A Guide to running Railo on Windows with Helicon zoo

Railo 4 Comments »

Greetings Railo fans,

In this article I will be covering how to set up and configure Railo with the Helicon Zoo module for IIS and then configure various custom settings. I will continue to add to this article as I find out new tricks and learn more about Jetty, so be sure to check back occasionally if you are using Helicon Zoo.

Contents

  1. Why Helicon Zoo
  2. Installing Railo
  3. Enable Railo on your website
  4. Search engine friendly URLs
  5. Changing the JVM settings
  6. How to set the Java Agent
  7. Customising the JVM settings on a per site basis

Why Helicon Zoo

While Railo is a brilliant alternative to ColdFusion and has many benefits right out of the box, one problem it does suffer from is that, like ColdFusion, it runs as a service. This means every website runs inside the same instance of Java/Tomcat, and so all websites can affect each other.
If you are only running a single website this is not a problem, but if you run multiple websites on the same server then this can present a couple of problems.

  1. Security
    While Railo does offer built-in sandboxing which restricts file access to the web root, this only applies to CFML code. If you drop in some Java then this completely overrides any Railo security and allows you to do pretty much anything you like. Your code will have the same level of access as the Tomcat service.
    Sure, you can disable direct Java access, but doing this will break virtually every modern app or framework, all of which use Java in some fashion.
  2. Stability and performance
    If you run multiple websites then you also run the risk that any one of those sites will kill Tomcat by consuming all its resources, and thus take down all your other sites in the process.
  3. Custom configuration
    As all sites share the same JVM settings, there is no way to configure each site separately out of the box; you would need a custom multiple-instance Tomcat setup/installation to do this.

Enter Helicon Zoo, which uses Jetty as the Java servlet container for Railo and runs it as a process inside IIS, and thus works in the same way that PHP, ASP etc. work, with all the advantages.
What this basically means is that every single Railo site is by default running a dedicated instance of Java/Jetty, which runs as the application pool identity. As a result you do not have the same security issues, as any Java code that is executed runs in the context of your application pool identity, so you can fully control what Railo can and cannot do with standard Windows permissions, in the same way as you would with PHP.
Using Helicon Zoo also provides better performance and stability, because each site is a completely isolated Java process and cannot affect your other Railo sites. Because each site is running as a separate process, each site also has its own memory heap all to itself, which can either be defined globally (e.g. 256MB for every site) or you can create a completely separate JVM configuration for each individual site if you prefer.

One other advantage you get with running Railo as a process is that it shuts down when not in use to conserve system resources, as defined by your application pool settings.
What this means is that if you have a site that is not very busy then Java/Jetty/Railo will only be loaded when required; if there is no further activity on your site for, say, 1 hour (depending on what you have defined in your app pool) then the Java process for this site will be unloaded.
The only caveat to this is that the initial load time will be considerably slower each time Java has to load again, plus of course you use more memory, as each site will require at least 128MB to run Railo.

cont......


New live CFML test console for ColdFusion and Railo

ColdFusion , Railo 11 Comments »

Last week, while answering some coding questions on a discussion list, I needed to post some example code, which meant that if I wanted to test the code first then I needed access to a CF server. As I tend to do most of my list replies etc. on my mobile device, I do not have a local CF installation to test with.
With PC sales dropping and mobile device sales far exceeding PC sales these days, I would imagine most other people are doing most of their community activity on their mobile device as well.

I then considered how often I have seen other devs posting code snippets and saying "this is not tested code as I do not have access to a CF/Railo server right now", or the question is about Railo and you only have CF or vice versa, so it must be a fairly common scenario.

This made me think to myself, "wouldn't it be handy if there was a web page I could go to where I could quickly just type some code into a form, submit it, and the code would be executed and tell me if there were any errors and give me some debug output? Surely someone has written such a tool?"
So I Googled it and was surprised that such a tool did not exist, that I could find, at least not for CF.

Well, it seemed like such a simple app to write, and it has been a long time since I did any coding as I simply do not get the time these days, so I thought I would do it myself, and here it is.

www.cflive.net

You can test code against both ColdFusion 9 and Railo simultaneously.
You can selectively enable debug output.
You can use virtually all CFML tags and functions, excluding file read/write and Java for obvious security reasons.
Your code is saved into a session and the form is automatically re-populated so you don't have to keep re-typing code.

Please give it a try and leave me some feedback, feel free to try and hack it and find any vulnerabilities or bugs, as long as you let me know about them.

CFIMAGE "Unable to create temporary file" error

ColdFusion No Comments »

Ever get the above error when trying to use CFIMAGE to resize images?

The cause is related to running security sandboxes and not running CF under the SYSTEM account.

If you are running a standard out-of-the-box installation of ColdFusion, which runs under the SYSTEM account by default, then CFIMAGE will use c:\windows\temp for creating its temp files, and that is the path you would need to put in your sandboxes.
But if you are running ColdFusion under a dedicated user account (as you should be) then CF will instead use that user's temp folder.

e.g.

If your ColdFusion service runs under a user called "coldfusion", then the temp path will be

c:\users\coldfusion\AppData\Local\Temp

So if you use security sandboxes then you need to add the following paths to your security sandbox.

c:\users\coldfusion\AppData\Local\Temp\
c:\users\coldfusion\AppData\Local\Temp\-

If you are not sure what temp path is being used, run the following bit of code on a CFM page to find out.
 

<cfscript> 
writeoutput("Temp Dir : " & createobject("java","java.lang.System").getProperty("java.io.tmpdir") ); 
</cfscript>

 

Obviously we use security sandboxes on our servers and we also lock down ColdFusion. If you do not do either of those things then you will probably never have this issue, but then you will probably have a hacked server anyway, so this would be the least of your worries.

Using IIS to generate SSL and private key for use on Linux Systems

Windows 2008 Server , Windows 7 No Comments »

This week I needed to renew the SSL certificate for our OpenVPN server. The process, according to the docs, requires using OpenSSL to generate a private key, which is then used to generate a CSR, which is then used to register your SSL certificate; you then need to get the certificate (CRT) file, a CA bundle (crt) file, and a private key (pem) file to install on the OpenVPN server.

Now I am used to dealing with Windows and IIS, and dealing with SSL is a breeze on Windows, but as is usually the case when it comes to Linux, simple tasks like this suddenly become 10x more work, and as my Linux skills are almost zero that made the task even more arduous.

I had a go at doing everything with OpenSSL but ended up generating invalid SSL certs that did not work. So I then thought to myself, why not just use IIS to generate the CSR and get the SSL cert, and then just export it from there into a format I can use on Linux? This seemed like it would be a much quicker solution, and it was. Here are the steps.

Using IIS7 on any machine, generate your CSR in the usual way. I did this on my local Windows 7 machine.


Now take your CSR and register your SSL certificate in the usual way. When you get it back, install it on IIS from the above section using "Complete Certificate Request".

Once you have your SSL installed in IIS, you now need to export the SSL and the private key as a pfx file.

Open MMC.exe and add the Certificates snap-in, then browse to Personal > Certificates and export your SSL cert.


Choose to export the private key and include all certificates.


Your private key password is your Windows password that you are currently logged in with.

For Windows systems this PFX file will be everything you need; however, on Linux systems (such as OpenVPN) you will need separate private key files.

This is where you need to use OpenSSL.

Using the command line

Export the private key file from the pfx file

openssl pkcs12 -in filename.pfx -nocerts -out key.pem

Export the certificate file from the pfx file

openssl pkcs12 -in filename.pfx -clcerts -nokeys -out cert.pem

Remove the passphrase from the private key

openssl rsa -in key.pem -out server.key
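To run the three openssl steps above without interactive prompts and then confirm that the exported key really belongs to the exported certificate, here is an added Python example (not from the original post) that drives the openssl binary. It packs a throwaway self-signed certificate into a PFX so it runs offline, and assumes openssl is on PATH; point it at your real PFX in practice.

```python
import os
import subprocess
import tempfile

def openssl(*args):
    """Run one openssl command (assumes the openssl binary is on PATH) and return stdout."""
    return subprocess.run(["openssl", *args], check=True,
                          capture_output=True, text=True).stdout

def make_sample_pfx(workdir, password):
    """Constructed stand-in for the IIS/MMC export: a throwaway self-signed
    key and certificate packed into filename.pfx."""
    key, crt = os.path.join(workdir, "orig.key"), os.path.join(workdir, "orig.crt")
    openssl("req", "-x509", "-newkey", "rsa:2048", "-nodes", "-days", "1",
            "-subj", "/CN=vpn.example.test", "-keyout", key, "-out", crt)
    pfx = os.path.join(workdir, "filename.pfx")
    openssl("pkcs12", "-export", "-inkey", key, "-in", crt,
            "-out", pfx, "-passout", f"pass:{password}")
    return pfx

def extract_from_pfx(pfx, password, workdir, legacy=False):
    """The post's three steps, with the passwords supplied on the command line
    so nothing prompts. legacy=True adds -legacy, which OpenSSL 3 needs for
    PFX files that Windows wrote with the old RC2/3DES algorithms."""
    extra = ["-legacy"] if legacy else []
    key_pem = os.path.join(workdir, "key.pem")
    cert_pem = os.path.join(workdir, "cert.pem")
    server_key = os.path.join(workdir, "server.key")
    # 1. private key, still passphrase-protected
    openssl("pkcs12", "-in", pfx, "-nocerts", "-out", key_pem, *extra,
            "-passin", f"pass:{password}", "-passout", f"pass:{password}")
    # 2. the end-entity certificate only (no chain, no key)
    openssl("pkcs12", "-in", pfx, "-clcerts", "-nokeys", "-out", cert_pem, *extra,
            "-passin", f"pass:{password}")
    # 3. strip the passphrase so the daemon can start unattended ...
    openssl("rsa", "-in", key_pem, "-out", server_key, "-passin", f"pass:{password}")
    # ... which is why the file must then be readable by its owner only
    os.chmod(server_key, 0o600)
    return server_key, cert_pem

def key_matches_cert(server_key, cert_pem):
    """True if the key and certificate carry the same public key; a mismatch
    here is a classic reason for an exported certificate 'not working'."""
    from_key = openssl("rsa", "-in", server_key, "-pubout")
    from_cert = openssl("x509", "-in", cert_pem, "-pubkey", "-noout")
    return from_key.strip() == from_cert.strip()

def run_demo(password="example-pfx-password"):
    """End to end on the constructed PFX; returns True when key and cert match."""
    with tempfile.TemporaryDirectory() as work:
        pfx = make_sample_pfx(work, password)
        server_key, cert_pem = extract_from_pfx(pfx, password, work)
        return key_matches_cert(server_key, cert_pem)
```

If a PFX exported from Windows fails to open under OpenSSL 3 with an unsupported-algorithm error, pass legacy=True (the -legacy switch), because Windows still writes PFX files with RC2/3DES by default.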

Using XCA GUI

XCA is a handy GUI for OpenSSL; you can download it here: http://sourceforge.net/projects/xca/

On the Private Keys tab choose "Import PFX", this will import everything from your PFX file.

Now select your newly imported private key, and click export to get your PEM file.

Now select your certificate and export that in the required format, although in most cases the certificate file you received from the CA will be sufficient.
If you need a CA bundle, then export all the certs from the root, or use the intermediate cert you would have received from the CA.

Restricting access to your website admin by IP address

WEBBY STUFF , Windows 2008 Server 1 Comment »

Whether you are using a CMS or blogging app such as WordPress, Joomla or Drupal, or even a custom-built app, you likely have an admin system to manage your website and its content.

The problem is that hackers know this too. They know that in most cases your admin will reside in www.yoursite.com/admin, and they regularly try to hack this URL with brute force password attacks or a bit of SQL injection. Unless you have logs you regularly monitor or a failed login notification system, you will be completely oblivious to this: many people get hacked and do not realise until months later that malware has been inserted into their site and is trying to infect all their website visitors, and worse, that their site has been blacklisted/blocked as a malware site or that all their customer data has also been stolen.

Now, at least with off-the-shelf open source apps like WordPress et al. you have the advantage that you can easily update to the latest version and thus plug any known security issues or vulnerabilities that arise, but with a custom-built app you do not have this luxury, and you will remain oblivious of any security holes in your app until it is too late.

The best solution is to add IP address restrictions to your admin folder so that only authorised people can access it.

With Apache

How to do this with Apache is pretty common knowledge, you simply use your .htaccess file, so I won't bother covering that here; for those that do not know, here are a couple of links showing you how to get it done.

With Microsoft IIS

However, doing this with Microsoft IIS is less common knowledge, and if you are on shared hosting you likely have no idea how to do it at all and probably do not have access either.

By default on IIS, IP address restrictions must be done via the IIS Management interface, and you need to install the "IP Security" feature; instructions on how to do that can be found HERE. If you are on a shared host you may need to ask them if they have this installed, and if not, ask them to install it.
But even with this installed you are still restricted to doing the IP address restrictions via the MMC (see previous link), which means you need direct access to the server. One thing this lacks is the ability to add comments to specify who the IP address belongs to, which is very important if you want to allow an IP address temporarily or want to keep track of who each IP belongs to.

What you really want is to be able to add these IP restrictions in your web.config, so you can also add comments next to each entry and so that you do not have to log in to the server and use the MMC, Apache .htaccess style.
The good news is that you can do this; all you have to do is enable the ipSecurity override in your ApplicationHost.config. For those that do not know, ApplicationHost.config is where IIS stores its global settings (such as default documents and handlers) and those which are not managed via the web.config by default.

To edit this file go to C:\Windows\System32\inetsrv\config and open applicationhost.config in your favourite text editor.

NOTE: You need to be using a 64-bit text editor on a 64-bit OS, otherwise it will not be able to open the 64-bit version of this file and instead opens an alternate version of this file, which is not the one in use. I discovered this after many hours of head scratching, as I always used Notepad++ by default, which is only a 32-bit editor.

 

Now find the following section:

<section name="ipSecurity" overrideModeDefault="Deny" />

And change the "Deny" to "Allow". If you are on a shared host, you will need to ask them to make this change; there is really no reason for them not to allow this.

You can now use your web.config file to manage IP address restrictions.

How it's done
Example IP address restrictions. Comments are enclosed in <!-- --> and are not required, but I suggest you use them to record which IP is there for what reason. Note that the comment opener must be exactly <!-- (two hyphens); a typographic dash there makes the web.config malformed and IIS will refuse to load it.

  • Allow all, but block specific IPs or networks
    <security>
       <ipSecurity allowUnlisted="true">    <!-- this line allows everybody, except those listed below -->
           <clear/>     <!-- removes all parent restrictions -->
           <add ipAddress="83.116.19.53"/>     <!-- blocks the specific IP of 83.116.19.53 -->
           <add ipAddress="83.116.119.0" subnetMask="255.255.255.0"/>     <!-- blocks network 83.116.119.0 to 83.116.119.255 -->
           <add ipAddress="83.116.0.0" subnetMask="255.255.0.0"/>     <!-- blocks network 83.116.0.0 to 83.116.255.255 -->
           <add ipAddress="83.0.0.0" subnetMask="255.0.0.0"/>     <!-- blocks entire /8 network of 83.0.0.0 to 83.255.255.255 -->
       </ipSecurity>
    </security>
  • Deny all, but allow specific IPs or networks
    <security>
        <ipSecurity allowUnlisted="false">    <!-- this line blocks everybody, except those listed below -->
            <clear/> <!-- removes all parent restrictions -->
            <add ipAddress="127.0.0.1" allowed="true"/>    <!-- allow requests from the local machine -->
            <add ipAddress="83.116.19.53" allowed="true"/>   <!-- allow the specific IP of 83.116.19.53 -->
            <add ipAddress="83.116.119.0" subnetMask="255.255.255.0" allowed="true"/>   <!-- allow network 83.116.119.0 to 83.116.119.255 -->
            <add ipAddress="83.116.0.0" subnetMask="255.255.0.0" allowed="true"/>   <!-- allow network 83.116.0.0 to 83.116.255.255 -->
            <add ipAddress="83.0.0.0" subnetMask="255.0.0.0" allowed="true"/>   <!-- allow entire /8 network of 83.0.0.0 to 83.255.255.255 -->
        </ipSecurity>
    </security>

Using IP Address Restrictions
  • Use a text editor to create a file named web.config
  • Save the web.config file with the appropriate content
  • Place the web.config file in the directory that you wish to protect

Detailed web.config content
  • If there isn't an existing web.config in the directory, your new web.config should look something like this
    <?xml version="1.0"?>
    <configuration>
       <system.webServer>
          <security>
            <ipSecurity allowUnlisted="true">    <!-- this line allows everybody, except those listed below -->
               <clear/> <!-- removes all parent restrictions -->
               <add ipAddress="83.116.19.53"/>   <!-- block one IP -->
               <add ipAddress="83.116.119.0" subnetMask="255.255.255.0"/>   <!-- block network 83.116.119.0 to 83.116.119.255 -->
            </ipSecurity>
          </security>
       </system.webServer>
    </configuration>
  • If there is an existing web.config without a <system.webServer> section, your new web.config should look like this
    <?xml version="1.0"?>
    <configuration>
       <system.web>
         .. existing text ..
         .. existing text ..
       </system.web>
       <system.webServer>
          <security>
            <ipSecurity allowUnlisted="true">    <!-- this line allows everybody, except those listed below -->
               <clear/> <!-- removes all parent restrictions -->
               <add ipAddress="83.116.19.53"/>   <!-- block one IP -->
               <add ipAddress="83.116.119.0" subnetMask="255.255.255.0"/>   <!-- block network 83.116.119.0 to 83.116.119.255 -->
            </ipSecurity>
          </security>
       </system.webServer>
    </configuration>
  • If your existing web.config already has a <system.webServer> section, just add the <security><ipSecurity> section inside it
    <?xml version="1.0"?>
    <configuration>
       <system.web>
         .. existing text ..
         .. existing text ..
       </system.web>
       <system.webServer>
          <security>
            <ipSecurity allowUnlisted="true">    <!-- this line allows everybody, except those listed below -->
               <clear/> <!-- removes all parent restrictions -->
               <add ipAddress="83.116.19.53"/>   <!-- block one IP -->
               <add ipAddress="83.116.119.0" subnetMask="255.255.255.0"/>   <!-- block network 83.116.119.0 to 83.116.119.255 -->
            </ipSecurity>
          </security>
       </system.webServer>
    </configuration>
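Before dropping a web.config like the ones above into a live admin folder, it is worth checking it offline: that the XML actually parses (a mistyped comment opener locks everyone out with a configuration error), that each ipAddress/subnetMask pair describes the network you meant, and which verdict a given client would get. The following Python checker is an added example and not part of the original post; the sample web.config inside it is constructed, and its matching logic (a matching entry's allowed flag decides, otherwise allowUnlisted decides, overlapping entries with conflicting flags are reported rather than resolved) is an assumption of this example, not a statement of IIS precedence rules.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample web.config, the "deny all, allow some" shape from the post.
SAMPLE_WEB_CONFIG = """<?xml version="1.0"?>
<configuration>
  <system.webServer>
    <security>
      <ipSecurity allowUnlisted="false">
        <clear/>
        <add ipAddress="127.0.0.1" allowed="true"/>                               <!-- local machine -->
        <add ipAddress="83.116.119.0" subnetMask="255.255.255.0" allowed="true"/> <!-- office LAN -->
        <add ipAddress="83.116.19.53" allowed="true"/>                            <!-- admin, from home -->
      </ipSecurity>
    </security>
  </system.webServer>
</configuration>
"""

def load_rules(xml_text):
    """Parse ipSecurity into (allow_unlisted, [(network, allowed, sloppy)]).
    A malformed comment such as the em-dash form <!— ... --> makes this raise,
    just as IIS refuses to read the file."""
    sec = ET.fromstring(xml_text).find("./system.webServer/security/ipSecurity")
    allow_unlisted = sec.get("allowUnlisted", "true").lower() == "true"   # IIS default is true
    rules = []
    for add in sec.findall("add"):
        ip, mask = add.get("ipAddress"), add.get("subnetMask", "255.255.255.255")
        net = ipaddress.ip_network(f"{ip}/{mask}", strict=False)
        # sloppy: ipAddress has host bits set for its mask (e.g. 83.116.19.53 with 255.255.255.0)
        sloppy = ipaddress.ip_address(ip) != net.network_address
        rules.append((net, add.get("allowed", "false").lower() == "true", sloppy))
    return allow_unlisted, rules

def lint_rules(rules):
    """Networks whose ipAddress/subnetMask pair is probably not what the author meant."""
    return [str(net) for net, _, sloppy in rules if sloppy]

def decide(client_ip, allow_unlisted, rules):
    """Return (verdict, matched networks). A matching entry's allowed flag decides;
    with no match, allowUnlisted decides. Overlapping entries with conflicting
    flags are reported as 'ambiguous' instead of guessing IIS precedence
    (assumption of this example: keep the list free of such overlaps)."""
    client = ipaddress.ip_address(client_ip)
    matched = [(net, allowed) for net, allowed, _ in rules if client in net]
    if not matched:
        return ("allow" if allow_unlisted else "deny"), []
    flags = {allowed for _, allowed in matched}
    verdict = "ambiguous" if len(flags) > 1 else ("allow" if flags.pop() else "deny")
    return verdict, [str(net) for net, _ in matched]
```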