Read the full post here:
https://www.ortussolutions.com/blog/commandbox-web-server-lockdown-example
This is really helpful so thank you!
My first post here! Great job this community site @bdw429s !
I have a question: Are there any pre-built lockdown urlRewrite rules for Apache2 and IIS when fronting ColdBox/ContentBox documented somewhere? I’m doing some tests on Tomcat/Lucee and static files like server.json or box.json are being served directly. Just asking before building it myself. Thanks!!!
@Andreas Not that I know of. You can reverse engineer the rules CommandBox uses which are documented here:
That should do the job for Apache2 mod_rewrite. Translated these from Brad's blog post. Posting it here for posterity and others:
# Block requests to possible static sensitive files
# Match the request path against the list of sensitive filenames (NC = case-insensitive);
# the leading "/" in the pattern means "/foo/server.json" matches but "/myserver.json" does not
RewriteCond %{REQUEST_URI} .*/(box\.json|server\.json|web\.config|urlrewrite\.xml|package\.json|package-lock\.json|Gulpfile\.js|CFIDE/multiservermonitor-access-policy\.xml|CFIDE/probe\.cfm)$ [NC]
# Only fire when the request maps to a real file on disk. Note: in VirtualHost context
# REQUEST_FILENAME may still hold the URI rather than a filesystem path, so use this in
# .htaccess / <Directory> context or drop this condition to return 404 unconditionally
RewriteCond %{REQUEST_FILENAME} -f
# Answer 404 instead of serving the file; a non-3xx R= code discards the substitution
# and stops rewriting, the same as L
RewriteRule ^(.*)$ - [L,R=404]
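For the IIS half of the question, here is the same rule expressed for the IIS URL Rewrite module as a web.config fragment. This is an added example, not code from the post or from Brad's blog; the file list is copied from the Apache rule above. It assumes the URL Rewrite module is installed on the site. Two differences from Apache to keep in mind: the `url` attribute is matched against the request path without its leading slash, so the pattern uses `(^|/)` where the Apache rule used `.*/`, and the `IsFile` condition plays the role of `-f` (remove the `<conditions>` block to answer 404 whether or not the file exists).

```xml
<configuration>
  <system.webServer>
    <rewrite>
      <rules>
        <!-- Block requests to possible static sensitive files (same list as the Apache rule) -->
        <rule name="Block sensitive static files" stopProcessing="true">
          <!-- IIS matches the path without a leading slash, hence (^|/) instead of .*/ -->
          <match url="(^|/)(box\.json|server\.json|web\.config|urlrewrite\.xml|package\.json|package-lock\.json|Gulpfile\.js|CFIDE/multiservermonitor-access-policy\.xml|CFIDE/probe\.cfm)$" ignoreCase="true" />
          <conditions>
            <!-- Mirrors Apache's "-f": only fire when the request maps to an existing file -->
            <add input="{REQUEST_FILENAME}" matchType="IsFile" />
          </conditions>
          <!-- Return 404 rather than serving the file -->
          <action type="CustomResponse" statusCode="404" statusReason="Not Found" statusDescription="Not Found" />
        </rule>
      </rules>
    </rewrite>
  </system.webServer>
</configuration>
```

After adding the rule, request one of the listed paths (for example `/box.json`) through IIS and confirm a 404 comes back; requesting an unlisted static file should still work, which shows the rule is scoped to the list and not blocking everything.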