Securing the Coldfusion/Railo Administrator in Apache

Author: Steven Neiland
Published:

Warning: This blog entry was written two or more years ago. Therefore, it may contain broken links, out-dated or misleading content, or information that is just plain wrong. Please read on with caution.

Securing access to the Coldfusion / Railo administrator is probably one of the first tasks you should tackle when you set up a new server. This guide details how to do this on a machine running the Apache webserver.

Updated 31-feb-2012: Added note on requiring SSL

Limit Access to Localhost Users Only

This technique works on the principle that anyone who has direct user access to the machine (physical, remote desktop, VNC, or an SSH tunnel) is treated as trusted, and everyone else is denied. This is my preferred method.

Two caveats apply. Apache only sees the address the TCP connection comes from, so if a reverse proxy or load balancer on the same machine hands requests to Apache, every request arrives from 127.0.0.1 and this rule lets everyone in; in that set-up restrict the proxy's real clients instead. And the rule only protects the path as served by Apache: if the servlet container underneath Coldfusion or Railo listens on its own HTTP port, the administrator is still reachable there, so firewall that port too.

To accomplish this we add the following Location directive to the Apache httpd.conf file. (The Order/Deny/Allow syntax is Apache 2.2's; Apache 2.4 expresses the same rule as Require ip 127.0.0.1.)

For Railo

<Location /railo-context>
Order Deny,Allow
Deny from all
Allow from 127.0.0.1
</Location>

For Adobe Coldfusion

Note that this path is narrower than the /CFIDE used for the authentication layer further down: other administrative code, such as the Admin API under /CFIDE/adminapi, lives outside /CFIDE/administrator, so consider locking down /CFIDE as a whole and re-opening only the files the public site needs.

Note: I have not tested this but theoretically it should work.

<Location /CFIDE/administrator>
Order Deny,Allow
Deny from all
Allow from 127.0.0.1
</Location>

Opening Access to Graph.cfm

At this stage the Railo administrator is blocked, but some files under the same path still need to be reachable by everyone. The best example is graph.cfm, which serves the output of the graphing and image components; if it stays blocked, charts stop rendering for ordinary visitors. So we reopen that one file by adding the following after the previous Location directive. The order matters: Apache applies Location sections in the order they appear in the configuration, and a later section replaces the access rules of an earlier one for every path it matches, so an exception placed before the block it relaxes would simply be overridden by it.

For Railo

<Location /railo-context/graph.cfm>
Order Deny,Allow
Allow from all
</Location>

For Adobe Coldfusion

<Location /CFIDE/graph.cfm>
Order Deny,Allow
Allow from all
</Location>
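The same two rules as an added example (not the post's own configuration), written in the Apache 2.4 syntax that replaced the Order/Deny/Allow directives shown above, and with the ordering requirement made explicit. The paths are the post's; ::1 is added because browsers frequently resolve localhost to the IPv6 loopback, and the case-insensitive LocationMatch for Coldfusion is an assumption about a Windows deployment rather than something the post discusses.

```apache
# Added example, not from the original post: the localhost-only lockdown and the
# graph.cfm exception in Apache 2.4 syntax (mod_authz_core), which replaced the
# Order/Deny/Allow directives of the 2.2 examples above.  Paths are the post's;
# ::1 is added because "localhost" frequently resolves to the IPv6 loopback.

# 1. Block the Railo administrator for everything but the loopback addresses.
<Location "/railo-context">
    Require ip 127.0.0.1 ::1
</Location>

# 2. Re-open graph.cfm.  This section must come AFTER the one above: Apache
#    applies <Location> sections in configuration-file order, and with the
#    default "AuthMerging Off" a later section's Require replaces an earlier
#    one's for every request path it matches.
<Location "/railo-context/graph.cfm">
    Require all granted
</Location>

# WRONG ORDER (kept commented out so it cannot take effect): if the exception
# came first, the broader /railo-context section would be applied afterwards to
# /railo-context/graph.cfm as well, and charts would stop working for visitors.
#<Location "/railo-context/graph.cfm">
#    Require all granted
#</Location>
#<Location "/railo-context">
#    Require ip 127.0.0.1 ::1
#</Location>

# 3. Adobe Coldfusion, same pattern.  <Location> matching is case-sensitive, so
#    where the backend is not (Coldfusion on Windows serves /cfide/administrator
#    just as well) use a case-insensitive LocationMatch.  This is an assumption
#    about the deployment, not something the post covers.  No graph.cfm
#    exception is needed at this scope, because /CFIDE/graph.cfm lies outside
#    /CFIDE/administrator; it becomes necessary if you widen the rule to /CFIDE.
<LocationMatch "(?i)^/CFIDE/administrator">
    Require ip 127.0.0.1 ::1
</LocationMatch>
```

After editing, run apachectl configtest before restarting, then check from a remote host that the administrator returns 403 while graph.cfm still returns 200.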

Limiting Access To Admin By Adding an Extra Authentication Layer

Alternatively, if you must give external users access to the administrator, the best option is to put an extra authentication layer in front of it. You can use Basic authentication or Digest authentication. Neither replaces the administrator password; they add a second, independent check that an attacker has to pass first.

Basic authentication sends the username and password base64-encoded, which is as good as plain text to anyone who can see the traffic, so it should only be used together with SSL (see Require SSL below). Digest authentication avoids sending the password itself and transmits an MD5 hash instead, which is an improvement on an unencrypted connection, but it offers no confidentiality for the rest of the traffic; once the administrator is only reachable over SSL the difference between the two is small. In either case it is important that the password a user has for this layer differs from their administrator password, so that one captured credential does not unlock both.

Basic Authentication

To use basic authentication, create a user with htpasswd (located in your Apache bin directory), make sure the path to the resulting file is set in the AuthUserFile directive, then add or alter the Location directive for your admin panel in httpd.conf and restart Apache. Keep the password file outside the web root and readable only by the user Apache runs as.

Basic Authentication For Railo Admin

<Location /railo-context>
AuthName "railo"
AuthType Basic
AuthUserFile /etc/httpd/admin.passwords
Require valid-user
</Location>

Basic Authentication For Adobe Coldfusion Admin

<Location /CFIDE>
AuthName "cfusion"
AuthType Basic
AuthUserFile /etc/httpd/admin.passwords
Require valid-user
</Location>

For more information on how to set up basic authentication see http://httpd.apache.org/docs/2.0/programs/htpasswd.html.

Digest Authentication

Using Digest authentication is similar to using Basic. The differences are that you generate the password file with htdigest, whose file format differs from htpasswd's (so use a separate file rather than the one created for Basic), that the realm you pass to htdigest must be exactly the AuthName in the Location directive because it is part of the stored hash, and that the AuthType is set to 'Digest' as shown below. The examples use the Apache 2.0 directive AuthDigestFile; from Apache 2.2 onward it is replaced by AuthUserFile together with AuthDigestProvider file, and mod_auth_digest must be loaded.

Digest Authentication For Railo Admin

<Location /railo-context>
AuthType Digest
AuthName "railo"
AuthDigestFile /etc/httpd/admin.passwords
Require valid-user
</Location>

Digest Authentication For Adobe Coldfusion Admin

<Location /CFIDE>
AuthType Digest
AuthName "cfusion"
AuthDigestFile /etc/httpd/admin.passwords
Require valid-user
</Location>

Note: As with the localhost-only method, you must make sure that graph.cfm remains accessible to unauthenticated users, otherwise graphing will not work. A later Location section that only sets Allow from all is not enough here, because the AuthType and Require directives are inherited from the enclosing path; the section for graph.cfm must also set Satisfy Any so that passing the host-based rule is sufficient on its own.

Require SSL

Another good step to take is to force encryption of the communication between the admin console and your browser with SSL. SSLRequireSSL refuses any request that did not arrive over SSL with a 403 response; it does not redirect, so the administrator must also be served from an SSL-enabled virtual host to remain reachable at all. When combined with the authentication layer above, put it on the same path as the AuthType directives, so that credentials are never sent over an unencrypted connection. To turn this on do the following.

Force SSL for Railo

<Location /railo-context>
      SSLRequireSSL
</Location>

Force SSL for CFIDE

<Location /CFIDE/administrator>
      SSLRequireSSL
</Location>
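Putting the extra authentication layer and the SSL requirement together for the Adobe Coldfusion administrator, as an added example rather than the post's own configuration, in the Apache 2.2 syntax used on this page. The password-file path and realm name are the post's; the user name cfadmin, the Digest file name and the group name apache are assumptions.

```apache
# Added example, not the post's own configuration: the extra authentication
# layer and the SSL requirement combined for the Adobe Coldfusion administrator,
# in the Apache 2.2 syntax used on this page.  The password-file path and realm
# are the post's; the user name "cfadmin" and the group name "apache" are assumed.
#
# Create the password file with a password that is NOT the administrator
# password, keep it outside the web root and readable only by Apache:
#   htpasswd -c /etc/httpd/admin.passwords cfadmin
#   chown root:apache /etc/httpd/admin.passwords
#   chmod 640 /etc/httpd/admin.passwords
# Digest variant (separate file; the realm argument must equal AuthName):
#   htdigest -c /etc/httpd/admin.digest cfusion cfadmin
# and in the section below replace the Auth* lines with
#   AuthType Digest, AuthName "cfusion", AuthDigestProvider file,
#   AuthUserFile /etc/httpd/admin.digest   (AuthDigestFile is the 2.0 name)

<Location /CFIDE>
    # Same scope as the authentication, so Basic credentials never cross the
    # wire unencrypted: a plain-HTTP request gets a 403 before any 401 challenge,
    # because Apache runs access checks ahead of the authentication check.
    SSLRequireSSL

    AuthType Basic
    AuthName "cfusion"
    AuthUserFile /etc/httpd/admin.passwords
    Require valid-user
</Location>

# graph.cfm must remain usable without a login or charts break.  "Allow from all"
# alone is not enough, because AuthType and Require are inherited from /CFIDE;
# "Satisfy Any" makes passing the host-based rule sufficient on its own.  This
# section has to come AFTER the one above.  SSLRequireSSL cannot be switched off
# again in a sub-section, so with this layout graph.cfm is https-only as well;
# move SSLRequireSSL to /CFIDE/administrator if charts are served over http.
<Location /CFIDE/graph.cfm>
    Satisfy Any
    Order Deny,Allow
    Allow from all
</Location>
```

To verify, request http://host/CFIDE/administrator/ and expect a 403 with no password prompt, request the https version and expect the Basic prompt followed by the Coldfusion login page, and request https://host/CFIDE/graph.cfm without credentials and expect it to be served.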
