How to Secure Railo 3.1 Admin in IIS 6
I recently set up my new VPS with the awesome Railo 3.1 on Server 2003 and soon started thinking about the security of the admin URL. With Adobe ColdFusion it's good practice either to move the administrator so it only runs on a non-standard port with IP filtering, or to protect it with a username and password via web server security.
I decided to go the route of securing the Railo admin path via IIS directory security; however, I soon realised that in Railo the admin URL is not a physical path, i.e. it is not created as either a virtual directory or a real directory within the webroot of each website hosted on the server.
The Railo admin URL is as follows:
http://www.mysite.com/railo-context/admin/index.cfm
The way this URL is processed is that the ISAPI filter Railo uses watches for any request to railo-context and forwards it to the correct place within the Railo system. This is all done outside of IIS.
So how do we protect the URL?
The answer is actually pretty simple although you will have to do it on every virtual site setup on the server.
All we have to do is to create two physical folders within the webroot of the website we want to protect as follows:
railo-context/admin
Once this is created we can then go into the IIS 6 manager, locate the 'admin' folder, right click and select 'Properties'. Within 'Directory Security' it is then possible to either restrict access via IP or via authentication and access control.
If using username and password security go into the 'Authentication Methods' panel and uncheck 'Enable anonymous access' and leave 'Integrated Windows authentication' ticked.

Now, whenever you access the Railo admin URL you can log in via an account on the server (e.g. Administrator). It's recommended that you create a special Windows account that will only be used for admin access. You could then give that user permissions to access only '/railo-context/admin', though this would need to be done on each folder in each web root. In a hosted scenario this would be a good idea anyway, as each customer should really have their own web user account to ensure they can only access their own resources on the system.
Note: If you do decide to just log in using the Administrator account on the server, I recommend you do this over SSL ONLY. If you do it over http:// it would be possible for a user on the same network (e.g. a Wi-Fi access point) to sniff your HTTP packets and determine your admin password - not good.
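Because the folders and the Directory Security setting have to be repeated for every site on the server, here is an added PowerShell script (not from the original post) that applies the steps above to every website in the IIS 6 metabase through the IIS ADSI provider. It assumes the provider is reachable as IIS://localhost/W3SVC, that [ADSI]::Exists can bind to metabase paths, and that Integrated Windows authentication only (AuthFlags = 4) is the setting you want.

```powershell
# Added example, not part of the original post. Run as an administrator on the
# IIS 6 server. Assumed: IIS ADSI provider available, AuthFlags semantics as
# documented for the IIS 6 metabase (1 = Anonymous, 2 = Basic, 4 = Integrated).
$w3svc = [ADSI]"IIS://localhost/W3SVC"

foreach ($site in $w3svc.Children) {
    if ($site.SchemaClassName -ne "IIsWebServer") { continue }

    $siteId   = $site.Name
    $root     = [ADSI]"IIS://localhost/W3SVC/$siteId/Root"
    $homeDir  = [string]$root.Path            # physical web root of this site
    $adminDir = Join-Path $homeDir "railo-context\admin"

    # Step 1: the two physical folders. Railo never serves files from here;
    # they exist only so IIS has a node to attach Directory Security to.
    if (-not (Test-Path $adminDir)) {
        New-Item -ItemType Directory -Path $adminDir | Out-Null
    }

    # Step 2: matching metabase nodes (what IIS Manager creates for you when
    # you open Properties on the folder and change a setting).
    $ctxPath = "IIS://localhost/W3SVC/$siteId/Root/railo-context"
    if (-not [ADSI]::Exists($ctxPath)) {
        $ctx = $root.Create("IIsWebDirectory", "railo-context")
        $ctx.SetInfo()
    }
    $ctx = [ADSI]$ctxPath
    if (-not [ADSI]::Exists("$ctxPath/admin")) {
        $adm = $ctx.Create("IIsWebDirectory", "admin")
        $adm.SetInfo()
    }
    $adm = [ADSI]"$ctxPath/admin"

    # Step 3: Directory Security -> Authentication Methods.
    # AuthFlags = 4 means 'Enable anonymous access' unticked and
    # 'Integrated Windows authentication' ticked, exactly as described above.
    $adm.Put("AuthFlags", 4)

    # Optional, only for sites that already have a certificate bound:
    # require SSL on the admin path (AccessSSLFlags bit 8 = AccessSSL).
    # $adm.Put("AccessSSLFlags", 8)

    $adm.SetInfo()
    Write-Host "Site $siteId ($($site.ServerComment)): protected $adminDir"
}
```

After running it, request /railo-context/admin/index.cfm on each site: anonymous requests should now get 401 and a login prompt, while the ISAPI filter still serves the admin page once you authenticate.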
However, I do have one question. When you create the railo-context/admin directories in IIS, do you use virtual directories to point them to the actual Railo admin directories on the server or is it just a matter of IIS intercepting the request, enforcing security, then the ISAPI filter taking over and doing its thing?
I don't use virtual directories but actual physical directories within the web root of the site. I create railo-context/admin and then secure railo-context using IIS directory permissions. Just thinking about it, it might just be enough to create railo-context and secure that (I can't remember if I tested that or not).
You're right in your thinking that IIS deals with the initial access to the folder but then the ISAPI filter kicks in to actually handle the request.
Quite a nice way to sort out securing the Railo admin although slightly hackish.
In Information Services Manager I downloaded the module "IPv4 address and domain restrictions", created an empty directory "railo-context" in root and then using the module allow "127.0.0.1" and disallow all others. This works because all requests are handled by IIS before being passed to resin/railo.
andrew.
Thanks for posting that. I haven't used IIS 7 yet but heard that it uses quite a different setup to IIS 6 in many ways. Great that you used a similar technique to what I'm using to get it to work.
It's not something that seems that obvious until you do it and feels odd to create a directory that is only a mapping in Railo. But like you say, as IIS handles that URL request first then passes it to Railo - which still treats it as a mapping - you can secure it using an IIS configuration.
Sorted. :)
Just add the following into the <configuration> node of web.config in your webroot. I've set it up for basic authentication (a popup login box) but it can be easily changed to others.
    <location path="railo-context/admin">
        <system.webServer>
            <security>
                <authentication>
                    <anonymousAuthentication enabled="false" />
                    <basicAuthentication enabled="true" />
                </authentication>
            </security>
        </system.webServer>
    </location>
Elegant solution and easy to implement. I'll be looking at that myself when I move to IIS7.