Looking into setup Production Website in Web DMZ

Community Beginner ,
Jan 11, 2021 Jan 11, 2021

Copy link to clipboard

Copied

Team, starting to reseach what it would take down the line to move out internal CF website to allow

public internet access. From previous work, I do understand this server itself would be locked down with no Internet access/FW rules would be needed for internal DB /share connections. etc Any external links/call from Web would also need to pinholed. We are going to CF 2018 this year. Looking for any documentation/gotchas need to consider this new DMZ server.Our SSL Cert also needs allow access ext/internal.

 

ty Jose

 

 

Views

60

Likes

Translate

Translate

Report

Report
Community Guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
Adobe Community Professional ,
Jan 12, 2021 Jan 12, 2021

Copy link to clipboard

Copied

Well, this is a pretty broad question and doesn't have that much to do with CF itself.

 

In general, servers in a DMZ are typically set up as "bastion hosts", independent of your larger network. They're not part of your domain (if you're using Windows) and they're not going to have connections to anything they don't need to. They're not going to access any content in your LAN. This goes for your web servers and your databases - you'd want to move both to your DMZ as bastion hosts. Sometimes people will try to keep the database in the LAN and allow connections from the DMZ web server to the LAN database. This is a bad idea, don't do it. If your database is compromised, very bad things can happen.

 

As far as CF goes, you'll need to ensure that no admin endpoints are exposed to the outside world. This means testing your /CFIDE URLs and removing any specific connection points between your CF server and your web server other than that used to serve public files (this can be done using a variety of configuration options in your web server). Also, in general, you probably want to restrict CF from writing to your web server's file system by default, and only allow it in specific limited circumstances. (You should be doing this anyway but it's more important when things are public.)

 

Dave Watts, Eidolon LLC

Likes

Translate

Translate

Report

Report
Community Guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
Community Beginner ,
Jan 12, 2021 Jan 12, 2021

Copy link to clipboard

Copied

LATEST

txs for your response. Jose

Likes

Translate

Translate

Report

Report
Community Guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines