ModCFML setup with bare web server and port 80/443

Hi everyone,

I’ve been trying to setup ModCFML and have not been able to get it to work.

My setup:

  • MacBook Air m1 with macoS 12 Monterrey
  • Latest version of CommandBox
  • My directory where I placed two of my websites for this test named foo1 and foo2:
  • I placed my server.json file in /Users/Jose/Sites/
  • I also edited my /etc/hosts file to have foo1 and foo2 point to

And i launch CommandBox with the following command inside the /Users/Jose/Sites/ directory (I use sudo to have access to port numbers under 1024): sudo box start

Launching like this seems to launch everything but when I try to access the website at http://foo1 or https://foo1 fails with the string “Unauthorized” showing in the web browser.

Here’s my server.json file:

“equals( %{LOCAL_SERVER_NAME}, ‘foo1’ ) → set(attribute=%{i,X-Tomcat-DocRoot},value=’${serverinfo.webroot}foo1)”,
“equals( %{LOCAL_SERVER_NAME}, ‘foo2’ ) → set(attribute=%{i,X-Tomcat-DocRoot},value=’${serverinfo.webroot}foo2’)”,
“not regex( value=%{LOCAL_SERVER_NAME}, pattern=’^site[123]\.com$’, case-sensitive=false ) → set-error(401)”

As brad asked on Facebook, when you say not working, what do you mean?
Looks like a 401 UnAuthorized error? - If so, it’s probably this RULE

“not regex( value=%{LOCAL_SERVER_NAME}, pattern=’^site[123]\.com$’, case-sensitive=false ) → set-error(401)”

Is says if it is not or or show a 401 error.

Since you are using foo1 and foo2, you should change it.

“not regex( value=%{LOCAL_SERVER_NAME}, pattern=’^foo[123]$’, case-sensitive=false ) → set-error(401)”

That would work, I think.

1 Like

Yep, what Gavin said. The last rule which was meant to reject any traffic coming into unrecognized domains is firing!

If this is just for local dev, then simply remove the last rule entirely! If this is for production, you can force all unknown hosts to just hit the default web root if you remove the last rule and add this rule as the first rule:


which basically just defaults the header so any malicious headers sent in from a hacker wouldn’t be used. That won’t be as brittle since you can add additional hosts as you wish without needing to keep another rule in sync.

Also, for anyone coming across this thread, there’s a bunch of additional context and answers here in the facebook “ColdFusion Programmers” group where the question originated. (I asked Jose to move it here so we could better help!)

Guys thanks for the help, you are the best!!! I appreciate your valuable time a lot.

1 Like