Oct 1, 2017

Lock Down your ColdFusion Connector

On my production servers I like to lock down all the Tomcat Connectors to only use a local address.

Each ColdFusion instance has a Tomcat configuration file at <servername>\runtime\conf\server.xml, where <servername> is the instance directory (cfusion for the default instance under the ColdFusion install root).

In that file you will find Connector definitions for AJP and HTTP. The AJP connector is what your external web server (IIS or Apache) uses to talk to ColdFusion. The HTTP connector is for the built-in web server, which is typically used only as a means to access the ColdFusion Administrator.

According to the Tomcat documentation, if you do not specify an address attribute on a Connector, Tomcat binds it to all local IP addresses, so the port is reachable from every interface the server has.

So if your web server runs on the same machine, there is no need to bind to anything other than localhost (127.0.0.1).

The default Connector looks like the following:

 <Connector  port="8016" protocol="AJP/1.3" redirectPort="8449" tomcatAuthentication="false" maxThreads="500" connectionTimeout="60000"/>

I like to add address="127.0.0.1" so the end result looks like this:

 <Connector  address="127.0.0.1" port="8016" protocol="AJP/1.3" redirectPort="8449" tomcatAuthentication="false" maxThreads="500" connectionTimeout="60000"/>

This binds port 8016 on 127.0.0.1 only, so the AJP connector can no longer be reached from any other host.

I would recommend doing this for every Connector tag in server.xml, the HTTP ones included: on a production box the built-in web server and the Administrator it exposes should not be reachable from the network.

If you are using a remote web server, you can still use the address attribute, binding only to the IP on the interface the web server will be talking to. Note that binding to a specific interface does not restrict which clients can connect to it, so the AJP port should also be firewalled to allow only the web server. Later Tomcat releases than the one this post was written against (8.5.51 and 9.0.31 onward) additionally expect a shared secret on AJP connectors; if the Tomcat bundled with your ColdFusion version supports the secret attribute, set one as well.

Your port numbers and maxThreads values will most likely differ from the ones shown above; only the address attribute matters for this change.
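Editing several Connector tags by hand across multiple instances is error prone, so here is a small script that does the audit and the edit. It is an added example, not code from the original post or from Adobe; it uses only the Python standard library, and the sample server.xml embedded in it (with the same AJP line as above plus a constructed HTTP connector on 8500) is made up for illustration. It reports every Connector that would listen on all interfaces and writes back a copy with address="127.0.0.1" added, or a per-port address for the remote web server case, leaving comments and formatting in the real file intact.

```python
"""Audit and harden the Connector elements in a Tomcat/ColdFusion server.xml.

Added example, not from the original post. Standard library only.
Usage:  python harden_connectors.py <path to server.xml>
Without a path it runs against the constructed sample below and prints it.
"""
import re
import shutil
import sys
import xml.etree.ElementTree as ET

# Constructed sample resembling <instance>\runtime\conf\server.xml: the AJP
# connector from the post and an HTTP connector, neither bound to an address.
SAMPLE_SERVER_XML = """<Server port="8007" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <!-- AJP connector used by the external web server -->
    <Connector  port="8016" protocol="AJP/1.3" redirectPort="8449" tomcatAuthentication="false" maxThreads="500" connectionTimeout="60000"/>
    <!-- built-in web server, normally only for the Administrator -->
    <Connector port="8500" protocol="org.apache.coyote.http11.Http11NioProtocol" connectionTimeout="20000" redirectPort="8445" maxThreads="50"/>
    <Engine name="Catalina" defaultHost="localhost">
      <Host name="localhost" appBase="webapps"/>
    </Engine>
  </Service>
</Server>
"""

# Explicit values that are just as exposed as having no address at all.
WILDCARDS = {"0.0.0.0", "::", "*"}


def find_exposed_connectors(xml_text):
    """Return (port, protocol, address) for every Connector that would listen
    on all interfaces: no address attribute, or an explicit wildcard."""
    root = ET.fromstring(xml_text)
    exposed = []
    for conn in root.iter("Connector"):
        addr = conn.get("address")
        if addr is None or addr in WILDCARDS:
            exposed.append((conn.get("port"), conn.get("protocol"), addr))
    return exposed


# Matches one <Connector ...> or <Connector .../> start tag; group 1 is the
# attribute text, group 2 the closing ">" or "/>".
_CONNECTOR_RE = re.compile(r"<Connector\b([^>]*?)(/?>)")


def bind_connectors(xml_text, default="127.0.0.1", per_port=None):
    """Return a copy of xml_text with address="..." set on every Connector
    that has none or has a wildcard. per_port maps a port string to the
    address it should bind (e.g. {"8016": "10.0.0.5"} when the web server is
    remote); every other connector gets `default`. A regex is used instead of
    ElementTree so comments and layout in the real file survive the rewrite."""
    per_port = per_port or {}

    def fix(match):
        attrs, close = match.group(1), match.group(2)
        addr_m = re.search(r'\baddress="([^"]*)"', attrs)
        if addr_m and addr_m.group(1) not in WILDCARDS:
            return match.group(0)  # already bound to a specific address
        port_m = re.search(r'\bport="([^"]*)"', attrs)
        port = port_m.group(1) if port_m else None
        addr = per_port.get(port, default)
        if addr_m:  # replace the wildcard value in place
            attrs = attrs[:addr_m.start()] + f'address="{addr}"' + attrs[addr_m.end():]
        else:       # insert the attribute right after the tag name
            attrs = f' address="{addr}"' + attrs
        return f"<Connector{attrs}{close}"

    return _CONNECTOR_RE.sub(fix, xml_text)


if __name__ == "__main__":
    path = sys.argv[1] if len(sys.argv) > 1 else None
    text = open(path, encoding="utf-8").read() if path else SAMPLE_SERVER_XML
    for port, proto, addr in find_exposed_connectors(text):
        print(f"exposed: port {port} ({proto}) address={addr!r}")
    hardened = bind_connectors(text)
    ET.fromstring(hardened)  # refuse to write anything that is no longer well-formed
    if path:
        shutil.copy(path, path + ".bak")  # keep the original beside the edited file
        with open(path, "w", encoding="utf-8") as out:
            out.write(hardened)
        print(f"updated {path}, backup in {path}.bak")
    else:
        print(hardened)
```

Restart the instance after running it, then confirm the change took effect from the OS side: `netstat -an` (Windows or Linux) should list 127.0.0.1:8016 in LISTENING state rather than 0.0.0.0:8016 or [::]:8016. If the web server is remote, pass per_port with that connector's port mapped to the interface address you chose and confirm the same way.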
