Deny URL Patterns With FW/1

Seeing that someone was trying to hit wp-login.php (WordPress login) a few times a minute on one of our servers at CF Webtools we decided to block any PHP requests since this is a ColdFusion server. It wasn’t as easy as I thought. This is a Windows 2008 R2 server running IIS 7.5 and ColdFusion 11.

Sample URL:
http://www.mysite.com/index.cfm/main/mypage/id/68249/id2/wp-login.php

At first I tried using Request Filtering under the “Rules”, “URL” and “Query Strings” tabs. These had no effect.

I then went to URL Rewrite where there was a custom rule to allow index.cfm to be absent from the URL.

<rewrite>
    <rules>
        <clear />
        <rule name="Rewrite FW/1 SES index.cfm">
            <match url="^(?!css|js|fonts)(.*)$" />
            <conditions logicalGrouping="MatchAll" trackAllCaptures="false">
                <add input="{REQUEST_URI}" pattern="^.*\.(bmp|css|gif|htc|html?|ico|jpe?g|js|pdf|png|swf|txt|xml|ttf|woff|eot)([/?].*)?$" negate="true" />
            </conditions>
            <action type="Rewrite" url="/index.cfm/{R:1}" logRewrittenUrl="true" />
        </rule>
    </rules>
</rewrite>

I then tried adding a rule using the default settings of wildcards. While the test responded okay, the actual page kept processing the URL.

Thanks to Wil Genovese, after switching the regular expressions and enclosing those in parenthesis, “.php” requests were finally denied.

<rule name="No PHP" stopProcessing="true">
    <match url="(.*)" />
    <conditions>
        <add input="{PATH_INFO}" pattern="(\.php)" />
    </conditions>
    <action type="AbortRequest" />
</rule>

2015-05-26_1538

#iis, #rewrite, #wordpress

ColdFusion 11 Will Not Start After Enabling J2EE Session Variables

Update 1/20/2015: Fix is available in the refreshed Full installers. More information on this is available here at:
http://blogs.coldfusion.com/post.cfm/coldfusion-11-installers-refreshed-has-fix-for-server-fails-to-start-on-enabling-j2ee-session-variables-and-installation-on-japanese-os

After some wicked process of elimination at CF Webtools I found out that I was unable to start/restart ColdFusion 11 after enabling J2EE Session Variables in the ColdFusion Administrator.

I went through almost all types of installs thinking it was an issue with the Amazon EC2 server it was on. Thinking this because we have CF11 servers running with J2EE enabled already.

The difference, and the the issue it turns out, is the updated installer that includes update 3 for Windows x64. The original installer doesn’t seem to have this issue.

The underlying issue is whether or not Tomcat persistent sessions were turned on or off. This apparently keeps a session alive during a restart. ColdFusion apparently doesn’t like this if it’s on.

To turn off Tomcat persistent sessions (this seems a little backwards though):

  1. Open {cf instance}/runtime/conf/context.xml
  2. Uncomment <Manager pathname=”” />
  3. Save file and close
  4. Start ColdFusion

This seems to have been an issue on ColdFusion 10 that somehow made its way back to 11.

Thanks to Derrick Anderson with BigTeams for finding this old issue at we3geeks.

I have opened bug ticket 3923565 with Adobe.

#coldfusion-2, #j2ee, #session-variables, #tomcat

IIS URL Rewrite Config for FW/1 SES

SES_Screen_ShotAfter a bit of research, I was never able to find a definitive answer as how to properly set up SES (Search Engine Safe URL’s) to work with FW/1 (Framework 1) using IIS 7.5 and IIS URL Rewrite 2.0.

SES makes turns your URL’s from this:

http://www.mysite.com/index.cfm?action=main.default&ID=0

Into this:

http://www.mysite.com/main/default/ID/0

First of all you may need to install URL Rewrite 2.0 using Microsoft Web Platform Installer. There are other options out there, but I’m using this since it’s simple and nicely integrated.

From the URL Rewrite options screen, add a new rule and select “User-friendly URL” under the “Inbound and Outbound Rules”.

The requested URL should match the pattern using regular expressions. The pattern being:

^(.*)$

Add the conditions that the type is not a file or a directory.

The action type is rewrite and the rewrite URL is:

/index.cfm/{R:1}

Be sure to check “Append query string” and “Stop processing of subsequent rules”

Continue reading

#coldfusion-2, #fw1, #iis, #microsoft-web-platform-installer

Installing Blue Dragon 9.0 Alpha

I have a new project that requires Blue Dragon 9.0 Alpha (.NET). I never used Blue Dragon before and it ended up taking me a few days to get up and running.

First of all there is no documentation and there is practically no discussion around it. So I’m writing this in hopes it helps someone out.

The files I’m using are located at ftp://ftp.newatlanta.com/public/bluedragon/9_0/ .

 

The first step is to install IIS and ASP.NET. You may need to have .NET Framework 3.5 turned on as well.

Windows_Features

 

The second step is to make sure you have .NET Framework v4.0 installed.

 

The third step is to make sure you have an IIS site setup and using the .NET Framework v4.0 in the Application pools.

Application_Pools

 

The fourth step is to run BlueDragon_NET_90_alpha.exe in administrator mode.

At that point in time you’ll find an error message when you run the site:

Example: “Access to the path ‘C:\inetpub\wwwroot\BD Test\App_Data\bluedragon\config’ is denied.”

You will need to create a directory structure underneath your website directory:

App_Data
-bluedragon
–config
—bluedragon.xml
–work
—cfchart
—cfcollection
—cfdocument
—cflog
—cfschedule
—temp

The bluedragon.xml file is the following:

<?xml version="1.0" encoding="UTF-8"?>
<server>
</server>

 

After you create the directories and file, you will then get the following error:

Object reference not set to an instance of an object.
ConfigurationErrorsException: Could not create NewAtlanta.BlueDragon.Diagnostics.LogTraceListener, NewAtlanta.BlueDragon, Version=9.0.0.0, Culture=neutral, PublicKeyToken=7551335de9fc3c36.

To fix this, you will need to add the app pool’s user and grant is modify or full permissions.

When you add the user, use your machine’s location  (as opposed to the domain), then enter the object name “IIS AppPool\[app pool name]”. For example “IIS AppPool\BD Test”. Then click “Check Names”. This will resolve the name to the app pool name.

App_Pool_User

 

 

This should get you up and running with BlueDragon.NET 9.0 Alpha.

There are currently two patch files in the FTP site. If you run them, you may end up with an error “Could not load type ‘System.ServiceModel.Activation.HttpModule'”. To correct this run this to re-register ASP.NET:

c:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe -iru

#net, #9, #alpha, #application-pools, #bluedragon, #coldfusion-2, #windows

ColdFusion Console Display Terminal Style

One thing I loved about ColdFusion Builder was the console view. But I recently switched from ColdFusion Builder to Sublime Text 2, which doesn’t have that feature. So I needed a solution.

It seemed that running ColdFusion via a local service wouldn’t do the job, but running it from the command line would.

One approach was a simple batch file located on my desktop:

\ColdFusion9\runtime\bin\jrun -start coldfusion

You would then see a scrolling console display and press Crtl-C to stop ColdFusion. It was kind of annoying you’d have to press Y and enter afterwards too when prompting if you wanted to abort the batch file. I would always end up re-sizing the window as well to fit in with my email, Skype and TweetDeck on one dedicated screen.

On option I took note of after installing the Sublime Terminal plugin, was to run it inside Windows PowerShell with a default set of options. This works great and you don’t have to confirm aborting the batch file. I can even label the window.

I have the shortcut link and settings file in a Gist at https://gist.github.com/CFJSGeek/5498377

2013-05-01_1624

#coldfusion-2, #console, #powershell, #terminal

Missing ColdFusion 9 Solr Collections List

After trying to track down a slow server issue, I noticed that the Solr Collections list in the ColdFusion Administrator did not have the usual list including “core0”. I’m not sure if this list ever existed as this is a new multi-server instance setup by another person. However I did know something was wrong.

So my first step was to locate the collections directory for this instance and delete everything. Wrong thing to do.

Taking a look at the “C:\JRun4\servers\cfusion\cfusion-ear\cfusion-war\WEB-INF\cfusion\solr\logsstderr-????_??_??.log” I see I’m now getting “SEVERE: java.lang.RuntimeException: Can’t find resource ‘solrconfig.xml’ in classpath or ‘C:\JRun4\servers\…\cfusion.ear\cfusion.war\WEB-INF\cfusion\collections\…’, cwd=C:\JRun4\servers\cfusion\cfusion-ear\cfusion-war\WEB-INF\cfusion\solr” when I run my page script. The script detects if the collection exists; if not then create it; then populate the collection.

So now I’m thinking that the collection list probably exists in an XML config file somewhere, but is somehow corrupted as the ColdFusion Administrator can’t read it.

After doing some searching I find the “core” list in “C:\JRun4\servers\cfusion\cfusion-ear\cfusion-war\WEB-INF\cfusion\solr\multicore\solr.xml”. The XML has multiple core children elements under the “solr\cores” path which include the standard “core0” and my missing collections. Because I can just delete those collections, recreating them problematically later, I decide to delete all core elements except “core0/”. Not sure if I need to restart anything or not, I restart the SOLR service and the ColdFusion instance.

I now see “core0” in the ColdFusion Collections list as normal and am able to create collections normally as well.

#coldfusion-2, #collection, #solr

Notes on Installing Local ColdFusion 10 Beta, ColdFusion Builder 2.0.1 Beta and IIS 7

I recently did a clean install with ColdFusion 10 Beta and ColdFusion Builder 2.0.1 Beta on a Windows 7 SP1 64-bit machine. (This is for a local development environment)

IIS

After installing IIS 7 with defaults and turning on ISASPI filters, I noticed ColdFusion would not initialize. After reading through some notes be sure to turn on these options for IIS 7:

  • .NET Extensibility
  • ASP.NET
  • CGI
  • ISAPI Extensions
  • ISAPI Filters

Web Root

I noticed when installing ColdFusion, the option for where the web root is located has been removed. It’s kind of complicated, so I’ll give you an example of how I changed mine to c:\wwwroot.

  1. I pointed my default IIS site to c:\wwwroot. This is probably not necessary as long as you have another site setup with virtual directory for /CFIDE (C:\wwwroot\CFIDE) and /jakarta (C:\ColdFusion10\config\wsconfig\1). Notice the new jakarta requirement in addition to the standard CFIDE alias.
  2. Copy (or perhaps move) the contents of “C:\ColdFusion10\cfusion\wwwroot” to “C:\wwwroot”. This should include the folders CFIDE and WEB-INF.
  3. Edit the file “C:\ColdFusion10\cfusion\runtime\conf\server.xml”
  4. Copy the “<Context…” open and close element that is currently commented out to the next line uncommented.
  5. You will need to change the docBase to your new webroot, the WorkDir to the absolute path, and the aliases for CFIDE and WEB-INF. Why the aliases are needed in both IIS and this config you’ve got me. But if you leave them out you’ll end up with an error from Apache. Not sure what this is about yet.
    <Context path=”/” docBase=”C:\wwwroot” WorkDir=”C:\ColdFusion10\cfusion\runtime\conf\Catalina\localhost\tmp” aliases=”/CFIDE=C:\wwwroot\CFIDE,/WEB-INF=C:\wwwroot\WEB-INF” ></Context>
  6. Restart your ColdFusion server service.
Thanks to Ryan Anklam’s Blog for providing me with a starting point on this.

ColdFusion Builder 2.0.1 Beta

After I installed ColdFusion Builder 2.0.1 Beta (running as Administrator), I attempted to add the server to the server view. However I ran into the issue where only ColdFusion version 9 was available. After a post to the discussion groups I learned:

  • The Application Server setting should be “CF+Tomcat Bundle” instead of Jrun.
Also there is a difference for enabling the console view on ColdFusion Builder.
  • Be sure to install the ColdFusion Jetty Service during the ColdFusion 10 install to be able to start and stop your ColdFusion service.
  • You no longer need to set the ColdFusion Application Server service to manual.
  • ColdFusion Builder 2.0.1 will now control the service instead of its own instance.
  • Console view works with the service started instead of its own instance.

I still have a lot of playing around to do with this combination, but I hope this helps a few of you out in the mean time.

#coldfusion-application-server, #jetty, #jrun, #server-service, #server-view, #web-root