Thanks for your response. On the clustering piece... are you saying
that you are able to connect to an individual JRUN instance with an
external webserver (Apache, iPlanet, etc) after the JRUN instance has
been added to a cluster?
For example, let's say I've got a cluster called "cluster1" which has 2
members "cfusion1" and "cfusion2". I can connect an apache instance
to cluster1 directly (using the wsconfig.jar utility) but can NOT
connect Apache directly to cfusion1 or cfusion2 (after they've been
added to the cluster, if I remove them from the cluster this works
just fine). Macromedia tells me that I can't connect to a single
JRUN instance once it's been added to a cluster, and instead, I need to
use the JRUN http server to serve the CF administrator.
I've only tried this with Apache & MX 6.1 on Solaris, so I'd be
curious to know if your experiences on IIS were different. Were you
using the graphical utility, or the wsconfig.jar utility from the
command line?
Thanks,
-Ben
----- Original Message -----
From: Dave Watts <[EMAIL PROTECTED]>
Date: Tue, 20 Jul 2004 16:41:32 -0400
Subject: RE: securing CF Administrator
To: CF-Talk <[EMAIL PROTECTED]>
> To meet the requirement, we've been using web server
> directory-based security (like an .htaccess file - ours
> actually points to an ldap server) to lock down the
> CFIDE/administrator directory. However, this can only
> be accomplished by serving the CF administrator through an
> enterprise web server (Apache, SunOne, etc), rather than the
> built-in Jrun HTTP server. Without hacking the CF administrator
> app and rewriting it, or removing CF Administrator altogether,
> is there any other way to wrap security around it? What are
> others doing? Surely I'm not the only one to face this issue(?)
If you want to limit access to the CF Administrator, you can either run it
through an external web server, or limit the IP addresses from which the
JRun web server will accept connections.
> To make matters even more tricky, the use of JRUN clustering
> requires that the CF administrator be served through the JRUN
> http server (instead of Apache or SunOne). There's no way to
> connect a web server to a single JRUN instance inside a cluster
> :-) Since I can't use clustering w/out JRUN http server, and
> jrun http server has no security mechanism (that I know of),
> I'm up a creek.
You can connect each instance to a separate external virtual web server, and
connect the cluster itself to another external virtual web server. At least,
I've done this with CFMX on IIS. Generally, though, I use the JRun web
server to manage cluster members, and limit access to each CF Administrator
to the server console.
Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/
phone: 202-797-5496
fax: 202-797-5444

