Weirdness After CF Auto Lockdown Tool

Explorer, Sep 25, 2023


I ran the CF Auto Lockdown Tool after a new installation of CF 2023 on a Windows 2022 server. Things have stopped working and I can't figure out why.

 

  • I followed almost all of the prerequisites before running; the only one I didn't follow was the recommendation to put CF on its own drive. I can't do that in this case. I haven't proceeded with the lockdown guide after the part where I ran the auto lockdown tool.

  • The CF Admin seems to work just fine. And the public-facing site works to some extent but hits errors on certain pages. The errors are cryptic to me. Some examples are:

    - Sep 25, 2023 3:07:45 PM org.apache.catalina.core.StandardContext setPath
    WARNING: A context path must either be an empty string or start with a '/' and do not end with a '/'. The path [/] does not meet these criteria and has been changed to []

    -INFO: The Apache Tomcat Native library which allows using OpenSSL was not found on the java.library.path: [C:\CF2023\cfusion\lib;C:\CF2023\cfusion\jintegra\bin;C:\CF2023\cfusion\jintegra\bin\international;C:\\CF2023\\jre\bin]
    Sep 25, 2023 3:07:46 PM org.apache.coyote.AbstractProtocol init

    - Sep 25, 2023 15:08:45 WARN [main] - Unable to determine dialect of the StAX implementation at jar:file:/C:/CF2023/cfusion/lib/bundleaxis/wstx-asl-3.2.9.jar!/
    Sep 25, 2023 15:08:45 PM Warning [main] - Unable to determine dialect of the StAX implementation at jar:file:/C:/CF2023/cfusion/lib/bundleaxis/wstx-asl-3.2.9.jar!/

    And also this one:
    Connect to 127.0.0.1:8989 [/127.0.0.1] failed: Connection refused: no further information http://127.0.0.1:8989/PDFgServlet/
    Sep 25, 2023 15:08:37 PM Error [Thread-17] - Cannot invoke "String.equalsIgnoreCase(String)" because the return value of "coldfusion.document.webkit.PDFgServiceManager.getEngine()" is null
    java.lang.NullPointerException: Cannot invoke "String.equalsIgnoreCase(String)" because the return value of "coldfusion.document.webkit.PDFgServiceManager.getEngine()" is null
    at coldfusion.pdfg.jetty.PDFGServiceImpl.initializePDFGService(PDFGServiceImpl.java:247)
    at coldfusion.pdfg.jetty.PDFGServiceImpl.access$000(PDFGServiceImpl.java:76)
    at coldfusion.pdfg.jetty.PDFGServiceImpl$1.run(PDFGServiceImpl.java:169)

Does anyone have any ideas? I know I can just uninstall the lockdown tool, but I'd rather try to figure out what went wrong.  

 

Thank you

Community Expert, Sep 25, 2023


While it's indeed common for people to have problems after running the autolockdown tool (while others love it and have zero issues), you will need to give us more to go on to resolve your issues. The error messages you offer are not uncommon nor are they at ALL unique to your having run the tool. As important, most of those are messages from cf's startup.  

 

So please tell us what errors you get on screen when running your app? And/or what ones appear in any cf log at that very moment? Don't rely on the date modified of files to decide if they may have something useful for you in recent minutes. Look at the application.log (which will have a single line per error) and the exception.log (which may have dozens of lines per error).

 

Beware also that your app or cf admin config may have an error handler of your own writing that never writes the error to the logs, but instead just emails it to someone or stores it in a db. That's worth supplementing with a cflog or writelog to show the error ALSO in the cf logs.

 

Finally, it could be that the error is in the web server or web server connector (connecting the web server to cf). That would be reflected in their respective logs, not cf's logs folder.

 

Bottom line: the lockdown could well be the cause of your problem, but we need more diagnostics to know the actual problem to be solved. 


/Charlie (troubleshooter, carehart.org)

Explorer, Sep 25, 2023


Thank you very much Charlie. I found the problem. I checked the IIS logs and see that it is logging a 500 error with a 183 subcode. I am seeing a more detailed error if I go in via 127.0.0.1:

Module: RequestFilteringModule
Notification: BeginRequest
Handler: StaticFile
Error Code: 0x800700b7
Config Error: Cannot add duplicate collection entry of type 'add' with unique key attribute 'url' set to '/jakarta/isapi_redirect.dll'
Config File: \\?\C:\inetpub\wwwroot\LLWindows.com\web.config

 

[web.config file mentioned above]
<?xml version="1.0" encoding="UTF-8"?>
<configuration>
  <system.webServer>
    <defaultDocument>
      <files>
        <clear />
        <add value="index.cfm" />
        <add value="Default.htm" />
        <add value="Default.asp" />
        <add value="index.htm" />
        <add value="index.html" />
        <add value="iisstart.htm" />
        <add value="default.aspx" />
        <add value="index.php" />
      </files>
    </defaultDocument>
    <httpProtocol>
      <customHeaders>
        <remove name="X-Powered-By" />
      </customHeaders>
    </httpProtocol>
    <security>
      <requestFiltering>
        <denyUrlSequences>
          <add sequence="/Application.cfc" />
          <add sequence="/WEB-INF" />
          <add sequence="/cfformgateway" />
          <add sequence="/flex2gateway" />
          <add sequence="/cfform-internal" />
          <add sequence="/flex-internal" />
          <add sequence="/WSRPProducer" />
          <add sequence="/JSDebugServlet" />
          <add sequence="/securityanalyzer" />
          <add sequence=".svn" />
          <add sequence=".git" />
          <add sequence="/CFIDE" />
          <add sequence="/jakarta" />
        </denyUrlSequences>
        <alwaysAllowedUrls>
          <add url="/jakarta/isapi_redirect.dll" />
        </alwaysAllowedUrls>
      </requestFiltering>
    </security>
  </system.webServer>
</configuration>

Interestingly, if I replace the contents of this file with something more along the lines of the default, it all works again--but now I don't know what to do to fix the more secure version:

<?xml version="1.0" encoding="UTF-8"?>
<configuration>
  <system.webServer>
    <defaultDocument>
      <files>
        <clear />
        <add value="index.cfm" />
        <add value="Default.htm" />
        <add value="Default.asp" />
        <add value="index.htm" />
        <add value="index.html" />
        <add value="iisstart.htm" />
        <add value="default.aspx" />
        <add value="index.php" />
      </files>
    </defaultDocument>
    <httpProtocol>
      <customHeaders>
        <remove name="X-Powered-By" />
        <add name="X-Powered-By" value="ASP.NET" />
      </customHeaders>
    </httpProtocol>
  </system.webServer>
</configuration>

Thanks again.

Community Expert, Sep 25, 2023


Well, at least WRT the error you shared, that's telling you to remove the "add url" line from your original web.config. It's simply redundant, already defined at the server level for you (as an "allowed url" in the "request filtering" feature at the server level in iis).

 

I realize this may all be Greek to you (given how you've presented the info), but it really is that simple. And there's no risk that you're "breaking the security" of things by this.

 

You'll likely ask "then why didn't the lockdown tool set this right", but my suspicion is that it DID set this right--at the server level, and that it did not consider that your site's web.config file might have that redundancy.

 

So now if you try that change (to the original file), it may move the error to another line which it says is redundant. Just keep repeating the process.

 

Let us know how it goes. 


/Charlie (troubleshooter, carehart.org)

Explorer, Sep 26, 2023


Thank you Charlie. I wound up removing all of the denied items and now things all seem to work as they should. I really appreciate your help.

Community Expert, Sep 26, 2023


Glad to have helped. That said, it might have been wise to remove them one at a time, to make sure they WERE indeed redundantly setting something at the server level. Otherwise, in removing "all", that might have removed a protection NOT done at the server level.

 

Just being complete. 


/Charlie (troubleshooter, carehart.org)
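
One way to make the per-entry check suggested above before deleting anything, as an added example that is not from the thread or from the lockdown tool: it compares each requestFiltering entry in a site's web.config with the server-level config and reports whether it duplicates a server-level entry or exists only at the site. Both XML documents are constructed samples, and the function name Compare-RequestFiltering, the key-attribute table and the case-insensitive comparison are assumptions of this example.

```powershell
# Constructed stand-in for the server-level config; on a real server load
# $env:windir\System32\inetsrv\config\applicationHost.config instead.
$serverXml = [xml]@'
<configuration><system.webServer><security><requestFiltering>
  <denyUrlSequences>
    <add sequence="/WEB-INF" />
    <add sequence="/jakarta" />
  </denyUrlSequences>
  <alwaysAllowedUrls>
    <add url="/jakarta/isapi_redirect.dll" />
  </alwaysAllowedUrls>
</requestFiltering></security></system.webServer></configuration>
'@
# Constructed excerpt of a site web.config shaped like the one posted above.
$siteXml = [xml]@'
<configuration><system.webServer><security><requestFiltering>
  <denyUrlSequences>
    <add sequence="/Application.cfc" />
    <add sequence="/WEB-INF" />
    <add sequence="/jakarta" />
  </denyUrlSequences>
  <alwaysAllowedUrls>
    <add url="/jakarta/isapi_redirect.dll" />
  </alwaysAllowedUrls>
</requestFiltering></security></system.webServer></configuration>
'@
# Collection name -> unique key attribute of its <add> entries.
$keyAttr = [ordered]@{ denyUrlSequences = 'sequence'; alwaysAllowedUrls = 'url' }

function Compare-RequestFiltering {
    param([xml]$Server, [xml]$Site)
    foreach ($coll in $keyAttr.Keys) {
        $key = $keyAttr[$coll]
        # '//' also matches sections inside <location> blocks, so against a real
        # applicationHost.config narrow this to the location that applies.
        $xpath = "//requestFiltering/$coll/add"
        $serverKeys = @($Server.SelectNodes($xpath) | ForEach-Object { $_.GetAttribute($key) })
        foreach ($node in $Site.SelectNodes($xpath)) {
            $value = $node.GetAttribute($key)
            # -contains compares case-insensitively (assumed to match IIS).
            $dup = $serverKeys -contains $value
            [pscustomobject]@{
                Collection = $coll; Key = $value
                Verdict = if ($dup) { 'duplicate of server-level entry' } else { 'site-only entry' }
            }
        }
    }
}
Compare-RequestFiltering $serverXml $siteXml | Format-Table -AutoSize
```

An entry reported as site-only has no counterpart in the server-level config it was compared against, so removing it from web.config drops that filter for the site.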
