Using Railo, Secure The railo-context
If you are using Railo you will want to make sure you have locked down the URI /railo-context/. This is Railo's equivalent of ColdFusion's /CFIDE/ directory: it contains the Railo Administrator as well as some other supporting files and mappings.
One of the features of Railo is that each web site (web context) can have its own administrator and settings. The first time you access the web administrator, e.g. /railo-context/admin/web.cfm, it prompts you to set the administrator password. The drawback of this approach is that with multiple virtual hosts you have to go through and set a password for each one. If you don't set the password while the railo-context is wide open, whoever gets there first can set the password and log in to the Railo Administrator. It would be nice if you could specify a default password for all web contexts in the server-wide Railo Administrator. (Update: see Todd's comment below, you can set a server-wide default password under Passwords in the server administrator.)
So how do you go about this? James Allen has written up a guide for securing the Railo Administrator on IIS. Here's how you can do it in Apache's httpd.conf using basic authentication:
<Location /railo-context>
AuthName "railo"
AuthType Basic
AuthUserFile /etc/httpd/admin.passwords
Require valid-user
</Location>
You will want to set up a password file using htpasswd (located in your Apache bin directory) and point the AuthUserFile directive at it. Keep that file outside the web root and readable only by the user Apache runs as.
Digest authentication is better in that the browser never sends the password itself, only a hash of it, so it is the one to use if the admin is not behind SSL (and even then SSL is still the real fix, since neither scheme stops someone in the middle of the connection). The config looks as shown below, and you create the password file with htdigest instead of htpasswd. Two things to watch: the realm you give htdigest must be exactly the AuthName in the config or every login fails, and on Apache 2.2 and later the file directive is AuthUserFile (AuthDigestFile is the Apache 2.0 name):
<Location /railo-context>
AuthType Digest
AuthName "railo"
# Apache 2.2 and later; on Apache 2.0 the directive is AuthDigestFile
AuthUserFile /etc/httpd/admin.passwords
Require valid-user
</Location>
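The following is an added example, not from the original post or from Railo. It builds the htdigest file for the Digest block above by hand so you can see what is actually stored (an unsalted MD5 of user:realm:password, which is why the file must be kept out of the web root), and checks the realm in the file against the AuthName in the config, the mismatch that most often makes a freshly protected admin "not accept" a perfectly good password. The realm "railo" comes from the post; the user name, password and temp file paths are constructed for the demo, and md5sum, sed and mktemp are assumed to be present.

```shell
#!/bin/sh
# Added example, not from the original post or from Railo. Builds an htdigest
# file by hand and validates it against the AuthName in httpd.conf.
# Realm "railo" is from the post; user/password/paths below are constructed.

# HA1 exactly as htdigest stores it: MD5("user:realm:password"), lowercase hex.
digest_ha1() {              # $1 user, $2 realm, $3 password
    printf '%s:%s:%s' "$1" "$2" "$3" | md5sum | cut -d' ' -f1
}

# Append one htdigest line: user:realm:HA1
add_digest_user() {         # $1 file, $2 user, $3 realm, $4 password
    printf '%s:%s:%s\n' "$2" "$3" "$(digest_ha1 "$2" "$3" "$4")" >> "$1"
}

# 0 if this user/realm/password triple is in the file, 1 otherwise.
check_digest_user() {       # $1 file, $2 user, $3 realm, $4 password
    grep -qxF "$2:$3:$(digest_ha1 "$2" "$3" "$4")" "$1"
}

# First AuthName value in a config file (the realm Apache sends to the browser).
authname_of() {             # $1 config file
    sed -n 's/^[[:space:]]*AuthName[[:space:]]*"\([^"]*\)".*/\1/p' "$1" | head -n 1
}

# 0 if every entry in the digest file uses this realm. An entry created under a
# different realm can never authenticate, because HA1 binds the realm into the hash.
check_realms() {            # $1 digest file, $2 realm
    ! cut -d: -f2 "$1" | grep -qvx "$2"
}

# Demo run with constructed values. A real file belongs outside the web root,
# owned by root and readable only by the httpd user.
demo() {
    pw=$(mktemp) && cfg=$(mktemp)
    printf '<Location /railo-context>\nAuthType Digest\nAuthName "railo"\n</Location>\n' > "$cfg"
    add_digest_user "$pw" railoadmin "$(authname_of "$cfg")" 'c0rrect horse'
    check_realms "$pw" "$(authname_of "$cfg")" && echo "realms match AuthName"
    check_digest_user "$pw" railoadmin railo 'c0rrect horse' && echo "login ok"
    check_digest_user "$pw" railoadmin railo 'wrong' || echo "wrong password rejected"
    rm -f "$pw" "$cfg"
}

demo
```

Because HA1 is just MD5 over the three fields, anyone who can read the file can either crack weak passwords offline or replay HA1 directly against Digest auth, so file permissions matter as much as the password.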
Another approach you can take is to limit access by IP. For example, to limit it to localhost (this is the Apache 2.2 syntax; on Apache 2.4 the equivalent inside the Location block is Require ip 127.0.0.1):
<Location /railo-context>
Order Deny,Allow
Deny from all
Allow from 127.0.0.1
</Location>
You could also use mod_rewrite to block the railo-context URI on every site except the one you administer from. These rules are for server or virtual-host context, where the matched path starts with a slash; in an .htaccess file drop the leading slash. Keep in mind that the Host header is supplied by the client, so this only hides the admin on the other names and authenticates nobody; if the sites share one virtual host, a request with Host: admin.example.com still gets through, so protect admin.example.com itself with authentication or an IP restriction as above.
RewriteEngine On
RewriteCond %{HTTP_HOST} !^admin\.example\.com$ [NC]
# "-" means no substitution, just return 403; NC matches the path regardless of case
RewriteRule ^/railo-context - [NC,F,L]
Note: by password-protecting or blocking the entire /railo-context you also block anything served from under it, such as the JavaScript behind cfform and, as Todd points out in the comments, the temp files behind cfimage's write-to-browser and cfchart. Keep that in mind; you may want to be more selective about the URIs you protect, e.g. just /railo-context/admin/. If you aren't using any features that require the railo-context, it's best to block the entire thing.
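Whichever of the approaches above you pick, verify it from the outside on every virtual host rather than trusting the config. The script below is an added example, not from the original post or from Railo: it probes the administrator URLs on each host, including a differently cased path and a dot-segment variant, and fails if any of them comes back with something other than a denial. The probe list and the hostnames in the demo are constructed; curl (with --path-as-is) is assumed to be installed. A 404 is counted as blocked because a host on which the context is not mapped legitimately answers that way, so check that it is not Railo itself answering 404 for an unrelated reason.

```shell
#!/bin/sh
# Added example, not from the original post. Probes each virtual host and
# confirms the Railo Administrator is unreachable. Probe list and hostnames
# are constructed; fetch_status assumes curl is installed.

# Paths to try on each host. Extend with any extra mappings you expose.
ADMIN_PROBES='/railo-context/admin/web.cfm
/railo-context/admin/server.cfm
/RAILO-CONTEXT/admin/web.cfm
/railo-context/admin/../admin/web.cfm'

# HTTP status code for a URL ("000" if the request fails). --path-as-is keeps
# curl from normalising the ../ probe away before it is sent.
# Redefine this function to run the audit offline.
fetch_status() {           # $1 URL
    curl -s -o /dev/null -w '%{http_code}' --max-time 10 --path-as-is "$1"
}

# BLOCKED for 401/403 (auth or ACL/rewrite) and 404 (context not mapped on
# that host), UNREACHABLE for 000, EXPOSED for anything else: the admin login
# form itself is served with 200.
classify() {               # $1 status code
    case "$1" in
        401|403|404) echo BLOCKED ;;
        000)         echo UNREACHABLE ;;
        *)           echo EXPOSED ;;
    esac
}

# One line per probe; returns 0 only if every probe on the host was BLOCKED.
# The heredoc (not a pipe) keeps rc in the current shell.
audit_host() {             # $1 base URL, e.g. https://www.example.com
    rc=0
    while IFS= read -r path; do
        code=$(fetch_status "$1$path")
        verdict=$(classify "$code")
        printf '%s %s%s -> %s\n' "$verdict" "$1" "$path" "$code"
        [ "$verdict" = BLOCKED ] || rc=1
    done <<EOF
$ADMIN_PROBES
EOF
    return $rc
}

# Audit every site; non-zero exit if anything is exposed or unreachable.
audit_all() {              # $@ base URLs
    bad=0
    for h in "$@"; do
        audit_host "$h" || bad=1
    done
    return $bad
}

# Usage: ./audit-railo.sh https://www.example.com https://admin.example.com
if [ $# -gt 0 ]; then
    audit_all "$@"
fi
```

Run it from outside your network as well as from the box itself: an IP restriction that allows 127.0.0.1 will look "open" from localhost and blocked from anywhere else, which is exactly what you want to see.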
Do you have any other Railo Security Tips? I plan on writing a few more articles on Railo Security in the future.
Comments
On 09/30/2009 at 12:31:59 PM EDT Todd Rafferty wrote:
Also, the "default password for all web context" can be set in the server. Log into: http://{host}/railo-context/admin/server.cfm
Click on the left navigation is "Passwords" - then, right there is a section called "Set default password"
On 09/30/2009 at 12:36:59 PM EDT Pete Freitag wrote:
Thanks for pointing that out Todd, I'll update my entry.
On 09/30/2009 at 12:42:33 PM EDT Todd Rafferty wrote:
The reason why I say not to block railo-context/ is because for example, cfimage's write to browser uses the temp directory inside it, etc. Same with the <cfchart> png file. If you're just trying to keep the site secure, then blocking /railo-context/admin/ is acceptable.
Gert posted the information of the contents of what's in the WEB-INF folder here ( http://www.getrailo.org/index.cfm/documentation/configuration/webinf-folder/ ). Including tips on how to move the WEB-INF folder outside of the web root.
On 09/30/2009 at 12:45:02 PM EDT Jamie Krug wrote:
Thanks Pete, important stuff!
I believe there was a thread on the Railo Google Group on this topic. I use Apache proxy/rewrite tricks (as suggested by Sean Corfield, I believe) to access the Railo admin at a random/non-standard URL. You can also access it only on a non-standard port. The proxy sends it to Tomcat on port 8080 in the end, but port 8080 is not accessible at all to the outside world, only the internal proxy. To fully secure this setup, you might also want to work SSL into the mix.
On 09/30/2009 at 12:50:57 PM EDT Pete Freitag wrote:
@Todd - I prefer to block the entire /railo-context/ providing I am not using any features that require it. I take the same approach to /CFIDE/ - most of the security issues CF8 has had would be exploitable if /CFIDE was not accessible.
@Jamie, thanks. Do you have a link to that thread handy? Sounds good.
On 09/30/2009 at 1:10:37 PM EDT Todd Rafferty wrote:
As I mentioned on Twitter. Blocking /railo-context/ is not the same as blocking /CFIDE. There's no /CFIDE/scripts directory to be concerned about in Railo because none of the ajax tags are implemented. So, you're being a little draconian about what you're blocking.
Out of all the directories that I'd be concerned about locking down, it would be the WEB-INF/Railo/temp directory and even then, there's an .htaccess blocking the WEB-INF anyway. IIS(all) users have the option of moving the WEB-INF elsewhere through the provided URL that I listed above.
On 09/30/2009 at 1:11:08 PM EDT Jamie Krug wrote:
@Pete: Oddly, I can't seem to find that thread I mentioned, but here's a "template" of my basic Apache VirtualHost portion regarding blocking Railo admin access and proxying CF requests to Railo/Tomcat:
ProxyPreserveHost On ProxyPassReverse / ajp://railotest1:8009/
RewriteEngine On
# Custom/app-specific rewrite rules would go here...
# Forbid public access to Railo admins: RewriteRule ^/railo-context/admin/(.*) - [F]
# Proxy a hard-to-guess URL base to the Railo Admin base (could also use a separate virtual host and put this on a non-standard port and/or force SSL): RewriteRule ^/some-secret-way-to-access-railo-context/admin/(.*) ajp://%{HTTP_HOST}:8009/railo-context/admin/$1 [P]
# Proxy CFML requests to Tomcat: RewriteRule ^/(.*\.cf[cm]/?.*)$ ajp://%{HTTP_HOST}:8009/$1 [P]
On 09/30/2009 at 1:13:07 PM EDT Jamie Krug wrote:
Doh! Looks like my line breaks were escaped in prior comment. Here's a double-spaced version, so it will hopefully read more clearly:
ProxyPreserveHost On
ProxyPassReverse / ajp://railotest1:8009/
RewriteEngine On
# Custom/app-specific rewrite rules would go here...
# Forbid public access to Railo admins:
RewriteRule ^/railo-context/admin/(.*) - [F]
# Proxy a hard-to-guess URL base to the Railo Admin base (could also use a separate virtual host and put this on a non-standard port and/or force SSL):
RewriteRule ^/some-secret-way-to-access-railo-context/admin/(.*) ajp://%{HTTP_HOST}:8009/railo-context/admin/$1 [P]
# Proxy CFML requests to Tomcat:
RewriteRule ^/(.*\.cf[cm]/?.*)$ ajp://%{HTTP_HOST}:8009/$1 [P]
On 10/14/2009 at 6:23:37 AM EDT Sanket Panchal wrote:
Thanks for giving the information regarding the Railo context.