In CF11, Update 1, & Update 2 in the CF11\config\wsconfig\#\ folder there was a file called iprestriction.properties that contained the following;
After updating to CF11 Update 3 and then rebuilding one of the connectors that file has been removed along with the reference to it in the isapi_redirect.properties file.
Was this done on purpose or was this a regression because it looks to contain security related settings?
Leith, the same question was asked on the Adobe blog, and Immanuel Noel (from Adobe) replied saying: “the IPRestriction file has been removed. The best way to have IP restrictions in place, is to follow the "Access Control" workflows in Apache, and "IP Restrictions" in IIS.”
Comment at: http://blogs.coldfusion.com/post.cfm/coldfusion-11-update-3-and-coldfusion-10-update-15-are-available-now#comment-95EA1295-A1CA-AD70-F8457D10A0C256A7
I’ve not had a chance to investigate this any further (for instance, it’s not clear whether the security controls were simply moved elsewhere, which could make sense because this file like others in the connector directory were removed if the connector was rebuilt).
But I took note of his comment when I saw it, and so am passing it along to you.
Thank you for the information, I had not come across that reply in my searching for the answer to this.
Charlie Arehart wrote:
The best way to have IP restrictions in place, is to follow the "Access Control" workflows in Apache, and "IP Restrictions" in IIS.”
My only issue to this is I'm not an Apache admin, I don't run it, I've never run it, I don't know how to run it. It also leaves me confused because is he referring to Apache Tomcat inside CF11 or Apache the web server as we run IIS and not Apache. So I still view this as an issue because there's no documentation instructing me what I need to do to emulate this removed functionality.
@Leith, removal of the IP Restrictions file does not pose any security concerns.
In my previous comment, I mention that IPRestrictions (if your environment requires its use), must be defined in Apache Web Server (NOT the one inside ColdFusion), or IIS.
Thank you, it was just disconcerting to see what looked like security related configuration vanish.
Just to be clear, Leith, you quote me below, but I was clear that I was quoting “i Noel”. That’s lost in how you’ve replied below so I just wanted to clarify for any interested.
Anyway, you say you use IIS so his references to Apache are lost on you, but he did also say you could use “"IP Restrictions" in IIS.”
I see he’s also offered other answers to you, so hopefully you are ok with things for now?
Yes, once it was made clear the difference between restricting IPs (which we do do in IIS) and the block configuration from the file were made it answered my questions.