Inspiring

Question

Cold Fusion 2023 Restrict access to SOLR web app to localhost on server with IPV6

Forum|Forum|6 months ago
September 3, 2025
2 replies
1125 views

I need to limited access to the SOLR web application to localost. The server it is running on has both IPv4 and IPv6 and in the jerrty/etc/jetty-ipaccess.xml in this section:

<Item>::1</Item>

</Array>

</Set>

When I add IPV6 I get a error when I try to restart jetty. So I cannot lock it down.

Any ideas?

BKBK

Community Expert

Hi @iclark3509 and @Charlie Arehart ,

I attempted to reproduce the error you are talking about, but was unable to.
Here are the steps I followed (on ColdFusion 2025 Update 3 installed on Windows 10):

In the file jetty/etc/jetty-ipaccess.xml replace the default element

<Set name="white">
		  <Array type="String">
			<Item></Item>
		  </Array>
		</Set>

with

<Set name="white">
		  <Array type="String">
		   <Item>127.0.0.1</Item>
		   <Item>::1</Item>
		  </Array>
		</Set>

Restart the ColdFusion 2025 Add-On service.
Restart ColdFusion 2025.
In the ColdFusion Administrator, navigate to the 'Solr Server' page and confirm the Solr port number (8997).
Open the URL http://127.0.0.1:8997/solr/ in a browser. The result is as expected:
Check ColdFusion's logs and jetty/logs/ and confirm there are no errors.

BKBK

Community Expert

Suggestions:

Test with 0:0:0:0:0:0:0:1 in place of ::1 in the above jetty/etc/jetty-ipaccess.xml setting.
After the chnage, make sure you restart both the Add-On service and the ColdFusion service.

BKBK

Community Expert

Keep digging.

The intention of the solution that I proposed was to solve the problem of:

whitelisting both the IPv4 (127.0.0.1) and the IPv6 (::1) for localhost;
ensuring that Jetty (in the Add-On service) will restart afterwards.

The solution makes use of the configuration files \jetty\etc\jetty-inetaccess.xml and \jetty\etc\jetty-http.xml. For the purposes of the solution, it is not necessary, let alone required, to explicitly enable any Jetty modules. I shall explain why.

A Jetty module consists of the various components that are wired to work together to implement a Jetty feature. For example, the HTTP module consists of the components that are wired to work together to implement an HTTP connection in Jetty. Here the feature is an HTTP connection and the HTTP module provides the HTTP-relevant Java components for host, port, connection-timeout, queue-size, acceptedTcpNoDelay, buffer-size, and so on.

The modules are therefore one level of abstraction higher than the features. Since a module consists of different components wired to work together, the interaction within a module and between modules can be quite complex. Therefore, if you explicitly enable a module, you will have to map out all the possible dependencies within it and between it and other modules. Failure to do so may lead to errors. For example, when Charlie explicitly enabled the InetAccess module prior to testing the solution I had proposed, the file jetty-inetaccess.xml apparently failed to load.

There is yet another reason for caution when explicitly enabling Jetty modules: security. Best-practice from modular architecture says:

Explicitly enable only the modules you need. Don't just enable modules out of convenience. Audit your application's requirements and enable only the bare minimum.

When Adobe's ColdFusion engineers integrated Jetty in ColdFusion, they made sure of the following:

all the modules that ColdFusion applications would likely need are enabled;
each enabled module is configured with the appropriate default settings.

This ensures that the ColdFusion developer would rarely have any need to tinker with the modules. After all, it is preferable for the physician to test for the knee-jerk reflex by tapping on the knee, rather than by tinkering with the synapses in the brain. How then would the ColdFusion developer have some control of the implemented Jetty feaures?

Answer: by means of Jetty's XML configuration files! (location: /jetty/etc/)

These XML configuration files ensure that you usually won't need to explicitly enable Jetty modules. For example, my solution uses jetty-inetaccess.xml and jetty-http.xml without needing to explicitly enable Jetty's InetAccess module. The configuration files themselves, jetty-inetaccess.xml and jetty-http.xml, already contain the necessary instructions and configuration settings to enable and use the features provided by the InetAccess module.

When you specify XML configuration files in your Jetty server setup, you are essentially providing the configuration that the module would otherwise provide when explicitly enabled. The ColdFusion Add-On Service's architecture handles the integration of these configuration files, making the explicit module command redundant. In this context, the XML files serve as the primary configuration method, and they inherently pull in the required functionality for the feature or features you wish to implement.

Charlie Arehart

Community Expert

Yep, I'd experienced the same. And when I looked into it some weeks ago, it seemed this was an unfortunate limitation in Jetty, not something of Adobe's doing. There are a couple of potential workarounds.

First, since you're wanting to define ::1, is it that localhost on the cf machine resolves to that? If so, had you considered just changing the "Solr Server" page in the cf admin? While the "Solr Host Name" field there does DEFAULT to localhost, note that despite the name of the field you CAN change that "solr host name" specify an ip address instead, such as 127.0.0.1. That would work for some folks.

As for the related "pdf service" page in the CF admin, while it has a pre-defined "localhost" service, note that it's "host name" field is configured by default to a value of 127.0.0.1 (this despite the field's name implying that it might accept only host names). That one works with the default jetty-ipaccess.xml file, since that is the IP address that's whitelisted (and it's ipv4).

Finally, if one somehow needed to, they could use a hosts file on the cf machine to define some hostname that resolved to an ipv4 address. But that should be unnecessary.

Update since posting: I want to refine that last statement. When I wrote it, I was falling into the mistaken presumption (easy to make) that the whitelist and blacklist were about the IP being CALLED, when instead they are about the IP FROM WHICH THE CALL is made.

But it so happens that when you DO make a call TO an IPv6 address (or use a host/domain that resolves to one), the destination IS given the IPv6 address for the machine FROM which the call was made. So technically using a hosts file that defined some host that resolved to 127.0.0.1 WOULD change the request to come from the machine's ipv4 address...which for many would resolve to 127.0.0.1

But the rest of what I said above still applies: the problem is that if in your environment, your CF server might be on some machine that presents to the add-on service an ipv6 address, which would fail to meet the whitelist above--and the challenge is how to allow for that. (Besides the workarounds above, see more I later discovered in subsequent replies below.)

Let us know, Ian, if the suggestion above works for you, or not.

/Charlie (troubleshooter, carehart. org)

Sign up

To post, reply, or follow discussions, please sign in with your Adobe ID.

Sign in to Adobe Community

To post, reply, or follow discussions, please sign in with your Adobe ID.

Scanning file for viruses.

This file cannot be downloaded