml and \jetty\etc\jetty-http.xml. For the purposes of the solution, it is not necessary, let alone required, to explicitly enable any Jetty modules. I shall explain why.

A Jetty module consists of the various components that are wired to work together to implement a Jetty feature. For example, the HTTP module consists of the components that are wired to work together to implement an HTTP connection in Jetty. Here the feature is an HTTP connection and the HTTP module provides the HTTP-relevant Java components for host, port, connection-timeout, queue-size, acceptedTcpNoDelay, buffer-size, and so on.

The modules are therefore one level of abstraction higher than the features. Since a module consists of different components wired to work together, the interaction within a module and between modules can be quite complex. Therefore, if you explicitly enable a module, you will have to map out all the possible dependencies within it and between it and other modules. Failure to do so may lead to errors. For example, when Charlie explicitly enabled the InetAccess module prior to testing the solution I had proposed, the file jetty-inetaccess.xml apparently failed to load.

There is yet another reason for caution when explicitly enabling Jetty modules: security. Best-practice from modular architecture says: 

• Explicitly enable only the modules you need. Don't just enable modules out of convenience. Audit your application's requirements and enable only the bare minimum.

When Adobe's ColdFusion engineers integrated Jetty in ColdFusion, they made sure of the following:

• all the modules that ColdFusion applications would likely need are enabled;
• each enabled module is configured with the appropriate default settings.

This ensures that the ColdFusion developer would rarely have any need to tinker with the modules. After all, it is preferable for the physician to test for the knee-jerk reflex by tapping on the knee, rather than by tinkering with the synapses in the brain. How then would the ColdFusion developer have some control of the implemented Jetty feaures? 

Answer: by means of Jetty's XML configuration files! (location: /jetty/etc/)

These XML configuration files ensure that you usually won't need to explicitly enable Jetty modules. For example, my solution uses jetty-inetaccess.xml and jetty-http.xml without needing to explicitly enable Jetty's InetAccess module. The configuration files themselves, jetty-inetaccess.xml and jetty-http.xml, already contain the necessary instructions and configuration settings to enable and use the features provided by the InetAccess module.

When you specify XML configuration files in your Jetty server setup, you are essentially providing the configuration that the module would otherwise provide when explicitly enabled. The ColdFusion Add-On Service's architecture handles the integration of these configuration files, making the explicit module command redundant. In this context, the XML files serve as the primary configuration method, and they inherently pull in the required functionality for the feature or features you wish to implement.

Bkbk, I realize you're insistent that your xml is "working". My experience is that it's not. But I've be saying from the outset: let's not debate it with words.

Just prove it for yourself: change your jetty-inetaccess.xml to name in its whitelist only one ipv4 and ipv6 address that DOESN'T exist. Don't worry about the blacklist for now. Then in your start.ini, comment out the ipaccess module (so it's not in play, since @iclark3509 's goal was to block ipv6, which that module can't do.) 

Now restart your add on service, and do your url test. Does it fail? It should, if your jetty-inetaccess.xml is working, but you only whitelist non-existent ip address as the caller.

If it does not fail, check what ip address is reported in that first column of the jetty request log. If it gets a 200 the clearly the whitelist (which should only allow what you name) IS NOT working.

And if that's not proof enough, NOW add that ip address to the black list (whatever one was reported in the log for your working test request). The restart the add on service and test again. Does it NOW block your request?

It doesn't for me, for your xml. It does for me, for my version I offered--as long as enable the inetaccess module. Finally, if I put your xml in instead (with that module enabled), then jetty won't start.

Does that make sense for you? Will you please take a few mins to test things, as I'd done for yours? Then you can test if mine DOES so the job (allowing control by ipv6 addresses). .

Again, I'm not here to win points or win arguments. I'm trying to help you and Ian and other readers, who may want to leverage the jetty-inetaccess.xml to whitelist or blacklist ipv6 addresses.

So far you and I seem to be about the only people IN THE WORLD considering this matter. (We're not even hearing from Ian since his original post.) You can help advance the knowledge base by offering just this few more minutes of your time. 

On reviewing the solution I proposed, I got a new idea worth checking out. If your only goal were “localhost only access”, you could achieve it by using a connector-binding-only method. This method would restrict Solr to localhost only via Jetty connector binding. Plus, it would do so without involving the InetAccess module at all. That is, no jetty-inetaccess.xml needed.

If this method works, then it will be simpler and cleaner. The steps are:

1.  Stop the three ColdFusion 2025 services:

• .NET Service
• Add-On Service
• Application Server

2.  Edit jetty-http.xml in both locations:

• C:\ColdFusion2025\cfusion\jetty\etc\jetty-http.xml
• C:\ColdFusion2025Add-onServices\etc\jetty-http.xml

Edit as follows:

    -  Comment out the existing host and port lines:

<!--<Set name="host"><Property name="jetty.http.host" deprecated="jetty.host" /></Set>-->
<!--<Set name="port"><Property name="jetty.http.port" deprecated="jetty.port" default="8080" /></Set>-->

    -  Add two explicit connectors bound to loopback only:
    (I have been using the port 8997 all along. That is specific to my ColdFusion 2025 installation. To see the port for your case, proceed as follows: open the ColdFusion Administrator and go to Data & Services > Solr Server. You should see the Solr port under Advanced Settings. )

<Call name="addConnector">
<Arg>
<New class="org.eclipse.jetty.server.ServerConnector">
<Arg name="server"><Ref refid="Server"/></Arg>
<Set name="host">127.0.0.1</Set>
<Set name="port">8997</Set>
</New>
</Arg>
</Call>

<Call name="addConnector">
<Arg>
<New class="org.eclipse.jetty.server.ServerConnector">
<Arg name="server"><Ref refid="Server"/></Arg>
<Set name="host">::1</Set>
<Set name="port">8997</Set>
</New>
</Arg>
</Call>

3.  Restart the services in order:

• ColdFusion 2025 Application Server
• ColdFusion 2025 Add-On Service
• ColdFusion 2025 .NET Service

4. Test

• http://127.0.0.1:8997/solr/ (Does it work?)
• http://[::1]:8997/solr/ (Does it work?)

Note: Any external IP connection will be refused (because Jetty isn’t listening externally).