Restricting Jetty Access to Server Only

Explorer, Dec 02, 2025

I'd like to restrict Jetty access to the server itself only (CF2021).  I need to do this because the port, 8993, is coming up on a security scan.  I can't use Windows Firewall to block the port (it's complicated, but long story short, it's not an option).

 

I have found two places to do this, I think:

 

[cf]\cfusion\jetty\start.ini

## Connector host/address to bind to
# jetty.http.host=0.0.0.0

## Connector port to listen on
jetty.http.port=8993

I'd change the 2nd line to jetty.http.host=127.0.0.1.  Would this cause any problems?  I did this in my test environment and the server seemed fine.  We don't use Solr; we do use PDF generation, and PDFs still generated after I made this change.

 

[cf]\cfusion\jetty\etc\jetty-ipaccess.xml

<Configure id="Server" class="org.eclipse.jetty.server.Server">
    <Call name="insertHandler">
        <Arg>
            <New id="IPAccessHandler" class="org.eclipse.jetty.server.handler.IPAccessHandler">
                <Set name="white">
                    <Array type="String">
                        <Item>127.0.0.1</Item>
                    </Array>
                </Set>
                <Set name="black">
                    <Array type="String">
                        <Item></Item>
                    </Array>
                </Set>
                <Set name="whiteListByPath">false</Set>
            </New>
        </Arg>
    </Call>
</Configure>

I'm confused about this, as it already looks like it is using a whitelist, and that whitelist is only 127.0.0.1.  And yet when this command is run, it outputs JSON data:

 

curl [server]:8993/solr/admin/info/properties

 

FYI, this post is a continuation of a convo that was started here:

 

https://community.adobe.com/t5/coldfusion-discussions/upgrade-or-patch-for-solr-in-coldfusion-2021-t...


Community Expert, Dec 05, 2025

This subject was discussed extensively in a thread posted last September. See https://community.adobe.com/t5/coldfusion-discussions/cold-fusion-2023-restrict-access-to-solr-web-a... .

You will find many ideas and suggestions there.

Explorer, Dec 08, 2025

Thanks, BKBK.  I'll try out your latest solution and let you know how it goes.  I'm using CF2021, FYI.  A point of clarification in your solution:

 

"Add two explicit connectors bound to loopback only"

 

You just add that at the end, right?  Like this (I'm using port 8993):

        <Get name="SelectorManager">
          <Set name="connectTimeout"><Property name="jetty.http.connectTimeout" default="15000"/></Set>
        </Get>
      </New>
    </Arg>
  </Call>

  <Call name="addConnector">
    <Arg>
      <New class="org.eclipse.jetty.server.ServerConnector">
        <Arg name="server"><Ref refid="Server"/></Arg>
        <Set name="host">127.0.0.1</Set>
        <Set name="port">8993</Set>
      </New>
    </Arg>
  </Call>

  <Call name="addConnector">
    <Arg>
      <New class="org.eclipse.jetty.server.ServerConnector">
        <Arg name="server"><Ref refid="Server"/></Arg>
        <Set name="host">::1</Set>
        <Set name="port">8993</Set>
      </New>
    </Arg>
  </Call>

</Configure>
Community Expert, Dec 08, 2025

Yes, @Dynamic_critic9200 . Remember to:

  • Verify that 8993 is the correct port. You can do so in the ColdFusion Administrator, on the page Data & Services > PDF Service.
  • Comment out the existing host and port lines in jetty-http.xml:
<!--<Set name="host"><Property name="jetty.http.host" deprecated="jetty.host" /></Set>-->
<!--<Set name="port"><Property name="jetty.http.port" deprecated="jetty.port" default="8080" /></Set>-->
  • Restart ColdFusion.

Explorer, Dec 08, 2025

Not PDF Service but SOLR Service, right?  My PDF service runs on 8987.  SOLR runs on 8993.  The issue is with SOLR's port being open, flagging our security scans.  I don't have an issue with port 8987.

Community Expert, Dec 08, 2025

Sorry for the oversight. On my installation it's the same port.
To confirm the correct Solr port, go to the ColdFusion Administrator page Data & Services > Solr Server. 

 

For good measure, verify that http://localhost:8997/solr/#/ (or the equivalent in your system) shows the Solr dashboard.

Community Expert, Dec 08, 2025

Guys, here's a clarification that should help: the port numbers for the add-on service change (by 2) with each release. So while 8997 would be for the 2025 add-on service (by default), that 8993 would be for cf2021 (and 8995 for CF2021), and so on. That's of course very important as then you'd want to be considering tweaks to the jetty config for the correct version.

 

And by using OS tools to show listening ports, you can see also not only what process is listening to a given port, but also how that process has identified what IPs it's willing to accept requests from--which will also be useful for the effort critic is undertaking. See "netstat -aon" in Windows and "netstat -tupln" in *nix.

/Charlie (troubleshooter, carehart.org)
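The netstat check Charlie describes, done mechanically: an added example (not code from the thread, from ColdFusion or from Jetty) that parses the output of "netstat -aon" (Windows) or "netstat -tupln" (Linux) and reports any listener on the Solr port that is bound to something other than a loopback address. The netstat lines below are constructed for the example; the port numbers mirror the ones discussed in the thread.

```python
import re

# Constructed sample output in the shape of "netstat -aon" on Windows. Here 8993 is
# still bound to every IPv4 and IPv6 address, while 8987 is already loopback-only.
WINDOWS_NETSTAT = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:8993           0.0.0.0:0              LISTENING       4120
  TCP    127.0.0.1:8987         0.0.0.0:0              LISTENING       4120
  TCP    [::]:8993              [::]:0                 LISTENING       4120
"""

# Constructed sample output in the shape of "netstat -tupln" on Linux.
LINUX_NETSTAT = """\
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 127.0.0.1:8993          0.0.0.0:*               LISTEN      2231/java
tcp6       0      0 :::8987                 :::*                    LISTEN      2231/java
"""

LOOPBACK = {"127.0.0.1", "::1", "0:0:0:0:0:0:0:1"}


def split_local_address(addr):
    """Split 'host:port' as netstat prints it; IPv6 appears as '[::]:8993' or ':::8993'."""
    host, _, port = addr.rpartition(":")
    return host.strip("[]"), int(port)


def listeners(netstat_output):
    """Return (host, port, pid) for every TCP line in a LISTEN/LISTENING state."""
    found = []
    for line in netstat_output.splitlines():
        fields = line.split()
        if not fields or fields[0].lower() not in ("tcp", "tcp6"):
            continue
        if not any(f in ("LISTEN", "LISTENING") for f in fields):
            continue
        # Windows rows: Proto Local Foreign State PID (5 fields);
        # Linux rows: Proto Recv-Q Send-Q Local Foreign State PID/Program (7 fields).
        local = fields[1] if len(fields) == 5 else fields[3]
        host, port = split_local_address(local)
        found.append((host, port, fields[-1]))
    return found


def exposed_listeners(netstat_output, port):
    """Sockets on `port` bound to anything other than a loopback address; empty means the port is closed to the network."""
    return [(h, p, pid) for h, p, pid in listeners(netstat_output)
            if p == port and h not in LOOPBACK]
```

Run it against the real command output and an empty result for the Solr port is the condition the scanner should no longer flag; a wildcard bind (0.0.0.0 or ::) on either address family is what keeps the port visible.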
Explorer, Dec 09, 2025

Thanks for the link -- I tried it in my lower environment where I made the change...

 

HTTP ERROR 500 java.lang.IllegalArgumentException: Invalid IP address: 0:0:0:0:0:0:0:1
URI:	/solr/
STATUS:	500
MESSAGE:	java.lang.IllegalArgumentException: Invalid IP address: 0:0:0:0:0:0:0:1
SERVLET:	-
CAUSED BY:	java.lang.IllegalArgumentException: Invalid IP address: 0:0:0:0:0:0:0:1
CAUSED BY:	java.lang.IllegalArgumentException: Invalid octet: 0:0:0:0:0:0:0:1
Caused by:
java.lang.IllegalArgumentException: Invalid IP address: 0:0:0:0:0:0:0:1
	at org.eclipse.jetty.util.IPAddressMap$IPAddrPattern.match(IPAddressMap.java:230)
	at org.eclipse.jetty.util.IPAddressMap.getMatch(IPAddressMap.java:124)
	at org.eclipse.jetty.util.IPAddressMap.match(IPAddressMap.java:107)
	at org.eclipse.jetty.server.handler.IPAccessHandler.isAddrUriAllowed(IPAccessHandler.java:301)
	at org.eclipse.jetty.server.handler.IPAccessHandler.handle(IPAccessHandler.java:205)
	at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:127)
	at org.eclipse.jetty.server.Server.handle(Server.java:501)
	at org.eclipse.jetty.server.HttpChannel.lambda$handle$1(HttpChannel.java:383)
	at org.eclipse.jetty.server.HttpChannel.dispatch(HttpChannel.java:556)
	at org.eclipse.jetty.server.HttpChannel.handle(HttpChannel.java:375)
	at org.eclipse.jetty.server.HttpConnection.onFillable(HttpConnection.java:273)
	at org.eclipse.jetty.io.AbstractConnection$ReadCallback.succeeded(AbstractConnection.java:311)
	at org.eclipse.jetty.io.FillInterest.fillable(FillInterest.java:105)
	at org.eclipse.jetty.io.ChannelEndPoint$1.run(ChannelEndPoint.java:104)
	at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.runTask(EatWhatYouKill.java:336)
	at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.doProduce(EatWhatYouKill.java:313)
	at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.tryProduce(EatWhatYouKill.java:171)
	at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.run(EatWhatYouKill.java:129)
	at org.eclipse.jetty.util.thread.ReservedThreadExecutor$ReservedThread.run(ReservedThreadExecutor.java:375)
	at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:806)
	at org.eclipse.jetty.util.thread.QueuedThreadPool$Runner.run(QueuedThreadPool.java:938)
	at java.base/java.lang.Thread.run(Thread.java:834)
Caused by: java.lang.IllegalArgumentException: Invalid octet: 0:0:0:0:0:0:0:1
	at org.eclipse.jetty.util.IPAddressMap$OctetPattern.match(IPAddressMap.java:334)
	at org.eclipse.jetty.util.IPAddressMap$IPAddrPattern.match(IPAddressMap.java:223)
	... 21 more
Powered by Jetty:// 9.4.31.v20200723
Explorer, Dec 09, 2025

FYI, if I comment this out:

<Call name="addConnector">
<Arg>
<New class="org.eclipse.jetty.server.ServerConnector">
<Arg name="server"><Ref refid="Server"/></Arg>
<Set name="host">::1</Set>
<Set name="port">8993</Set>
</New>
</Arg>
</Call>

Then I don't get an error and SOLR starts just fine.  Is this necessary?

Community Expert, Dec 09, 2025

Yes, it is safe and correct to delete the ::1 setting and use only the IPv4 127.0.0.1 binding.

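A small lint for the two configuration points the thread settles on, written as an added example (not code from the thread, from ColdFusion or from Jetty): every ServerConnector in jetty-http.xml must be pinned to a loopback host rather than left to the jetty.http.host property, and no IPv6 connector may sit behind jetty-ipaccess.xml's IPAccessHandler, because the posted stack trace shows IPAddressMap rejecting the IPv6 client address 0:0:0:0:0:0:0:1 with "Invalid octet". The XML below is a constructed sample in the shape shown in the thread, not a copy of a real install.

```python
import xml.etree.ElementTree as ET

# Constructed sample: one connector whose host is still the unresolved jetty.http.host
# property, one pinned to ::1, and an IPAccessHandler whitelisting 127.0.0.1.
SAMPLE_CONFIG = """<Configure id="Server" class="org.eclipse.jetty.server.Server">
  <Call name="addConnector"><Arg><New class="org.eclipse.jetty.server.ServerConnector">
    <Arg name="server"><Ref refid="Server"/></Arg>
    <Set name="host"><Property name="jetty.http.host" deprecated="jetty.host"/></Set>
    <Set name="port"><Property name="jetty.http.port" deprecated="jetty.port" default="8080"/></Set>
  </New></Arg></Call>
  <Call name="addConnector"><Arg><New class="org.eclipse.jetty.server.ServerConnector">
    <Arg name="server"><Ref refid="Server"/></Arg>
    <Set name="host">::1</Set><Set name="port">8993</Set>
  </New></Arg></Call>
  <Call name="insertHandler"><Arg>
    <New id="IPAccessHandler" class="org.eclipse.jetty.server.handler.IPAccessHandler">
      <Set name="white"><Array type="String"><Item>127.0.0.1</Item></Array></Set>
    </New>
  </Arg></Call>
</Configure>"""

LOOPBACK = {"127.0.0.1", "::1"}


def set_value(set_el):
    # Literal text of a <Set>, else the default of a nested <Property/>, else None (unresolved).
    text = (set_el.text or "").strip()
    if text:
        return text
    prop = set_el.find("Property")
    return prop.get("default") if prop is not None else None


def connectors(root):
    """(host, port) for every ServerConnector declared in the config."""
    out = []
    for new in root.iter("New"):
        if new.get("class") == "org.eclipse.jetty.server.ServerConnector":
            sets = {s.get("name"): set_value(s) for s in new.findall("Set")}
            out.append((sets.get("host"), sets.get("port")))
    return out


def findings(xml_text):
    """Connectors not pinned to loopback, plus IPv6 connectors behind an IPAccessHandler
    (its IPAddressMap parses IPv4 octets only, so IPv6 clients get an HTTP 500)."""
    root = ET.fromstring(xml_text)
    has_ipaccess = any(n.get("class", "").endswith(".IPAccessHandler") for n in root.iter("New"))
    problems = []
    for host, port in connectors(root):
        if host is None:
            problems.append(f"port {port}: host not pinned (unresolved jetty.http.host property)")
        elif host not in LOOPBACK:
            problems.append(f"port {port}: host {host} is not loopback")
        if has_ipaccess and host and ":" in host:
            problems.append(f"port {port}: IPv6 host {host} behind IPAccessHandler will 500")
    return problems
```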
Explorer, Dec 09, 2025

Thank you so much, BKBK -- port 8993 is closed to the outside world!  All good, this worked perfectly.

Community Expert, Dec 10, 2025

My pleasure, @Dynamic_critic9200 . I'm glad to have helped.
