3 Replies Latest reply on May 13, 2016 11:27 AM by David Belanger

    CF2016 - Alias for /cf_scripts/scripts in the Built-In Web Server

    bw_bloodletter Level 1

      I'm following the lockdown guide here:

      http://wwwimages.adobe.com/content/dam/acom/en/products/coldfusion/pdfs/coldfusion-2016-lo ckdown-guide.pdf


      The guide suggests moving the /cf_scripts/scripts directory, so I did.

      The guide also suggests using only the built-in web server for accessing ColdFusion Administrator, so that's how I have it set up.

      The guide also states that you should create an alias for the moved directory in the built-in web server.  See page 58 of the PDF.

      If you plan on using the built-in web server to access ColdFusion administrator you may need to create an alias for /cf_scripts/scripts if you changed the Default Script Src setting in ColdFusion administrator.

      To Create a new Alias for /cf_scripts/scripts in the built-in web server

      If you plan to use the built-in web server for accessing ColdFusion administrator then you must also add an alias by adding a Context tag inside the Host tag of server.xml located: /opt/cf11/cfusion/runtime/conf/server.xml

      <Context path="/"



      aliases="/coscripts=/opt/cf11/fusion/wwwroot/CFIDE/scripts" />

      Restart ColdFusion, then test by visiting /cfscripts/cfform.js on your builtin server.


      There are a ton of typos in this (Workie vs WorDir, cone vs conf, tamp vs tmp, coscripts vs cfscripts, etc.

      This also appears to be referencing the cf11 paths (CFIDE/scripts vs cf_scripts/scripts, and /cfscripts/cfform.js vs cf_scripts/scripts/cfform.js).


      Further, coldfusion-error.log notes the following:

      WARNING: A context path must either be an empty string or start with a '/' and do not end with a '/'. The path [/] does not meet these criteria and has been changed to []

      WARNING: [SetPropertiesRule]{Server/Service/Engine/Host/Context} Setting property 'aliases' to '/cf_scripts/scripts=/cf_scripts/test_scripts' did not find a matching property.


      The first line isn't an issue, but the second line is.  aliases isn't a valid property of context.

      The server.xml file has an example, and it's as follows:

      <Context path="" docBase="<cf_home>/wwwroot" WorkDir="<cf_home>/runtime/conf/Catalina/localhost/tmp" >


          <PreResources base="docBase1" className="org.apache.catalina.webresources.DirResourceSet" webAppMount="/aliasPath1"/>

          <PreResources base="docBase2" className="org.apache.catalina.webresources.DirResourceSet" webAppMount="/aliasPath2"/>




      This aligns with the Apache docs.


      I have CF installed on Windows, at F:\CF_2016\ .  This is what I've done to alias the scripts directory (renamed to test_scripts for testing) for the built-in web server:

      <Context path="/" docBase="F:/CF_2016/cfusion/wwwroot" WorkDir="F:/CF_2016/cfusion/runtime/conf/Catalina/localhost/tmp">


          <PreResources base="F:/CF_2016/cfusion/wwwroot/cf_scripts/test_scripts" className="org.apache.catalina.webresources.DirResourceSet" webAppMount="/cf_scripts/scripts"/>




      It seems to work.  Is this correct? Should it be aliased as /scripts or /cfscripts instead of /cf_scripts/scripts ?


      Why exactly do I need to alias this for the administrator?



        • 1. Re: CF2016 - Alias for /cf_scripts/scripts in the Built-In Web Server
          David Belanger Level 1



          I was in the same boat (we're setting up a secure profile for testing) and I can see that no one has answered you so I'd like to offer what we did.

          <Context path="/" docBase="{YOUR_DRIVE}:/{CFROOT}/cfusion/wwwroot" WorkDir="{YOUR_DRIVE}:/{CFROOT}/cfusion/runtime/conf/Catalina/localhost/tmp">


              <PreResources base="{YOUR_DRIVE}:/{CFROOT}/cfusion/wwwroot/cf_scripts/scripts"           className="org.apache.catalina.webresources.DirResourceSet"




          You see, I believe the problem you had above was that the base should be the physical directory and the webAppMount should be the Virtual Directory.


          You were correct about the typos in the "official" document.


          I'm not sure if it matters or not but we also created the "tmp" directory (referenced above) within the "{YOUR_DRIVE}:/{CFROOT}/cfusion/runtime/conf/Catalina/localhost/" because it isn't there by default.



          • 2. Re: CF2016 - Alias for /cf_scripts/scripts in the Built-In Web Server
            bw_bloodletter Level 1

            Thanks for the response, it looks like you did basically the same thing we did.

            However, in your answer aren't your base and webAppMount switched?  It looks like you're mapping the physical scripts directory to a new logical name.  You should be moving the physical scrips directory and creating the mapping with the same logical name to the new physical location.  Right?


            See Apache Tomcat 8 Configuration Reference (8.0.33) - The Resources Component



            Identifies where the resources to be used are located. This attribute is required by the org.apache.catalina.WebResourceSet implementations provided by Tomcat and should specify the absolute path to the file, directory or JAR where the resources are located. Custom implementations may not require it.



            Identifies the path within the web application that these resources will be made available. For the org.apache.catalina.WebResourceSet implementations provided by Tomcat, this attribute is required and must start with '/'. Custom implementations may not require it. If not specified, the default value of '/' will be used.

            • 3. Re: CF2016 - Alias for /cf_scripts/scripts in the Built-In Web Server
              David Belanger Level 1

              The snippet I posted is correct.  base is my physical locations (in CF2016) and the webAppMount is my virtual directory (ex. /autumnCFScripts/).  If this were CF11 and below, that default physical location would be:




              For CF2016, that particular part of the "Lockdown Guide" can probably be removed now because the security concern behind remapping your cfscripts directory was that it was located inside the CFIDE and nothing about the CFIDE should be open to the public.  This concern was raised over several versions and now in CF2016, it happily resides in the wwwroot, not the CFIDE which is good enough in my book.


              The secondary reason to change all the default mappings is pretty much to avoid attacks on commonly used virtual directory names.  Changing the mapping for the CF scripts directory makes it harder for a robot to find.  There are still many, many, many CF servers out there with a basic, non-secure install (with CFIDE open to the public!).  That's why Adobe came up with the "secure-profile" AND move move scripts out of the CFIDE in the first place.

              1 person found this helpful