I believe when we set up CF2018 a couple of years ago, we set it up for CF Admin to be accessed only if index.cfm is present. For example,
http://servername/CFIDE/Administrator/index.cfm - will serve it up
http://servername/CFIDE/Administrator/ - will not serve it up
I'm not sure whether this was done as part of the lockdown guide, but it appears this is no longer working and I don't see anything in the lockdown guide. We're migrating to 2023 and I would like to set this up. Where should I look? CF Admin is not showing up in IIS as of 2016, as it's using the built-in web server.
Once you have multiple web servers, things can get kind of ... weird. I'm not sure how you'd have intentionally set this up in the past - I can think of some ways, but they're kind of kludgy - and I'm not surprised it would break if you upgraded. And I'm not sure what value it provides to set it up that way anyway, although I'm guessing it has some value.
Let's say you installed CF in C:\ColdFusion2018 with the built-in web server (Tomcat), the default webroot "cfusion", and the default listening port for the cfusion app as TCP/8500. That means your CFIDE directory should be here:
C:\ColdFusion2018\cfusion\wwwroot\CFIDE
You should then be able to access the CF Administrator using this URL:
http://localhost:8500/CFIDE/Administrator/index.cfm
Then, when you run the web server configuration tool to install the webconfig connector, you'll be able to run CF through IIS, but that will have a different configuration than Tomcat's web server. By default, I think, CF 2021 will create an IIS filter that will block the /CFIDE/administrator directory entirely. (I'm not sure of that offhand but it seems reasonable. I don't know when that behavior was introduced, if it was at all.) In any case, the web server configuration tool will fiddle with IIS internals to specify one behavior or another. You can also fiddle with IIS internals after the fact, within the IIS management console or by editing one of the several XML files IIS uses for its configuration.
But what it sounds like you want to do is mess around with Tomcat internals. That's ok, but it's not really related to CF that much, so there's no setting in CF Administrator for that. Specifically, you're going to want to remove index.cfm from the list of <welcome-file> items under <welcome-file-list> in:
C:\ColdFusion2018\cfusion\wwwroot\WEB-INF\web.xml
It's near the bottom of the page; in mine it's on line 553. Make sure you keep a backup copy!
SIDEBAR: Let's talk about the lockdown guide and what it's for, for a minute. In general, the idea is to improve the security of your CF install. But what does that mean exactly? For different people it might mean different things. Do you want to expose the CF Administrator via IIS at all? Do you want to expose it via Tomcat to remote machines other than through RDP or explicit firewall rules? There isn't really a right answer to those questions. You have to figure out how security should work within your organization, and implement it accordingly. That's why there's a CF lockdown GUIDE instead of CF lockdown INSTRUCTIONS. If you use the lockdown tool built into the secure profile, someone else is going to make those choices for you, and I've always thought that was a bad idea unless you didn't know how to make those choices yourself. And if you did know how to make those choices yourself, you might be better off doing it manually anyway! A lot of them can be wrapped up in short scripts, etc.
Anyway, good luck!
Dave Watts, Eidolon LLC
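As an added example (not code from this thread or from Adobe), a small Python script that audits the welcome-file-list in cfusion/wwwroot/WEB-INF/web.xml, removes index.cfm from it, and keeps a .bak copy before rewriting the file, as suggested above. The sample web.xml is constructed, the file path is a placeholder, and one caveat applies: the welcome-file list is per web application, so this changes directory-URL behaviour for every directory under the cfusion webroot, not only /CFIDE/Administrator/.

```python
"""Audit and harden the <welcome-file-list> in a ColdFusion web.xml so a bare
directory URL (e.g. /CFIDE/Administrator/) no longer resolves to index.cfm.
Sample input below is constructed; real paths are placeholders."""
import re
import shutil
import xml.etree.ElementTree as ET
from pathlib import Path

# Constructed sample of the relevant part of cfusion/wwwroot/WEB-INF/web.xml.
SAMPLE_WEB_XML = """<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="3.0">
  <welcome-file-list>
    <welcome-file>index.cfm</welcome-file>
    <welcome-file>index.html</welcome-file>
    <welcome-file>index.htm</welcome-file>
  </welcome-file-list>
</web-app>
"""


def _local(tag):
    """Strip an XML namespace from a tag ('{uri}name' -> 'name')."""
    return tag.rsplit("}", 1)[-1]


def welcome_files(xml_text):
    """Return the <welcome-file> entries in document order (audit step)."""
    root = ET.fromstring(xml_text)
    return [e.text.strip() for e in root.iter()
            if _local(e.tag) == "welcome-file" and e.text]


def remove_welcome_file(xml_text, name="index.cfm"):
    """Return xml_text with every <welcome-file>name</welcome-file> removed."""
    root = ET.fromstring(xml_text)
    ns = re.match(r"\{(.*)\}", root.tag)
    if ns:  # keep the default namespace rather than emitting an ns0: prefix
        ET.register_namespace("", ns.group(1))
    lists = [e for e in root.iter() if _local(e.tag) == "welcome-file-list"]
    for lst in lists:
        for wf in list(lst):
            if _local(wf.tag) == "welcome-file" and (wf.text or "").strip() == name:
                lst.remove(wf)
    return ET.tostring(root, encoding="unicode")


def harden_web_xml(path, name="index.cfm"):
    """Copy web.xml to web.xml.bak, then rewrite it without `name`."""
    path = Path(path)  # placeholder, e.g. C:/ColdFusion2018/cfusion/wwwroot/WEB-INF/web.xml
    shutil.copy2(path, path.with_suffix(path.suffix + ".bak"))
    new_text = remove_welcome_file(path.read_text(encoding="utf-8"), name)
    path.write_text(new_text, encoding="utf-8")
```

Restart the cfusion instance after editing, then confirm that /CFIDE/Administrator/index.cfm still loads while /CFIDE/Administrator/ does not.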
Adding to Dave's (always helpful) reply, I'll share that I'd offered an answer with still more detail in a discussion Dmitriy raised on this also on the facebook cf programmers group.
Thanks. I was planning to respond here.