Seeing that someone was trying to hit wp-login.php (WordPress login) a few times a minute on one of our servers at CF Webtools we decided to block any PHP requests since this is a ColdFusion server. It wasn’t as easy as I thought. This is a Windows 2008 R2 server running IIS 7.5 and ColdFusion 11.

Sample URL:
http://www.mysite.com/index.cfm/main/mypage/id/68249/id2/wp-login.php

At first I tried using Request Filtering under the “Rules”, “URL” and “Query Strings” tabs. These had no effect.

I then went to URL Rewrite where there was a custom rule to allow index.cfm to be absent from the URL.

<rewrite>
    <rules>
        <clear />
        <rule name="Rewrite FW/1 SES index.cfm">
            <match url="^(?!css|js|fonts)(.*)$" />
            <conditions logicalGrouping="MatchAll" trackAllCaptures="false">
                <add input="{REQUEST_URI}" pattern="^.*\.(bmp|css|gif|htc|html?|ico|jpe?g|js|pdf|png|swf|txt|xml|ttf|woff|eot)([/?].*)?$" negate="true" />
            </conditions>
            <action type="Rewrite" url="/index.cfm/{R:1}" logRewrittenUrl="true" />
        </rule>
    </rules>
</rewrite>

I then tried adding a rule using the default settings of wildcards. While the test responded okay, the actual page kept processing the URL.

Thanks to Wil Genovese, after switching to regular expressions and enclosing those in parentheses, “.php” requests were finally denied.

<rule name="No PHP" stopProcessing="true">
    <match url="(.*)" />
    <conditions>
        <add input="{PATH_INFO}" pattern="(\.php)" />
    </conditions>
    <action type="AbortRequest" />
</rule>
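To see how the deny rule and the FW/1 rewrite interact, here is a small Python simulation of URL Rewrite's rule evaluation. It is an added example, not code from this post or from CF Webtools. It parses a constructed web.config fragment containing the two rules above with the "No PHP" rule placed first, models the PATH_INFO and REQUEST_URI server variables, and walks the rules in document order while honouring stopProcessing and URL Rewrite's default case-insensitive matching. The helper names (evaluate, server_variables, conditions_match), the sample URLs and the assumption that the query string is carried in QUERY_STRING/REQUEST_URI rather than PATH_INFO are mine.

```python
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Constructed web.config fragment (not the post's live file): the post's two rules,
# with the deny rule first so it is evaluated before the FW/1 rewrite.
WEB_CONFIG = r"""<configuration>
  <system.webServer>
    <rewrite>
      <rules>
        <clear />
        <rule name="No PHP" stopProcessing="true">
          <match url="(.*)" />
          <conditions>
            <add input="{PATH_INFO}" pattern="(\.php)" />
          </conditions>
          <action type="AbortRequest" />
        </rule>
        <rule name="Rewrite FW/1 SES index.cfm">
          <match url="^(?!css|js|fonts)(.*)$" />
          <conditions logicalGrouping="MatchAll" trackAllCaptures="false">
            <add input="{REQUEST_URI}" pattern="^.*\.(bmp|css|gif|htc|html?|ico|jpe?g|js|pdf|png|swf|txt|xml|ttf|woff|eot)([/?].*)?$" negate="true" />
          </conditions>
          <action type="Rewrite" url="/index.cfm/{R:1}" logRewrittenUrl="true" />
        </rule>
      </rules>
    </rewrite>
  </system.webServer>
</configuration>
"""


def server_variables(url):
    """The subset of IIS server variables these rules reference. Assumption
    (matching IIS): the query string is carried in QUERY_STRING and REQUEST_URI,
    never in PATH_INFO, so '.php' only in the query does not trip the deny rule."""
    p = urlsplit(url)
    return {
        "PATH_INFO": p.path,
        "QUERY_STRING": p.query,
        "REQUEST_URI": p.path + ("?" + p.query if p.query else ""),
    }


def _flags(element):
    # URL Rewrite's <match> and condition <add> default to ignoreCase="true".
    return 0 if element.get("ignoreCase", "true").lower() == "false" else re.IGNORECASE


def conditions_match(rule, variables):
    """Evaluate <conditions>; only the default MatchAll grouping is modelled."""
    conds = rule.find("conditions")
    if conds is None:
        return True
    for cond in conds.findall("add"):
        value = variables.get(cond.get("input").strip("{}"), "")
        hit = re.search(cond.get("pattern"), value, _flags(cond)) is not None
        if cond.get("negate", "false").lower() == "true":
            hit = not hit
        if not hit:
            return False
    return True


def evaluate(config_xml, url):
    """Walk the rules in document order, as URL Rewrite does, and return
    ('abort', rule name) or ('pass', final path after any rewrites)."""
    variables = server_variables(url)
    # <match url> is tested against the path without its leading slash.
    path = variables["PATH_INFO"].lstrip("/")
    for rule in ET.fromstring(config_xml).iter("rule"):
        match_el = rule.find("match")
        match = re.search(match_el.get("url"), path, _flags(match_el))
        if not match or not conditions_match(rule, variables):
            continue
        action = rule.find("action")
        if action.get("type") == "AbortRequest":
            return ("abort", rule.get("name"))
        if action.get("type") == "Rewrite":
            new_url = action.get("url").replace("{R:0}", match.group(0))
            for i, group in enumerate(match.groups(), start=1):
                new_url = new_url.replace("{R:%d}" % i, group or "")
            path = new_url.lstrip("/")
            variables["PATH_INFO"] = "/" + path
        if rule.get("stopProcessing", "false").lower() == "true":
            break
    return ("pass", "/" + path)


if __name__ == "__main__":
    for u in ("http://www.mysite.com/index.cfm/main/mypage/id/68249/id2/wp-login.php",
              "http://www.mysite.com/main/mypage",
              "http://www.mysite.com/main?file=x.php"):
        print(u, "->", evaluate(WEB_CONFIG, u))
```

The sample URL from the top of the post is aborted, a normal FW/1 path is rewritten to /index.cfm/..., and a request that only carries ".php" in its query string passes through, which is worth knowing if the scanner you are watching changes its pattern.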


“What is the best IDE for CFM”

Posted: February 11, 2015 in ColdFusion

I run into the question “What is the best IDE for CFM” here and there. So I thought I’d post my response here as well for others to find:

I personally use ColdFusion Builder and Sublime Text 3 for my projects at CF Webtools.

There are only two IDEs for ColdFusion: ColdFusion Builder and IntelliJ IDEA. An IDE, as opposed to a code editor, has the ability to communicate with a ColdFusion server instance and debug your code. It can also introspect your code, offering code hints based upon what your code is doing.

  • ColdFusion Builder is actively updated. Versions 1 and 2 had massive footprints that really turned me off. I have found that version 3 is much faster and therefore much more usable than the previous two.
  • IntelliJ IDEA has stopped ColdFusion updates from what I’ve read and does not list ColdFusion as a supported language. I do understand that what used to support CF was only the Ultimate Edition. Though Roger commented that he saw a ColdFusion update on February 3rd. I’ve never used this product so it’s hard for me to have good info here.

Everything else is just a code editor, such as SublimeText, Brackets, CF Eclipse, and NotePad++. A code editor, as opposed to an IDE, does not debug or introspect your code. All are good products (I really like SublimeText). But none of them keep up to date with ColdFusion language enhancements and, again, they are not IDEs.

  • CFEclipse might be the most recent with their 1.4.6 release that “only” took 2 years to come up with.
  • cfbrackets for Brackets is still in Beta and hasn’t been updated since June of 2014. It also doesn’t support cfscript which is a huge negative for me.
  • The CF Plugin for Sublime Text doesn’t support CF11 and you can’t install it on ST3 via the package manager.

Then of course there are outdated code editors such as:

If you’re looking for a true IDE I would stick with ColdFusion Builder for the sole reason is it continues to receive ColdFusion updates. But then again “best” is subjective.

Update 3/11/2015 11:31 CST:

Microsoft has included the fix for AnyConnect and Windows 8.1 in the 3/10/2015 Windows Update. See KB #3040335

Update 2/16/2015 16:11 CST:

Per Cisco: Microsoft has released a fix-it patch providing a workaround for this issue. See KB# 3023607

When you visit the KB page, it appears you have to scroll down to the “Microsoft Fix It” button and install the AppCompat shim which is Microsoft Fix it 51033. This is a bit confusing, so be sure to click that button.

Microsoft is planning to include the fix with the Microsoft March Patch Tuesday release (subject to change).

I run Windows 8.1 and run Cisco AnyConnect Secure Mobility Client version 3.1.03103 to access a VPN.

Today, after I hit connect, it stopped working out of the blue with the error:

Failed to initialize connection subsystem

Thanks to the ‘I Think – Therefore “IBM I”’ blog I was able to quickly resolve the issue. I’m assuming this had to do with a recent Windows Update. Here’s the final solution:

  1. Close the Cisco AnyConnect Window and the taskbar mini-icon
  2. Right click vpnui.exe in the “Cisco AnyConnect Secure Mobility Client” folder. (I have it in “C:\Program Files (x86)\Cisco\Cisco AnyConnect Secure Mobility Client\”.)
  3. Click on the “Run compatibility troubleshooter” button
  4. Choose “Try recommended settings”.
  5. The wizard suggests Windows 8 compatibility.
  6. Click “Test Program”. This will open the program.
  7. Close
  8. Some people may need to repeat the above steps for vpnagent.exe. That is the local service that supports the client user interface.

If you use group policies, Kim commented using the following for Windows 7 mode:

Make a GPO that added this key:

HKEY_LOCAL_MACHINE
SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers
Valuename : C:\Program Files (x86)\Cisco\Cisco AnyConnect Secure Mobility Client\vpnui.exe
Valuedata : ~ WIN7RTM

Update 2/11/2015 13:52 CST:

Cisco has notified me that they have escalated this issue to Microsoft for investigation.

This issue was introduced by KB# 3023607: Secure Channel cumulative update changes TLS protocol renegotiation and fallback behavior (https://support.microsoft.com/kb/3023607)

Included with Microsoft Security Bulletin MS15-009 – Critical Security Update for Internet Explorer (3034682)

This issue should also affect Windows 7 user with IE 11, but no reports of failure have been seen yet.

Update 2/12/2015 10:22 CST:

Cisco recommends that all customers open their own cases with Microsoft since the ultimate fix will need to come from them. You can feel free to reference Cisco’s case #115021112390273 in order to expedite having your ticket properly triaged by their support team. (source)

Our normal web server consists of an OS and Program Files drive (C:) and a data drive to hold website files (E:). This provides an extra layer of security, speed and helpful structure. Sometimes we will also add another data drive (F:) for clients with really large storage needs. For example, all user-uploaded photos go onto a 2TB drive array.

So let’s say you have user upload photos dedicated to one drive. You may want to just place the data onto the root of the drive. Simple right?

Well, here’s what you may run into when migrating/copying that drive to a new drive/machine using Robocopy (robocopy \\OLD-SERVER\UserPhotos F:\Data\UserPhotos /e /copy:DT /MT:8):

  1. If you’re putting the data into a subfolder this time, that root subfolder will become a system-hidden folder. The reason is that you are copying the root of a drive. Pretty annoying.
    1. You can fix this by running this after the copy starts: attrib -H -S F:\Data
  2. It will try to copy “System Volume Information” and “Recycle Bin”. But you’ll find that your process just gets stuck because it doesn’t have permissions to do so.
    1. You can fix this by not copying any system or hidden files/folders:
      robocopy \\OLD-SERVER\UserPhotos F:\Data\UserPhotos /e /copy:DT /MT:8 /xd $Recycle.bin "System Volume Information"
      FYI: I tried using /xa:HS instead of the /xd, but that didn’t work as expected.
    2. If you’ve already gone 8 hours into your copy operation just to find this out, speed things up by syncing instead using: robocopy \\OLD-SERVER\UserPhotos F:\Data\UserPhotos /mir /copy:DT /MT:8 /xd $Recycle.bin "System Volume Information" /xo /fft

So my point is, don’t put your data folder/file structure in the drive root. It’ll get mixed up with hidden-system files and folders and one day throw you for a loop. Instead put that all in a subfolder such as “F:\data”. Another example might be “E:\websites”.

Side-note: There are other copy methods to avoid this situation, however Robocopy is going to be one of your fastest options.

Update 1/20/2015: Fix is available in the refreshed Full installers. More information on this is available here at:
http://blogs.coldfusion.com/post.cfm/coldfusion-11-installers-refreshed-has-fix-for-server-fails-to-start-on-enabling-j2ee-session-variables-and-installation-on-japanese-os

After some wicked process of elimination at CF Webtools I found out that I was unable to start/restart ColdFusion 11 after enabling J2EE Session Variables in the ColdFusion Administrator.

I went through almost all types of installs thinking it was an issue with the Amazon EC2 server it was on. I thought this because we already have CF11 servers running with J2EE sessions enabled.

The difference, and the issue as it turns out, is the updated installer that includes update 3 for Windows x64. The original installer doesn’t seem to have this issue.

The underlying issue is whether or not Tomcat persistent sessions were turned on or off. This apparently keeps a session alive during a restart. ColdFusion apparently doesn’t like this if it’s on.

To turn off Tomcat persistent sessions (this seems a little backwards though):

  1. Open {cf instance}/runtime/conf/context.xml
  2. Uncomment <Manager pathname="" />
  3. Save file and close
  4. Start ColdFusion

This seems to have been an issue on ColdFusion 10 that somehow made its way back to 11.

Thanks to Derrick Anderson with BigTeams for finding this old issue at we3geeks.

I have opened bug ticket 3923565 with Adobe.

When tuning the IIS connector for Tomcat in ColdFusion 11, one of the resources you are told to look at is your “metrics.log” file.

This log is enabled in the ColdFusion Administrator and you can set the number of seconds for each entry.

What you want to see is something like this:

Max threads: 3000 Current thread count: 10 Current thread busy: 5 Max processing time: 420478 Request count: 1882 Error count: 0 Bytes received: 322099 Bytes sent: 55099992 Free memory: 18155664480 Total memory: 21045379072 Active Sessions: 1057

But what if you get this?

Max threads: null Current thread count: null Current thread busy: null Max processing time: null Request count: null Error count: null Bytes received: null Bytes sent: null Free memory: 19788897312 Total memory: 21045379072 Active Sessions: 142

A user notes this as a bug at https://bugbase.adobe.com/index.cfm?event=bug&id=3324126

“Asha K S” notes a fix and closed the bug as “Withdrawn – User Error”:

If you are using an external webserver like IIS or Apache – to enable metrics logging, you need to change the value of the “Connector Port” to AJP port. To know your AJP port, go to server.xml located at ColdFusion10\cfusion\runtime\conf and look for Connector element where protocol is “AJP/1.3” in the Debugging & Logging > Debug Output Settings page of ColdFusion Administrator

I worked this out with Wil Genovese to determine what this meant.

What we want to look for is the connector port for the “AJP/1.3” protocol in the file: {coldfusion install dir}/{instance dir}/runtime/conf/server.xml. For example “C:\ColdFusion11\cfusion\runtime\conf”.

The entry will look like this:

<Connector port="8012" protocol="AJP/1.3" redirectPort="8445" tomcatAuthentication="false" maxThreads="3000" connectionTimeout ="60000"/>

We want to take the connector port (8012 in this example) and put the value into the “Connector Port” input located under ColdFusion Administrator > Debugging & Logging > Debug Output Settings.


Note: You will see about the same issue when running CFSTAT. Most of the values will be at 0 until you update this connector port.
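As an added example (mine, not code from this post, Adobe or CF Webtools), the following Python reads the AJP connector port out of a constructed server.xml and parses constructed metrics.log entries, flagging the all-null pattern above so a monitoring job can catch a wrong “Connector Port” setting instead of someone noticing it by eye. The sample XML, the two log lines (copied from the healthy and null examples above), the field lists and the function names are my own assumptions.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample of {instance}/runtime/conf/server.xml; the AJP Connector
# element mirrors the one quoted in the post.
SERVER_XML = """<Server port="8007" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8500" protocol="HTTP/1.1" connectionTimeout="20000" redirectPort="8445"/>
    <Connector port="8012" protocol="AJP/1.3" redirectPort="8445" tomcatAuthentication="false" maxThreads="3000" connectionTimeout="60000"/>
  </Service>
</Server>
"""

# Two constructed metrics.log entries: a healthy one and the all-null one the post shows.
METRICS_LINES = [
    "Max threads: 3000 Current thread count: 10 Current thread busy: 5 Max processing time: 420478 "
    "Request count: 1882 Error count: 0 Bytes received: 322099 Bytes sent: 55099992 "
    "Free memory: 18155664480 Total memory: 21045379072 Active Sessions: 1057",
    "Max threads: null Current thread count: null Current thread busy: null Max processing time: null "
    "Request count: null Error count: null Bytes received: null Bytes sent: null "
    "Free memory: 19788897312 Total memory: 21045379072 Active Sessions: 142",
]

# Field order as written in metrics.log. The first eight are read through the
# AJP connector; the last three are JVM memory and ColdFusion session figures,
# which is why they survive when the connector port is wrong.
CONNECTOR_FIELDS = ["Max threads", "Current thread count", "Current thread busy",
                    "Max processing time", "Request count", "Error count",
                    "Bytes received", "Bytes sent"]
OTHER_FIELDS = ["Free memory", "Total memory", "Active Sessions"]


def ajp_connector_port(server_xml):
    """Return the port of the first Connector whose protocol is AJP/1.3, or None."""
    for conn in ET.fromstring(server_xml).iter("Connector"):
        if conn.get("protocol", "").upper() == "AJP/1.3":
            return int(conn.get("port"))
    return None


def parse_metrics_line(line):
    """Turn one metrics.log entry into {field: int or None}; 'null' becomes None."""
    parsed = {}
    for field in CONNECTOR_FIELDS + OTHER_FIELDS:
        m = re.search(re.escape(field) + r":\s*(\S+)", line)
        raw = m.group(1) if m else "null"
        parsed[field] = None if raw == "null" else int(raw)
    return parsed


def connector_metrics_missing(metrics):
    """True when every connector-backed counter is null while the JVM figures are
    present: the signature of a wrong 'Connector Port' in the Administrator."""
    return (all(metrics[f] is None for f in CONNECTOR_FIELDS)
            and any(metrics[f] is not None for f in OTHER_FIELDS))


def check(server_xml, lines):
    """Summarise: which AJP port to enter, and which log entries show the symptom."""
    return {
        "ajp_port": ajp_connector_port(server_xml),
        "bad_entries": [i for i, line in enumerate(lines)
                        if connector_metrics_missing(parse_metrics_line(line))],
    }


if __name__ == "__main__":
    print(check(SERVER_XML, METRICS_LINES))
```

Run against a real instance, point ajp_connector_port at the instance's own server.xml and feed parse_metrics_line the tail of metrics.log; an entry flagged by connector_metrics_missing means the Administrator's Connector Port does not match the AJP port the script reports.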

This is my first attempt at IIS connector tuning for ColdFusion 11 (and 10). Most of my career has been spent developing ColdFusion code, and I am now focusing more on server-related activities. Plus, CF 10 and 11 were slow to be implemented by our customers.

It seems that most information out there for connector tuning is based around one sole blog post: http://blogs.coldfusion.com/post.cfm/coldfusion-11-iis-connector-tuning (and CF 10’s version).

My post focuses on a three instance approach, using ColdFusion 11 Enterprise, with individual site connectors (as opposed to “all IIS sites”).

The basic concept as I understand it is to set the connection_pool_size to 500 and monitor the site. Add up this number in each site, using the same instance, and use that value for maxThreads for the AJP connector setting. Then gradually increase that value by 100 under load testing conditions until stable. Then give that number some wiggle room for future growth. After that number is set, then set the max_reuse_connections and connection_pool_timeout.

So let’s say, as an example, that I use the “All IIS Sites” option for my connector instead of individual connectors. If I use the recommended connection_pool_size of 500 for each site, I’d use 3000. Then, based upon the equation connection_pool_size / # of sites, I’d set “max_reuse_connections = 500”. Example:

worker.list=instance1
worker.instance1.type=ajp13
worker.instance1.host=localhost
worker.instance1.max_reuse_connections=500
worker.instance1.connection_pool_size=3000
worker.instance1.connection_pool_timeout=60

<Connector port="8013" protocol="AJP/1.3" redirectPort="8446" tomcatAuthentication="false" maxThreads="3000" connectionTimeout ="60000"/>

Now, when I looked up the workers.properties specs for Tomcat I found that max_reuse_connections is not a standard property. I’m assuming this is one of the customizations made by Adobe. Since the value of this property is derived by dividing by the number of sites, I take it to be a per-site setting. Therefore, in conclusion, I have up to 500 connections to reuse for each site in my total pool of 3000.

Now, let’s say we’re using individual connectors. Each of the six workers.properties files would look like this based upon Adobe’s blog:

worker.list=instance1
worker.instance1.type=ajp13
worker.instance1.host=localhost
worker.instance1.max_reuse_connections=83
worker.instance1.connection_pool_size=500
worker.instance1.connection_pool_timeout=60

<Connector port="8013" protocol="AJP/1.3" redirectPort="8446" tomcatAuthentication="false" maxThreads="3000" connectionTimeout ="60000"/>

So, as per Adobe’s blog, connection_pool_size / # of sites rounds down to 83, instead of 500. 6 sites X 500 connection_pool_size = 3000, which is reflected in the instance’s server.xml file.

In the end, the instance still allows for 3,000 connections; 500 coming from each site.

Question: Why am I using the same calculation for max_reuse_connections when combining all sites or connecting them individually? Shouldn’t I be able to use up to the value of each connection_pool_size for each connector? If max_reuse_connections is for each site, shouldn’t that number be the same no matter individual or “All IIS” connector types?

For example:

worker.list=instance1
worker.instance1.type=ajp13
worker.instance1.host=localhost
worker.instance1.max_reuse_connections=500
worker.instance1.connection_pool_size=500
worker.instance1.connection_pool_timeout=60

<Connector port="8013" protocol="AJP/1.3" redirectPort="8446" tomcatAuthentication="false" maxThreads="3000" connectionTimeout ="60000"/>
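Whichever way the max_reuse_connections question is answered, the sizing rule above (sum the connection_pool_size of every site using the instance, and make sure the AJP connector's maxThreads covers it) is something worth checking mechanically on each server. The Python below is an added example of that check, written by me and not taken from this post or from Adobe's blog: it parses constructed workers.properties files for the six individually connected sites of the second scenario, totals their pools against a constructed server.xml Service fragment, and also applies the blog's max_reuse_connections division. The worker.instance1.port line (omitted in the snippets above but needed to tie a worker to a connector), the undersized second Connector and the helper names are my assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed workers.properties for six IIS sites connected individually to the
# same instance (the post's second scenario). The port line is my assumption:
# the post's snippets omit it, but the connector needs it to find the instance.
SITE_WORKERS = ["""worker.list=instance1
worker.instance1.type=ajp13
worker.instance1.host=localhost
worker.instance1.port=8013
worker.instance1.max_reuse_connections=83
worker.instance1.connection_pool_size=500
worker.instance1.connection_pool_timeout=60
"""] * 6

# Constructed server.xml Service fragments: the post's sized Connector and an
# undersized one to show the audit failing.
SERVER_XML_OK = """<Service name="Catalina">
  <Connector port="8013" protocol="AJP/1.3" redirectPort="8446" tomcatAuthentication="false" maxThreads="3000" connectionTimeout="60000"/>
</Service>"""
SERVER_XML_SMALL = SERVER_XML_OK.replace('maxThreads="3000"', 'maxThreads="2000"')


def parse_workers(text):
    """Read a workers.properties file into {worker name: {property: value}}."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            props[key.strip()] = value.strip()
    workers = {}
    for name in props.get("worker.list", "").split(","):
        name = name.strip()
        prefix = "worker.%s." % name
        workers[name] = {k[len(prefix):]: v for k, v in props.items() if k.startswith(prefix)}
    return workers


def ajp_max_threads(server_xml, port):
    """maxThreads of the AJP Connector listening on `port` (Tomcat's default is 200)."""
    for conn in ET.fromstring(server_xml).iter("Connector"):
        if conn.get("protocol") == "AJP/1.3" and int(conn.get("port")) == port:
            return int(conn.get("maxThreads", "200"))
    return None


def suggested_max_reuse(connection_pool_size, site_count):
    """The blog's formula: connection_pool_size divided by the number of sites, rounded down."""
    return connection_pool_size // site_count


def audit(worker_files, server_xml, port):
    """Total the pools of every ajp13 worker aimed at `port` and compare with maxThreads."""
    total = 0
    for text in worker_files:
        for worker in parse_workers(text).values():
            if worker.get("type") == "ajp13" and int(worker.get("port", 0)) == port:
                total += int(worker["connection_pool_size"])
    max_threads = ajp_max_threads(server_xml, port)
    return {"total_pool": total, "max_threads": max_threads,
            "ok": max_threads is not None and max_threads >= total}


if __name__ == "__main__":
    print("max_reuse for 500 / 6 sites:", suggested_max_reuse(500, 6))
    print(audit(SITE_WORKERS, SERVER_XML_OK, 8013))
    print(audit(SITE_WORKERS, SERVER_XML_SMALL, 8013))
```

Six sites at 500 each total 3000, which the first Connector covers and the 2000-thread one does not; on a live box, point the script at each site's workers.properties and the instance's server.xml, and re-run it whenever a site is added to the instance.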