Prevent direct web access and only allow RDP

Question

We have a billing server on Windows Server 2012 R2, running a ColdFusion billing application (CF11 Enterprise), which has a web address (http://billing.blah.com) for administrators to log on and administer accounts, run reports, etc.

We want to "lock down" this website so that the only way you can view it is via Remote Desktop (IP addresses must be whitelisted, which can be handled via the server). We no longer want the site accessible on the open internet.

Note that when we RDP to the server, we access the site via http://127.0.0.1/blah.

I've asked our server guy whether this is something that can be done via a server rule/routine or whatever. But I am just wondering if there is any way ColdFusion can actually do something like that.

Connector XML Nodes

<!-- internal webserver start -->
    <Connector packetSize="65535" port="8500" protocol="HTTP/1.1"
               connectionTimeout="20000"
               redirectPort="8447" />

<!-- Define an AJP 1.3 Connector on port 8009 -->
<!-- begin connector -->
    <Connector packetSize="65535" port="8014" protocol="AJP/1.3" redirectPort="8447" tomcatAuthentication="false" />

Tags: coldfusion, coldfusion-11

Answer


To make Tomcat (the web server/container underneath ColdFusion) listen only on the local IP address, go to /ColdFusion/cfusion/runtime/conf/server.xml and search for:

<Connector executor="tomcatThreadPool" maxThreads="50"
           port="8500" protocol="org.apache.coyote.http11.Http11Protocol"
           connectionTimeout="20000"
           redirectPort="8445" />

and add address="127.0.0.1" to it, like this:

<Connector executor="tomcatThreadPool" maxThreads="50"
           address="127.0.0.1" port="8500" protocol="org.apache.coyote.http11.Http11Protocol"
           connectionTimeout="20000"
           redirectPort="8445" />

This tells Tomcat to listen only on that specific address rather than on any address the operating system has. Restart the ColdFusion server and you're done.

Note: depending on the ColdFusion version, the <Connector> tag may have different attributes. In general, look for the tag whose port attribute matches the value you set at install time, usually 8500.
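To check that every connector in server.xml really is bound to loopback (the question's config also has an AJP connector on port 8014 with no address attribute, which the fix above does not touch), here is a small audit script. It is an added example, not code from the original post; the embedded server.xml is a constructed sample that mirrors the connectors quoted above.

```python
# Audit a Tomcat/ColdFusion server.xml for <Connector> elements that are not
# bound to the loopback address. Added example; the sample XML below is
# constructed to mirror the connectors quoted in the question and answer.
import xml.etree.ElementTree as ET

LOOPBACK = {"127.0.0.1", "::1", "localhost"}

# Constructed sample: the HTTP connector already carries address="127.0.0.1",
# the AJP connector still has no address attribute (all interfaces).
SAMPLE_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <!-- internal webserver start -->
    <Connector executor="tomcatThreadPool" maxThreads="50"
               address="127.0.0.1" port="8500" protocol="org.apache.coyote.http11.Http11Protocol"
               connectionTimeout="20000"
               redirectPort="8445" />
    <!-- begin connector -->
    <Connector packetSize="65535" port="8014" protocol="AJP/1.3"
               redirectPort="8447" tomcatAuthentication="false" />
  </Service>
</Server>
"""


def audit_connectors(server_xml: str):
    """Return (port, protocol, address, loopback_only) for each <Connector>.

    address is None when the attribute is absent; Tomcat then binds to every
    interface, which is the state the answer tells you to change.
    """
    root = ET.fromstring(server_xml)
    findings = []
    for conn in root.iter("Connector"):
        address = conn.get("address")
        findings.append((conn.get("port"), conn.get("protocol", "HTTP/1.1"),
                         address, address in LOOPBACK))
    return findings


def exposed_ports(server_xml: str):
    """Ports of connectors that are still reachable from other hosts."""
    return [port for port, _, _, ok in audit_connectors(server_xml) if not ok]


if __name__ == "__main__":
    for port, proto, address, ok in audit_connectors(SAMPLE_SERVER_XML):
        state = "loopback only" if ok else "ALL INTERFACES"
        print(f"port {port} ({proto}): address={address!r} -> {state}")
    # Expected: port 8500 loopback only, port 8014 ALL INTERFACES
```

After restarting ColdFusion, confirm the binding on the server itself with `netstat -ano | findstr :8500`, which should show 127.0.0.1:8500 rather than 0.0.0.0:8500 in the LISTENING line.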
