IIS and Apache Connectors for ColdFusion 2025
You need to configure web server connectors to proxy requests from IIS or Apache to ColdFusion's Tomcat engine. Proper connector configuration is essential for both security and performance.
IIS Configuration
Use the ColdFusion Web Server Configuration Tool to set up the IIS connector. Follow these steps:
- Launch the Web Server Configuration Tool from the ColdFusion program group in your Start menu
- Select IIS as your web server from the available options
- Choose which IIS sites you want to configure for ColdFusion
- Ensure that the Application Pool is set to "No Managed Code" to prevent conflicts
- Verify that the connector successfully creates the required ISAPI filter in IIS
Apache Configuration
For Apache, use mod_jk or the supported AJP connector. Configure the AJP secret so that Tomcat rejects AJP requests that do not present it:

    <!-- In server.xml (ColdFusion side) -->
    <Connector port="8009"
               protocol="AJP/1.3"
               secretRequired="true"
               secret="your-strong-secret-here"
               redirectPort="8443" />

In your Apache configuration file, you must use the same secret value to authenticate the connection:

    # workers.properties
    worker.cfusion.secret=your-strong-secret-here

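One way to check that both sides agree before restarting the connector, as an added example rather than code from the original page or from ColdFusion. The function names `parse_properties` and `audit_ajp` are hypothetical, the sample inputs are constructed, and the worker name `cfusion` is taken from the snippet above.

```python
import xml.etree.ElementTree as ET

PLACEHOLDER = "your-strong-secret-here"  # sample value from the page, never valid in production
# Constructed sample inputs (not from a real server): explicit flag missing, secrets differ.
SAMPLE_SERVER_XML = """<Server><Service name="Catalina">
  <Connector port="8009" protocol="AJP/1.3" secret="constructed-secret-A" redirectPort="8443" />
</Service></Server>"""
SAMPLE_WORKERS = "worker.list=cfusion\nworker.cfusion.secret=constructed-secret-B\n"

def parse_properties(text):
    """Parse workers.properties text into a dict, skipping comments and blank lines."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        props[key.strip()] = value.strip()
    return props

def audit_ajp(server_xml, workers_properties, worker="cfusion"):
    """Return a list of findings; an empty list means both sides are consistent."""
    findings = []
    worker_secret = parse_properties(workers_properties).get(f"worker.{worker}.secret")
    if worker_secret is None:
        findings.append(f"worker.{worker}.secret missing in workers.properties")
    connectors = [c for c in ET.fromstring(server_xml).iter("Connector")
                  if "ajp" in c.get("protocol", "").lower()]
    if not connectors:
        findings.append("no AJP connector found in server.xml")
    for c in connectors:
        port, secret = c.get("port", "?"), c.get("secret")
        # The page's guidance is to set the flag explicitly, so absence is reported too.
        if c.get("secretRequired", "").lower() != "true":
            findings.append(f'port {port}: secretRequired is not "true"')
        if not secret:
            findings.append(f"port {port}: no secret attribute")
        elif secret == PLACEHOLDER:
            findings.append(f"port {port}: secret is still the sample placeholder")
        elif worker_secret is not None and secret != worker_secret:
            findings.append(f"port {port}: secret does not match worker.{worker}.secret")
    return findings  # findings never include the secret values themselves

if __name__ == "__main__":
    for finding in audit_ajp(SAMPLE_SERVER_XML, SAMPLE_WORKERS):
        print("FINDING:", finding)
```
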
Security Hardening
You must restrict access to the ColdFusion Administrator and CFIDE directories to prevent unauthorized access. Implement these security measures:
- Block all public internet access to /CFIDE/administrator/
- Restrict Administrator access to localhost or VPN connections only
- Implement IP address allowlisting to limit who can access administrative interfaces
- Always enable HTTPS for all administrative traffic to prevent credential interception
IIS Example:

    <location path="CFIDE/administrator">
      <system.webServer>
        <security>
          <ipSecurity allowUnlisted="false">
            <add ipAddress="127.0.0.1" allowed="true" />
            <add ipAddress="10.0.0.0" subnetMask="255.255.255.0" allowed="true" />
          </ipSecurity>
        </security>
      </system.webServer>
    </location>

Apache Example:

    <Location /CFIDE/administrator>
        Require ip 127.0.0.1
        Require ip 10.0.0.0/24
    </Location>

HTTPS Configuration
Always use HTTPS in production environments to protect data in transit. Configure your web server with these security settings:
- Automatically redirect all HTTP requests to HTTPS to ensure encrypted connections
- Support only TLS 1.2 or 1.3, disabling older, insecure protocol versions
- Enable HTTP Strict Transport Security (HSTS) headers to prevent protocol downgrade attacks
- Configure strong cipher suites and disable weak or deprecated ciphers
Connector Checklist
- HTTPS only in production
- AJP secret configured (Apache)
- Application Pool set to No Managed Code (IIS)
- CF Administrator not internet-exposed
- CFIDE directories restricted
- TLS 1.0/1.1 disabled
- HSTS headers enabled
Gotchas
- A missing AJP secret causes connector authentication failures - always set secretRequired="true" and configure matching secrets
- The IIS Application Pool must be set to "No Managed Code" or all requests will fail with cryptic errors
- Connector updates may be required after applying ColdFusion hotfixes to maintain compatibility
- Load balancer timeout settings must be configured to exceed your ColdFusion request timeout to avoid premature termination
- Check the connector logs in the {cf_root}/config/wsconfig/ directory when troubleshooting connection issues