I have a ColdFusion 2016 install at Update 3, and I am trying to restrict access to the internal components (adminapi) and the Administrator to the server itself, so that no one can access it without logging onto the server. I added the IP address of the server and localhost. It seems to have saved it, but it still allows outside access. The Administrator is hosted on the local Tomcat server at port 8500.
My security team is insisting that we lock this down, but this feature isn't working. Do I need to apply an update to fix a bug, or do I need to restart ColdFusion?
Mary, there would seem to be some unexpected explanation.
First, on the CF Admin "Allowed IP Addresses" page, note that there are two fields, one at the top and one at the bottom. For what you want, you need to be updating the bottom field.
Second, once you add to that list, if you leave and return to the page, are the changes remaining?
Third, you say you are on Update 3. As you may know, there is now an Update 6. It may be interesting to see if it still happens after that. But even before doing that, you could see if there was perhaps an error during the application of Update 3. I have a blog post on that (including how to find the update log, how to make sense of it, and how to fix problems that may have happened in applying the update, which could leave things not working quite right).
But before I share that, you may find that your CF already came with Update 3 applied (due to being a later installer), in which case you will not have an update folder and log for Update 3, so what I write here will not apply (for that Update 3):
Let us know if any of the above may help.
Thanks for the update. I did apply the IP addresses to the bottom section, and if I leave the page and go back, they are still there. If I log out and back in, it is still there. But if I go to the Administrator from another server, it still brings it up, and you can also get to the scripts that are under adminapi.
It looks like the ColdFusion Update 3 was embedded; I followed your link and found that it was embedded. So it's not a bad update. I haven't had to update ColdFusion; I used to use it a long time ago, so I was planning on putting the update on and seeing if that works.
It's not a public-facing web site, so they are going to try to block it with the firewall for now. I'm hoping the updates will work.
It looks like it prevents login to the ColdFusion Administrator: the site comes up, but any attempt to log in to it is denied. But it still allows me to get to the adminapi. We only use this as a small web site; how can I determine whether, if I try to actually use the adminapi CFC files, they will be denied? I don't know how to invoke them; the ?wsdl works, though.
Does anyone know?
You can try requesting them through a browser on another machine using ?wsdl, which is fine for your purposes.
Dave Watts, Fig Leaf Software
OK, so the restriction on the ColdFusion Administrator for these isn't working. I have read the ColdFusion lockdown guides, but they never mention how to block the internal web server, and if they do, it's not clear.
How do I prevent the built-in web server from allowing the URLs to be browsed?
The internal web server is Apache Tomcat, so you'll have to look at the Tomcat documentation to see how this is done. I think this is probably the relevant link:
You can also use your web server's built-in firewall functionality to prevent connections from external servers.
Dave Watts, Fig Leaf Software
I found out how to block outside IP addresses. It's in server.xml, under the Connector for the port. I only allow localhost, and now no one can connect to the Administrator unless they are on the machine. Thanks for all your help.
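The two Tomcat-level controls that the last two posts refer to (Dave's pointer to the Tomcat documentation, and the poster's server.xml change under the Connector), shown as an added example. This is not the poster's actual file or Adobe's shipped server.xml; the path cfusion/runtime/conf/server.xml, the port 8500, and the reduced set of Connector attributes are assumptions, and a real ColdFusion server.xml carries more attributes on the Connector than are shown here. The `address` Connector attribute and `org.apache.catalina.valves.RemoteAddrValve` are both standard Tomcat features.

```xml
<!-- Added example: assumed location cfusion/runtime/conf/server.xml.
     Only the attributes relevant to the discussion are shown. -->
<Service name="Catalina">

  <!-- Before (assumed): no 'address', so Tomcat listens on every interface
       and port 8500 is reachable from any host that can route to the box. -->
  <!--
  <Connector port="8500" protocol="HTTP/1.1" connectionTimeout="20000" />
  -->

  <!-- After: bind the internal web server to the loopback interface only.
       Remote hosts get a connection refused; the Administrator and /CFIDE/adminapi
       are still reachable from a browser or curl run on the server itself. -->
  <Connector port="8500" protocol="HTTP/1.1" connectionTimeout="20000"
             address="127.0.0.1" />

  <Engine name="Catalina" defaultHost="localhost">
    <Host name="localhost" appBase="webapps">
      <!-- Alternative (or belt-and-braces) if the port must stay bound to other
           interfaces: filter by client address. 'allow' is a regular expression
           matched against the client IP; anything that does not match gets 403.
           Placement under Host is an assumption; it applies to every context on it. -->
      <Valve className="org.apache.catalina.valves.RemoteAddrValve"
             allow="127\.\d+\.\d+\.\d+|::1|0:0:0:0:0:0:0:1" />
    </Host>
  </Engine>
</Service>
```

Two practical notes. Binding the address is the stronger of the two controls: the valve only sees whatever client address Tomcat observes, so if a proxy or the IIS/Apache connector ever sits in front of this port, every request appears to come from that proxy and the allow list is meaningless, whereas a socket bound to 127.0.0.1 simply cannot be reached from another host. After editing, restart ColdFusion and confirm the bind with `netstat -an` (Windows) or `ss -lnt` (Linux): the 8500 listener should show 127.0.0.1:8500, not 0.0.0.0:8500, and a `?wsdl` request against an adminapi CFC from another machine should now fail to connect rather than return the WSDL.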