A ready‑to‑use IIS URL Rewrite template tailored for Adobe ColdFusion and Lucee apps is available below. It gives you sane defaults for HTTPS enforcement, host canonicalization, SEO‑friendly URLs, ColdFusion Admin hardening, ACME exclusions for Let’s Encrypt, and optional reverse proxying via ARR. By dropping this into web.config, you can standardize deployments, improve performance, and reduce misconfigurations across environments.

---
## Overview
This resource is a production‑oriented IIS URL Rewrite configuration optimized for ColdFusion applications running behind Microsoft IIS 8.5+ (commonly on Windows Server 2016, 2019, 2022). It helps you:

- Implement 301 redirects to enforce HTTPS and host canonicalization (e.g., www to non‑www).
- Route pretty URLs to index.cfm without breaking static assets.
- Harden sensitive paths such as /CFIDE/administrator.
- Exclude ACME challenge requests when using Let’s Encrypt.
- Optionally reverse proxy to a ColdFusion engine (Adobe ColdFusion 2021/2023 or Lucee) via ARR, useful for multi‑tier or containerized setups.

It’s aimed at developers, sysadmins, and DevOps teams who manage ColdFusion apps under IIS and want a trusted, repeatable baseline.

---
## What You’ll Get
- web.config template (XML), fully commented
- Minimal web.config variant (stripped comments)
- README with quick-start notes and troubleshooting checklist
- Sample test URLs to verify redirects and rewrites
- Optional snippets for:
  - HSTS and security headers
  - WWW/non‑WWW canonicalization variants
  - ARR reverse proxy to localhost:8500

File list and purpose:

- /web.config: Main URL Rewrite configuration
- /web.min.config: Minimal, production‑ready version
- /docs/QuickStart.pdf: 1‑page install guide with screenshots
- /snippets/arr-proxy.xml: Example ARR reverse proxy rule
- /snippets/headers.xml: Optional security headers
- /tests/urls.txt: Handy endpoints to test after deployment

---
## Supported Environments
- IIS: 8.5, 10, 10.5
- Windows Server: 2012 R2, 2016, 2019, 2022
- ColdFusion: Adobe ColdFusion 11–2023; Lucee 5.x (rules are engine‑agnostic)
- Modules:
  - Required: Microsoft URL Rewrite Module 2
  - Optional: Application Request Routing (ARR) for reverse proxy

Prerequisites:

- IIS Manager access and permission to write web.config in the site root
- Ability to recycle the application pool
- If using reverse proxy: ARR + “Proxy” feature enabled

---
## How to Install and Use
### Step-by-step
1) Install dependencies
   - Install Microsoft URL Rewrite Module 2 on the server.
   - If you plan to reverse proxy to a backend CF engine, install ARR and enable proxy.
2) Download and extract
   - Place web.config at the site’s root folder (e.g., C:\inetpub\wwwroot\yourapp).
3) Choose your canonical host policy
   - Non‑WWW primary (example.com) is default. If you prefer www, swap the provided canonical host rule variant.
4) Adjust optional settings
   - Enable/disable the reverse proxy rule if your ColdFusion runs on a different port or host.
   - Confirm ACME challenge allowance if you use Let’s Encrypt.
5) Recycle the app pool
   - In IIS Manager, recycle the application pool to apply changes.
6) Test
   - Visit http://yourdomain → confirm redirect to https://
   - Try http://www.yourdomain → confirm redirect to your canonical host
   - Hit /about (or another non‑file path) → confirm it routes to index.cfm
   - Confirm /CFIDE/administrator returns 404 (or is otherwise protected)
   - Validate Let’s Encrypt path: /.well-known/acme-challenge/test → must not redirect

### Configuration tips
- Use 301 for permanent SEO redirects (HTTPS, host). Use 302 when testing to avoid cached redirects.
- For ColdBox, FW/1, or custom routers, the “Pretty URLs to index.cfm” rule should work as-is. If your app’s front controller has a different name, change index.cfm accordingly.
- Behind a load balancer or CDN, ensure X-Forwarded-* headers are preserved.

### Reverse proxy with ARR (optional)
- Enable the “Reverse proxy to CF” rule when IIS should proxy requests to a backend CF engine (e.g., localhost:8500).
- Adjust the match URL path (e.g., ^app/(.*)$) and the backend target URL to match your topology.
- Ensure serverVariables set X-Forwarded-Proto and X-Forwarded-For to retain client and scheme info.
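
A sketch of the rule these three points describe, added here as an example and not taken from the package's /snippets/arr-proxy.xml. It assumes the `^app/(.*)$` prefix and `localhost:8500` backend quoted above, and that a separate rule blocks `^CFIDE/` on the site itself.

```xml
<!-- Added example. Server level (applicationHost.config): turn on the ARR proxy
     and allow the rule below to set these two request headers. Without the
     allowedServerVariables entries, URL Rewrite rejects the <set> elements. -->
<system.webServer>
  <proxy enabled="true" />
  <rewrite>
    <allowedServerVariables>
      <add name="HTTP_X_FORWARDED_PROTO" />
      <add name="HTTP_X_FORWARDED_FOR" />
    </allowedServerVariables>
  </rewrite>
</system.webServer>

<!-- Site web.config: goes inside <rewrite><rules>, after the HTTPS and host redirects. -->
<rule name="Reverse proxy to CF" stopProcessing="true">
  <match url="^app/(.*)$" />
  <conditions>
    <!-- /app/CFIDE/... never matches a ^CFIDE/ block rule, yet it would reach
         /CFIDE/... on the backend, so keep it out of the proxy here -->
    <add input="{R:1}" pattern="^CFIDE/" negate="true" />
  </conditions>
  <serverVariables>
    <!-- "https" is hard-coded only because the HTTPS redirect rule runs first -->
    <set name="HTTP_X_FORWARDED_PROTO" value="https" />
    <set name="HTTP_X_FORWARDED_FOR" value="{REMOTE_ADDR}" />
  </serverVariables>
  <action type="Rewrite" url="http://localhost:8500/{R:1}" />
</rule>
```

After enabling it, request /app/CFIDE/administrator and confirm it is not served by the backend.
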
---
## The Template: Key Rules
Below is the standard, commented web.config template. Copy it into your site root and tailor as needed.
##### Notes
- If you prefer WWW canonicalization, replace the “Canonical host (non-www)” rule with a version that redirects from example.com to www.example.com.
- For apps not using index.cfm as a front controller, change the rewrite target accordingly.
- To avoid redirect loops behind a load balancer or TLS terminator, verify {HTTPS} reflects the client scheme or rely on X-Forwarded-Proto with an alternate condition.
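
The rule order these notes rely on, written out as an added example; it is not the downloadable template itself. `example.com`, the rule names other than the two quoted on this page, and the `index.cfm/{R:1}` path-info target are assumptions.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example; example.com and unquoted rule names are placeholders. -->
<configuration>
  <system.webServer>
    <rewrite>
      <rules>
        <!-- 1. ACME HTTP-01: stop here so no later redirect or rewrite touches it -->
        <rule name="ACME challenge passthrough" stopProcessing="true">
          <match url="^\.well-known/acme-challenge/" />
          <action type="None" />
        </rule>
        <!-- 2. HTTPS: fixed target host, so the Host header is never echoed back -->
        <rule name="Force HTTPS" stopProcessing="true">
          <match url="(.*)" />
          <conditions>
            <add input="{HTTPS}" pattern="^off$" />
          </conditions>
          <action type="Redirect" url="https://example.com/{R:1}" redirectType="Permanent" />
        </rule>
        <!-- 3. Canonical host for requests that already arrive over HTTPS -->
        <rule name="Canonical host (non-www)" stopProcessing="true">
          <match url="(.*)" />
          <conditions>
            <add input="{HTTP_HOST}" pattern="^www\.example\.com$" />
          </conditions>
          <action type="Redirect" url="https://example.com/{R:1}" redirectType="Permanent" />
        </rule>
        <!-- 4. Deny the CF Administrator before the catch-all can route it -->
        <rule name="Block CFIDE administrator" stopProcessing="true">
          <match url="^CFIDE/administrator(/|$)" />
          <action type="CustomResponse" statusCode="404" statusReason="Not Found" statusDescription="Not Found" />
        </rule>
        <!-- 5. Front controller: only paths that are not real files or folders -->
        <rule name="Pretty URLs to index.cfm" stopProcessing="true">
          <match url="^(.*)$" />
          <conditions>
            <add input="{REQUEST_FILENAME}" matchType="IsFile" negate="true" />
            <add input="{REQUEST_FILENAME}" matchType="IsDirectory" negate="true" />
          </conditions>
          <action type="Rewrite" url="index.cfm/{R:1}" />
        </rule>
      </rules>
    </rewrite>
  </system.webServer>
</configuration>
```

While testing, set `redirectType="Found"` on rules 2 and 3 so browsers do not cache the redirect.
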
---
- Order matters: Canonical redirects (HTTPS and host) should run before rewrites to index.cfm.
- Use 301 for SEO‑relevant redirects and switch to 302 when testing to avoid cache stickiness.
- Exclude /.well-known/acme-challenge from redirects to support Let’s Encrypt.
- Don’t rely only on rewrite rules to secure /CFIDE; add IP restrictions or move the admin to a separate, non‑public binding.
- Keep rules minimal; every extra rule adds processing overhead.
- Log rewrite traces during setup: IIS Manager > URL Rewrite > View Tracing.
- In multi‑site environments, store a per‑site web.config to keep canonical rules specific to each hostname.

---
## Benefits and Use Cases
- SEO and canonicalization: Permanent redirects unify your preferred host and enforce HTTPS, improving ranking signals and avoiding duplicate content.
- Clean URLs: Rewrite to index.cfm supports framework routers (ColdBox, FW/1) and makes human‑friendly paths without exposing .cfm extensions.
- Security hardening: Blocking sensitive ColdFusion paths reduces attack surface. Pair with IP allowlists or Windows Authentication for stronger control.
- Reverse proxy flexibility: Serve your ColdFusion app from a backend JVM container or separate port using ARR, ideal for blue‑green deployments and containers.
- Reliability at scale: Consistent, versionable web.config makes it easy to replicate environments across dev, staging, and production.
- Compatibility: Works with Adobe ColdFusion 2021/2023 and Lucee, IIS 8.5+, and common Windows Server versions.

Related terms you might search for:

- URL Rewrite for IIS, web.config rewrite rules, mod_rewrite equivalents on IIS, ARR reverse proxy, CFIDE hardening, HTTPS redirect, www to non‑www, canonical URLs, SEO‑friendly URLs, ColdFusion under IIS, load balancer and X‑Forwarded headers.

---
## Key Takeaways
- Use the template to standardize HTTPS, host canonicalization, and front‑controller routing for ColdFusion apps under IIS.
- Keep the ACME challenge path open to avoid SSL renewal failures.
- Harden /CFIDE and related paths; consider stronger controls than 404 alone.
- Enable ARR reverse proxy only when needed and verify X‑Forwarded headers.
- Test redirects thoroughly to avoid loops and unintended 404s.

---
## FAQ
#### How do I switch from non‑WWW to WWW canonicalization?
Replace the “Canonical host (non‑www)” rule with a variant that checks for a non‑www host and redirects to www.yourdomain.com. Only one canonical host rule should be active to avoid loops.
#### Will these rules work with Lucee as well as Adobe ColdFusion?
Yes. The rewrite logic is engine‑agnostic. If your front controller isn’t index.cfm, update the rewrite target accordingly.
#### Do I need ARR if my ColdFusion runs on the same IIS worker?
No. ARR is only required if IIS proxies to a backend service (e.g., localhost:8500 or a container). If ColdFusion is integrated directly (ISAPI or built‑in connector), keep the ARR rule disabled.
#### How can I prevent redirect loops behind a load balancer?
Ensure the {HTTPS} variable reflects the client scheme. If TLS terminates upstream, use conditions based on X-Forwarded-Proto or configure the load balancer to pass HTTPS on to IIS, then adjust the rule logic accordingly.
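
One way to write that condition, as an added example that is not part of the packaged template. When TLS terminates upstream, IIS sees every request as plain HTTP, so a rule that tests only `{HTTPS}` redirects forever. The rule name and `example.com` are placeholders, and the load balancer is assumed to overwrite X-Forwarded-Proto on every request.

```xml
<!-- Added example for IIS behind a TLS terminator; goes inside <rewrite><rules>
     in place of an HTTPS rule that tests {HTTPS} alone. -->
<rule name="Force HTTPS (proxy-aware)" stopProcessing="true">
  <match url="(.*)" />
  <conditions logicalGrouping="MatchAll">
    <!-- A direct TLS connection to IIS is already secure: no redirect -->
    <add input="{HTTPS}" pattern="^off$" />
    <!-- Offloaded TLS: the forwarded scheme says what the client actually used.
         Only trustworthy if the load balancer replaces any client-sent value. -->
    <add input="{HTTP_X_FORWARDED_PROTO}" pattern="^https$" negate="true" />
    <!-- Keep Let's Encrypt HTTP-01 challenges out of the redirect -->
    <add input="{REQUEST_URI}" pattern="^/\.well-known/acme-challenge/" negate="true" />
  </conditions>
  <action type="Redirect" url="https://example.com/{R:1}" redirectType="Permanent" />
</rule>
```
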
#### Can I add caching or compression via web.config?
Compression (gzip/deflate) is managed by IIS Dynamic/Static Compression features. Caching headers can be added via
