Entries Tagged as 'Railo'

mod_cfml 1.1 is released! Fast, reliable, and new features!

For those of you familiar with the mod_cfml project, you know it consists of two separate sections: the web server adapter, which provides information about the web site being served, and the Tomcat valve, which takes that information and automatically processes it within Tomcat, creating a new host, alias, etc. as needed so that Tomcat will match the information coming from the web server. Both the web server adapter and the Tomcat valve have been greatly enhanced in mod_cfml version 1.1.

New features in the Tomcat valve:

  • Speed: the time needed to create a new host in Tomcat has been greatly reduced and was less than a second in all our tests, down from several seconds in previous versions of mod_cfml. Jar scanning is disabled by default.
     
  • Speed: the process of "waiting for context files" has been completely removed as it is no longer necessary.
     
  • Speed and memory footprint: only one Tomcat “Host container” is created per Apache/IIS virtualhost/context. All aliases / default site hosts / IP-based hosts, are now added as aliases. The process of creating a new alias is lightning fast.
     
  • Bugfix: Thread safety errors have been corrected, and hosts are now created reliably in every event.

 

Next, for the web server adapter, for Apache 2.4 the web server adapter has been completely re-written in C! This means that any system can run mod_cfml natively without the need for mod_perl. The mod_perl version of mod_cfml will still be available for Apache 2.2, but will no longer be maintained. With Apache 2.4 and a native C-module, mod_cfml can run natively on any system with extreme speed and only a few lines of config!

The new mod_cfml.so also includes the following enhancements:

  • Feature: SES URL support is now handled automatically using path_info. Previously, URLs like /some/page.cfm/id/123 would not work out of the box with Tomcat. With mod_cfml 1.1, now they do! This feature is supported in Lucee, OpenBD, and Railo.
     
  • Security: A shared secret key implementation has been added to prevent unauthorized context creation.
     
  • Feature: Virtual directories, or “Aliases” in Apache, are now passed by default from the mod_cfml.so file and handled automatically by Lucee for the current request. Check the documentation for more details on this.

 

Documentation for mod_cfml 1.1 is HERE.

Installation instructions for mod_cfml 1.1 are HERE.

 

Huge "Thank you!" to Paul Klinkenberg and Bilal Soylu for their amazing dedication to this project. You two are awesome!

 

So... what are you waiting for? Install! Upgrade! Stay secure and have fun with CFML!

Methods to address a slow Tomcat/Railo startup

Recently my technicians and I encountered an issue with a hosting customer who had an interesting situation between two VPS accounts that he owns. The first VPS had a relatively quick startup time (under a minute), and the second VPS had an extremely slow startup time (above 5 minutes). Both VMs were relatively similar, and both served a great number of sites. The following are the two options that corrected the issue:



Option 1

Set property in TOMCAT_HOME/conf/catalina.properties:

org.apache.catalina.startup.ContextConfig.jarsToSkip=*.jar

This will turn off jar scanning during the Tomcat startup.

Option 2

Configure the number of concurrent threads for Tomcat to use to create new contexts by adding the "startStopThreads" attribute to the <Engine> tag in the Tomcat server.xml file. The number of threads should not be higher than the number of CPU cores available to your server, or the threads might overlap and you probably won't get the speed boost you were hoping for.

 

Once these options were implemented, both servers started up in just a few seconds.

Railo CGI remote_addr/remote_host says 127.0.0.1

When installed onto a Linux/Apache machine, the Railo installers will install mod_proxy_http as the default connector from Apache to Tomcat/Railo. The result is the same as you'd get with any other proxy: the remote host is replaced with the address of the proxy (in this case 127.0.0.1) and the original requester's IP address is placed in the "X-Forwarded-For" header.

If you need to find the original requester's IP address, you can accomplish this in one of two easy ways.

Pull the IP from the X-Forwarded-For Header
This can be done easily using the following single line of code:

GetHttpRequestData().headers['X-Forwarded-For']

Use the Tomcat Remote IP Valve
This can be done simply by opening up your Tomcat server.xml file and adding a single line of code right under your "<Engine>" tag:

Change this:

<Engine name="Catalina" defaultHost="127.0.0.1">

To this:

<Engine name="Catalina" defaultHost="127.0.0.1">
<Valve className="org.apache.catalina.valves.RemoteIpValve" />

Restart Tomcat and you'll now see the IP address of the original requesting client populate your CGI scopes.
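Added example (not code from the original post or from Tomcat): behind mod_proxy_http the X-Forwarded-For header can hold several comma-separated addresses, because Apache appends the real peer address to whatever value the client sent. The sketch contrasts taking the first entry of the raw header with a right-to-left walk that only skips known proxies, which is the idea behind the Remote IP Valve; the class and method names, the trusted-proxy pattern and the sample addresses are assumptions made for illustration.

```java
import java.util.regex.Pattern;

public class ForwardedForDemo {
    // Assumption: the only trusted proxy is the local Apache on the loopback range.
    static final Pattern TRUSTED_PROXIES =
            Pattern.compile("127\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}");

    /** Takes the first entry of the raw header, as a naive reader of the header would. */
    static String naiveClientIp(String xff) {
        return xff.split(",")[0].trim();
    }

    /**
     * Starts from the TCP peer and walks the header right to left,
     * returning the first address that is not a trusted proxy.
     */
    static String trustedClientIp(String tcpPeer, String xff) {
        if (!TRUSTED_PROXIES.matcher(tcpPeer).matches()) {
            return tcpPeer; // request bypassed the proxy: the header is untrusted
        }
        if (xff == null || xff.trim().isEmpty()) {
            return tcpPeer; // proxy added nothing: fall back to the peer
        }
        String[] hops = xff.split(",");
        for (int i = hops.length - 1; i >= 0; i--) {
            String hop = hops[i].trim();
            if (hop.isEmpty()) continue;
            if (!TRUSTED_PROXIES.matcher(hop).matches()) return hop;
        }
        return tcpPeer; // every hop was a trusted proxy
    }

    public static void main(String[] args) {
        // Constructed sample: the client at 203.0.113.7 sent its own
        // "X-Forwarded-For: 192.0.2.50" and Apache appended the real peer.
        String header = "192.0.2.50, 203.0.113.7";
        System.out.println("first entry:       " + naiveClientIp(header));
        System.out.println("via trusted proxy: " + trustedClientIp("127.0.0.1", header));
        System.out.println("direct to Tomcat:  " + trustedClientIp("198.51.100.9", header));
    }
}
```

In server.xml the same trust decision is expressed through the RemoteIpValve attributes remoteIpHeader and internalProxies.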

The Latest mod_cfml Update is Actually Pretty Important

For those of you who may not follow these things, users of the open-source CFML context creation software known as "mod_cfml" should know that the latest release is actually pretty important with regards to security. The mod_cfml software is a group of programs that work together in order to automate the process of creating contexts within Tomcat. Usually the process of creating contexts is a manual job, which is accomplished by editing various configuration files in order to tell Tomcat where to find the files for specific sites and directories (or contexts) when Tomcat receives requests for them. The idea behind mod_cfml is to simplify server management, and make creating contexts in Tomcat happen automatically by passing off configuration information from Apache or IIS to Tomcat so a new context can be made if it doesn't exist yet. Pretty basic stuff.

The problem is that, before this latest release, this process of automating the context creation using mod_cfml could be exploited to mount a Denial of Service attack on the system that is running mod_cfml. Using a specially crafted attack that is targeted at mod_cfml, an attacker could potentially issue multiple requests in rapid succession to a vulnerable system. This process would cause many contexts to be created simultaneously, and could potentially overload and/or crash the server.

The newest version of the mod_cfml Tomcat Valve corrects this problem by adding limiters on how quickly new contexts can be created, and on how many contexts can be created within a single day. These limiters protect users from the danger that previously existed and the possibility of a DoS attack that specifically targets this issue.
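Added example (not the mod_cfml valve's own code): a minimal limiter of the kind described above, refusing a new host when the previous creation was too recent or when the daily budget is spent, while requests for hosts that already exist pass through. The class name, the two settings and the constructed burst in main are assumptions for illustration; the real option names are in the mod_cfml documentation.

```java
import java.util.HashSet;
import java.util.Set;

public class ContextCreationThrottle {
    private static final long DAY_MS = 24L * 60 * 60 * 1000;
    private final long minIntervalMs; // hypothetical setting: minimum gap between creations
    private final int maxPerDay;      // hypothetical setting: creations allowed per 24 h window
    private final Set<String> knownHosts = new HashSet<>();
    private long lastCreatedMs = -1;  // -1 means nothing has been created yet
    private long windowStartMs = -1;
    private int createdInWindow = 0;

    ContextCreationThrottle(long minIntervalMs, int maxPerDay) {
        this.minIntervalMs = minIntervalMs;
        this.maxPerDay = maxPerDay;
    }

    /** Returns true if the request may proceed, false if creating the host is refused. */
    synchronized boolean admit(String host, long nowMs) {
        if (knownHosts.contains(host)) return true;      // host exists: nothing to create
        if (windowStartMs < 0 || nowMs - windowStartMs >= DAY_MS) {
            windowStartMs = nowMs;                        // start a new 24 h window
            createdInWindow = 0;
        }
        if (createdInWindow >= maxPerDay) return false;  // daily budget spent
        if (lastCreatedMs >= 0 && nowMs - lastCreatedMs < minIntervalMs) {
            return false;                                 // previous creation too recent
        }
        knownHosts.add(host);                             // stands in for the real host creation
        lastCreatedMs = nowMs;
        createdInWindow++;
        return true;
    }

    public static void main(String[] args) {
        ContextCreationThrottle throttle = new ContextCreationThrottle(500, 3);
        int created = 0;
        // Constructed burst: 20 requests, 100 ms apart, each naming a host not seen before.
        for (int i = 0; i < 20; i++) {
            if (throttle.admit("site" + i + ".example", i * 100L)) created++;
        }
        System.out.println("hosts created during burst: " + created);
        System.out.println("existing host still served: " + throttle.admit("site0.example", 2000));
        System.out.println("new host on the next day:   " + throttle.admit("late.example", DAY_MS + 1));
    }
}
```

The method is synchronized so that concurrent requests for new hosts cannot both pass the checks before either one is counted.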

You can install the latest mod_cfml Tomcat valve by shutting down Tomcat, removing the mod_cfml Tomcat valve from the [tomcat]/lib/ directory, and dropping the latest mod_cfml Tomcat valve back into the [tomcat]/lib/ directory. Now, restart Tomcat and you're good to go. Documentation on adjusting the new limiters in the Tomcat valve can be found here:

http://www.modcfml.org/index.cfm/documentation/modcfml-tomcat-valve/config-options/

Railo users who have installed Railo 4.0.3 or newer will already have the latest version of mod_cfml, and OpenBD installers version 3.0 and up will have the latest release. If you are running with an earlier release and haven't updated your mod_cfml Tomcat Valve, you should consider doing so.

Why the switch to mod_proxy from mod_jk?

I've talked about this a lot in various places, but because I expect to get a few questions about this, I want to create a post where I could fully explain the decision to move from mod_jk to mod_proxy. As of Version 4 of the Railo Installer, mod_proxy_http will be configured by default in Linux Apache installations.

Current Installs Will Continue to Function

If you're comfortable using mod_jk, then there's no reason for you to migrate any of your existing installation to mod_proxy. mod_jk will continue to work just fine with Railo and Tomcat for as long as the Tomcat developer community continues to develop and improve mod_jk. There is no reason to switch if you're comfortable where you are.

Mod_proxy is Simpler to Configure

There are several points to make within this overall "mod_proxy is simpler" point. First, it should be noted that mod_proxy is installed by default in nearly all modern Apache installs, even the Windows versions. So as far as "installing" mod_proxy goes, it's incredibly easy because in most cases it's already there! Second, mod_proxy is configured purely by a few commands within the Apache configuration file. Mod_jk has several different configuration files you have to work with. These additional files are the cause of much confusion among users about what to edit, when to change it, and what to change it to in order to do what you want. Once you know the purpose of each file for mod_jk, it's really not very difficult, but it can be daunting to try to figure it out or, if you're on an unfamiliar system, to find where those specific files are located. With mod_proxy, you can simply look at the proxy rules and generally have a pretty good idea of what's going on without having to track down and review separate configuration files.

Mod_proxy is Recommended by Tomcat Dev Team

This article describes in detail the differences between the current connection methods: http://www.tomcatexpert.com/blog/2010/06/16/deciding-between-modjk-modproxyhttp-and-modproxyajp

Note that the article was written by Mark Thomas, a member of the Apache Foundation and Tomcat Developer.

Mod_proxy Fits Better into Future of CFML

There are many features that would be very useful when connecting Apache to Tomcat with regards to the CFML development language. For example, it would be nice if users could have some built-in support for Search Engine Safe URLs without having to add complex mappings to their Apache configurations. It would also be nice to have the ability for Apache to pass on certain aspects of its configuration to Tomcat from within the HTTP protocol. Work in that area has started with the mod_cfml project, but it would be great if mod_cfml could run as a native Apache module instead of as a mod_perl module. Mod_perl is fantastic software, but some users resent having to install it in order to get mod_cfml working in Apache.

With mod_proxy, we can extend mod_proxy's existing functionality and add our own. In much the same way that mod_proxy_ajp and mod_proxy_html extend the base functionality of mod_proxy, we could potentially create a mod_cfml module that is simply an extension of mod_proxy where basic support for CFML pass-throughs is built directly into the module. This would make installation and configuration even easier than it is currently.
