I am using an AWS instance behind a load balancer with NAT. It has its advantages, but one of its disadvantages is the remote_addr coming through is the remote_addr of the ELB.
http://leaguemanager.playerspace.com/test.cfm
What I'm trying to do is trick or configure the CF10 Administrator > Debugging and Logging > Enabled Request Debugging Output to use the x-forwarded-for as opposed to the remote_addr so I can use server debugging without that information being made visible to the public.
Is this possible by, say, modifying a file somewhere, to have the IP addresses set in Debugging and Logging > Debugging IP Addresses to be matched with the true client's personal IP (x-forwarded-for)?
JS
Never mind, I figured it out.
c:\coldfusion10\cfusion\runtime\conf\server.xml
Added
We want to take this a step further... We'd like to use OneLogin for credentialing and only make CFDebug output shown to people who are logged in with the right credentials. Do you know if there is a way to instead of looking at IP addresses to examine the role of the logged in person?
That should be easily done. Are the people logged on with name/password? Or is there a smart card (like a CAC) involved?
I'm Googling OneLogin, now.
What version of CF are you running? Apache, or IIS?
V/r,
^ _ ^
Right now we are on IIS CF10, working on moving to Docker containers. Users log in with username/password.
I would reach out to OneLogin support and find out how they present authorization after the login (I'm not finding it on their site.) I know nothing of third-party IDaaS methods, nor Dockers. I'm just a CF guy (been coding CF since late 2000.) But where I work, we use CACs to log on to the network, and CF + Apache can access the certs, giving us the ability to control who has access to what in our sites and apps. I'm sure OneLogin can do the same. You can either hard-code the authorized IDs into the application.cfc, or set up a database for the authorized IDs, and go from there.
V/r,
^ _ ^
Thanks. My question was less about how to figure out if our Developers are logged in with a developer role; we can already do that. It's more about figuring out how to only output debug info if developers are logged in. We'd like to avoid turning on debug for everyone and then trying to programmatically turn it off for everyone who's not a developer; hackers can probably find a way around that by going directly to a cfinclude page or something that might not have debug excluded. What I'd love to find is a cftag that can output the same cfdebug info but only when we choose, so I can check if a Developer is logged in and the server is Development or Stage and then output Debug info. Can't find a way to do that yet...
<cfswitch expression="{user is developer}">
<cfcase value="yes">
<cfsetting showdebugoutput="yes"/>
</cfcase>
<cfdefaultcase>
<cfsetting showdebugoutput="no" />
</cfdefaultcase>
</cfswitch>
HTH,
^ _ ^
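
Added example, not part of the thread and not code from any poster: a tag-based Application.cfc that applies the role check above as a default-deny gate in onRequestStart. The names `session.user.roles`, `application.environment`, the role name `developer` and the environment list are assumptions for illustration. `cfsetting showdebugoutput` can only suppress or allow output that the Administrator's debugging setting has already enabled.

```cfml
<!--- Application.cfc: added example with hypothetical names, not from the thread. --->
<cfcomponent output="false">
    <cfset this.name = "debugGateExample">
    <cfset this.sessionManagement = true>

    <!--- Hypothetical: the only environments where debug output may ever be shown. --->
    <cfset variables.debugEnvironments = "development,stage">

    <cffunction name="onApplicationStart" returntype="boolean" output="false">
        <!--- Assumption: normally read from deployment config; hard-coded for the example. --->
        <cfset application.environment = "production">
        <cfreturn true>
    </cffunction>

    <cffunction name="canSeeDebug" access="private" returntype="boolean" output="false">
        <!--- Fail closed: a missing key or any error means no debug output. --->
        <cftry>
            <cfif NOT listFindNoCase(variables.debugEnvironments, application.environment)>
                <cfreturn false>
            </cfif>
            <cfif NOT structKeyExists(session, "user") OR NOT isStruct(session.user)
                  OR NOT structKeyExists(session.user, "roles")>
                <cfreturn false>
            </cfif>
            <!--- Assumption: roles is a comma-delimited list set by the login code. --->
            <cfreturn listFindNoCase(session.user.roles, "developer") GT 0>
            <cfcatch type="any">
                <cfreturn false>
            </cfcatch>
        </cftry>
    </cffunction>

    <cffunction name="onRequestStart" returntype="boolean" output="false">
        <cfargument name="targetPage" type="string" required="true">
        <!--- Suppress first, so a failure later in this method still leaves debug off. --->
        <cfsetting showdebugoutput="false">
        <cfif canSeeDebug()>
            <cfsetting showdebugoutput="true">
        </cfif>
        <cfreturn true>
    </cffunction>
</cfcomponent>
```

Because onRequestStart runs for every template requested under this Application.cfc, a direct request to a page that is normally only included passes through the same gate. A subdirectory with its own Application.cfc or Application.cfm does not inherit it and needs the same check.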