Marcos Placona Blog

Programming, technology and the taming of the web.

CFML 101 – Protecting Railo admin folder

Reading time: 4 – 6 minutes

I have seen people asking this question more than two times now, so I decided it’s about time I write a blog post about it. In ColdFusion it was really easy to solve this problem, as CFIDE is a physical folder, so you could simply move it away from the webroot, and it wouldn’t be accessible to the entire world.

On Railo it’s a bit trickier, as the admin and server folders are virtual directories, hence you can’t simply “move it away”. Obviously it’s password protected, so people won’t simply have access to it and screw up with your configuration, but a more will powered person could easily brute force into it.

I have to reinforce here that a really will powered lad would probably break into anything, or even log into your server and make it a real mess. It’s always good to have this false security sensation though, so I’ll post here how I do my own security.
I use Apache HTTPD as my webserver, so all the steps described here will be related to it, and placed on the httpd.conf (/etc/httpd(or apache2)/conf on Linux and {apache_dir}Apache2.2conf)
We’ll start by creating a new location on the bottom of httpd.conf

<Location /railo-context/admin>
  Order deny,allow
  Deny from all
  Allow from 123.456.78 127.0.0.1 100.200.300.400
</Location>

We use location, because we can’t refer to a directory, as railo-context/admin IS NOT a physical directory. We then “say” we want this directory to be forbidden to every single IP except for a list we specify (delimited by a space for each IP).

Notice that the first IP I specified does not have the last part of it. for apache it means anything starting with 123.456.78 will pass. Something like (123.456.78.*). This is normally used by companies, where you will have a range of IP’s that need to access the admin.
On the second one I specify that I want my own server to be able to see it, in case I want to login to Railo admin from the local computer itself.
The third one is just a simple IP. Put as many as you find necessary.

We now have our administrative folders restricted to only a range f IP’s. Any other IP get’s a message saying it’s forbidden, and will never resolve, as the IP’s won’t match.

Time to reload our configuration so the changes get applied:

sudo /etc/init.d/httpd reload

Now for the security freaks:

If you are like me, and can never have enough, you can go even further by applying directory security to it, so anyone that even tries to hit the page will be prompted for login and password. Should they guess your login and passwords, they’re IP will still need to match and they will need to know your Railo’s password.
That’s how we do it:
Create a .htpasswd file anywhere you fancy. in this example we’ll create it on our dummy user’s home folder:

htpasswd -c /home/dummy/.htpasswd jane

and

htpasswd /home/dummy/.htpasswd peter

For each other user you want to create inside this same file. notice I don’t use -c on the second example, as I don’t need to create the file anymore, but simply append it with a new user and password. You can read more about it here.
We now go back to out httpd.conf and change our recently created location:

<Location /railo-context/admin>
Order deny,allow
Deny from all
Allow from 123.456.78 127.0.0.1 100.200.300.400
AuthUserFile /home/dummy/.htpasswd
AuthGroupFile /dev/null
AuthName "You must have a valid login and password to access this page."
AuthType Basic
<Limit GET>
require valid-user
</Limit>
</Location>

Same old thing until we reach AuthUserFile, as this “tells” Apache where to look for the password file we’ve just created, so when someone tried to login, it’ll go to the file and see if the values match. You can put any authentication message and limit the number of requests that can be made to this page, so brute force won’t break it, as it’ll error after a few attemtps.
Now, when you try to hit this folder, you will be prompted for login and password. If your login and password satisfy the server, it will then check if you IP matches with the range previously specified. If the server “is happy” with all that, you will then be able to see Railo’s admin page, but will still have to type your pasword to be able to see it. Once authenticated you no longer need to type the login and password for that session.
Don’t forget to reload your configurations again:

sudo /etc/init.d/httpd reload

I by no means think this is the best way to go, but it’s one way. There’s hundreds of ways to secure your folder, but this one is the one i found to be the easiest and most bullet proof.
Feel free to use the comments to post different ways, and I might update this post with it.

2 Comments

  1. Thanks Marcos – works a treat :)

  2. I’d like to point out that by wrapping the require valid-user directive within the LIMIT GET tag, you are allowing POST and other request types to ignore the directive. See http://httpd.apache.org/docs/2.2/mod/core.html#limit

    This is a common mistake I see. I think people incorrectly (though intuitively, I’ll grant) interpret the LIMIT directive as restricting access to only the listed HTTP methods, when in fact it does the reverse; it restricts the directives it contains to the listed methods.

    Don’t believe me? Make sure you’re logged out then make a POST request and you’ll see that you get right in without being asked for a password. Easy enough to do in a simple html file

Leave a Reply

Your email address will not be published.

*

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>