HTTP Status 403 – Forbidden after ColdFusion upgrade on Apache

NOTE: This post applies to Apache-based servers. For IIS-based servers, see https://handyman.dulare.com/http-status-403-forbidden-after-coldfusion-upgrade/

I noticed that this issue occurs on ColdFusion 2016 and 2018 after the ColdFusion server update. The symptoms are rather strange:

HTTP Status 403 – Forbidden. And it comes from Tomcat, not from the Apache server itself.

The connector-based solution

The first thing to do is to update the connector between Apache and ColdFusion. This is a must-have for most of the ColdFusion updates nowadays.

On Linux, it is rather simple. Find your wsconfig application, which is typically located in:

/opt/coldfusion[2016|2018]/config/wsconfig

and you can simply run:

./wsconfig -upgrade

The connector is upgraded but the site still shows 403

If the site is still not working, try removing the .htaccess file for a while (or rename it). If the error is gone, you have an additional issue, which is related to the headers sent to Tomcat.

Most likely, you have a rule in your .htaccess file that uses the “.*” expression. This causes the issue with the Tomcat server.

In such a case, locate the server.xml file, which is typically located here:

/opt/coldfusion[2016|2018]/cfusion/runtime/conf/server.xml

In the file, find the line that starts with:

<Connector connectionTimeout="60000" maxThreads="100"

Inside this Connector element, add this attribute:

allowedRequestAttributesPattern=".*"

As the last step, save the file and restart the ColdFusion server. It should now work properly.
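The value of allowedRequestAttributesPattern is a regular expression that a request attribute name must match in full for Tomcat's AJP connector to accept it, so ".*" accepts every name. The script below is an added example, not part of the original post or of ColdFusion: it audits the AJP connectors in a server.xml and tries a narrower candidate pattern. The sample XML, its ports and protocol values, and the attribute names are constructed for illustration, and Python's re module stands in for Java's regex engine.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample, not a real server.xml: the Connector attributes shown
# in the post plus assumed port and protocol values.
SAMPLE_SERVER_XML = """<Server port="8007" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8018" protocol="AJP/1.3" connectionTimeout="60000"
               maxThreads="100" allowedRequestAttributesPattern=".*"/>
    <Connector port="8019" protocol="AJP/1.3" connectionTimeout="60000"
               maxThreads="100"/>
    <Connector port="8500" protocol="HTTP/1.1"/>
  </Service>
</Server>"""


def audit_ajp_connectors(xml_text):
    """Return (port, pattern, verdict) for every AJP connector in server.xml."""
    findings = []
    for conn in ET.fromstring(xml_text).iter("Connector"):
        if "ajp" not in conn.get("protocol", "").lower():
            continue  # the attribute only applies to AJP connectors
        pattern = conn.get("allowedRequestAttributesPattern")
        if pattern is None:
            verdict = "unset: unrecognised request attributes get a 403"
        elif pattern == ".*":
            verdict = "match-all: every request attribute name is accepted"
        else:
            verdict = "restricted: only matching attribute names are accepted"
        findings.append((conn.get("port"), pattern, verdict))
    return findings


def rejected_by(pattern, attribute_names):
    """Names a candidate pattern would reject (whole-name match, as in Tomcat)."""
    return [n for n in attribute_names if not re.fullmatch(pattern, n)]


if __name__ == "__main__":
    for port, pattern, verdict in audit_ajp_connectors(SAMPLE_SERVER_XML):
        print(f"AJP connector on port {port}: {pattern!r} -> {verdict}")
    # Hypothetical attribute names, used to try a narrower pattern than ".*".
    names = ["REDIRECT_STATUS", "REDIRECT_URL", "X_CUSTOM_FLAG"]
    print("rejected by REDIRECT_.*:", rejected_by(r"REDIRECT_.*", names))
```

To check a real installation, pass the contents of your own server.xml to audit_ajp_connectors and replace the attribute names with the ones your rewrite rules actually set.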
