iprestriction.properties removed from CF11 Update 3?

Participant ,
Dec 18, 2014

In CF11, Update 1, & Update 2, in the CF11\config\wsconfig\#\ folder, there was a file called iprestriction.properties that contained the following:

*/CFIDE/main/ide.cfm=*
*/CFIDE/adminapi/*=*
*/CFIDE/administrator/*=*
*/CFIDE/componentutils/*=*
*/CFIDE/wizards/*=*
*/CFIDE/ServerManager/*=*

After updating to CF11 Update 3 and then rebuilding one of the connectors, that file has been removed, along with the reference to it in the isapi_redirect.properties file.

Was this done on purpose, or was this a regression? It looks to contain security-related settings.

Adobe Community Professional ,
Dec 21, 2014

Leith, the same question was asked on the Adobe blog, and Immanuel Noel (from Adobe) replied saying: “the IPRestriction file has been removed. The best way to have IP restrictions in place, is to follow the "Access Control" workflows in Apache, and "IP Restrictions" in IIS.”

Comment at: http://blogs.coldfusion.com/post.cfm/coldfusion-11-update-3-and-coldfusion-10-update-15-are-available-now#comment-95EA1295-A1CA-AD70-F8457D10A0C256A7

I’ve not had a chance to investigate this any further (for instance, it’s not clear whether the security controls were simply moved elsewhere, which could make sense because this file, like others in the connector directory, was removed if the connector was rebuilt).

But I took note of his comment when I saw it, and so am passing it along to you.

/charlie

/Charlie (server troubleshooter, carehart.org)

Participant ,
Jan 05, 2015

Thank you for the information, I had not come across that reply in my searching for the answer to this.

Charlie Arehart wrote:

The best way to have IP restrictions in place, is to follow the "Access Control" workflows in Apache, and "IP Restrictions" in IIS.”

My only issue with this is I'm not an Apache admin, I don't run it, I've never run it, I don't know how to run it. It also leaves me confused: is he referring to Apache Tomcat inside CF11 or Apache the web server? We run IIS and not Apache. So I still view this as an issue because there's no documentation instructing me what I need to do to emulate this removed functionality.

Explorer ,
Jan 06, 2015

@Leith, removal of the IP Restrictions file does not pose any security concerns.

In my previous comment, I mention that IPRestrictions (if your environment requires its use), must be defined in Apache Web Server (NOT the one inside ColdFusion), or IIS.
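
An added example, not part of the thread or of Adobe's documentation: a check that each path from the removed iprestriction.properties is covered by a deny-by-default IIS "IP Address and Domain Restrictions" (`ipSecurity`) rule, taking the most specific `<location>` that defines one. The site name, the address, and the applicationHost.config fragment are constructed, and it assumes /CFIDE is served under the IIS site.

```python
import xml.etree.ElementTree as ET

# Paths from the iprestriction.properties listing in the thread (wildcards dropped).
CF_PATHS = ["CFIDE/main/ide.cfm", "CFIDE/adminapi", "CFIDE/administrator",
            "CFIDE/componentutils", "CFIDE/wizards", "CFIDE/ServerManager"]

# Constructed applicationHost.config fragment; site name and address are assumptions.
SAMPLE_CONFIG = """
<configuration>
  <location path="Default Web Site/CFIDE">
    <system.webServer><security>
      <ipSecurity allowUnlisted="false">
        <add ipAddress="127.0.0.1" allowed="true" />
      </ipSecurity>
    </security></system.webServer>
  </location>
  <location path="Default Web Site/CFIDE/wizards">
    <system.webServer><security>
      <ipSecurity allowUnlisted="true" />
    </security></system.webServer>
  </location>
</configuration>
"""

def ip_security_by_location(config_xml):
    """Map lower-cased location path -> True if unlisted clients are denied.
    A missing allowUnlisted attribute counts as "true" (allow), the IIS default."""
    rules = {}
    for loc in ET.fromstring(config_xml).iter("location"):
        sec = loc.find("system.webServer/security/ipSecurity")
        if sec is not None:
            deny = sec.get("allowUnlisted", "true").lower() == "false"
            rules[loc.get("path", "").lower().strip("/")] = deny
    return rules

def unrestricted_paths(config_xml, site, paths=CF_PATHS):
    """Return the paths whose nearest ipSecurity rule does not deny unlisted clients."""
    rules = ip_security_by_location(config_xml)
    exposed = []
    for path in paths:
        parts = f"{site}/{path}".lower().split("/")
        # Walk from the most specific location up to the site root.
        candidates = ["/".join(parts[:n]) for n in range(len(parts), 0, -1)]
        if not next((rules[c] for c in candidates if c in rules), False):
            exposed.append(path)
    return exposed

if __name__ == "__main__":
    print(unrestricted_paths(SAMPLE_CONFIG, "Default Web Site"))
```

In the constructed fragment the child location for CFIDE/wizards re-opens access that the parent rule denies, which is the case the nearest-rule lookup is there to catch.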

Participant ,
Jan 06, 2015

Thank you, it was just disconcerting to see what looked like security related configuration vanish.

Adobe Community Professional ,
Jan 06, 2015

Just to be clear, Leith, you quote me below, but I was clear that I was quoting “i Noel”. That’s lost in how you’ve replied below so I just wanted to clarify for any interested.

Anyway, you say you use IIS so his references to Apache are lost on you, but he did also say you could use “"IP Restrictions" in IIS.”

I see he’s also offered other answers to you, so hopefully you are ok with things for now?

/charlie

/Charlie (server troubleshooter, carehart.org)

brentil
Participant ,
Jan 07, 2015

Yes, once the difference between restricting IPs (which we do do in IIS) and the block configuration from the file was made clear, it answered my questions.
