Marcos Placona Blog

Programming, technology and the taming of the web.

Month: May 2009 (page 1 of 2)

CFML 101 – Protecting Railo admin folder

Reading time: 4 – 6 minutes

I have seen people asking this question more than two times now, so I decided it’s about time I write a blog post about it. In ColdFusion it was really easy to solve this problem, as CFIDE is a physical folder, so you could simply move it away from the webroot, and it wouldn’t be accessible to the entire world.

On Railo it’s a bit trickier, as the admin and server folders are virtual directories, hence you can’t simply “move it away”. Obviously it’s password protected, so people won’t simply have access to it and screw up with your configuration, but a more will powered person could easily brute force into it.

I have to reinforce here that a really will powered lad would probably break into anything, or even log into your server and make it a real mess. It’s always good to have this false security sensation though, so I’ll post here how I do my own security.
I use Apache HTTPD as my webserver, so all the steps described here will be related to it, and placed on the httpd.conf (/etc/httpd(or apache2)/conf on Linux and {apache_dir}Apache2.2conf)
We’ll start by creating a new location on the bottom of httpd.conf

<Location /railo-context/admin>
  Order deny,allow
  Deny from all
  Allow from 123.456.78 100.200.300.400

We use location, because we can’t refer to a directory, as railo-context/admin IS NOT a physical directory. We then “say” we want this directory to be forbidden to every single IP except for a list we specify (delimited by a space for each IP).

Notice that the first IP I specified does not have the last part of it. for apache it means anything starting with 123.456.78 will pass. Something like (123.456.78.*). This is normally used by companies, where you will have a range of IP’s that need to access the admin.
On the second one I specify that I want my own server to be able to see it, in case I want to login to Railo admin from the local computer itself.
The third one is just a simple IP. Put as many as you find necessary.

We now have our administrative folders restricted to only a range f IP’s. Any other IP get’s a message saying it’s forbidden, and will never resolve, as the IP’s won’t match.

Time to reload our configuration so the changes get applied:

sudo /etc/init.d/httpd reload

Now for the security freaks:

If you are like me, and can never have enough, you can go even further by applying directory security to it, so anyone that even tries to hit the page will be prompted for login and password. Should they guess your login and passwords, they’re IP will still need to match and they will need to know your Railo’s password.
That’s how we do it:
Create a .htpasswd file anywhere you fancy. in this example we’ll create it on our dummy user’s home folder:

htpasswd -c /home/dummy/.htpasswd jane


htpasswd /home/dummy/.htpasswd peter

For each other user you want to create inside this same file. notice I don’t use -c on the second example, as I don’t need to create the file anymore, but simply append it with a new user and password. You can read more about it here.
We now go back to out httpd.conf and change our recently created location:

<Location /railo-context/admin>
Order deny,allow
Deny from all
Allow from 123.456.78 100.200.300.400
AuthUserFile /home/dummy/.htpasswd
AuthGroupFile /dev/null
AuthName "You must have a valid login and password to access this page."
AuthType Basic
<Limit GET>
require valid-user

Same old thing until we reach AuthUserFile, as this “tells” Apache where to look for the password file we’ve just created, so when someone tried to login, it’ll go to the file and see if the values match. You can put any authentication message and limit the number of requests that can be made to this page, so brute force won’t break it, as it’ll error after a few attemtps.
Now, when you try to hit this folder, you will be prompted for login and password. If your login and password satisfy the server, it will then check if you IP matches with the range previously specified. If the server “is happy” with all that, you will then be able to see Railo’s admin page, but will still have to type your pasword to be able to see it. Once authenticated you no longer need to type the login and password for that session.
Don’t forget to reload your configurations again:

sudo /etc/init.d/httpd reload

I by no means think this is the best way to go, but it’s one way. There’s hundreds of ways to secure your folder, but this one is the one i found to be the easiest and most bullet proof.
Feel free to use the comments to post different ways, and I might update this post with it.

New version of Railo released

Reading time: 2 – 4 minutes

This is only a point release ( for Railo, but it addresses many bugs we reported in the last couple of weeks. Moreover, when I say last couple of weeks, it really is it. It is breath taking to see how quickly the Railo team nails down all of our requests and bug reports. Railo is still in beta, but according to Gert, it will soon have its final version released (Gert says it is sometime in June 2009).
Updating could not be any easier if you are on Railo 3.1x already. Simply go to your server admin, click on updates in the left menu, and click the button execute update. It’s all done via admin interface, and there’s no need to move *.jar files or anything.
Here is a list (from the official changelog) of what’s included within this update:

  • add support for HTTPS Resource
  • fixed several issues with FusionDebug integration
  • add flag to disable timserver (not in admin frontend yet)
  • add support for build in tag based on cfc custom tags
  • add support for metadata for cfc based custom tags
  • add support for flesystem placeholder {railo-config}
  • optimize check if a open datasource connection still is valid
  • fixed bug in tag dump (format classic and html) “when attribute label is defined and attribute expand is set to false the dump disappears”
  • fixed bug in tag cfcatch/cfscript-catch “can not handle native exception names”
  • fixed bug in tag LSCurrencyFormat/LSEuroCurrencyFormat “empty string should be returned as 0”
  • struct function now also can handle query objects
  • optimized image processing
  • add support for constanr “NULL” to json serialization
  • add support for load escaped characters in json serialized text
  • improve performance loading application.cfc
  • add support for handling complex object types to BalzeDS Caster
  • improve performance in handling of java.util.Map Objects in Railo.
  • add support fpr pausing scheduled tasks
  • add support for type “url” to cfindex
  • add support for action “getPluginDirectory” to tag admin
  • add support for action “list” to tag index
  • fixed bug in tag invoke “can not forward argumentcollection with tag invoke”
  • fixed bug in tag queryparam “can not handle empty list”
  • fixed bug in tag storedproc “missing returncode when more data are popuated in cfstoredproc”
  • fixed bug in tag table “missing last row from query”
  • fixed bug in tag thread “initialization when parent thread is finalized fails”
  • fixed bug in Arguments Scope “if a value is defined but not set, it has to return null”
  • fixed bug in CGI Scope “structKeyExists does not work with CGI Scope”
  • improve performance in Undefined Scope
  • improve performance in Component Loader
  • improve performance of function ListFindNoCase
  • fixed bug in tag case “empty value as part of a list can not be handled”

Apache 101 – Avoiding duplicate content on your domain.

Reading time: 2 – 3 minutes

Did you know that search engines consider things like and as duplicate content? It might sound like a wise thing to do, as your site would be accessible by whichever URL related to your domain. I’ll say here it’s not, as search engines like Google consider this an offense and will penalize you should they think you’re doing it on purpose.
Google normally are very strict and harsh with people trying to “play” with their search engine, or people who try to black hat SEO. And content duplication might be just what will put your domain on the bottom of their search.

I then thought about a very slick way of getting rid of content duplication. You can simply create a rule on your .htaccess (or httpd.conf as that’s what I use), and will will take care of redirecting any request to non-www to a www version of your website.

This is how I do it:

RewriteEngine on
RewriteCond %{HTTP_HOST} !^$
RewriteRule ^(.*)$$1 [R=301]

Basically I’m, telling my server that every single call to a non-www version of my domain will be redirected (in a proper way as it uses 301) to the www version.

One then could ask what to do in case you have parked domains, which are simple alias used to redirect the user to another domain. You can simply add them all to your rules as such:

RewriteCond %{HTTP_HOST} ^ [OR]
RewriteCond %{HTTP_HOST} ^ [OR]
RewriteCond %{HTTP_HOST} ^
RewriteRule ^(.*)$$1 [R=301]

Obviously this is only the tip of the iceberg, but it sure helps to put your site up.
If you would like to read more about duplicate content, you might take a look at this link.

Apache 101 – Case insensitive URL’s

Reading time: 1 – 2 minutes

This is only a quick Apache tip for when you are using mod_rewrite.

I’ve been working on some rewriting lately, and noticed that when you use them, the pattern applied must match exactly, otherwise you will either get error, or your pattern will never find a match.

Obviously you have a few options when writing your rewrite rules to make it case insensitive, but that means you will have to use it on every single rule.

In my case, I simply want everything to come though as lower case, so even if you hit any of my pages with an upper case URL, it will automatically be rewritten to the same thing, but in lower case, and return 301, so the search engines know the page was permanently moved.

This is how I do it:

#Make URL's lower case
RewriteEngine On
RewriteMap  lc int:tolower
RewriteCond %{REQUEST_URI} [A-Z]
RewriteRule (.*) ${lc:$1} [R=301,L]

The RewriteMap directive needs to be placed on your httpd.conf or VHOST, as it won’t work on directory level or .htaccess. Everything else can go on your directory or .htaccess.

Installing YUM on CentOS 5

Reading time: 2 – 2 minutes

This is really for my future reference, but I thought someone would bump into that any time. I’m configuring a new CentOS 5 server and for my surprise it didn’t come with yum installed.

rpm -Uvh
rpm -Uvh
rpm -Uvh
rpm -Uvh
rpm -Uvh
rpm -Uvh
rpm -Uvh
rpm -Uvh
rpm -Uvh
rpm -Uvh
rpm -Uvh
rpm -Uvh
rpm -Uvh
rpm -Uvh
rpm -Uvh
rpm -Uvh
rpm -Uvh
yum -y update
Older posts