
Looking into setup Production Website in Web DMZ

Explorer, Jan 11, 2021


Team, starting to research what it would take down the line to move our internal CF website to allow public internet access. From previous work, I do understand this server itself would be locked down with no Internet access/FW rules would be needed for internal DB/share connections, etc. Any external links/calls from Web would also need to be pinholed. We are going to CF 2018 this year. Looking for any documentation/gotchas we need to consider for this new DMZ server. Our SSL Cert also needs to allow access ext/internal.

 

ty Jose

 

 

Community Expert, Jan 12, 2021


Well, this is a pretty broad question and doesn't have that much to do with CF itself.

 

In general, servers in a DMZ are typically set up as "bastion hosts", independent of your larger network. They're not part of your domain (if you're using Windows) and they're not going to have connections to anything they don't need to. They're not going to access any content in your LAN. This goes for your web servers and your databases - you'd want to move both to your DMZ as bastion hosts. Sometimes people will try to keep the database in the LAN and allow connections from the DMZ web server to the LAN database. This is a bad idea, don't do it. If your database is compromised, very bad things can happen.

 

As far as CF goes, you'll need to ensure that no admin endpoints are exposed to the outside world. This means testing your /CFIDE URLs and removing any specific connection points between your CF server and your web server other than that used to serve public files (this can be done using a variety of configuration options in your web server). Also, in general, you probably want to restrict CF from writing to your web server's file system by default, and only allow it in specific limited circumstances. (You should be doing this anyway but it's more important when things are public.)

 

Dave Watts, Eidolon LLC
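
One way to run the /CFIDE test described in the answer above against your own server, from a machine outside the firewall. This is an added example, not part of the original thread; the path list, the host `dmz.example.test` and the verdict labels are assumptions made for illustration.

```python
import urllib.error
import urllib.request

# Assumed sample of admin-side paths under /CFIDE; extend for your install.
ADMIN_PATHS = [
    "/CFIDE/administrator/index.cfm",
    "/CFIDE/adminapi/administrator.cfc",
    "/CFIDE/componentutils/",
]

class _NoRedirect(urllib.request.HTTPRedirectHandler):
    def redirect_request(self, *args, **kwargs):
        return None  # surface the 3xx itself instead of following it

def http_status(url, timeout=5):
    """Return the HTTP status code for url, or None if nothing answered."""
    opener = urllib.request.build_opener(_NoRedirect)
    try:
        with opener.open(url, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code
    except OSError:  # URLError, timeouts, refused connections
        return None

def classify(status):
    """Map a status code to a verdict for a path that should be unreachable."""
    if status is None or status in (403, 404):
        return "blocked"   # filtered by the firewall or the web server
    if 200 <= status < 300:
        return "EXPOSED"   # the admin path answered from the outside
    return "review"        # 3xx/401/5xx: the request still reached something

def audit(base_url, fetch=http_status):
    """Check every admin path on base_url; fetch is injectable for testing."""
    base = base_url.rstrip("/")
    return {path: classify(fetch(base + path)) for path in ADMIN_PATHS}

if __name__ == "__main__":
    # Constructed responses so the demo runs offline; drop the second argument
    # to probe your own server from a machine outside the DMZ firewall.
    constructed = {
        "https://dmz.example.test/CFIDE/administrator/index.cfm": 200,
        "https://dmz.example.test/CFIDE/adminapi/administrator.cfc": 302,
        "https://dmz.example.test/CFIDE/componentutils/": 404,
    }
    for path, verdict in audit("https://dmz.example.test", constructed.get).items():
        print(f"{verdict:8} {path}")
```

Any verdict other than "blocked" means the web server is still passing that path through and its connector or request-filtering rules need tightening.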

Explorer, Jan 12, 2021


txs for your response. Jose
