Entries Tagged as 'OpenBD'
Posted by Jordan Michaels
For those of you familiar with the mod_cfml project, you know it consists of two separate sections: The web server adapter that provides information about the web site being served, and the Tomcat valve, which takes that information and automatically processes it within Tomcat - creating a new host, alias, etc as needed within Tomcat so that Tomcat will match the information coming from the web server. Both the web server adapter and the Tomcat valve have been greatly enhanced in version mod_cfml version 1.1.
New features in The Tomcat valve:
- Speed: the process of creating a new host in Tomcat has been greatly reduced and has taken less than a second in all our tests - down from several seconds in previous versions of mod_cfml. Jar scanning is disabled by default.
- Speed: the process of "waiting for context files" has been completely removed as it is no longer necessary.
- Speed and memory footprint: only one Tomcat “Host container” is created per Apache/IIS virtualhost/context. All aliases / default site hosts / IP-based hosts, are now added as aliases. The process of creating a new alias is lightning fast.
- Bugfix: Thread safety errors have been corrected, and hosts are now created reliably in every event.
Next, for the web server adapter, for Apache 2.4 the web server adapter has been completely re-written in C! This means that any system can run mod_cfml natively without the need for mod_perl. The mod_perl version of mod_cfml will still be available for Apache 2.2, but will no longer be maintained. With Apache 2.4 and a native C-module, mod_cfml can run natively on any system with extreme speed and only a few lines of config!
The new mod_cfml.so also includes the following enhancements:
- Feature: SES URL support is now handled automatically using path_into. Previously, URLs like /some/page.cfm/id/123 would not work out of the box with Tomcat. With mod_cfml 1.1, now they do! This feature is supported in Lucee, OpenBD, and Railo.
- Security: A shared secret key implementation has been added to prevent unauthorized context creation.
- Feature: Virtual directories, or “Aliases” in Apache, are now passed by default from the mod_cfml.so file and handled automatically by Lucee for the current request. Check the documentation for more details on this.
Documenation for mod_cfml 1.1 is HERE.
Installation instructions for mod_cfml 1.1 is HERE.
Huge "Thank you!" to Paul Klinkenberg and Bilal Soylu for their amazing dedication to this project. You two are awesome!
So... what are you waiting for? Install! Upgrade! Stay secure and have fun with CFML!
Posted by Jordan Michaels
For those of you who may not follow these things, users of the open-source CFML context creation software known as "mod_cfml" should know that the latest release is actually pretty important with regards to security. The mod_cfml software is a group of programs that work together in order to automate the process of creating contexts within Tomcat. Usually the process of creating contexts is a manual job, which is accomplished by editing various configuration files in order to tell Tomcat where to find the files for specific sites and directories (or contexts) when Tomcat receives requests for them. The idea behind mod_cfml is to simplify server management, and make creating contexts in Tomcat happen automatically by passing off configuration information from Apache or IIS to Tomcat so a new context can be made if it doesn't exist yet. Pretty basic stuff.
The problem is that, before this latest release, this process of automating the context creation using mod_cfml could be exploited to create a Denial of Service attack on the system that is running mod_cfml. Using a specially crafted attack that is targeted at mod_cfml, an attacker could potentially issue multiple requests in rapid succession to a vulnerable system. This process would cause many contexts to be created simultaniously, and could potentially overload and/or crash the server.
The newest version of the mod_cfml Tomcat Valve corrects this problem by adding limitors to how quickly new contexts could be created, and how many contexts can be created within a single day time frame. These limitors protect users from the danger that previously existed and the possibility of a DoS attack that specifically targets this issue.
You can install the latest mod_cfml Tomcat valve by shutting down Tomcat, removing the mod_cfml Tomcat valve from the [tomcat]/lib/ directory, and dropping the latest mod_cfml Tomcat valve back into the [tomcat]/lib/ directory. Now, restart Tomcat and you're good to go. Documentation on adjusting the new limitors in the Tomcat valve can be found here:
Railo users who have installed Railo 4.0.3 or newer will already have the latest version of mod_cfml, and OpenBD installers version 3.0 and up will have the latest release. If you are running with an earlier release and haven't updated your mod_cfml Tomcat Valve, you should consider doing so.
Posted by Jordan Michaels
Just recently I found myself needing to verify if a server I was working on - which required image manipulation - was actually running in headless mode. On Linux servers, graphical user interfaces (GUI's) aren't usually running because they take up additional resources (like memory) and server administrators usually want to give all the resources they can to actual server processes rather then a GUI which they only use occasionally. However, the JRE that ColdFusion engines run on needs the window processing engines in order to perform graphic manipulation - image resizing, rotating, etc - all require image processing libraries.
The following code bit allows you to see if your CFML engine (Railo, OpenBD, or ACF) is actually running in headless mode. This is useful if you're debugging a pesky image processing problem and you want to make sure your JRE's access to the XORG libraries aren't the problem.
<cfset geResponse = geObj.isHeadless()>
The code calls java directly and returns a true or false response if you're running in headless mode or not.
Hope this helps!
Posted by Jordan Michaels
Recently I had the opportunityto work with someone who was trying to use the Vivio Installers for Railo and OpenBD on a W2K8r2 Cloud/VPS system running the Plesk Control Panel and they were having trouble getting the connector to work right. The problem they were encountering was the notorious "Calling LoadLibraryEx on ISAPI filter isapi_redirect-(version).dll failed" error. Usually this error means that you're trying to run a 64-bit connector on a 32-bit machine, but since this was W2K8r2, which ONLY comes in 64-bit, this had me stumped for a little bit.
After some digging, I found that Plesk had updated the IIS7 application pools to actually run in 32-bit mode because Plesk's own DLL's were in 32-bit. I found this out by changing the application pools to disallow 32-bit, and then plesks DLL's stopped working. The IIS7 settings are a bit misleading in this area too. The option in IIS7 is to allow 32-bit DLL's, but when you set that, ONLY 32-bit DLL files can run. Instead of "Allow 32-bit", I think the IIS7 setting should say something along the lines of "run in 32-bit mode. Otherwise it sounds like you can run both 32-bit and 64-bit, which you can't.
The Railo and OpenBD installers use the mod_jk DLL that's provided by the Tomcat project, and both the 64-bit and 32-bit versions are shipped with the installers. During the install process, one of the DLL's is renamed with a generic name and used in the IIS7connect.bat scripts. Those scripts are what run the commands and connect Tomcat to IIS using the mod_jk DLL. This works out in our favor, as it makes the fix for this really easy.
When installing OpenBD or Railo on a Windows 2K8 R2 machine that's running Plesk, here are the steps you will need in order to make it work right:
- During the Railo/OpenBD install process, go ahead and select to have the IIS7 connector installed. This will perform the bulk of the work for you.
- After the installation, there will be two dll's in the "connector" directory where you installed Railo. The default location to install Railo is c:\railo\ so the connector directory is located by default at c:\railo\connector. The connectors will be named isapi_redirect-1.2.30.dll and isapi_redirect-22.214.171.124-bit.dll
- Rename isapi_redirect-1.2.30.dll to isapi_redirect-126.96.36.199-bit.dll
Rename isapi_redirect-188.8.131.52-bit.dll to isapi_redirect-1.2.30.dll
- Now Restart IIS, and restart the Tomcat service that Railo or OpenBD is running on.
- Check to see if things are working correctly now.
After things are installed and working, it's important for you to remember that CFML functionality will be available to each and every site that's located on that Server.
Further, a "jakarta" virtual directory will be required in each site as we
ll. You'll more then likely have to add this manually to IIS. Documentation on how to add the Jakarta directory is here:http://trac.getrailo.org/installers/wiki/VivioInstallerWinAddingSites
Future releases of the Windows installer will probably allow for the manual selection between 64-bit and 32-bit, but the option will defauilt to whatever your system type is. That way it's still easy, but allows for some customization for situations like this.
Hope this helps!