Secure CFIDE Virtual Directory
Hello Guys,

Looking for your advice on the best way to create a secure IIS virtual directory to /CFIDE. My understanding is that certain folders within that need to be web accessible for cfchart, cfform, cfdocument to work, is that correct? However I don't want to expose my /cfide/administrator and /cfide/adminapi to the wide world :-) or anything else which might pose a security risk for that matter.

What is the best way of doing this? I'm thinking about creating a copy of the CFIDE folder and calling it SecureCFIDE (or something to that effect), it contains only the required elements and not the admin panel etc, then creating a Virtual Directory link to that in the IIS sites that require it, does that sound like a fair idea? Which files are required?

Cheers all,
Rob

Want to reach the ColdFusion community with something they want? Let them know on the House of Fusion mailing lists
Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:322784
Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm
Unsubscribe: http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=11502.10531.4
RE: Secure CFIDE Virtual Directory
FYI, you can move/copy the js files out of cfide and configure CF to reference them from the new location. See http://kb2.adobe.com/cps/000/3e56e2e5.html, and probably other docs too.

To answer your original question, I lock down the IP addresses that can access /cfide to prevent anyone from outside of the company from hitting any of those pages.

Thanks
Mark

-Original Message-
From: Robert Rawlins [mailto:robert.rawl...@thinkbluemedia.co.uk]
Sent: Tuesday, May 26, 2009 12:18 PM
To: cf-talk
Subject: Secure CFIDE Virtual Directory

Hello Guys,

Looking for your advice on the best way to create a secure IIS virtual directory to /CFIDE. My understanding is that certain folders within that need to be web accessible for cfchart, cfform, cfdocument to work, is that correct? However I don't want to expose my /cfide/administrator and /cfide/adminapi to the wide world :-) or anything else which might pose a security risk for that matter.

What is the best way of doing this? I'm thinking about creating a copy of the CFIDE folder and calling it SecureCFIDE (or something to that effect), it contains only the required elements and not the admin panel etc, then creating a Virtual Directory link to that in the IIS sites that require it, does that sound like a fair idea? Which files are required?

Cheers all,
Rob
Re: Secure CFIDE Virtual Directory
> Looking for your advice on the best way to create a secure IIS virtual directory to /CFIDE. My understanding is that certain folders within that need to be web accessible for cfchart, cfform, cfdocument to work, is that correct? However I don't want to expose my /cfide/administrator and /cfide/adminapi to the wide world :-) or anything else which might pose a security risk for that matter.
>
> What is the best way of doing this? I'm thinking about creating a copy of the CFIDE folder and calling it SecureCFIDE (or something to that effect), it contains only the required elements and not the admin panel etc, then creating a Virtual Directory link to that in the IIS sites that require it, does that sound like a fair idea? Which files are required?

Actually, you'll typically have to do a bit more than that. Here's a rough guide to what I usually do.

First, when I install CF, I tend to use the built-in JRun web server. After the install, I use the web server configuration utility to connect CF to the public web server, but leave the JRun web server running solely for administration. I also configure the server to only allow access to the JRun web server from localhost or from specific trusted IP addresses.

Second, I do create a separate copy of CFIDE for public use. It includes everything except Administrator and adminapi, and the loose files in the root of the CFIDE directory itself. I actually keep the Administrator and adminapi directories, and just set very restrictive permissions on those two directories, to prevent any user from accessing them. The reason I do this is that the web server can be configured to check the validity of requests before forwarding them to CF, but by default doesn't do this if there's no matching file corresponding to the requested URL pattern.

Third, I map the public CFIDE directory as a virtual directory within each public virtual web server.

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/
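
One way to verify the lockdown discussed in the replies above, as an added example that is not part of the original thread or any poster's code: run from an address outside the trusted range, it checks that the administrator and adminapi paths are refused while a public script asset still loads. The specific file names under each directory and the example.com host are assumptions; substitute the ones from your own install.

```python
import urllib.error
import urllib.request

# Directories named in the thread that must not be reachable from the public side.
# The file names inside them are assumed examples.
ADMIN_PATHS = ["/CFIDE/administrator/index.cfm", "/CFIDE/adminapi/administrator.cfc"]
# Assumed example of a client-side asset that cfform needs to load.
PUBLIC_PATHS = ["/CFIDE/scripts/cfform.js"]


def http_status(url, timeout=5):
    """Return the final HTTP status for a GET, or None if the host is unreachable."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code  # 401/403/404 arrive as exceptions
    except (urllib.error.URLError, OSError):
        return None


def audit_cfide(base_url, fetch=http_status):
    """Check one public site from an untrusted address; return a list of findings."""
    findings = []
    base = base_url.rstrip("/")
    for path in ADMIN_PATHS:
        status = fetch(base + path)
        # urlopen follows redirects, so a login page reached via redirect shows as 200.
        if status is not None and status < 400:
            findings.append(("EXPOSED", path, status))
    for path in PUBLIC_PATHS:
        status = fetch(base + path)
        if status != 200:
            findings.append(("BROKEN", path, status))
    return findings


if __name__ == "__main__":
    # Constructed responses: a site where adminapi is locked down but administrator is not.
    site = "http://www.example.com"
    sample = {
        site + "/CFIDE/administrator/index.cfm": 200,
        site + "/CFIDE/adminapi/administrator.cfc": 403,
        site + "/CFIDE/scripts/cfform.js": 200,
    }
    for finding in audit_cfide(site, fetch=sample.get):
        print(finding)
```

Call `audit_cfide("http://your-site")` without the `fetch` argument to run it against a live site; an empty list means the admin paths were refused and the public asset loaded.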