I ran the CF Auto Lockdown Tool after a new installation of CF 2023 on a Windows 2022 server. Things have stopped working and I can't figure out why.
Does anyone have any ideas? I know I can just uninstall the lockdown tool, but I'd rather try to figure out what went wrong.
Thank you
While it's indeed common for people to have problems after running the autolockdown tool (while others love it and have zero issues), you will need to give us more to go on to resolve your issues. The error messages you offer are not uncommon nor are they at ALL unique to your having run the tool. As important, most of those are messages from cf's startup.
So please tell us what errors you get on screen when running your app, and/or what ones appear in any cf log at that very moment. Don't rely on the date modified of files to decide if they may have something useful for you in recent minutes. Look at the application.log (which will have a single line per error) and the exception.log (which may have dozens of lines per error).
Beware also that your app or cf admin config may have an error handler of your own writing that never writes the error to the logs, but instead just emails it to someone or stores it in a db. That's worth supplementing with a cflog or writelog to show the error ALSO in the cf logs.
Finally, it could be that the error is in the web server or web server connector (connecting the web server to cf). That would be reflected in their respective logs, not cf's logs folder.
Bottom line: the lockdown could well be the cause of your problem, but we need more diagnostics to know the actual problem to be solved.
Thank you very much Charlie. I found the problem. I checked the IIS logs and see that it is logging a 500 error with a 183 subcode. I am seeing a more detailed error if I go in via 127.0.0.1:
Module RequestFilteringModule
Notification BeginRequest
Handler StaticFile
Error Code 0x800700b7
Config Error Cannot add duplicate collection entry of type 'add' with unique key attribute 'url' set to '/jakarta/isapi_redirect.dll'
Config File \\?\C:\inetpub\wwwroot\LLWindows.com\web.config
[web.config file mentioned above]
<?xml version="1.0" encoding="UTF-8"?>
<configuration>
  <system.webServer>
    <defaultDocument>
      <files>
        <clear />
        <add value="index.cfm" />
        <add value="Default.htm" />
        <add value="Default.asp" />
        <add value="index.htm" />
        <add value="index.html" />
        <add value="iisstart.htm" />
        <add value="default.aspx" />
        <add value="index.php" />
      </files>
    </defaultDocument>
    <httpProtocol>
      <customHeaders>
        <remove name="X-Powered-By" />
      </customHeaders>
    </httpProtocol>
    <security>
      <requestFiltering>
        <denyUrlSequences>
          <add sequence="/Application.cfc" />
          <add sequence="/WEB-INF" />
          <add sequence="/cfformgateway" />
          <add sequence="/flex2gateway" />
          <add sequence="/cfform-internal" />
          <add sequence="/flex-internal" />
          <add sequence="/WSRPProducer" />
          <add sequence="/JSDebugServlet" />
          <add sequence="/securityanalyzer" />
          <add sequence=".svn" />
          <add sequence=".git" />
          <add sequence="/CFIDE" />
          <add sequence="/jakarta" />
        </denyUrlSequences>
        <alwaysAllowedUrls>
          <add url="/jakarta/isapi_redirect.dll" />
        </alwaysAllowedUrls>
      </requestFiltering>
    </security>
  </system.webServer>
</configuration>
Interestingly, if I replace the contents of this file with something more along the lines of the default, it all works again--but now I don't know what to do to fix the more secure version:
<?xml version="1.0" encoding="UTF-8"?>
<configuration>
  <system.webServer>
    <defaultDocument>
      <files>
        <clear />
        <add value="index.cfm" />
        <add value="Default.htm" />
        <add value="Default.asp" />
        <add value="index.htm" />
        <add value="index.html" />
        <add value="iisstart.htm" />
        <add value="default.aspx" />
        <add value="index.php" />
      </files>
    </defaultDocument>
    <httpProtocol>
      <customHeaders>
        <remove name="X-Powered-By" />
        <add name="X-Powered-By" value="ASP.NET" />
      </customHeaders>
    </httpProtocol>
  </system.webServer>
</configuration>
Thanks again.
Well, at least WRT the error you shared, that's telling you to remove the "add url" line from your original web.config. It's simply redundant, already defined at the server level for you (as an "allowed url" in the "request filtering" feature at the server level in iis).
I realize this may all be greek to you (given how you've presented the info), but it really is that simple. And there's no risk that you're "breaking the security" of things by this.
You'll likely ask "then why didn't the lockdown tool set this right", but my suspicion is that it DID set this right--at the server level, and that it did not consider that your site's web.config file might have that redundancy.
So now if you try that change (to the original file), it may move the error to another line which it says is redundant. Just keep repeating the process.
Let us know how it goes.
Thank you Charlie. I wound up removing all of the denied items and now things all seem to work as they should. I really appreciate your help.
Glad to have helped. That said, it might have been wise to remove them one at a time, to make sure they WERE indeed redundantly setting something at the server level. Otherwise, in removing "all", that might have removed a protection NOT done at the server level.
Just being complete.
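The two points Charlie makes above (that the 0x800700b7 "duplicate collection entry" error means the site web.config repeats an entry the server level already defines, and that entries should be removed one at a time so a site-only protection is not dropped along with the redundant ones) can be checked mechanically. The script below is an added example, not code from the thread or from the CF Auto Lockdown Tool. It compares the request-filtering collections of a site web.config with a server-level fragment, reports which site entries are duplicates (the ones IIS rejects) and which exist only at the site level (the ones worth keeping), and produces a cleaned web.config with only the duplicates removed. The server-level fragment is constructed for the example; on a real server the inherited settings live in applicationHost.config under %windir%\System32\inetsrv\config, and which entries the lockdown tool actually placed there is an assumption here.

```python
import xml.etree.ElementTree as ET

# Constructed stand-in for the server-level applicationHost.config fragment.
# ASSUMPTION: the lockdown tool already defined these three deny sequences and the
# connector allow-URL at the server level; a real server may differ.
SERVER_CONFIG = """<?xml version="1.0" encoding="UTF-8"?>
<configuration>
  <system.webServer>
    <security>
      <requestFiltering>
        <denyUrlSequences>
          <add sequence="/WEB-INF" />
          <add sequence="/CFIDE" />
          <add sequence="/jakarta" />
        </denyUrlSequences>
        <alwaysAllowedUrls>
          <add url="/jakarta/isapi_redirect.dll" />
        </alwaysAllowedUrls>
      </requestFiltering>
    </security>
  </system.webServer>
</configuration>
"""

# The site web.config from the thread, reduced to its request-filtering section.
SITE_CONFIG = """<?xml version="1.0" encoding="UTF-8"?>
<configuration>
  <system.webServer>
    <security>
      <requestFiltering>
        <denyUrlSequences>
          <add sequence="/Application.cfc" />
          <add sequence="/WEB-INF" />
          <add sequence="/cfformgateway" />
          <add sequence="/flex2gateway" />
          <add sequence="/cfform-internal" />
          <add sequence="/flex-internal" />
          <add sequence="/WSRPProducer" />
          <add sequence="/JSDebugServlet" />
          <add sequence="/securityanalyzer" />
          <add sequence=".svn" />
          <add sequence=".git" />
          <add sequence="/CFIDE" />
          <add sequence="/jakarta" />
        </denyUrlSequences>
        <alwaysAllowedUrls>
          <add url="/jakarta/isapi_redirect.dll" />
        </alwaysAllowedUrls>
      </requestFiltering>
    </security>
  </system.webServer>
</configuration>
"""

# Request-filtering collections and the attribute IIS uses as each one's unique key
# (the key named in the error message: 'url' for alwaysAllowedUrls).
COLLECTIONS = {
    "denyUrlSequences": "sequence",
    "alwaysAllowedUrls": "url",
}


def request_filtering_entries(xml_text):
    """Return {collection: set(keys)} for each request-filtering collection found."""
    root = ET.fromstring(xml_text)
    found = {}
    for collection, key_attr in COLLECTIONS.items():
        node = next(root.iter(collection), None)  # first occurrence anywhere in the file
        keys = set()
        if node is not None:
            keys = {e.get(key_attr) for e in node.findall("add") if e.get(key_attr)}
        found[collection] = keys
    return found


def classify_site_entries(site_xml, server_xml):
    """Split each site-level collection into entries already present at the server level
    (IIS rejects these with 'Cannot add duplicate collection entry', so they are safe to
    delete) and entries unique to the site (deleting these removes a real protection)."""
    site = request_filtering_entries(site_xml)
    server = request_filtering_entries(server_xml)
    return {
        collection: {
            "duplicate": sorted(site[collection] & server[collection]),
            "site_only": sorted(site[collection] - server[collection]),
        }
        for collection in COLLECTIONS
    }


def strip_duplicates(site_xml, server_xml):
    """Return the site web.config with only the server-duplicated entries removed,
    keeping every site-only entry in place."""
    server = request_filtering_entries(server_xml)
    root = ET.fromstring(site_xml)
    for collection, key_attr in COLLECTIONS.items():
        node = next(root.iter(collection), None)
        if node is None:
            continue
        for entry in list(node.findall("add")):
            if entry.get(key_attr) in server[collection]:
                node.remove(entry)
    return '<?xml version="1.0" encoding="UTF-8"?>\n' + ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    for collection, groups in classify_site_entries(SITE_CONFIG, SERVER_CONFIG).items():
        print(f"{collection}: remove {groups['duplicate']}; keep {groups['site_only']}")
    print(strip_duplicates(SITE_CONFIG, SERVER_CONFIG))
```

Run against the constructed inputs, the report lists the one alwaysAllowedUrls entry and three of the deny sequences as duplicates and keeps the other ten deny sequences, which is the "one at a time" outcome Charlie recommends without deleting the whole section. To use it on a real server, read the site's web.config and the server's applicationHost.config from disk in place of the two embedded strings.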