Securing access to the ColdFusion / Railo administrator is probably one of the first tasks you should tackle when you set up a new server. This guide details how to do this on a machine running the Apache web server.
Updated 31-feb-2012: Added note on requiring SSL
This technique works on the principle that anyone who has direct user access to the machine (physical, remote desktop, VNC) is treated as trusted, and everyone else is denied. This is my preferred method.
To accomplish this we add the following Location directive to the Apache httpd.conf file. The Location path shown for each administrator is the default for that product; adjust it if your install differs.
# Railo administrator (default path assumed; adjust to your install)
<Location /railo-context/admin>
    Order Deny,Allow
    Deny from all
    Allow from 127.0.0.1
</Location>
Note: I have not tested this but theoretically it should work.
# ColdFusion administrator (default path assumed; adjust to your install)
<Location /CFIDE/administrator>
    Order Deny,Allow
    Deny from all
    Allow from 127.0.0.1
</Location>
At this stage the Railo / ColdFusion administrator is blocked for everyone except the local machine. However, we still need certain files under that path to be reachable. The best example is graph.cfm, which is used by the graphing and image components to serve chart images to ordinary visitors. So we reopen just that file by adding a second, more specific Location directive below the previous one (later Location sections override earlier ones).
# Railo chart image script (default path assumed; adjust to your install)
<Location /railo-context/graph.cfm>
    Order Deny,Allow
    Allow from all
</Location>
# ColdFusion chart image script (default path assumed; adjust to your install)
<Location /CFIDE/graph.cfm>
    Order Deny,Allow
    Allow from all
</Location>
Alternatively, if you must give external users access to the administrator, the best option is to add an extra authentication layer in Apache in front of it. You can use 'Basic Authentication' or, better, 'Digest Authentication'.
If you use 'Basic Authentication' it is important that the password users enter for this layer differs from their admin panel password, since Basic credentials travel unencrypted unless the connection is over SSL.
To use Basic authentication, add a user with htpasswd (located in your Apache bin directory), make sure the path to the resulting file is set in the 'AuthUserFile' directive, then add or alter the Location directive for your admin panel in httpd.conf and restart Apache.
# Railo administrator (default path assumed; adjust to your install)
<Location /railo-context/admin>
    AuthName "railo"
    AuthType Basic
    AuthUserFile /etc/httpd/admin.passwords
    Require valid-user
</Location>
# ColdFusion administrator (default path assumed; adjust to your install)
<Location /CFIDE/administrator>
    AuthName "cfusion"
    AuthType Basic
    AuthUserFile /etc/httpd/admin.passwords
    Require valid-user
</Location>
For more information on how to set up Basic authentication visit http://httpd.apache.org/docs/2.0/programs/htpasswd.html.
Using the 'Digest' authentication method is similar to using the 'Basic' method; the differences are that you use htdigest to generate the password file, point the 'AuthDigestFile' directive at it, and set the AuthType to 'Digest' as shown below. Note that htdigest ties each entry to a realm, which must match the AuthName of the section that uses it.
# Railo administrator (default path assumed; adjust to your install)
<Location /railo-context/admin>
    AuthType Digest
    AuthName "railo"
    AuthDigestFile /etc/httpd/admin.passwords
    Require valid-user
</Location>
# ColdFusion administrator (default path assumed; adjust to your install)
<Location /CFIDE/administrator>
    AuthType Digest
    AuthName "cfusion"
    AuthDigestFile /etc/httpd/admin.passwords
    Require valid-user
</Location>
Note: As with the localhost-only method, you must ensure that the graph.cfm file remains accessible to unauthenticated users (a separate Location section for it with no auth directives), otherwise graphing will not work.
Another good step is to force encryption of the traffic between your browser and the admin console with SSL, so that Basic credentials and session cookies are never sent in the clear. This requires mod_ssl and an HTTPS virtual host; once those are in place, add SSLRequireSSL to the admin Location sections so that plain HTTP requests to the administrator are refused.
# Railo administrator (default path assumed; adjust to your install)
<Location /railo-context/admin>
    SSLRequireSSL
</Location>
# ColdFusion administrator (default path assumed; adjust to your install)
<Location /CFIDE/administrator>
    SSLRequireSSL
</Location>