Hide the Admins

This morning after reviewing the hackmycf.com* scan results foransble.com I noticed that the only major security issue that turned up was that the railo admin was accessible from a public IP address. “Hmm...” I thought, “I wonder how you lock that down properly, using thereverse proxy setup I am running.” I figured I could do it in tomcat, but that would get ugly fast if when I start scaling out my application servers. So after some googling I found several other posts on securing the railo admin.

Particularrly after reading Marcos Placona’s post on doing this in Apache, I figured that something similar could be done in Cherokee. Turns out it can and here is how you do it:

  1. Login to your server and start up the cherokee admin server (I only allow my IP through the firewall on port 9090 so I use cherokee-admin -b).
  2. Use the login credentials that the startup process generates to login to the cherokee-admin http://yoursite.com:9090.
  3. Now that you are logged in go to the ‘Virtual Servers’ section and click on the ‘default’ link under the behavior tab.
  4. What you want to look for is the new button in the top of the left column. It’s right next to the behavior heading. Click it.
  5. Go with Manual and select ‘directory’ from the rule type dropdown.
  6. Enter ‘/railo-context/admin’ in the Web Directory box that appears
  7. Click Add.
  8. Setup the handler like you did for the default when you created your box. If you followed the directions in my last article you can use them again.
  9. Click the security tab
  10. Under access restrictions enter your IP address (your internet facing IP address(whatismyip.org) not your local one in most cases) and any other IPs you want to have access to the admin panels.
  11. Hit save and choose graceful restart.
  12. Check and make sure you still have access from your computer and that other IPs don’t. I used my iPhone on it’s 3G connection to check that.
  13. The last thing is to shutdown the Cherokee admin you started, unless you are doing other stuff. No reason to leave it around.

That’s all there is to it. Your admin panels have now been hidden for all your railo servers, and any you might add in the future. You are on your way to a more secure server setup. Good luck out there!

* If you aren't checking your servers with hackmycf.com, why not? You should be. It's an awesome service and has a free option. Go try it out.

Published: 13 Sep 2011 | Tags: security , ansble , aws , railo , cfml