Tuesday, May 24, 2016

ColdFusion 10+, IIS 7+, Custom Errors and a little thing called TrySkipIisCustomErrors

Today as I was debugging some issues that FuseGuard allowed me to see, it appeared that on my IIS Server my custom error page was being rendered after the IIS error page.

At first I was confused as I know I can control my 404 as I had set it properly in my Web.Config file as such:
<httpErrors existingResponse="Auto">
 <remove statusCode="404" subStatusCode="-1" />
 <error statusCode="404" path="/?action=main.404" responseMode="ExecuteURL" />
</httpErrors>
With the existingResponse attribute set to "Auto", it leaves the response untouched only if the SetStatus flag is set. Which I thought that meant as long as I set it in ColdFusion it would skip trying to show the IIS error page. Now, not to confuse further, the settings above worked for my 404s because I was removing how the server handled it and applying my own ExecuteURL setting. The issue was when i was trying to do a custom 503 (as FuseGuard shows when a request is blocked).

Now there is a value of PassThrough that can be set for existingResponse and it would work but the problem here is that if you have lets say a RewriteRule that blocks a request and sets it as a 503 nothing displays. So this was not going to work for me in that scenario.

More on IIS Custom Errors

Here is where TrySkipIisCustomErrors comes into play. Basically for existingResponse="Auto" to work properly we must be able to set Response. TrySkipIisCustomErrors to true but there is no way to do this in ColdFusion, trust me I tried hacking at it using getPageContext(). So then I started to google an alas there is a fix now for some of us.

While the solution can be found in either of the 2 following posts, you still have to search within the content to find it so I thought I would just show you and hopefully make future google searches a little easier.

http://blogs.coldfusion.com/post.cfm/onmissingtemplate
https://bugbase.adobe.com/index.cfm?event=bug&id=3982328

As of ColdFusion 10 Updater 18 and ColdFusion 11 Updater 7 there is a new setting that you can find in your isapi_redirect.properties file for your connector that is called iis_skip_custom_errors_enable which defaults to false. Go into that file or files (if more than one connector) and set it to true. Restart your IIS site (ColdFusion does not have to be restarted) and like magic it all works now.



To get a visual of what I am talking about below is a before and after of what my 503 page was coming up like.

BEFORE


AFTER


And since the setting is set to Auto, if nothing is set by ColdFusion, like one of my RewriteRules which blocks access to a certain directory, then the default IIS page is displayed as such.

Wednesday, May 11, 2016

ColdFusion 11 Update 8 is out now!

A new update is available for ColdFusion 11 which includes the following changes:

  • Tomcat upgrade to 7.0.68
  • Addresses a vulnerability mentioned in the security bulletin APSB 16-16.
  • Several important bug fixes for security, language, AJAX, and other features.

For me specifically, this fixes the CachedWithin bug with QueryExecute() where it ignored it.

All the bugs fixed can be found here.

ColdFusion 11 Update 8

Monday, May 09, 2016

ColdFusion IIS 10 HTTP/2 - Safari Bug

For a while I have been dealing with a bug that I had no idea how to even explain to the ColdFusion team and after telling them several times about it, nothing was ever resolved. Today though, I believe there is enough to show how and why this is occurring and only with Safari.

On Windows 10 running IIS 10, the HTTP/2 protocol is enabled by default and all you need to do to take advantage of it is have your site served over HTTPS. Believe it or not it is actually that simple.

The Bug
So when I would browse my site on any browser I would see that the connection was downgraded to http/1.1 which is absolutely ok and the site would still render, but when I would try it on Safari it would just go into an endless loop causing a lot of connections opening up on the server. I have to give it to Fusion-Reactor here because it was what allowed me to easily see this in action the first time.

Why it was a problem for me
Now any other day, because this is my dev box it would not matter but on this particular dev box, I needed to test a Cordova App I built that is pointing to a Webserver and although it worked on production when I pointed it to my dev box it would just never render. So I then tried to open in Safari on my desktop (because we know it is iOS Safari on the phone) to see what was going on and I would just get a white page, the spinning wheel and a lot of connections on ColdFusion.

I decided to finally open up my console (not web) and I started seeing the following:

Safari[2061]: tcp_connection_destination_handle_tls_close_notify 60 closing socket due to TLS CLOSE_NOTIFY alert
tcp_connection_tls_session_error_callback_imp 60


Those errors would just continue as long as I left Safari trying to connect. Once I stopped Safari, the messages would stop and Fusion-Reactor graphs would go back to normal. You can see all of this in the following video.


The temporary solution
So until either the Safari team or the ColdFusion team fixes this, the only solution is to disable HTTP/2 on Windows 10 which is easy by doing the following:

  1. Open the registry editor (regedit)
  2. Browse to Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\HTTP\Parameters
  3. Enter 2 new DWORD Values EnableHttp2Cleartext and EnableHttp2Tls
  4. Set their values to 0
  5. Reboot


Now when you browse any HTTPS site running on IIS 10 it is server as HTTP/1.1, not causing the connection downgrade and therefore working properly in Safari.

Tuesday, January 12, 2016

ColdFusion WebSocket Proxy and IIS 8+ - 500 Error

Today I ran into an issue in my development environment that was one of those "Duh" moments. If you are using the WebSocket Proxy with IIS we already know the following is required.
  1. IIS 8+ with WebSockets Installed
    • Windows 8+ : Can be found in Control Panel > Programs and Features > Turn Windows Features on or Off > Internet Information Services > World Wide Web Services > Application Development Features > WebSocket Protocol (check it)
    • Windows Server 2012+ : Same as above but the steps are a few more screens. You may also start from the Server Manager (Top Right: Manage > Add Roles and Features)
  2. Run wsconfigproxy.exe (as administrator) which can be found in {{ColdFusionInstallDir}}/cfusion/bin/wsconfigproxy.exe
  3. Set "Use Proxy" in ColdFusion Administrator (restart may be required if not already set)
At this point everything should work without a problem and most of the times it does. I have ran into permission issues, especially when you go thru the lock down guide and you did not set the required permissions on the config/wsproxy directory. If all the above is correct and you still have an issue, like I did today, check one last thing.

Last time I configured the app pool on this app I was testing I had set the .NET CLR Version to "No Managed Code" and when the cfws directory was created it used the parent App Pool. The fix is simple, set the .NET CLR version back to a valid version or create another App Pool with a CLR assigned and bind it to the cfws folder since it is created as a virtual application. Below are some images that show the error I was receiving (after I allowed errors to show on localhost) and how to assign the fix. An easy way to test that they can be connected to is by browsing to the /cfws/ path of your domain. In an http call you should receive a good 200 response.

UPDATE
Do not use a different app pool, just ran into an issue that when I sent a call to WsPublish on the server side it messed with my Session scope. The only fix is to make sure they both use the same App Pool and that it is set to use a .NET CLR. (duh moment #2 of the day)

Bad Request

Causes Error Works Again


Good Request

Wednesday, December 23, 2015

FusionReactor Developer Edition!!!!

I can't express how valuable FusionReactor is for me daily and today on their Holiday mailer I noticed bullet item #8 which stated "Introduced a FusionReactor Developer Edition". This bullet item got my attention, because I have a Developer subscription that is normally available after you have 1 Production license which comes at a lower cost. So I was wondering why it was a bullet item on their newsletter.

This now goes to another reason why I love this company so much, not just because their product is great but because you can reach out to them and they respond almost immediately (we are across the pond from each other). So I reached out to David and he confirmed this was a different and less expensive version than I was currently paying for. Merry Christmas!!!!!!

So here is the low down on this version.
The initial cost for this version is ONLY $199, which includes your very own perpetual license and the first year of updates. Renewing for updates annually is only $99, but if you decide to not renew you still own your license.

This is really great for them to offer for us and the savings over what was previously available even for the developer based subscriptions is HUGE!!!

This company does offer a great product and if you are using it on a production server I would say pay for the correct license as the product pays for itself. 

David will be posting a blog entry soon regarding this edition, until then, you can purchase the developer edition by using the following link.


Keep Calm and Carry On Monitoring :-)
Thanks for the cup at the ColdFusion Summit this year!