diff --git a/docs/04.guides/12.deploying-lucee-server-apps/02.lockdown-guide/page.md b/docs/04.guides/12.deploying-lucee-server-apps/02.lockdown-guide/page.md index 811d4d6e8..9d1734f3c 100644 --- a/docs/04.guides/12.deploying-lucee-server-apps/02.lockdown-guide/page.md +++ b/docs/04.guides/12.deploying-lucee-server-apps/02.lockdown-guide/page.md @@ -34,13 +34,13 @@ If using Tomcat, then also restrict access to the following URIs that are instal An Apache directive that restricts access to /lucee, as an example, is given below: - + Order Deny,Allow Deny from all Allow from 127.0.0.1 -In the above example, only the localhost IP address, 127.0.0.1, would be allowed to navigate to any url that contains /lucee. This directive effectively blocks access to URL's that begin with /lucee/ from any other IP address, cutting off any exploits that attempt to use resources located under /lucee. +In the above example, only the localhost IP address, 127.0.0.1, would be allowed to navigate to any url that contains /lucee. This directive effectively blocks access to URL's that begin with /lucee/ from any other IP address, cutting off any exploits that attempt to use resources located under /lucee. A regular expression match `~` is required to match any URL's that use a semi-colon to try and bypass the directive (e.g. /;/lucee/... would bypass a directive without the regular expression match and pass the /lucee/... URL to Tomcat with path parameters, thus allowing requests from any IP to access /lucee URL's. So far, so good. But then how can admins access the admin panels such as /lucee/admin/server.cfm if they don't have physical access to the server???
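Review bot: the added sentence in the `+` line opens a parenthesis at "(e.g. /;/lucee/..." that is never closed; end it after "access /lucee URL's" with ")" so the aside is clearly an example, and change "URL's" to "URLs" throughout the paragraph since it is a plural, not a possessive. The changed opening directive itself shows up as an empty `-`/`+` pair in this hunk, which suggests the tag is being swallowed by the Markdown renderer; wrapping the whole directive, including its opening and closing tags, in a fenced code block would make the `~` regex match the new sentence refers to actually visible to readers, otherwise the text explains a character they cannot see. Also worth a note beside the example: `Order Deny,Allow` / `Deny from all` / `Allow from 127.0.0.1` is Apache 2.2 mod_access_compat syntax; on Apache 2.4 the equivalent is `Require ip 127.0.0.1`, and readers on 2.4 copying the example as written will get a configuration that only works with the compatibility module loaded.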