SpyAttributes=(log=(file)C:\\temp\\spy.log;logTName=yes;timestamp=yes)

Thing is I don’t remember enabling it.  I found some more information on Charlie Areharts’ blog which reminded me that at one point I had installed a demo version of Fusion Reactor to diagnose some performance issues. I’m not sure if the version of FR I installed modified the connection string and did not remove it when I uninstalled the program, or if I added it (note to self: make better changelog notes please).

In any case, the fix was simple, delete the connection string attribute and restart the CF services.

UNSUBSCRIBE!

Wow. What a concept. Why did it take me so long to figure this out? A couple of reasons I guess. Habit & Creep. Back in the bad old days clicking on an unsubscribe link often was simply a way for spammers to verify an address so I got in the habit of simply trashing everything. (And I don’t make a habit of clicking on links in emails – we all know that’s a really bad idea right???) Since most of the emails I was getting were from obviously legitimate sources using services like Constant Contact (who provide the SafeUnsub system), I could be assured that I could with a careful click (hovering over the link, verifying that it was pointing to a site I expected, etc) I could rid myself of these emails. Aside from habit, creep is the other reason. A newsletter here, a weekly sales blast there and suddenly you’ve got 50 marketing emails a day.

So there you go. Make a resolution for 2012 to clean up your inbox. It’s dead easy. And my InBox – down to 4 marketing emails today (unSUBBED!) and 6 from friendly suppliers in China – which I guess I’m stuck with.

My Stats

• Harvester visits to your site(s): 42
• Recent visits (this week): 3
• Recent visits (this month): 9
• Spam traps issued on your sites: 304
• Spam received at your addresses: 1,089
• Received this week: 112
• Received this month: 417
• Comment spam posts to your site(s): 0

A code update.

One of the things I noticed since implementing the code in my previous post, my site page load times were up quite a bit. The reason is that the code uses http:Bl to do a DNS look up to the project servers for every page load. This takes -time-. I decided to add my own white list table and some code to eliminate these multiple look-ups.

The table is simple, just

visitor_ip_addys [varchar(15)]
visitdate [datetime]

I added the following function to my Honeypot CFC

<cffunction name="newVisitorCheck" returntype="string">
   <cfargument name="ip" required="yes" type="string">
   <cfset var vQry = "">

  <cfquery name="vQry" datasource="myDSN">
    select ipaddy from visitor_ip_addys where ipaddy = <cfqueryparam cfsqltype="cf_sql_varchar" value="#arguments.ip#">
  </cfquery>

 <cfif vQry.recordcount eq 0><!--- then it's a new visitor  --->
   <cfset result = "new">
 <cfelse>
   <cfset result ="existing">
 </cfif>
<cfreturn result>
</cffunction>

And changed my honeyPotCheck function to

<cffunction name="honeypotcheck" returntype="struct" hint="Check Project HoneyPot http:BL">
  <cfargument name="ip" required="yes" type="string">
  <cfset var aVal = "">
  <cfset var hpkey = "MyKey">
  <cfset var stRet = structNew()>

<!---jb: added check to see if this ip has visited in the last 3 months. We have a table to track ips which is retained for 3 months. IP's that check as clean
against http:BL are added to this table to increase page load performance. The table is cleared every 3 months to revalidate visitors (in case they may have been
compromised in that time and to keep table size reasonable --->

<cfinvoke method="newVisitorCheck" returnvariable="result">
<cfinvokeargument name="ip" value="#arguments.ip#">
</cfinvoke>

<cfif result eq "new">
  <!--- Get the different IP values --->
  <cfset aVal = listToArray(gethostaddress("#hpkey#.#reverseip(arguments.ip)#.dnsbl.httpbl.org"),".")>

        <cfif aVal[1] eq "IP-Address not known"><!--- jb: added evaluation of array for good addresses --->
        <!--- set a value indicating ok address --->
            <cfset stRet = {type=99}>
            <!--- insert into visitor_ip_addys table as this is a clean IP --->

            <cfquery name="iQry" datasource="MyDSN">
            insert into visitor_ip_addys (ipaddy, visitdate) values
            (<cfqueryparam cfsqltype="cf_sql_varchar" value="#arguments.ip#">,
            <cfqueryparam cfsqltype="cf_sql_timestamp" value="#now()#"> )
            </cfquery>

        <cfelse>
          <!--- there was a match so set the return values --->
          <cfset stRet.days = aVal[2]>
          <cfset stRet.threat = aVal[3]>
          <cfset stRet.type = aVal[4]>

          <!--- Get the HP info message ie: threat level --->
          <cfswitch expression="#aVal[4]#">
           <cfcase value="0">
            <cfset stRet.message = "Search Engine (0)">
           </cfcase>
           <cfcase value="1">
            <cfset stRet.message = "Suspicious (1)">
           </cfcase>
           <cfcase value="2">
            <cfset stRet.message = "Harvester (2)">
           </cfcase>
           <cfcase value="3">
            <cfset stRet.message = "Suspicious & Harvester (1+2)">
           </cfcase>
           <cfcase value="4">
            <cfset stRet.message = "Comment Spammer (4)">
           </cfcase>
           <cfcase value="5">
            <cfset stRet.message = "Suspicious & Comment Spammer (1+4)">
           </cfcase>
           <cfcase value="6">
            <cfset stRet.message = "Harvester & Comment Spammer (2+4)">
           </cfcase>
           <cfcase value="7">
            <cfset stRet.message = "Suspicious & Harvester & Comment Spammer (1+2+4)">
           </cfcase>
          <!---  <cfdefaultcase> jb: moved to top of function as we can't eval the array if there is no lookup response ie: not match in http:BL
            <cfset stRet.message = "IP-Address not known">
           </cfdefaultcase> --->
          </cfswitch>

        </cfif>
  <cfelse>
    <!--- good address  --->
    <cfset stRet = {type=99}>
</cfif>
  <cfreturn stRet>
 </cffunction>

As you can see from the comments in the code, I do the look-up (newVisitorCheck) when honeypotcheck is invoked, which is on each page load. The check does a query to see if that IP is in our white list table. If it is, then we skip the rest of the check and do not do a http:Bl DNS query. If it does not exist in our white list, that either means that the IP is new so we need to check it, or that it is a known bad IP. This means that new visitors have a slightly longer wait on first page load as we are doing the look-up, but then if they pass the look-up, we add them to the white list* and do not slow them down for subsequent page loads. As noted in the comments, we keep entries in the white list for 3 months (an arbitrary number).

After 3 months, we remove the IP from the white list so we can recheck it to make sure the IP hasn’t been compromised.

The code to do this is:

<cffunction name="ipTableCleanup" access="Remote">
<cfquery name="deleteIP" datasource="myDSN">
    delete from visitor_ip_addys where visitdate <= DATE_ADD(CURRENT_TIMESTAMP, INTERVAL -90 day)
</cfquery>
</cffunction>

This is run every day via a schedule task set up in CFAdmin.

All in all, this seems to be working quite well as page load times are back to where they were before the Honeypot implementation and the Honeypot is still doing its job.

*Note that since you are capturing & storing IP addresses, your privacy policy should reflect this fact.

Update 2: Thanks to a comment from Michael, I’ve found another way to fix the issue by adding encodeURIComponent to the JS function. See the comments for details. Now you have 2 ways to do it

The problem is that by using the url scope you can only get one url parameter to pass to the Chart API from the variable #url.siteurl#.

If you enter

http://www.testserv.com?foo=1&bar=2

as the input value of the text box, the value of url.siteurl becomes http://www.testserv.com?foo=1 and then CF creates -another- URL variable called bar with a value of 2.

This had me stumped for a while. but what is happening is that the url being passed as

dsp_qrcodeGen.cfm?siteurl=http://www.testserv.com?foo=string1&bar=string2

What we get when we do a <cfdump var=”#url#”> is

param1 (siteurl) = http://www.testserv.com?foo=string1

param2 (bar) = string2

See what happened there? Everything after the first ? (dsp_qrcodeGen.cfm?) up to the first & (&bar) becomes a param pair and then everything after the & becomes a pair. Problem is we don’t -want- to pass 2 url params. as we’d have to handle them by doing something like

<cfhttp url="http://chart.apis.google.com/chart?chs=200x200&cht=qr&chl=#url.siteurl#&someparamname=#url.someparamname#" result="qrcode" getasbinary="yes">

This gives us the proper string to pass but it requires us to hand code the cfhttp call making it very inflexible.  It becomes even more difficult as we need to pass additional params. You could probably code up a parsing loop of some kind but there is a much simpler method.

CF does not  parse form variables in the same way it does URL params, so by using the form scope, CF doesn’t break apart the string that we feed it.

<cfoutput>
<div style="margin:auto; width: 700px; height:450px;padding:25px;text-align:center;border:1px solid;">
    <form method="post" action="dsp_qrcodegen.cfm">
        <h3>QR Code Generator</h3>
        <hr>
        Input URL
        <input type="text" name="siteurl" id="siteurl" style="width:500px;margin:50px 0 50px 0;"><br>
        <input type="submit">
    </form>
    <cfif structkeyexists(form, "siteurl")>
        <div style="margin:auto;">
        <cfhttp url="http://chart.apis.google.com/chart?chs=200x200&cht=qr&chl=#urlencodedformat(form.siteurl)#&chld=H|0" result="qrcode" getasbinary="yes">
        <cfimage action="writeToBrowser"  
                 source="#qrcode.filecontent#" />
            <br>
            #form.siteurl#
        </div>
    </cfif>
</div>
</cfoutput>

#form.siteurl# stays siteurl=http://www.testserv.com?foo=string1&bar=string2 so all our params get passed and you can add as many additional params as you like.

Things became even stranger as we found that User A had the error but when User B logged on to the same machine, they were able to use the app just fine. My initial thought was that it was a permissions problem for User A. We checked folder permissions for our app folder and everything seemed fine. We also checked to make sure both users had perms to the Access Program folder (where the OCX resides) and that checked out OK as well. I was tied up with some things so I had my assistant investigate a bit more. After some muttering & swearing (I may be projecting here), he returned to my office and said triumphantly, “Regional settings!”

For some reason User A had regional settings that were different than User B (who had the correct setup) Calendar control didn’t know what to do with the format it was being given so it threw an error.

Firstly, it’s awesome that “my guy” figured this one. In a very long series of assistants, he is the first one even remotely capable of the kind of thinking that finds these kinds of solutions. If you’ve ever uttered the words, “never mind, I’ll fix it myself”, you know what I’m talking about.

Secondly, I ran into this exact error when we made the switch from win200 to XPpro years ago but I didn’t make note of it. Now I have and I’ll be able to find a solution when we make the switch from win7 to win10 in 8 years time. :0

Basically, the problems I experienced in the first few times around were due to 2 things; Plesk and my confusion (or IIS 7.5 lack of clarity) as to what Enable 32 Bit Applications means. Plesk does quite a few funky things to IIS since it is a web based management tool. Much of my grief stemmed from the fact that Plesk is a 32 bit App and my server install is 64 bit. Plesk also uses but doesn’t expose a version of Tomcat. My confusion in the original post as to why the Railo Tomcat was installing itself on a different port than normal was likely due to the Plesk instance. Now we don’t want to break Plesk (I’m paying for it every month!) so we need a procedure to make it play nice and undo some of the problems it causes with IIS. The following outlines the steps needed to get Plesk, Railo, Tomcat & iis 7.5 all running happily.

The first section of my previous post outlines how to set up the server and a single website using Plesk on a GoDaddy VPS (virtual private server). I’m assuming Plesk operates pretty much the same on all II 7.5 setups so it should be pretty standard. That setup walkthrough is still valid however, as I found out, the remaining part of the post dealing with Railo & IIS is incorrect (well, not exactly incorrect – it did get things working, just not in the best way) and superseded by this. I’ve also changed the order in which I did some things so let’s get started.

Fixing what Plesk Hath Wrought

Once we’ve created our website via the Plesk panel we need to go and make some changes in IIS so fire up inetmgr

Select Application Pools under the main node of your site. You’ll notice there a couple of the standard and a couple added by Plesk.

Click Set Application Pool Defaults from the right column. Here we see that Plesk has set Enable 32 Bit Applications to True. We need to set this to false.

This was a big stumbling block for me on the first couple tries as I did not have a clear understanding as to what Enable means. For IIS 7.5 Enable means Only Allow.  So If you have this set in defaults it will create all new AppPools with 32 bit enabled preventing 64 bit apps from running. You will get an error: HTTP Error 500.0 – Internal Server Error Calling LoadLibraryEx on ISAPI filter “C:\railo\connector\isapi_redirect-1.2.31.dll” failed.

The other very confusing thing is that this seems to override individually set AppPool settings and break all 64 bit websites if 32 bit is enabled in Application Pool Defaults.  In order to have a mixed 32/64 bit environment you MUST have Application Pool Enabled 32 bit Application set to FALSE. To allow an individual site to run 32 bit apps, you need to click on the appPool you want to change and click Advanced Settings from the right column.Change the drop down from False (the default) to True

For Plesk to work we need to set  both plesk(default)(2.0)(pool) and PleskControlPanel to use 32 bit applications. Once you have done this, browse to your Plesk panel and verify everything is working.

Now that we’ve got Plesk in a 64 bit environment, we need to add an AppPool for our new website. Click Add Application Pool in the right column and give your pool a meaningful  name. The name of the website works well. Leave the other settings as they are.

Now that we’ve got that set up, we need to associate the new AppPool with the new website. Select the website in the left column and then click Advanced Settings from the right. You’ll note that the website is set up by Plesk to use plesk(default)(2.0)(pool). Click on this and then  click on the [...] Select your new AppPool and click OK.

Install Railo

Not much to say here. Run the setup routine, making note of your Tomcat admin password. The installer may request that you choose a port for Tomcat. If you don’t get asked, it means that Tomcat can use the default port. If you do, it means that something is using that port. I assume it’s Plesk’s version of Tomcat? This happened twice and the rest of the time it didn’t on the various installs I’ve tried. Does Plesk choose different ports at setup? I don’t know. Remember, my install is based on an OS image with Plesk pre-installed so I don’t have any control over it’s install.

Once the install is complete and you get the first run page, set your Server & Web Admin Passwords for Railo.

Now we need to fix one more issue introduced by Plesk. This one was another stumbling block in my initial tries. Because I installed Railo immediately, I did not know that Plesk had already set up a jakarta virtual directory pointing to its own version (32 bit) isapi connector for use by its own version of Tomcat. Without going into too much detail about that, the jakarta vDir in any application that uses railo needs to be pointed at the railo isapi 64bit  connector (on a 64 bit OS). Click on the jakarta subdirectory of your website, Click Advanced Settings in the left column and  point the physical path of the Railo connector

Now we’ve cleared up all the issues caused by Plesk and it’s time to move on to the final set up of IIS 7.5

The Home Stretch

The Railo install does a lot of the work for you but we do have to do a few things. The server root node will have a Handler Mapping for *.cfm files set up, but it doesn’t seem to set it up for individual sites. Click on your website node and then Handler Mappings. Click Add Script Map from the right column. Set the Request Path to *.cf*. All the Railo walkthroughs I’ve seen only seem to add one for *.cfm. The installer only adds *.cfm but I’m not sure if it will process CFC’s if only *.cfm is set up. I assume it will but it won’t hurt to use *.cf* to cover both right?

edit: While I don’t think it will do any harm to set it to *.cf*, setting/leaving the Handler Mapping as *.cfm is fine. Now that I have an actual operating system, I was able to verify that CFCs were processed correctly with only a mapping for *.cfm

Point the executable to the {installPath}\connector\isapi_redirect-xx.xx.xx.dll and give it a name.

*note: some of the more eagle eyed of you may notice that the path in the handler mapping screen cap above shows I’m adding the Handler Mapping in the {website} > jakarta section. This was not intentional. You should be in the root node of your website when you add an handler mapping. In this case it should have been railoinstalltest.ca

Now double check that there is an entry for the isapi connector in the Isapi Filters section. This should be added by the installer but if not you can add it easily.

One final thing to do is to make sure that index.cfm is at the top of the Default Documents list (not necessary but I’d do it in any case). Index.cfm should be added by the installer, but if not you can add it.

Adding a Tomcat Webcontext

Click on Start Menu >All Programs  > Railo >Tomcat Host Config to open up the Tomcat Server.xml file (a nice touch added by the installer). Scroll to the bottom of this file to add your “webcontext”; basically tell Tomcat what directory to watch under what website. There is a template to use which is commented out with <!– –>

<!–
<Host name=”[ENTER DOMAIN NAME]” appBase=”webapps”>
<Context path=”" docBase=”[ENTER SYSTEM PATH]” />
</Host>
–>

Copy that twice and modify it to add the Hostnames of your site and the path to the document root.

<Host name=”railoinstalltest.ca” appBase=”webapps”>
<Context path=”" docBase=”C:\inetpub\vhosts\railoinstalltest.ca\httpdocs” />
</Host>

Note that there are two instances for a single site; one for www.railoinstalltest.ca and one for railoinstalltest.ca. You would need to repeat this for each binding your site has that you want to process cfm files. You wouldn’t need to add one for ftp.railoinstalltest.ca but you probably would for admin.railoinstalltest.ca

edit: Thanks to Spills in the comments for pointing me to the use of Alias. Add an alias for each binding of your site that you want to process cfm files. Saves a few lines and if you have a lot of sites, it keeps the file cleaner.

<Host name=”www.railoinstalltest.ca” appBase=”webapps”>
<Context path=”" docBase=”C:\inetpub\vhosts\railoinstalltes.ca\httpdocs” />
<Alias>railoinstalltest.ca</Alias>
</Host>

Save the file and restart Tomcat using Start Menu >All Programs  > Railo > Railo-Tomcat Service Control

Now at this point we -should- be able to browse our first cfm file. (but I bet you’re guessing maybe, just maybe we can’t?)

Create a simple one
<cfoutput> <h1>Hello World!</h1><br> The time is #now()#</cfoutput>

and save it to the httpdocs folder of your website and browse to the site and…

You’ll note the error detail Cannot read configuration file due to insufficient permissions. Now we know that the website configuration file is web.config and it is located in the document root of each website. So the error message tells us that for some reason, IIS doesn’t have permission to read that file, or more accurately, the website’s AppPool doesn’t. In IIS 7.5 the appPool is an isolated security context for each website, provided you set them up that way as we did. We need to give the appPool permissions to access the directory. Open Explorer and browse to your webroot, in this case inetpub\vhosts and select your website. Right click and select the security tab. Click Edit and then Add. In the Object Names box enter IIS AppPool\{nameof yourAppPool} or in this case IIS AppPool\railotest. Click ok.

Now at this point (again) you’d think we’d be done, but I discovered that granting permissions at the topmost level of the site doesn’t propagate the changes to lower directories like you’d expect. I’m not sure if this is a Server 2008R2 thing or something related to IIS AppPool objects but we need to do one more thing. From the Security Tab of the properties box, click Advanced > Change Permissions. Click in the Permission Entries box and select all of the entries, including the AppPool entry you just added. This step is important and failure to do so can mess up the permissions for the site. Click the Replace All Child Object Permissions With Inheritable Permissions From this Object check box. This will set the permissions of all of the subdirectories of the root website based on the permissions of the root directory (ie: the one we just added the AppPool permission). It does this for each Permission Entry in the list. As such all of the subdirectories will have permissions Read & Execute, List Folder Contents and Read set for your website AppPool.

Finally, back to the browser and …..

Ahhh, I love it when a plan (and 2 weeks, 5 OS reinstalls and several hundred cups of coffee) come together.

Unlike my previous post, I’m pretty confident that this is the correct way to get these various pieces of code to live on my webserver in glorious harmony. I didn’t realize when I started this project that I would be spending this much time just getting the server set up, but in retrospect, I’m glad it did. I have a much better understanding of how all the various pieces work and feel much better about the way my server is set up. My initial attempts led to so much random clicking of settings that I could have easily compromised the security of the server. I’m very glad that I have a VPS so flattening the server and starting again was a simple, 2-3 hours automated process which required none of my time.

As before, If you’ve got any corrections or suggestions, let me know about them in the comments.

UPDATE 2: I’ve written a Part 2 post with the -proper- way to set up Railo and get it working on a 64 bit Windows server with Plesk. You can still read up on how to setup your server and website using plesk in this post. The Part 2 post only deals with getting Railo running

Initial Server Set up

Several months ago I had an idea for a website which I think is going to be very interesting. All the posts on this blog so far have been on things I’ve discovered at my day job, this project is a personal one. Part of personal means I needed to find a server to host the thing. I looked at shared Coldfusion hosting plans but I’ve grown so used to having complete control over my co-located server at work I was reluctant to give that up. I decided on goDaddy’s (GD from now on) “Value” Virtual Dedicated Server offering.

The server (virtual) specs are:

Nothing to write home about but it’s a respectable package for $40 a month. There are also systems available with CentOS & Fedora for about the same price. There are 2 bits of fine rpint you need to know about

Only CentOS and Fedora plans can be upgraded without reprovisioning. To upgrade a Windows server, you must purchase a new plan, backup your data, and cancel your existing server.

Disk space includes operating system files, which can be close to 1 GB in a CentOS/Fedora server or 11 GB on a Windows server. Please take that into consideration when choosing a server size that best fits your needs.

So I knew that the 30G might end up being too small and that it wasn’t easily expandable (reprovisioning means your VM and everything on it is deleted and replaced with the default VM). However, I’m not sure if this project is going to go anywhere so I decided to take a conservative approach. BTW, the 11G used noted is only for OS space by the time I was finished with the various installs to get me up and running, I’m at 11.6G -free- space. If traffic & use grows, I’ll look at an upgrade. That’s one of the reasons I’m writing this today. I want a record of how I did it as it has taken a full week of evenings to get to a “hello world ” server status.

I expect many of you will be here looking for help with Railo & IIS 7.5. If so, you can skip the next bit and start reading HERE. Since I’m mostly writing this for me, I’m going to document the entire server setup procedure.

According to GD, after you’ve made your purchase, it takes up to 48 hours for your server to be provisioned. In my case it was about 6 hours.

Request an Additional IP

The first thing we need to do is set up our DNS so we can resolve the domain.  Well not quite. We need to set up the domain first but GD has a different way of handling Nameservers than my provider at work. My work provider has 2 dedicated Nameservers so their control panel takes care of most of the work. We just need to fill out a couple of forms. With GD, every vServer is its own NameServer so we need to set that up. To do this (for NetSol at least) we need 2 IP addresses. By default, when your server is provisioned you only get one. Fortunately, you can easily request another and the additional IP doesn’t appear to cost anything. I don’t know if GD has a limit to how many IP’s you can request but I only need 2 at the moment.

Select My Products > Server > Click on Request Additional IP  in the Account Summary tab. You just have to confirm that in fact you want one.

The issue here is that it takes 6-8 hours for one to be generated so it’s a good idea to get on this right away since without it, you’re not going to be able to get DNS set up.

Setting up your domain using Plesk

I’m not going to document how to do this if your domain is hosted by goDaddy, I expect it’s pretty simple. My registrar has been NetSol since the 90′s so this will be how to set up a domain provided by a 3rd party. Plesk is new to me and it has some interesting options and features. It also throws in an additional layer of complexity which had me a bit confused at various points in the build.

Log in to your Hosting Control Center

Select My Products > Server > Support Tab in the central panel > Launch Plesk (Note: You can also log in to Plesk from your desktop if you are logged on via RDP. )

Plesk is designed for resellers, which I may end up being at some point, however here I’m basically setting myself up as a “customer”.  To create a new domain you first create a Subscription. Fill out the form provided with your  Domain Name, Select your primary IP address,  Username & Strong password. You can also choose a service plan level (which relates to a level you set  for your customer). Submit the form & wait a couple of minutes and Plesk will set up a wesite in IIS based on a basic template, Most of the DNS entries you will require and Account information (for your customer) You can also create a Subscription at the same time as you create a Customer. I’m not going to go into that as I didn’t need to do it.

Setting Up Your Nameservers

(Just to clarify here, Plesk has 2 different control panels. Hosting Control & Domain Control. The HC Panel admins the details of each of the Customer accounts & their domains. The DC panel controls the setting of the Domain itself.

Assuming you now have 2 IP addresses, you can now set up your Nameservers. From HC Panel select Domains and then the Control Panel link of the domain. From the DC Panel select Websites & Domain > More > DNS Settings

(I’m not going to go into the details of DNS records. You can read about what the following means on Wikipedia.) By default, Plesk creates a single Nameserver (ns.domain.com) when the domain is created. We need 2 so we need to click Add Record. The form gives us a drop down to select resource type and a few fields to fill out based on what kind of resource.

Select A from the list

The Domain field will look like [       ].yourdomain.com > Enter NS2

In the IP Address field > Enter the second IP address you received from GD

Click OK

Click Add Record again

Select NS from the List.

The Domain field will look like [       ].yourdomain.com > Enter NS2

In the Nameserver field > Enter ns2.yourdomain.com

Click OK

Now you need to click Update to save the changes.

Now you can update your Nameserver pointers at your Domain Name provider. This is pretty straightforward. Log in to your provider, select your domain and modify DNS settings, add ns.yourdomain.com & ns2.yourdomain.com, click through the dire warnings about rendering your website unreachable and save. Now you’ll wait a few hours for the DNS to propagate.

Now on to setting up the server.

Basic Server Setup

We abandon Plesk now & get messy with the server itself via rdp

When you login via RDP you need to enter your primary IP as the Computer. When RDP asked for credentials, you enter them in the format servernameuser.  You set these up when you provisioned the server.

Now you have a brand spanking new MS Server 2008 r2 desktop to look at. First thing you’ll want to do is have a look at the Initial Configuration Tasks window which should run when you log on. By Default, most things like auto updates, roles & features are setup by provisioning but one thing that is not is Windows Firewall. You should enable the Public Networks location. This server has the full Windows Firewall  with Advanced Security suite and you can tweak to your hearts content but that’s another post. (by someone who knows a lot more about 2008 WFAS than I do)

The next thing I do is to install Firefox and the NoScript plugin. IE is locked down and is a real pain to use to download what we need. There is a real risk of server compromise by browsing sites so NoScript is a -must install- and no browsing Facebook!

Now you can fire up either Server Manager console and go to Roles > WebServer >IIS Manager or IIS Manager directly. For those of you who are used to IIS6 you’re going to be in for a bit of a shock. There’s nothing much familiar. I’m not going to go into much detail here other than to get you up and running with it.

First thing to do is expand the tree to view Sites. You’ll see that Plesk has set up a basic website for you. If your DNS has updated, you can browse to the site and see the Plesk default welcome site.If we were setting up a static site we’d be done however we’re Coldfusion coders so we’re not done yet.

Railo vs Coldfusion

As I noted before, this is a personal project which may or may not go anywhere. I couldn’t justify $1300 for a CF9 Standard install for this so I’ve decided to go with Railo. I could have also chosen Open BlueDragon. Both of these are open source CFML Servers. I’ve read that Railo is the fastest of the 3 but I don’t really know. I have installed CF8 Standard on 2008 r2 64bit and while there were some issues, it was up and running in a couple of hours. Railo? Not so much.

UPDATE 2: I’ve written a Part 2 post with the -proper- way to set up these various bits. You can still read up on how to setup you server and website using plesk in this post. The Part 2 post only deals with getting Railo running.

Important! Everything from here to the end of this is superseded by the Part 2 post. My solution at the end of this post, while it works, would not be suitable for a production environment. Read on to feel my pain, but don’t use the rest of this post for anything but a nice yet tragic work of fiction.

Installing Railo

The only walkthrough guide I’ve found to installing Railo on 2008 r2 64 is from 2008, refers to IIS 7 and not IIS 7.5 and does not account for the improvements in the installer that the Railo team have made. It wasn’t a lot of help. Grab the latest install package from getRailo.org. Choose Railo Server with Tomcat 6.xx.xx. This download contains both 32 & 64 bit packages. run the install and walk through the wizard. Just keep the defaults unless you have compelling reason to change them. Make note of the Tomcat Port in my case it was suggested to be 8888. Most of the docs available online suggest it runs on 8009. I’m not sure why it was different but it may be that 8009 was in use. In any case, this is important as we need to make some changes later on and we need to know the port number.Make sure Railo is set to start at boot and let the installer run.

Once complete, you’ll be asked if you want to go to the initial Admin page. Do so and you should get the welcome page at http://localhost:8888/index.cfm. From there you should immediately click the links for Railo Server Manager & Railo Website Manager and set admin passwords.

Pretty simple so far. We’ve verified that both Tomcat & Railo are working on Port 8888. However, we don’t want to be adding 8888 to every url so we need to set up Tomcat and IIS so we can intercept CFM & CFC files for processing by the Railo/Tomcat engine. This is where the problems started. Now let me be clear here. The install may work out of the box. It did not work for me. I believe I followed the step by step guides found on the Railo site and it did not work. The guides may have been written for IIS 7 and not 7.5 or perhaps I just missed something (for 6 days of evenings and multiple reinstalls) In any case, the following outlines some tof the issues I had and how to I got it running finally. Unfortunately, I didn’t record actual error messages I was getting so they’ll be a bit generic (and perhaps wrong in the context but it’s what I remember). I also may not have set this up entirely correctly. I’m writing this as I go, so I may add updates or corrections. If you spot anything I missed or a glaring un-fact, please let me know in the comments.

Setting up a Tomcat Website Context

First thing we need to do is go to C:railotomcatconf and edit server.xml to add a “website context”. This lets Tomcat know which sites to process.

<Host name=”www.yourdomain.com” appBase=”webapps”>
<Context path=”" docBase=”C:inetpubvhostsyourdomain.comhttpdocs” />
</Host>
<Host name=”yourdomain.com” appBase=”webapps”>
<Context path=”" docBase=”C:inetpubvhostsyoudomain.comhttpdocs” />
</Host>

Notice that there is an entry for each website binding If you only have  and entry for yourdomain.com, browsers pointing to www.yourdomain.com will not have pages parsed by Railo.  (ie: your website will be broken for them). The httpdocs folder is created by Plesk and that’s where all your CF files will go.

Save this file and restart tomcat. To make restarts simple, Railo creates a shortcut on the start menu Railo-Tomcat Service Control. Launch it the click Stop & Start

Now Serving CFML

At this point we’re almost ready to start serving files, but of course we need something to serve.  Create a file in your httpdocs folder called index.cfm and add the follwing code.

<cfoutput>Hello World. The time is now: #now()#</cfoutput>

Using NOW() is a good idea as it changes at every page load and will make sure you’re not viewing a cached page. We also need to add index.cfm as a document type in IIS, so open Default Document in IIS Manager, add it and move it to the top of the list.

At this point we need to check to see if we can serve pages. browse to http://youdomain.com:8888/index.cfm. All things going well, you’ll get our welcome page. Now try http://youdomain.com/index.cfm and you’ll get an error. (If you don’t you were luckier than and and you’re done!)

Tomcat and IIS 7.5 Connector

The Railo install includes isapi_redirect-1.2.31.64-bit.dll in the Railoconf directory (it also includes a 32 bit version). The install guide says to add that to ISASPI filters and add it as a Script Map in Handler Mapping for *.cf*.  The typical steps (with pictures for those who like that kind of thing) are on Doug Boude’s site. However this is the site I referred to that outlines the steps prior to the upgraded installer. The installer takes care of all the steps prior to “Tell IIS It’s Okay To Run the DLL”. Complete the remaining steps except for adding the jakarta vDirectory (it’s added by the installer), restart and theoretically, you’re done. Not so with me. Browsing from my laptop, I got a generic 404 error but browsing on the server, I got a more detailed message. A couple actually. First (I think),was a 500.19 Cannot read configuration file due to insufficient permissions. It may have been another error but it was a permissions error.

A Whole New Identity

IIS 7.5 changes the way that permissions are granted to the webserver. The new security context is per Application Pool rather than for the Network Service. I’ve read this is a big improvement in security and application isolation seems like a good thing to me. In any case, we need to deal with it to make our website work. When you create a website in Plesk as we have done, Plesk creates and Application pool with the followoing attributes

Name: plesk(default)(2.0)(pool)

.NET Framework: v2.0.5xxxx

Managed Pipeline Mode: Integrated

I’m a fuzzy on whether I created an AppPool for my website manually or not, but I have one set up.

To make the site run under that context, you click on your site in IIS Manager and click Basic Settings from the right hand column. Select the AppPool you want to use. Restart the website. Now you need to give your AppPool permissions for the website. In Explorer, browse to your site in inetpub, right click and select the security tab. Click Edit and then Add. In the Object Names box type IIS AppPool{theAppPoolName}, and click ok.Try to browse your site. If you still get the 500.19 error (as I did) there is one more step. For some reason the permissions propagation to the entire folder contents didn’t seem to take place. To fix this, go back into the Security tab of the properties dialog and click Advanced. Click Change Permissions. Select all of the items in the Permission Entries section (IMPORTANT: don’t proceed until all are selected. failure to do so can mess up your folder permissions for this folder entirely!) Click the Replace All Child Object Permissions with the inheritable permissions from this object check box and click ok. This will apply the permission settings of the root folder of your website (which now includes your new AppPool context) to all objects below it. Click out of the dialogs and browse your site. All things having gone well, the 500.19 error should be gone. And replaced by another.

404.17 and the Temple of Doom

This is where things really started to get frustrating. The 404.17 error is The requested content appears to be script and will not be served by the static file handler. Well duh. Of course it’s a script. CFML is a scripting language. What this is telling us is that IIS doesn’t know how to handle the file and therefore the redirect to Tomcat/Railo is not working. After scouring the web for solutions and finding none using the isapi_redirect supplied with the install, I began to look at other options. I found a potential fix at one of my favourite code repositories, RiaForge in the TomcatIIS Connector which is based on the BonCode AJP. I ran the installer, and things started to look promising however I ended up with a new error:  System.Security.SecurityException: Request for the permission of type ‘System.Web.AspNetHostingPermission. This error occurs when the system tries to process a dll that it doesn’t know about, ie: one downloaded from the internet. The fix is to Unblock the DLL (how-to) for the 2 BonCode DLL’s. If you elected to add the connector to every IIS site during install, you have to manually unblock them in every directory that they occur. On the Riaforge notes, the author suggests you can also get around this by switching the Security model from AppPool back to Network Service. I think it’s better to stay with the AppPool and fix it -properly- and not revert to a less secure state. Once the DLL’s were unblocked and everything was restarted, I hit the browse button and….. 404.17 The requested content appears to be script and will not be served by the static file handler. Sigh.

So what to do now. In my browsing, I saw one mention  of tossing the Tomcat connector (because it was such a cumbersome and miserable thing to get working with IIS. really?!@)  and using Application Request Routing. There a basic set up walk through which includes how to install it at IIS.net  However, I’ll walk you through how I set the thing up.

A Light at the End

Once ARR is installed, it will show up in IIS Manager with a new entry called Server Farms. Right Click and Create New. Call it RailoTomcat or whatever. For server address enter localhost. Click the Advanced Settings link and enter the Tomcat port for the httpPort entry, 8888 in my case. Click through until you’ve got a new “server farm” of one server called localhost. Restart IIS & Tomcat and browse to http://youdomain.com/index.cfm.

Hello World. The time is now: {ts ’2011-09-05 08:39:03′}

Success!

It works. It works. Once more time. It works.

Alright. We can start setting up our website. Back to Plesk. Oops. Why is the Tomcat Admin page there. Hmm. Seems that we need to add some routing rules as -everything- going to localhost is passed through 8888 (to Tomcat) at this point. Click on you Server Farm and open the Routing Rules.Open Advanced routing URLRewrite, Click on the Inbound Rule and under Inbound Rules in the right column. Add *.cf* as a pattern. You can also  add exclusions for *.jpg, *.html, *.php, *.css, *.asp. This will prevent passing  files to tomcat that it doesn’t need to process. You don’t have to add exclusions but it will probably help server performance.

And that pretty much wraps it up. I’m now serving CFML on IIS 7.5 using Railo and Tomcat.

As I said, at the beginning, you may not have any of these issues. I did. This was my solution. Hopefully it works for you. If you’ve got any suggestions or corrections on any of what I’ve written, please post in the comments. Most of this is all new territory for me so I may have gone down a few wrong paths to get to my working solution.

 <cffunction name="manageAccessRequest" returntype="string"  access="remote">
    <cfargument name="partnermasterid" required ="true">
    <cfargument name="type" required ="true">
    <cfset var manageAccessRequests = "">
    <cftry>
    <cfquery name="manageAccessRequests" datasource="dsn">
        update partner_master set approved = <cfqueryparam cfsqltype="cf_sql_integer" value="#arguments.type#">,
         dateapproved = <cfqueryparam cfsqltype="cf_sql_timestamp" value="#now()#">
        where partnermasterid = <cfqueryparam cfsqltype="cf_sql_integer" value="#arguments.partnermasterid#">
    </cfquery>
    <cfif arguments.type eq "9">    
        <cfset result="AccessRejected">
    <cfelse>
        <cfinvoke method="sendApprovalNotice">
            <cfinvokeargument name="partnermasterid" value="#arguments.partnermasterid#">
        </cfinvoke>
            <cfset result="AccessGranted">
    </cfif>
<cfcatch type="any">
    <cfset result = "#cfcatch.type# - #cfcatch.message# - #cfcatch.detail#">
</cfcatch>
</cftry>
<cfreturn result>
</cffunction>

The sendApprovalNotice function is a local call. Basically, it does a query or the partner table and formats a cfmail to send the access code. Pretty simple stuff.

<cffunction name=”sendApprovalNotice” >

You’ll note that manageAccessRequest is returning a string – either AccessRejected or AccessGranted to use in a simple alert box on the calling page

function manageReq_response(obj)
{
    alert(obj)
}

Again nothing complex here. Except it wasn’t working. Whenever I submitted a  cfargument type of 9 which is DENY, I got my AccessRejected alert box. However, when I submitted a value of 1  APPROVED, the browser popped up with the dreaded generic ajax Parsing Error: The value returned could not be evaluated. (note: this is a “friendly” error thrown by JSMX but the following should apply to all ajax parsing errors) This showed me the manageAccessRequest was working correctly and whatever was failing was happening in the sendApprovalNotice function

Hmmm. Open up Firebug,and what do I see

<br> <wddxPacket version='1.0'><header/><data><string>AccessGranted</string></data></wddxPacket>

Look like a normal wddx return packet – stare, stare, hmmm hey what’s that <br> doing there. That can’t be there.

Looking at the code for sendApprovalNotice I find it just before my cfsavecontent section where I create the HTML to go in the mail.

<cfset theaddy = AccessByID.contactEmail>
</cfif><br>
<cfsavecontent variable=”vTmp”>

Remove the <br> and all works fine.

Now WHY? Well, the returned value from an ajax call to a CFC can not contain any characters outside of the wddxpacket and the <br> was causing the parsing to bork. This one was pretty simple to find. I remember struggling with this issue a couple of years ago with a very large CFC function and the culprit was a . (dot) at the end of one line. It was almost invisible to my frustrated eyes, especially in the days before Firebug.

Now, back then, as now, I’d forgotten the simple way to prevent this kind of typo related hi-jinx. Use the output=”false” attribute

<cffunction name=”sendApprovalNotice” output=”false”>

This forces CF to ignore all text outside of a CF tag. Frankly, you should never have display code in a CFC in any case. Remember, my correct “display code” is inside a cfsavecontent and is therefore not being displayed by the CFC.

The other benefit to using output=”false” is that it can help reduce whitespace.

So moral of the story. If you see Parsing Error: The value returned could not be evaluated on a callback from a CFC, check for stray characters (just to keep your code clean) and add the output=”false” attribute

These [qr] codes can link directly to browser exploits, or could include other malicious content to manipulate your phone.

As I just confirmed by scanning the code on the ISC page, one of the most popular QR Code apps for the iPhone, Scanlife  does NOT “tell you what URL they are going to open up before they actually load it.” The app immediately loads the page, which is a fairly large security risk. As far as I can tell the app (v3.12 at time of writing) provides no optional setting to view or stop the page from loading once scanned.

Moral of the story, random scanning of QR codes can be quite dangerous so watch yourself.

Some may know that I use a modified version of Fusebox3 framework for my coding. This routes everything through a single index.cfm file using various templates & includes. This makes maintenance simple and allows for a ton of code reuse and I’m a big fan.

To start the diagnosis, I simply started with index.cfm and commented out the code which kicks off the fusebox framework. A simple <cfoutput>#now()#</cfoutput> confirmed that I was able to serve a cfm page correctly and eliminate a CF configuration problem. Next I worked my way through a couple of more templates until I got to one which made me say hmmmm. As part of this framework, I redirect users who land on

mysite.com/index.cfm

to

mysite.com/index.cfm/fuseaction/main.home.html

When I removed the redirect so the page stayed on mysite.com/index.cfm my layout page loaded without the 404. Very interesting.

For years, I’ve been using sesConverter (on this one site only) to convert my  search engine friendly urls like:

index.cfm/fuseaction/circuit.action.html

to Coldfusion urls like

index.cfm?fuseaction=circuit.action

So it seems that was only files within the framework that seemed to be an issue. On a hunch, I tried

mysite.com/index.cfm?fuseaction=main.home

and TADA – the page loaded completely. OK. So now I knew there was an issue with sesConverter but what was it. The page at Fusium is pretty much abandoned with little information in any case. I had a look at the page code and didn’t really see anything that could be an issue.

I knew there was an issue with the url and I knew I had just installed URLScan so hmmmm what to do. Back to the URLScan site. All of the settings for URLScan are in URLScan.ini. Third setting in and I had my answer

“AllowDotInPath=0
By default, this option is set to 0. If this option is set to 0, URLScan rejects any request that contains multiple periods (.). This prevents attempts to disguise requests for dangerous file name extensions by putting a safe file name extension in the path information or query string portion of the URL. For example, if this option is set to 1, URLScan might permit a request for http://servername/BadFile.exe/SafeFile.htm because it interprets it as a request for an HTML page, when it is actually a request for an executable (.exe) file with the name of an HTML page in the PATH_INFO area. When this option is set to 0, URLScan may also deny requests for directories that contain periods.”

Since I left everything as default after the install, AllowDotInPath was set to 0 or deny. That’s a bit of a problem when your URL looks like

mysite.com/index.cfm/fuseaction/main.home.html

as the main.home will match the deny rule and URL Scan will block the request. (at least I know it’s working!) The fix was simple. Just change AllowDotInPath=0 to AllowDotInPath=1

No need to even restart IIS, The site was up and running immediately.

Note: Some may be wondering about the security of this. As it states in the note, allowing DotInPath could result in an attack like  “http://servername/BadFile.exe/SafeFile.htm. While this is true, an attacker has to have a way to get that file on your server in the first place. Since my server is locked down with no FTP and no user file uploads, there really is a very small risk in continuing to use sesConverter and AllowDotInPath=1

UPDATE: Found another issue today. Or rather a few browsers did.  I have a form that is filled out and before submit, I do a client side check to make sure the form is filled out correctly. If not, I pass a string to ColdFusion.Window.create to open a cfwindow with information on the missing fields

Basically it is this

ColdFusion.Window.create(“myWindow”+showreq.arguments[0], showreq.arguments[1], “#msgWindow.cfm?msg=<span style=”font-weight:bold;”>Require Fields Missing</span>” + fieldArray)

However, by default, URLScan blocks the inclusion of HTML in the url. This shows in the URLScan log as Rejected disallowed+query+string+sequence query+string - When users missed filling out a form field, instead of the nicely formatted error window, they received a 404 message (as the msgWindow.cfm was blocked) which led them to believe the page was broken, when in fact it was working, provided they filled out all the fields correctly.

So this kind of checking is something we want to keep doing as for the most part, HTML has no business in a URL. I will be re-thinking my user feedback on this and doing a bit of a rewrite but in the meantime, I needed a quick fix. Turns out URLScan.ini comes to the rescue again. Fortunately, there is a section called

[AlwaysAllowedUrls]
;
; URLs listed here will always be explicitly allowed by UrlScan
; and will bypass all UrlScan checks.  URLs must be listed
; with a leading ‘/’ character.  For example:
;
/msgWindow.cfm

and adding just the single URL to the exception rule, things got back to normal. Note that the path in the URL must be complete from the root so it may be  /files/display/msgWindow.cfm or whatever.

Wonder what I’ll find next?!?