
Using Railo, Secure The railo-context

Updated on November 17, 2023
By Pete Freitag
coldfusion

If you are using Railo you will want to make sure you have locked down the URI /railo-context/ - this is Railo's equivalent of ColdFusion's /CFIDE/ directory. It contains the Railo Administrator, as well as some other supporting files and mappings.

Running Lucee?

If you are running Lucee you can follow the same procedure, just replace /railo-context with /lucee.

Note: This is one issue that HackMyCF.com CF security scanner will look for.

One of the features of Railo / Lucee is that each web site can have its own administrator and settings. The first time you access the web administrator, e.g. /railo-context/admin/web.cfm, it prompts you to set the administrator password. The drawback to this approach is that if you have multiple virtual hosts you have to go through and set up a password for each one. If you don't set the password, and the railo-context is wide open, anyone can go and set the password and access the Railo administrator. It would be nice if you could specify a default password for all web contexts in the server-wide Railo administrator. (Update: see Todd's comment, you can set a server-wide password.)

So how do you go about this? James Allen has written a guide (link no longer works, was: jamesallen.name/index.cfm/2009/8/1/How-to-Secure-Railo-31-Admin-in-IIS-6) for securing the Railo Administrator on IIS. Here's how you can easily do it in Apache's httpd.conf using basic authentication:

<Location /railo-context>
    AuthName "railo"
    AuthType Basic
    AuthUserFile /etc/httpd/admin.passwords
    Require valid-user
</Location>

You will want to set up a password file using htpasswd (located in your Apache bin directory) and put the path to that file in the AuthUserFile directive.

Using Digest authentication (better) your config will look as shown below, and you create the password file using htdigest:

<Location /railo-context>
    AuthType Digest
    AuthName "railo"
    AuthDigestFile /etc/httpd/admin.passwords
    Require valid-user
</Location>

Another approach you can take is to limit access by IP. For example, to limit it to localhost:

<Location /railo-context>
    Order Deny,Allow
    Deny from all
    Allow from 127.0.0.1
</Location>

You could also use mod_rewrite to block the railo-context URI on all sites but one:

RewriteEngine On
RewriteCond %{HTTP_HOST} !^admin\.example\.com$ [NC]
# The "-" substitution leaves the URI untouched; without it the flags would be read as the rewrite target
RewriteRule ^/railo-context.* - [F,L]

Note: By password protecting or blocking the entire /railo-context you are also blocking access to things like cfform, so keep that in mind; you may want to be more selective about the URIs that you password protect. If you aren't using any features that require the railo-context, it's best to block the entire thing.
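Whichever of the Apache configurations above you apply, you will want to confirm it actually took effect from the outside. The following is an added example, not code from the original post: it requests the admin entry points named above (extended with the Lucee equivalents), classifies each response as protected, absent or exposed, and starts a small constructed local server so it can run offline. The sample server and its behaviour are constructed for the demo; point check_admin_lockdown at your own host to check a real deployment.

```python
"""Added example (not part of the original post): verify Railo/Lucee admin URIs are locked down."""
import http.server
import threading
import urllib.error
import urllib.request

# Admin entry points named in the post (Railo) plus the Lucee equivalents.
ADMIN_PATHS = ["/railo-context/admin/web.cfm", "/railo-context/admin/server.cfm",
               "/lucee/admin/web.cfm", "/lucee/admin/server.cfm"]
_OPENER = urllib.request.build_opener(urllib.request.ProxyHandler({}))  # skip HTTP_PROXY env


def fetch_status(url, timeout=5):
    """Return the HTTP status for url; 4xx/5xx are results here, not exceptions."""
    try:
        with _OPENER.open(url, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


def check_admin_lockdown(base_url, paths=ADMIN_PATHS):
    """Classify each admin path: 401/403 -> protected, 404 -> absent, else exposed."""
    verdicts = {}
    for path in paths:
        code = fetch_status(base_url.rstrip("/") + path)
        if code in (401, 403):
            verdicts[path] = "protected"
        elif code == 404:
            verdicts[path] = "absent"
        else:
            verdicts[path] = "exposed"
    return verdicts


class _FakeSite(http.server.BaseHTTPRequestHandler):
    """Constructed stand-in for a server where /lucee was locked down but /railo-context was not."""

    def do_GET(self):
        locked = self.path.startswith("/lucee/")
        present = self.path.startswith("/railo-context/")
        self.send_response(403 if locked else 200 if present else 404)
        self.end_headers()


def start_fake_site():
    """Serve the constructed site on a free localhost port and return its base URL."""
    server = http.server.HTTPServer(("127.0.0.1", 0), _FakeSite)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return "http://127.0.0.1:%d" % server.server_address[1]
```

Against the constructed site, the Lucee paths come back "protected" and the Railo paths "exposed", which is exactly the mismatch you want to catch before a scanner does.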

Do you have any other Railo Security Tips? I plan on writing a few more articles on Railo Security in the future.


Using Railo, Secure The railo-context was first published on September 30, 2009.



Comments

Also, the "default password for all web context" can be set in the server. Log into: http://{host}/railo-context/admin/server.cfm

In the left navigation, click on "Passwords" - then, right there is a section called "Set default password"
by Todd Rafferty on 09/30/2009 at 12:31:59 PM UTC
Thanks for pointing that out Todd, I'll update my entry.
by Pete Freitag on 09/30/2009 at 12:36:59 PM UTC
The reason why I say not to block railo-context/ is because for example, cfimage's write to browser uses the temp directory inside it, etc. Same with the <cfchart> png file. If you're just trying to keep the site secure, then blocking /railo-context/admin/ is acceptable.

Gert posted the information of the contents of what's in the WEB-INF folder here ( http://www.getrailo.org/index.cfm/documentation/configuration/webinf-folder/ ). Including tips on how to move the WEB-INF folder outside of the web root.
by Todd Rafferty on 09/30/2009 at 12:42:33 PM UTC
Thanks Pete, important stuff!

I believe there was a thread on the Railo Google Group on this topic. I use Apache proxy/rewrite tricks (as suggested by Sean Corfield, I believe) to access the Railo admin at a random/non-standard URL. You can also access it only on a non-standard port. The proxy sends it to Tomcat on port 8080 in the end, but port 8080 is not accessible at all to the outside world, only the internal proxy. To fully secure this setup, you might also want to work SSL into the mix.
by Jamie Krug on 09/30/2009 at 12:45:02 PM UTC
@Todd - I prefer to block the entire /railo-context/ providing I am not using any features that require it. I take the same approach to /CFIDE/ - most of the security issues CF8 has had would be exploitable if /CFIDE was not accessible.

@Jamie, thanks - do you have a link to that thread handy? Sounds good.
by Pete Freitag on 09/30/2009 at 12:50:57 PM UTC
As I mentioned on Twitter. Blocking /railo-context/ is not the same as blocking /CFIDE. There's no /CFIDE/scripts directory to be concerned about in Railo because none of the ajax tags are implemented. So, you're being a little draconian about what you're blocking.

Out of all the directories that I'd be concerned about locking down, it would be the WEB-INF/Railo/temp directory and even then, there's an .htaccess blocking the WEB-INF anyway. IIS(all) users have the option of moving the WEB-INF elsewhere through the provided URL that I listed above.
by Todd Rafferty on 09/30/2009 at 1:10:37 PM UTC
@Pete: Oddly, I can't seem to find that thread I mentioned, but here's a "template" of my basic Apache VirtualHost portion regarding blocking Railo admin access and proxying CF requests to Railo/Tomcat:

ProxyPreserveHost On
ProxyPassReverse / ajp://railotest1:8009/

RewriteEngine On

# Custom/app-specific rewrite rules would go here...

# Forbid public access to Railo admins:
RewriteRule ^/railo-context/admin/(.*) - [F]

# Proxy a hard-to-guess URL base to the Railo Admin base (could also use a separate virtual host and put this on a non-standard port and/or force SSL):
RewriteRule ^/some-secret-way-to-access-railo-context/admin/(.*) ajp://%{HTTP_HOST}:8009/railo-context/admin/$1 [P]

# Proxy CFML requests to Tomcat:
RewriteRule ^/(.*\.cf[cm]/?.*)$ ajp://%{HTTP_HOST}:8009/$1 [P]
by Jamie Krug on 09/30/2009 at 1:11:08 PM UTC
Doh! Looks like my line breaks were escaped in prior comment. Here's a double-spaced version, so it will hopefully read more clearly:

ProxyPreserveHost On

ProxyPassReverse / ajp://railotest1:8009/

RewriteEngine On

# Custom/app-specific rewrite rules would go here...

# Forbid public access to Railo admins:

RewriteRule ^/railo-context/admin/(.*) - [F]

# Proxy a hard-to-guess URL base to the Railo Admin base (could also use a separate virtual host and put this on a non-standard port and/or force SSL):

RewriteRule ^/some-secret-way-to-access-railo-context/admin/(.*) ajp://%{HTTP_HOST}:8009/railo-context/admin/$1 [P]

# Proxy CFML requests to Tomcat:

RewriteRule ^/(.*\.cf[cm]/?.*)$ ajp://%{HTTP_HOST}:8009/$1 [P]
by Jamie Krug on 09/30/2009 at 1:13:07 PM UTC
Thanks for giving the information regarding railo-context.
by Sanket Panchal on 10/14/2009 at 6:23:37 AM UTC
Just wanted to follow up on my comment about blocking the entire /railo-context/. I wasn't able to disclose this at the time I posted this blog entry, but I had found a security vulnerability in railo-context that has since been fixed: http://www.railo.ch/blog/index.cfm/2009/11/26/Release-notes-Railo-312

So I understand that there is a lot more going on in /CFIDE than in /railo-context but it's still possible that vulnerabilities might pop up in there. Hence my recommendation to block it if you can.
by Pete Freitag on 03/30/2010 at 11:55:35 PM UTC
As of Apache 2.2, Digest authentication has changed slightly:

<Location /railo-context/admin>
    AuthName "railo"
    AuthType Digest
    AuthDigestDomain /railo-context/admin
    AuthDigestProvider file
    AuthUserFile /etc/apache2/admin.passwords
    Require valid-user
</Location>
by Rick O on 08/13/2010 at 6:31:08 PM UTC
@Steve: This isn't just a Railo issue, it's a cfc issue in general

Example:
http://www.coldfusionjedi.com/index.cfm/2010/12/20/Disabling-CFC-auto-documentation

So, either move the cfcs out of the web root and create a mapping to them or disable it via code.
by Todd Rafferty on 02/01/2011 at 5:43:44 PM UTC
@Steve: In the Railo Web Admin, under Archives & Resources/Component, there's a field for Component "dump" template, where you can specify the output for directly requested CFC paths.
by Jamie Krug on 02/01/2011 at 9:00:40 PM UTC