Entries Tagged as 'Railo'

A Guide to Running Railo on Windows with Helicon Zoo

Railo 15 Comments »

Greetings Railo fans,

In this article I will be covering how to set up and configure Railo with the Helicon Zoo module for IIS and then configure various custom settings. I will continue to add to this article as I find out new tricks and learn more about Jetty, so be sure to check back occasionally if you are using Helicon Zoo.

Contents

  1. Why Helicon Zoo
  2. Installing Railo
  3. Enable Railo on your website
  4. Search engine friendly URLs
  5. Changing the JVM settings
  6. How to set the Java Agent
  7. Customising the JVM settings on a per site basis

Why Helicon Zoo

While Railo is a brilliant alternative to ColdFusion and has many benefits right out of the box, one of the problems it does suffer from is that, like ColdFusion, it runs as a service. This means that every website is running inside the same instance of Java/Tomcat and thus all websites can affect each other.
If you are only running a single website this is not a problem, but if you run multiple websites on the same server then this can present a couple of problems.

  1. Security
    While Railo does offer built in sandboxing which restricts file access to the web root, this only applies to CFML code. If you drop in some Java then this completely overrides any Railo security and allows you to do pretty much anything you like. Your code will have the same level of access as the Tomcat service.
    Sure you can disable direct Java access, but doing this will break virtually every modern app or framework, all of which use Java in some fashion.
  2. Stability and performance
    If you run multiple websites then you also run the risk that any one of those sites will kill Tomcat by consuming all its resources and thus take down all your other sites in the process.
  3. Custom configuration
    As all sites share the same JVM settings, there is no way to configure each site separately out of the box; you would need a custom multiple instance Tomcat setup/installation to do this.

Enter Helicon Zoo, which uses Jetty as the Java servlet container for Railo and runs it as a process inside IIS, and thus works in the same way that PHP, ASP etc. work, with all the advantages.
What this basically means is that every single Railo site is by default running a dedicated instance of Java/Jetty, which runs as the application pool identity. As a result you do not have the same security issues, as any Java code that is executed runs in the context of your application pool identity, so you can fully control what Railo can and cannot do with standard Windows permissions in the same way as you would with PHP.
Using Helicon Zoo also provides better performance and stability, because each site is a completely isolated Java process and cannot affect your other Railo sites. Because each site is running as a separate process, each site also has its own memory heap all to itself, which can either be defined globally (e.g. 256mb for every site) or you can create completely separate JVM config settings for each individual site if you prefer.

One other advantage you get with running Railo as a process is that it shuts down when not in use to conserve system resources, as defined by your application pool settings. 
What this means is that if you have a site that is not very busy then Java/Jetty/Railo will only be loaded when required; if there is no further activity on your site for say 1 hour (depending on what you have defined in your app pool) then the Java process for this site will be unloaded.
The only caveat to this is that initial load time will be considerably slower each time Java has to load again, plus of course you use more memory as each site will require at least 128MB to run Railo.

cont......


New live CFML test console for ColdFusion and Railo

ColdFusion , Railo 13 Comments »

Last week while answering some coding questions on a discussion list I needed to post some example code, which meant if I wanted to test the code first then I needed access to a cf server. As I tend to do most of my list replies etc on my mobile device, I do not have a local CF installation to test with. 
With PC sales dropping and mobile devices sales far exceeding PC sales these days, I would imagine most other people are doing most of their community activity on their mobile device as well.

I then considered how often I have seen other devs posting code snippets and saying "this is not tested code as I do not have access to a cf/Railo  server right now", or the question is about Railo and you only have CF or vice versa, so it must be a fairly common scenario.

This made me think to myself "wouldn't it be handy if there was a web page I could go to where I could quickly just type some code into a form, submit it and the code would be executed and tell me if there were any errors and give me some debug output, surely someone has written such a tool?"
So I Googled it and was surprised that such a tool did not exist, that I could find, at least not for CF.

Well it seemed like such a simple app to write and it has been a long time since I did any coding as I simply do not get the time these days, so I thought I would do it myself, and here it is.

www.cflive.net

You can test code against both ColdFusion 9 and Railo simultaneously.
You can selectively enable debug output.
You can use virtually all CFML tags and functions, excluding file read/write and Java for obvious security reasons.
Your code is saved into a session and the form is automatically re-populated so you don't have to keep re-typing code.

Please give it a try and leave me some feedback, feel free to try and hack it and find any vulnerabilities or bugs, as long as you let me know about them.

Railo filling up my catalina folder with random folder names

Railo 3 Comments »

I recently upgraded a server to Railo 4 and noticed my catalina folder started to fill up with random folder names, e.g.

C:\railo\tomcat\conf\Catalina\acoaqnyfnl (or whatever the equivalent is on Linux)

Every time I checked back the number of randomly created folders had increased exponentially, I ended up with thousands of them before I found the cause. This can cause multiple issues if left to grow, affecting the performance of Railo and Tomcat and your server in general once you get seriously large numbers of files or folders.

I posted on Twitter a few times but unfortunately not one single person in the Railo community had a clue on this one so I was rather stumped initially.
Then it dawned on me, this folder normally only contains an entry/folder for each of your virtual hosts, so I went and checked another server and noticed that not only did it contain a folder for each virtual host, but also for any other domain alias that pointed at those virtual hosts, even if they were not defined in the server.xml.

Once I realised this then the reason why the folders were being created became obvious, any host header that is used to access any Railo site on your server will cause a new folder to be created in c:\railo\tomcat\conf\Catalina, at this point I don't actually know why this happens only that it does. Previously I thought that any aliases had to be defined in the virtual host config, but this is obviously not the case.

So the next question is why are all those host headers getting through?

This one was simple too, the default website on IIS is set to respond on <ALL Undefined> by default, meaning that it doesn't expect any host header and will display the default website for anything that points to any IP on the server if there is no other site with a valid entry for that host header. And of course Railo is installed to the default website as the default webapp.

So the next question was, why all the random folder names, which clearly were not normal host headers as they were not domain names. My first thought was that it could be bots trying to hack the server using randomly generated host names, so I checked my IIS logs and found a bunch of entries like this.

 

2013-02-06 07:08:10 W3SVC1 BTI-APP1 1.2.3.4 HEAD / - 80 – 5.6.7.8 HTTP/1.1 Mozilla/5.0+(Macintosh;+Intel+Mac+OS+X+10_8_2)+AppleWebKit/537.17+(KHTML,+like+Gecko)+Chrome/24.0.1312.57+Safari/537.17 - - kcqtvklylt 200 0 0 259 249 3430

As you can see the request was coming from a Mac and was using the host header "kcqtvklylt", which explains the folder names.

Whether this was dodgy or not I really could not tell; the logs did not show any specific filenames being requested or any query strings such as SQL injection, but I guess it certainly could be a trojan or malware of some sort scanning servers for open ports, which seems more likely than a hacker using a Mac :)

The solution was simply to put a host header on the default website to stop these requests even getting through the web server. Once I did that the problem went away and there were no more randomly created folders.

And the moral of this tale: if you are running Railo or anything else on Tomcat, always use host headers (bindings) for all your sites; do not have any set up to allow <all undefined> or "*" without any host header at all.
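
The log check described above, as an added example that is not part of the original post: this Python script reads an IIS W3C log using its #Fields header and counts requests whose host header (cs-host) matches none of the server's bindings. The ALLOWED_HOSTS names, the function names and the sample log lines are constructed for illustration, and it assumes cs-host is enabled in the site's logging fields.

```python
from collections import Counter

# Assumption: the host names bound to sites on this server (hypothetical values).
ALLOWED_HOSTS = {"www.example.com", "example.com"}

# Constructed sample log in W3C extended format; #Fields names the columns.
SAMPLE_LOG = """\
#Version: 1.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port c-ip cs-host sc-status
2013-02-06 07:08:10 192.0.2.10 HEAD / - 80 198.51.100.7 kcqtvklylt 200
2013-02-06 07:08:11 192.0.2.10 HEAD / - 80 198.51.100.7 acoaqnyfnl 200
2013-02-06 07:09:02 192.0.2.10 GET /index.cfm - 80 203.0.113.5 www.example.com 200
2013-02-06 07:09:40 192.0.2.10 GET / - 80 203.0.113.9 WWW.Example.com:80 200
2013-02-06 07:10:00 192.0.2.10 GET / - 80 203.0.113.9 - 400
"""


def normalise_host(value):
    """Lower-case the logged Host header and drop any :port suffix."""
    host = value.strip().lower()
    if host.startswith("["):            # IPv6 literal such as [::1]:80
        return host.split("]")[0] + "]"
    return host.rsplit(":", 1)[0] if ":" in host else host


def unexpected_hosts(log_text, allowed=ALLOWED_HOSTS):
    """Count (client IP, host) pairs for requests whose Host header is not bound."""
    fields, hits = [], Counter()
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]   # the column list can change mid-file
            continue
        if not line or line.startswith("#") or not fields:
            continue
        values = line.split(" ")
        if len(values) != len(fields):
            continue                    # truncated or malformed entry
        row = dict(zip(fields, values))
        host = normalise_host(row.get("cs-host", "-"))
        if host not in allowed:         # "-" means no Host header was logged
            hits[(row.get("c-ip", "-"), host)] += 1
    return hits


if __name__ == "__main__":
    for (ip, host), count in unexpected_hosts(SAMPLE_LOG).most_common():
        print(f"{count:5d}  {ip:15s}  {host}")
```

Each host it reports on a Tomcat-backed site corresponds to a folder that would appear under conf\Catalina, so an empty result after adding bindings confirms the fix.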

How to get around tag restrictions in MangoBlog editor

ColdFusion , Railo No Comments »

MangoBlog uses TinyMCE editor when adding/editing articles and pages, which by default will strip out certain tags, including iframe tags, which I needed for posting youtube videos.

The solution is actually very simple.

Open up the admin/editorSettings.cfm

and add the following line with any tags[parameters] you want to allow.

extended_valid_elements : "span[class|style],code[class],iframe[src|width|height|name|align|frameborder|scrolling]",

 

In addition if you have “script protection” enabled, then this will replace certain tags (such as iframe) with the text “InvalidTag”. Either your ColdFusion/Railo Admin has Enable Global Script Protection turned on or your Application has scriptProtect set to true. This would be set in either the CFAPPLICATION tag or the This scope of your Application.cfc file.

Below is the full code with my amendment.



<!-- TinyMCE --> 
<script type="text/javascript" src="assets/editors/tinymce_3/jscripts/tiny_mce/tiny_mce.js"></script> 
<script type="text/javascript"> 
    <mangoAdmin:Event name="beforeTinyMCEinit" /> 
    tinyMCE.init({ 
        mode : "specific_textareas", 
        editor_selector : "htmlEditor", 
        theme : "advanced", 
        plugins : "table,save,contextmenu,paste,noneditable,asffileexplorer", 
        entity_encoding : "raw", 
        theme_advanced_toolbar_location : "top", 
        theme_advanced_toolbar_align : "left", 
        theme_advanced_path_location : "bottom", 
        theme_advanced_buttons1 : "bold,italic,formatselect,styleselect,bullist,numlist,del,separator,outdent,indent,separator,undo,redo,separator,link,unlink,anchor,image,cleanup,removeformat,charmap,code,help", 
        theme_advanced_buttons2 : "", 
        theme_advanced_buttons3 : "", 
        paste_remove_spans: true, 
        extended_valid_elements : "span[class|style],code[class],iframe[src|width|height|name|align|frameborder|scrolling]", 
        theme_advanced_resize_horizontal : false, 
        theme_advanced_resizing : true, 
        relative_urls : false, 
        remove_linebreaks : false, 
        strict_loading_mode: tinymce.isWebKit, 
        document_base_url : "<cfoutput>#blog.getbasePath()#</cfoutput>", 
        <cfif len(currentSkin.adminEditorCss)><cfoutput> 
        content_css : "#blog.getbasePath()#skins/#blog.getSkin()#/#currentSkin.adminEditorCss#", 
        </cfoutput></cfif> 
        <mangoAdmin:Event name="tinyMCEinit" /> 
        <cfoutput> 
        plugin_asffileexplorer_browseurl : '#blog.getSetting('urls').admin#assets/editors/tinymce_3/jscripts/tiny_mce/plugins/asffileexplorer/fileexplorer.cfm', 
        plugin_asffileexplorer_assetsUrl:'#fileUrl#', 
        file_browser_callback : 'ASFFileExplorerPlugin_browse' 
        </cfoutput>, 
        onchange_callback: function(editor) { 
            tinyMCE.triggerSave(); 
            $("#" + editor.id).valid(); 
        } 
    }); 
    <mangoAdmin:Event name="afterTinyMCEinit" /> 
</script> 
<!-- /TinyMCE -->


Railo and Mura installers in WebsitePanel 2.0

News & Gossip , Railo , websitepanel 3 Comments »

I am currently beta testing the latest WebsitePanel 2.0 release, which has some great new features thanks to Helicon, who have contributed support for their ZOO engine. Helicon ZOO is what I currently use to provide Railo hosting over on cfmldeveloper.
Below are some videos showing the new features, which as you can see make installing Railo and Mura a cinch.
The new features will be available on CFMLDEVELOPER when the Beta is released and when our host BlueThunder do the upgrade.

Railo installer


Easily install Railo on your server via WebsitePanel.


Railo Project Template


Enable Railo on your website by installing a template project and enabling the Helicon Zoo module.


Mura Installer


Easily install Mura on your site via Microsoft Gallery installer.
