Entries Tagged as 'Railo'

How To Block Access to Railo 3/4 Administrators in IIS 7 (security)

We work a lot with Railo over at Vivio. Railo is an open-source CFML processing engine and offers its users a built-in web-based "Administrator" for the server as a whole and for each web site that is configured to use it; both live under the /railo-context/ path of a site (/railo-context/admin/server.cfm and /railo-context/admin/web.cfm), which is the path Method One below keys on. This blog post reviews a couple of ways to keep those administrators away from prying eyes. Yes, the administrators are password-protected by default, but putting one of the following controls in front of them adds another layer of security for your sites.

Method One: IIS (site-specific)

The first security method we'll review uses the built-in access controls provided by IIS 7. I'll be using Windows 7 and the IIS Default Website. This method has to be repeated on each separate site you want to secure.

Start out by going to your site's root directory. Since I'm using the "Default Site" in this example I'll go to C:\inetpub\wwwroot. From here, create an empty directory called "railo-context". The directory itself doesn't matter, only its name and the authentication rule we will attach to it. IIS stores that rule per URL path rather than per folder (it lands in applicationHost.config inside a <location path="Default Web Site/railo-context"> element, because the authentication sections are locked against web.config overrides by default), so once the rule is in place you can actually DELETE the physical directory and the rule remains in force. You can also edit it there directly if you prefer.

Now that the directory has been created open the IIS Manager, and select the site that you're securing. You should see your new "railo-context" directory that you just created listed there:

railo-context directory in IIS 7

Next, make sure that the "railo-context" directory is selected and then hit the "Authentication" icon. If you do not see the "Authentication" icon, go to "Programs and Features" (Turn Windows features on or off) and make sure the IIS authentication features are enabled.

select authentication in IIS

Now we're going to disable "Anonymous Authentication" in IIS. Anonymous authentication is what lets unauthenticated internet users connect to our sites at all. With it disabled for the "railo-context" directory, and no other authentication method enabled there, IIS answers every request under that path with a 401 before the request is ever handed to the CFML engine.

disable anonymous authentication

Now let's test it. Looks like we're good to go! Keep in mind that this blocks everyone, yourself included: to keep administering the site over the web, enable Windows Authentication on the directory instead of leaving every method off; otherwise use the Tomcat port from the server itself (see the note under Method Two).

iis permission denied
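The same change scripted, as an added example that is not part of the original post: it creates the placeholder directory, denies anonymous access to that path, and checks that IIS now answers 401 for the Railo server administrator URL (/railo-context/admin/server.cfm) while the rest of the site stays open. It assumes the WebAdministration module (IIS 7.5 on Windows 7; on IIS 7.0 use Add-PSSnapin WebAdministration instead), a site named "Default Web Site", and PowerShell 3 or later for Invoke-WebRequest.

```powershell
# Added example, not part of the original post.
# Assumptions: WebAdministration module (IIS 7.5; on IIS 7.0 use Add-PSSnapin
# WebAdministration), site named "Default Web Site", PowerShell 3+ for Invoke-WebRequest.
Import-Module WebAdministration

$site = 'Default Web Site'
$dir  = 'railo-context'

# The folder only has to exist so the entry shows up in IIS Manager; the rule
# is keyed on the URL path, so the folder can be deleted again afterward.
New-Item -ItemType Directory -Path "C:\inetpub\wwwroot\$dir" -Force | Out-Null

# Deny anonymous access to this path only. The authentication sections are locked
# at the server level, so the setting is written to applicationHost.config under
# <location path="Default Web Site/railo-context">, not to the site's web.config.
Set-WebConfigurationProperty -PSPath 'IIS:\' -Location "$site/$dir" `
    -Filter '/system.webServer/security/authentication/anonymousAuthentication' `
    -Name 'enabled' -Value $false

function Test-AdminBlocked([string]$Url) {
    # True when IIS rejects the request with 401 before the connector ever sees it.
    try {
        Invoke-WebRequest -Uri $Url -UseBasicParsing | Out-Null
        return $false
    } catch {
        $response = $_.Exception.Response
        return ($response -ne $null -and [int]$response.StatusCode -eq 401)
    }
}

Test-AdminBlocked 'http://localhost/railo-context/admin/server.cfm'  # expect True
Test-AdminBlocked 'http://localhost/index.cfm'                       # expect False: the site itself stays anonymous
```

Because the decision is made by IIS, it covers every request under /railo-context/ (IIS paths are case-insensitive), but only for traffic that enters through IIS. Tomcat's own HTTP port still serves the administrator, which the note at the end of Method Two deals with.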


Method Two: BonCode Connector (server-wide)

The next method we'll review secures the administrators by using the BonCode Connector. The BonCode Connector has been used by default since Railo 3.3.2, and is installed "globally" by default. With the connector's EnableRemoteAdmin option turned off, the connector refuses any request for the administrators that doesn't originate from the server itself, for every site that passes through it, so you don't have to repeat the work for every site you make. If you installed the BonCode connector on your own and did not install it globally, the setting lives in the site-specific settings file in the BIN folder of each site. That costs some of the convenience of this method, but it still gets the job done.

Start out by opening Notepad as the administrator user, which gives you the permissions you need to edit the file: find the "Notepad" icon in the start menu, right-click it, and select "Run as administrator".

From there, if you installed the BonCode connector "globally", or if you installed Railo using a Railo Installer version 3.3.2 or greater, open the following file: C:\Windows\BonCodeAJP13.settings.

Once you have the file open, change the "EnableRemoteAdmin" value to "False", as illustrated below:

BonCode Connector Enable Remote Admin

Now restart IIS and try to hit the admin URL from a remote machine. Hits from the server's own IP still pass through this method, but hits from a remote machine get the "Access from remote not allowed" error message.

access from remote not allowed

IMPORTANT:

The Railo Administrators remain reachable through Tomcat's own HTTP connector on port 8888, which bypasses IIS and the BonCode connector entirely. To close that path, use the built-in Windows Firewall to block inbound connections to port 8888 from anything but the local machine.
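Both halves of this method scripted, as an added example that is not part of the original post or of BonCode: it flips EnableRemoteAdmin to False in the global settings file, restarts IIS so the connector rereads it, and adds the firewall rule for port 8888. It assumes BonCodeAJP13.settings is XML with an <EnableRemoteAdmin> element (the post shows only the value, not the element name), that Tomcat listens on 8888 as stated above, and an elevated PowerShell session.

```powershell
# Added example, not part of the original post or of BonCode.
# Assumptions: BonCodeAJP13.settings is XML with an <EnableRemoteAdmin> element,
# Tomcat's own HTTP connector listens on 8888, elevated PowerShell session.
$settings = 'C:\Windows\BonCodeAJP13.settings'

function Set-BonCodeRemoteAdmin([string]$Path, [bool]$Enabled) {
    # Edit the element in place and return the value written, so a caller can verify it.
    [xml]$xml = Get-Content -Path $Path
    $node = $xml.SelectSingleNode('//EnableRemoteAdmin')
    if ($node -eq $null) { throw "No <EnableRemoteAdmin> element found in $Path" }
    $value = if ($Enabled) { 'True' } else { 'False' }
    $node.InnerText = $value
    $xml.Save($Path)
    return $value
}

Set-BonCodeRemoteAdmin -Path $settings -Enabled $false   # writes False
iisreset | Out-Null   # the connector reads its settings when IIS restarts

# Tomcat's own listener bypasses IIS and the connector entirely, so block it
# from the network. Windows Firewall does not filter loopback traffic, which is
# why http://localhost:8888/ keeps working for administrators on the box itself.
netsh advfirewall firewall add rule name="Tomcat 8888 - local only" `
    dir=in action=block protocol=TCP localport=8888 remoteip=any

# Quick local check: a connection from the server itself must still succeed.
# Run the same TcpClient test from another machine and expect it to fail.
$client = New-Object System.Net.Sockets.TcpClient -ArgumentList '127.0.0.1', 8888
"Local connection to 8888 succeeded: $($client.Connected)"
$client.Close()
```

For a non-global install, call Set-BonCodeRemoteAdmin against each site's BIN\BonCodeAJP13.settings instead. If you would rather not depend on the firewall at all, binding Tomcat's HTTP connector with address="127.0.0.1" in server.xml keeps port 8888 off the network interfaces entirely.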

Testing For Headless Mode in ColdFusion (CFML)

Just recently I found myself needing to verify whether a server I was working on, which required image manipulation, was actually running in headless mode. On Linux servers, graphical user interfaces (GUIs) aren't usually running because they take up additional resources (like memory), and server administrators usually want to give all the resources they can to actual server processes rather than to a GUI which they only use occasionally. However, image manipulation in a CFML engine (resizing, rotating, etc.) goes through the JRE's AWT image libraries, which on Linux expect a display and the X libraries unless the JVM is running in headless mode.

The following code bit lets you see if your CFML engine (Railo, OpenBD, or ACF) is actually running in headless mode. This is useful if you're debugging a pesky image processing problem and you want to make sure that your JRE's access to the X libraries isn't the problem.


<!--- Ask the JVM directly whether AWT is running headless --->
<cfobject
    action="create"
    name="geObj"
    type="java"
    class="java.awt.GraphicsEnvironment">
<!--- isHeadless() is static, so no instance is needed --->
<cfset geResponse = geObj.isHeadless()>
<cfdump var="#geResponse#">


The code calls Java directly: isHeadless() returns true if AWT is running in headless mode and false otherwise. The answer follows the java.awt.headless system property; if it comes back false on a server that has no display, set -Djava.awt.headless=true in the JVM options of the Tomcat (or other container) running your CFML engine, so that the image functions use the headless toolkit instead of looking for an X server.

Hope this helps!

W2K8r2, IIS7.5, Railo/OpenBD Installers, and Plesk

Recently I had the opportunity to work with someone who was trying to use the Vivio Installers for Railo and OpenBD on a W2K8r2 Cloud/VPS system running the Plesk Control Panel, and they were having trouble getting the connector to work right. The problem they were encountering was the notorious "Calling LoadLibraryEx on ISAPI filter isapi_redirect-(version).dll failed" error. Usually this error means that you're trying to run a 64-bit connector on a 32-bit machine, but since this was W2K8r2, which ONLY comes in 64-bit, this had me stumped for a little bit.

After some digging, I found that Plesk had switched the IIS7 application pools to run in 32-bit mode because Plesk's own DLLs are 32-bit. I found this out by changing the application pools to disallow 32-bit, after which Plesk's DLLs stopped working. The IIS7 setting is a bit misleading in this area too. The application pool option is called "Enable 32-Bit Applications" (enable32BitAppOnWin64 in applicationHost.config), but when you turn it on the worker process itself runs as a 32-bit process and ONLY 32-bit DLL files can be loaded into it. Instead of "Enable 32-Bit Applications", I think the setting should say something along the lines of "run in 32-bit mode"; otherwise it sounds like you can run both 32-bit and 64-bit, which you can't.

The Railo and OpenBD installers use the ISAPI redirector DLL provided by the Tomcat Connectors (mod_jk) project, and both the 64-bit and 32-bit versions ship with the installers. During the install process, one of the DLLs is renamed with a generic name and used in the IIS7connect.bat scripts. Those scripts run the commands that connect Tomcat to IIS using that DLL. This works out in our favor, as it makes the fix for this really easy.

When installing OpenBD or Railo on a Windows 2K8 R2 machine that's running Plesk, here are the steps you will need in order to make it work right:

  1. During the Railo/OpenBD install process, go ahead and select to have the IIS7 connector installed. This will perform the bulk of the work for you.
  2. After the installation, there will be two DLLs in the "connector" directory where you installed Railo. The default location to install Railo is c:\railo\ so the connector directory is located by default at c:\railo\connector. The connectors will be named isapi_redirect-1.2.30.dll and isapi_redirect-1.2.30.32-bit.dll.
  3. Rename isapi_redirect-1.2.30.dll to isapi_redirect-1.2.30.64-bit.dll
    and
    Rename isapi_redirect-1.2.30.32-bit.dll to isapi_redirect-1.2.30.dll
  4. Now restart IIS, and restart the Tomcat service that Railo or OpenBD is running on.
  5. Check to see if things are working correctly now.
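The rename, driven by what the application pool actually is rather than by guesswork, as an added example that is not part of the original post or of the Vivio installers: it reads the pool's enable32BitAppOnWin64 setting, checks each connector DLL's real architecture from its PE header instead of trusting the file name, swaps the files only when they disagree, and restarts both services. It assumes the WebAdministration module, the default C:\railo\connector path and the 1.2.30 file names from the steps above, a pool named DefaultAppPool, and a Tomcat service whose name contains "Tomcat".

```powershell
# Added example, not part of the original post or the Vivio installers.
# Assumptions: WebAdministration module (IIS 7.5), Railo in C:\railo,
# connector DLL names as listed in the steps above, a Tomcat service whose
# name contains "Tomcat". Run from an elevated PowerShell.
Import-Module WebAdministration

$connectorDir = 'C:\railo\connector'
$poolName     = 'DefaultAppPool'   # the pool Plesk switched to 32-bit; adjust per site

function Get-DllMachine([string]$Path) {
    # Read the COFF Machine field: e_lfanew at offset 0x3C points at "PE\0\0",
    # and the 2-byte Machine value follows that 4-byte signature.
    $bytes    = [System.IO.File]::ReadAllBytes($Path)
    $peOffset = [BitConverter]::ToInt32($bytes, 0x3C)
    $machine  = [BitConverter]::ToUInt16($bytes, $peOffset + 4)
    switch ($machine) {
        0x014c  { 'x86' }
        0x8664  { 'x64' }
        default { 'unknown (0x{0:x4})' -f $machine }
    }
}

# enable32BitAppOnWin64 = True means the worker process is 32-bit (WOW64) and can
# only load 32-bit ISAPI DLLs, whatever the "Enable 32-Bit Applications" label suggests.
$pool   = Get-ItemProperty "IIS:\AppPools\$poolName"
$wanted = if ([bool]$pool.enable32BitAppOnWin64) { 'x86' } else { 'x64' }
"App pool '$poolName' runs $wanted worker processes"

$active = Join-Path $connectorDir 'isapi_redirect-1.2.30.dll'
$parked = @{
    'x86' = Join-Path $connectorDir 'isapi_redirect-1.2.30.32-bit.dll'
    'x64' = Join-Path $connectorDir 'isapi_redirect-1.2.30.64-bit.dll'
}

$current = Get-DllMachine $active
if ($parked[$current] -eq $null) { throw "Unexpected architecture for ${active}: $current" }

if ($current -ne $wanted) {
    # Park the active DLL under its real architecture, then promote the other one.
    Move-Item -Path $active -Destination $parked[$current] -Force
    Move-Item -Path $parked[$wanted] -Destination $active
    iisreset | Out-Null
    Get-Service | Where-Object { $_.Name -like '*Tomcat*' } | Restart-Service
}

# Final check: the DLL IIS will load must match the pool, or LoadLibraryEx fails again.
"Active connector is now " + (Get-DllMachine $active) + ", pool wants $wanted"
```

Checking the PE header is what makes this safe to rerun: if someone has already done the rename by hand, the file names no longer say which copy is which, but the Machine field always does.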


After things are installed and working, it's important to remember that the connector is registered at the server level, so CFML functionality will be available to each and every site located on that server, not just the one you intended. On a shared Plesk host, treat that as a security decision: any site that can serve a .cfm file now executes it through the same Tomcat instance.

Further, a "jakarta" virtual directory will be required in each site as well. You'll more than likely have to add this manually to IIS. Documentation on how to add the Jakarta directory is here:

http://trac.getrailo.org/installers/wiki/VivioInstallerWinAddingSites

Future releases of the Windows installer will probably allow for the manual selection between 64-bit and 32-bit, but the option will default to whatever your system type is. That way it's still easy, but allows for some customization for situations like this.

Hope this helps!

-Jordan

Railo 3.1.2.001 PL1 RC3 Installers Now Available

For those who are not yet members of the Railo-Beta list (http://groups.google.com/group/railo-beta), know that the Patch Level 1 Release Candidate for the 3.1.2.001 Railo installer is now available for testing. Features include full IIS6 support, better IIS7 support, a new OSX beta version, FusionReactor trial install, and many other usability enhancements that should make getting up and running on Railo a snap.

The initial PL1 release was announced here:

http://groups.google.com/group/railo-beta/browse_thread/thread/d0087715afb042a0 and included the following change log:

3.1.2.001-pl1 Patch Notes:
--------------------------
- [NEW] IIS6 Is now fully supported on Windows Server 2003
- [NEW] IIS7 Is now properly supported on Windows 7 machines
- [NEW] IIS7/IIS6 now set "index.cfm" as a default document option
- [NEW] Windows 64-bit is now available
- [BUGFIX] Windows 32-bit Installer will now auto-detect 64-bit machines
and will install the 64-bit connector when being installed on a 64-bit
version of Windows. This is true for both IIS6 and IIS7. This avoids the
  "LoadLibraryEx" failure in IIS if a 32-bit connector has been
installed on a 64-bit version of IIS.
- [UPDATE] The Tomcat connector has been upgraded from version 1.2.28 to
1.2.30 (latest as of this release)
- [UPDATE] The Tomcat Engine has been upgraded from version 6.0.20 to
6.0.26 (latest as of this release)
- [UPDATE] Source code in the Java JDK has been removed in order to
reduce the size of the installers by approximately 20 MB. The installers
now hover around the 100MB range. More rarely-used aspects of the JDK
that ships with the installer may be removed at a later date in order to
reduce the download size even more.
--------------------------

However, beta testers reported several show-stopping problems and incompatibilities with certain set-ups, for example having the IIS6 compatibility modules installed in IIS7. Those issues have now been addressed, and several additional features have been added to the PL1 release. Many of the additional features were added by Bilal Soylu. Bilal approached Railo offering to help build easy-to-use installers and we began working together to improve the installers that I had been working on. He's proven to be an extremely valuable asset to the team and we're blessed to have his help.

With the initial PL1 problems fixed, and with some usability features added, I'm hoping the latest PL1 release will finally be ready to go.

If you'd like to help out in testing them, the beta download site is here:
http://clubwheat.viviotech.net/beta/

and the release notes for the latest RC3 release are as follows:

--------------------------
- [NEW] OSX - A new OSX build is now available for BETA testing. (bilal)
- [NEW] All OS's - FusionReactor can now be installed automatically as
part of the install package (jordan)
- [NEW] All OS's - In-Use Port Detection has been added and improved in
for Tomcat and FusionReactor. (bilal,jordan)
- [NEW] All OS's - Multi-Language is now supported (bilal)
- [NEW] All OS's - A German Translation has been added (bilal)
- [NEW] All OS's - The final screen of the installer now prompts you if
you'd like to open up the Railo Administrator. (bilal)
- [NEW] Windows - The installer now tests for required IIS modules and
gives you a notice if you don't have them installed. It still allows you
to *try* to install, but if you want the connector part of the installer
to work, then you need to install the required IIS modules. (jordan)
- [NEW] Windows - 64-bit and 32-bit Windows installers have been merged
into a single installer. The Windows installer will now auto-detect the
OS bit-type that it's being installed on, and run the appropriate
methods for that bit-type. The idea was to make the install simple to
the extreme. The Linux installers will remain separate for the time
being. (bilal)
- [NEW] Windows - A Notice has been included for WinXP installs stating
that it's not officially supported. (bilal)
- [UPDATE] Windows - The JDK has been replaced with a simple JVM for
Windows installs. The JDK was more than most folks needed, and switching
to the simple JVM allowed for a smaller installer. (bilal)
--------------------------

Thank you for your interest and we look forward to hearing your experiences!
