Using Railo, Secure The railo-context

September 30, 2009
coldfusion

If you are using Railo you will want to make sure you have locked down the URI /railo-context/. This is Railo's equivalent of ColdFusion's /CFIDE/ directory: it contains the Railo Administrator, as well as some other supporting files and mappings.

Running Lucee?

If you are running Lucee you can follow the same procedure, just replace /railo-context with /lucee.

Note: This is one of the issues the HackMyCF.com CF security scanner will look for.

One of the features of Railo / Lucee is that each web site can have its own administrator and settings. The first time you access the web administrator, e.g. /railo-context/admin/web.cfm, it prompts you to set the administrator password. The drawback to this approach is that if you have multiple virtual hosts you have to go through and set up a password for each one. If you don't set the password, and the railo-context is wide open, anyone can go and set the password and access the Railo administrator. It would be nice if you could specify a default password for all web contexts in the server-wide Railo administrator. (Update: see Todd's comment below; you can set a server-wide default password.)

So how do you go about this? James Allen has written up a guide for securing the Railo Administrator on IIS. Here's how you can easily do it in Apache's httpd.conf using basic authentication:

<Location /railo-context>
    AuthName "railo"
    AuthType Basic
    AuthUserFile /etc/httpd/admin.passwords
    Require valid-user
</Location>

You will want to set up a password file using htpasswd (located in your Apache bin directory) and put the path to that file in the AuthUserFile directive.

If you use Digest authentication (better), your config will look as shown below, and you create the password file using htdigest instead. Note that the realm you pass to htdigest must match the AuthName value, or the credentials will never validate:

<Location /railo-context>
    AuthType Digest
    AuthName "railo"
    AuthDigestFile /etc/httpd/admin.passwords
    Require valid-user
</Location>

Another approach you can take is to limit access by IP address. For example, to limit it to localhost:

<Location /railo-context>
    Order Deny,Allow
    Deny from all
    Allow from 127.0.0.1
</Location>

You could also use mod_rewrite to block the railo-context URI on all sites but one:

RewriteEngine On
# Return 403 for anything under /railo-context unless the request is for admin.example.com
RewriteCond %{HTTP_HOST} !^admin\.example\.com$ [NC]
RewriteRule ^/railo-context.* - [F,L]

Note: By password protecting or blocking the entire /railo-context you also block access to things like cfform. Keep that in mind; you may want to be more selective about the URIs you password protect. If you aren't using any features that require the railo-context, it's best to block the entire thing.
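Whichever of the configurations above you use, you will want to confirm from the outside that every virtual host actually refuses the administrator. The following script is an added example, not code from the original post: it requests the administrator entry points named above (/railo-context/admin/web.cfm and server.cfm, plus their /lucee equivalents) on each host and flags any host where the response is a 200 page rather than a 401 challenge or 403 refusal. The host names are constructed placeholders, and the `fetch` hook is injectable so the verdict logic can be exercised without network access.

```python
"""Audit check for an exposed Railo/Lucee administrator context.

Added example, not part of the original post. A 200 on a fresh web
context is the "set the administrator password" prompt the article
warns about; a 401 (Basic/Digest challenge) or 403 (Deny / [F]) means
Apache refused the request before Railo ever saw it.
"""
import http.client

# Paths the article names; /lucee is the Lucee equivalent of /railo-context.
ADMIN_PATHS = (
    "/railo-context/admin/web.cfm",
    "/railo-context/admin/server.cfm",
    "/lucee/admin/web.cfm",
    "/lucee/admin/server.cfm",
)

# Responses that show the front-end web server refused the request.
LOCKED_STATUSES = {401, 403}


def fetch_status(host, path, timeout=5):
    """Return the HTTP status code of a HEAD request to host+path over plain HTTP."""
    conn = http.client.HTTPConnection(host, 80, timeout=timeout)
    try:
        conn.request("HEAD", path, headers={"Host": host})
        return conn.getresponse().status
    finally:
        conn.close()


def classify(status):
    """Map a status code to an audit verdict.

    200: the admin page (or its set-password prompt) rendered -> EXPOSED.
    401/403: the web server refused it -> locked.
    404: the context is not served on this host at all -> absent.
    Anything else (redirects, 5xx) needs a human look -> check.
    """
    if status == 200:
        return "EXPOSED"
    if status in LOCKED_STATUSES:
        return "locked"
    if status == 404:
        return "absent"
    return "check"


def audit(hosts, paths=ADMIN_PATHS, fetch=fetch_status):
    """Probe every host/path pair and return {host: {path: verdict}}.

    `fetch` is injectable so the logic can run without a live server.
    """
    results = {}
    for host in hosts:
        per_host = {}
        for path in paths:
            try:
                per_host[path] = classify(fetch(host, path))
            except (OSError, http.client.HTTPException) as exc:
                # Connection refused, DNS failure, timeout, malformed response.
                per_host[path] = f"check ({exc.__class__.__name__})"
        results[host] = per_host
    return results


def exposed_hosts(results):
    """Return the sorted hosts that have at least one EXPOSED admin path."""
    return sorted(h for h, paths in results.items() if "EXPOSED" in paths.values())


if __name__ == "__main__":
    # Constructed host list. Every virtual host needs its own check because
    # each web context has its own administrator and its own password.
    vhosts = ["www.example.com", "shop.example.com", "admin.example.com"]
    report = audit(vhosts)
    for host, paths in report.items():
        for path, verdict in paths.items():
            print(f"{verdict:8} {host}{path}")
    if exposed_hosts(report):
        raise SystemExit(1)
```

Run it from a machine that is outside any IP range you allowed, since the point is to see what the public gets. The script only speaks plain HTTP on port 80; if the site is served over TLS, swap in `http.client.HTTPSConnection` with port 443. A non-zero exit when anything is exposed makes it easy to wire into a cron job or deployment check.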

Do you have any other Railo Security Tips? I plan on writing a few more articles on Railo Security in the future.

Comments

Also, the "default password for all web context" can be set in the server. Log into: http://{host}/railo-context/admin/server.cfm

In the left navigation, click on "Passwords"; right there is a section called "Set default password".
Thanks for pointing that out Todd, I'll update my entry.
The reason why I say not to block railo-context/ is because for example, cfimage's write to browser uses the temp directory inside it, etc. Same with the <cfchart> png file. If you're just trying to keep the site secure, then blocking /railo-context/admin/ is acceptable.

Gert posted information on the contents of the WEB-INF folder here ( http://www.getrailo.org/index.cfm/documentation/configuration/webinf-folder/ ), including tips on how to move the WEB-INF folder outside of the web root.
Thanks Pete, important stuff!

I believe there was a thread on the Railo Google Group on this topic. I use Apache proxy/rewrite tricks (as suggested by Sean Corfield, I believe) to access the Railo admin at a random/non-standard URL. You can also access it only on a non-standard port. The proxy sends it to Tomcat on port 8080 in the end, but port 8080 is not accessible at all to the outside world, only the internal proxy. To fully secure this setup, you might also want to work SSL into the mix.
@Todd - I prefer to block the entire /railo-context/ providing I am not using any features that require it. I take the same approach to /CFIDE/ - most of the security issues CF8 has had would be exploitable if /CFIDE was not accessible.

@Jamie, thanks - do you have a link to that thread handy? Sounds good.
As I mentioned on Twitter. Blocking /railo-context/ is not the same as blocking /CFIDE. There's no /CFIDE/scripts directory to be concerned about in Railo because none of the ajax tags are implemented. So, you're being a little draconian about what you're blocking.

Out of all the directories that I'd be concerned about locking down, it would be the WEB-INF/Railo/temp directory and even then, there's an .htaccess blocking the WEB-INF anyway. IIS(all) users have the option of moving the WEB-INF elsewhere through the provided URL that I listed above.
@Pete: Oddly, I can't seem to find that thread I mentioned, but here's a "template" of my basic Apache VirtualHost portion regarding blocking Railo admin access and proxying CF requests to Railo/Tomcat:

ProxyPreserveHost On
ProxyPassReverse / ajp://railotest1:8009/

RewriteEngine On

# Custom/app-specific rewrite rules would go here...

# Forbid public access to Railo admins:
RewriteRule ^/railo-context/admin/(.*) - [F]

# Proxy a hard-to-guess URL base to the Railo Admin base (could also use a separate virtual host and put this on a non-standard port and/or force SSL):
RewriteRule ^/some-secret-way-to-access-railo-context/admin/(.*) ajp://%{HTTP_HOST}:8009/railo-context/admin/$1 [P]

# Proxy CFML requests to Tomcat:
RewriteRule ^/(.*\.cf[cm]/?.*)$ ajp://%{HTTP_HOST}:8009/$1 [P]
Thanks for giving the information regarding the Railo context.
Just wanted to follow up on my comment about blocking the entire /railo-context/. I wasn't able to disclose this at the time I posted this blog entry, but I had found a security vulnerability in railo-context that has since been fixed: http://www.railo.ch/blog/index.cfm/2009/11/26/Release-notes-Railo-312

So I understand that there is a lot more going on in /CFIDE than in /railo-context but it's still possible that vulnerabilities might pop up in there. Hence my recommendation to block it if you can.
As of Apache 2.2, Digest authentication has changed slightly:

<Location /railo-context/admin>
    AuthName "railo"
    AuthType Digest
    AuthDigestDomain /railo-context/admin
    AuthDigestProvider file
    AuthUserFile /etc/apache2/admin.passwords
    Require valid-user
</Location>
Railo lacks proper documentation in almost every area despite its age, and consequently cannot be a viable replacement for Adobe Coldfusion on any significant level.

Avoid frustration dealing with an app managed poorly by amateurs, and stick with Adobe ColdFusion for any mission critical apps. At least it's consistent and well documented and supported.
Erm... It's free

I'm new to railo but I'm loving it so far.
Hi, I switched to Railo from ColdFusion and at the moment it works great with 6 domains on one Tomcat/Railo server (even with the tricky messagebroker IDs :). I'm a bit concerned because everyone can explore my CFC components by typing them into the browser. You know what I mean: type exampledomain.com/mycfc.cfc in your browser and you get all the function headers with params displayed! How can I turn this off? Debugging is turned off in the server admin but I still get this. Please help. Thanks
@Steve: This isn't just a Railo issue, it's a cfc issue in general

Example:
http://www.coldfusionjedi.com/index.cfm/2010/12/20/Disabling-CFC-auto-documentation

So, either move the cfcs out of the web root and create a mapping to them or disable it via code.
@Steve: In the Railo Web Admin, under Archives & Resources/Component, there's a field for Component "dump" template, where you can specify the output for directly requested CFC paths.
@Jamie & Todd: thanks for that. There's still the issue with ?wsdl; if I block it in code I'm no longer able to invoke from Flex.
