Request Filtering should be working in the final CF11 build, that note you are seeing was pertaining to a Beta build of CF11.
On page 17 of the Lockdown Guide it shows locking down from the root of the
server. I tried that, then on page 24 where it shows to remove the blocks
for individual site, that did not work. CF ignored them. I tried recycling
the services on CF and on the web server, even rebooting. I could not get
it to work. If the root said to deny, it was ignored at the site,
regardless if I removed it from the site itself.
I was able to go to the website itself, and add filtering, that worked. In
fact, you can cut and paste from the web.confiig file found on the
individual websites and copy the text to a new site.
It works for a single website but according to the documentation you apply
the filtering to the web server, then give remove the filtering as needed
per website. I was not able to get this to work. I was, though, able to
give it to an individual site.
On Wed, Jun 25, 2014 at 12:15 PM, Peter Freitag <email@example.com>
If you block /CFIDE globally (server wide) you cannot then allow the URI /CFIDE/administrator/ for the admin site - is that what you were trying to do? If you block /CFIDE globally, you have to remove allow /CFIDE and then add blocks for each sub folder in /CFIDE besides administrator to setup the admin site. If you globally block each sub folder (eg /CFIDE/administrator, /CFIDE/adminapi, etc on the root node) then you should be able to just remove /CFIDE/administrator for the admin site.
I totally understand the blocking globally, which is what I wanted. I was going to create a local site for the administrator. The 'unblocking' is the part I was not able to get to work.
Sample: Create a new site in IIS7 (testsite). Add a virtual directory to /CFIDE
1. Navigate to testsite/CFIDE/administrator/ = works as expected.
2. GLOBALLY BLOCK /CFIDE/administrator, navigate to testsite/CFIDE/administrator/ = fails as expected.
3. UNBLOCK testsite/CFIDE/administrator, navigate to testsite/CFIDE/administrator/ = fails??? Should this not work?
4. DELETE GLOBAL BLOCKl /CFIDE, BLOCK testsite/CFIDE/administrator, navigate to testsite/CFIDE/administrator/ = fails as expected.
If I block /CFIDE/administrator at the global level, there is nothing i can do to create a site to make it work. No sites will work to administrator, no matter what I do in the local site.
Tried flushing cache, start/stop IIS7 and CF11. Finally figured I could accomplish what I wanted by going to the site and blocking directories.
If you are blocking the URI "/CFIDE" globally then step 3 would fail because of that, even if you unblock /CFIDE/administrator or say allow uri /CFIDE/administrator You have to remove the block for /CFIDE at the testsite level as well.