New live CFML test console for ColdFusion and Railo

ColdFusion , Railo 13 Comments »

Last week, while answering some coding questions on a discussion list, I needed to post some example code, which meant that if I wanted to test the code first I needed access to a CF server. As I tend to do most of my list replies etc. on my mobile device, I do not have a local CF installation to test with.
With PC sales dropping and mobile devices sales far exceeding PC sales these days, I would imagine most other people are doing most of their community activity on their mobile device as well.

I then considered how often I have seen other devs posting code snippets and saying "this is not tested code as I do not have access to a CF/Railo server right now", or the question is about Railo and you only have CF or vice versa, so it must be a fairly common scenario.

This made me think to myself: "wouldn't it be handy if there was a web page I could go to where I could quickly just type some code into a form, submit it, and the code would be executed and tell me if there were any errors and give me some debug output? Surely someone has written such a tool?"
So I Googled it and was surprised that no such tool existed, at least none that I could find for CF.

Well, it seemed like such a simple app to write, and it has been a long time since I did any coding as I simply do not get the time these days, so I thought I would do it myself, and here it is.

www.cflive.net

You can test code against both ColdFusion 9 and Railo simultaneously.
You can selectively enable debug output.
You can use virtually all CFML tags and functions, excluding file read/write and Java, for obvious security reasons.
Your code is saved into a session and the form is automatically re-populated so you don't have to keep re-typing code.

Please give it a try and leave me some feedback, feel free to try and hack it and find any vulnerabilities or bugs, as long as you let me know about them.

CFIMAGE "Unable to create temporary file" error

ColdFusion No Comments »

Ever get the above error when trying to use CFIMAGE to resize images?

The cause is related to running security sandboxes and not running CF under the SYSTEM account.

If you are running a standard out of the box installation of ColdFusion which is running under the SYSTEM account by default, then CFIMAGE will use c:\windows\temp for creating its temp files, and that is the path you would need to put in your sandboxes.
But if you are running ColdFusion under a dedicated user account (as you should be), then CF will instead use that user's temp folder.

e.g.

If your ColdFusion service runs under a user called "coldfusion", then the temp path will be

c:\users\coldfusion\AppData\Local\Temp

So if you use security sandboxes then you need to add the following paths to your security sandbox.

c:\users\coldfusion\AppData\Local\Temp\
c:\users\coldfusion\AppData\Local\Temp\-

If you are not sure what temp path is being used, run the following bit of code on a CFM page to find out.

<cfscript>
// java.io.tmpdir is the JVM temp directory, which is where CFIMAGE writes its temporary files
writeoutput("Temp Dir : " & createobject("java","java.lang.System").getProperty("java.io.tmpdir"));
</cfscript>


Obviously we use security sandboxes on our servers and we also lock down ColdFusion. If you do not do either of those things then you probably will never have this issue, but then you will probably have a hacked server anyway, so this would be the least of your worries.

Using IIS to generate SSL and private key for use on Linux Systems

Windows 2008 Server , Windows 7 1 Comment »

This week I needed to renew the SSL certificate for our OpenVPN server. The process according to the docs required using OpenSSL to generate a private key, which is then used to generate a CSR, which is then used to register your SSL certificate; you then need the certificate (CRT) file, a CA bundle (crt) file, and a private key (pem) file to install on the OpenVPN server.

Now I am used to dealing with Windows and IIS, and dealing with SSL is a breeze on Windows, but as is usually the case when it comes to Linux, simple tasks like this suddenly become 10x more work, and as my Linux skills are almost zero that made the task even more arduous.

I had a go at doing everything with OpenSSL but ended up generating invalid SSL certs that did not work. So I then thought to myself, why not just use IIS to generate the CSR and get the SSL cert, and then export it from there into a format I can use on Linux? This seemed like it would be a much quicker solution, and it was; here are the steps.

Using IIS7 on any machine, generate your CSR in the usual way, I did this on my local Windows 7 machine.

[screenshot: generate_csr]

Now take your CSR and register your SSL certificate in the usual way. When you get it back, install it in IIS from the same section as above using "Complete Certificate Request".

Once you have your SSL installed in IIS, you now need to export the SSL and the private key as a pfx file.

Open MMC.exe and add the Certificates snap-in, then browse to Personal > Certificates and export your SSL cert.


Choose to export the private key and include all certificates.


Your private key password is the Windows password of the account you are currently logged in with.

For Windows systems this PFX file will be everything you need; however, on Linux systems (such as OpenVPN) you will need separate private key and certificate files.

This is where you need to use OpenSSL.

Using the command line

Export the private key file from the pfx file

openssl pkcs12 -in filename.pfx -nocerts -out key.pem

Export the certificate file from the pfx file

openssl pkcs12 -in filename.pfx -clcerts -nokeys -out cert.pem

Remove the passphrase from the private key

openssl rsa -in key.pem -out server.key

Using XCA GUI

XCA is a handy GUI for OpenSSL; you can download it here: http://sourceforge.net/projects/xca/

On the Private Keys tab choose "Import PFX", this will import everything from your PFX file.

Now select your newly imported private key, and click export to get your PEM file.

Now select your certificate and export that in the required format, although in most cases the certificate file you received from the CA will be sufficient.
If you need a CA bundle, then export all the certs from the root, or use the intermediate cert you would have received from the CA.

Restricting access to your website admin by IP address

WEBBY STUFF , Windows 2008 Server 1 Comment »

Whether you are using a CMS or blogging app such as WordPress, Joomla, Drupal, or even a custom built app, then you likely have an admin system to manage your website and its content.

The problem is that hackers know this too, and they know that in most cases your admin will reside at www.yoursite.com/admin, so they regularly attack this URL with brute-force password attacks or a bit of SQL injection. Unless you have logs you regularly monitor or a failed-login notification system, you will be completely oblivious to this. Many people get hacked and do not realise until months later that malware has been inserted into their site and is trying to infect all their website visitors, and worse, that their site has been blacklisted/blocked as a malware site or that all their customer data has also been stolen.

Now at least with off-the-shelf open source apps like WordPress et al. you have the advantage that you can easily update to the latest version and thus plug any known security issues or vulnerabilities that arise, but with a custom-built app you do not have this luxury, and you will remain oblivious to any security holes in your app until it is too late.

The best solution is to add IP address restrictions to your admin folder so that only authorised people can access it.

With Apache

How to do this with Apache is pretty common knowledge: you simply use your .htaccess file, so I won't bother covering that here. For those that do not know, here are a couple of links showing you how to get it done.

With Microsoft IIS

However doing this with Microsoft IIS is less common knowledge and if you are on shared hosting you likely have no idea how to do it at all and probably do not have access either.

By default on IIS, IP address restrictions must be done via the IIS Management interface, and you need to install the "IP Security" feature; instructions on how to do that can be found HERE. If you are on a shared host you may need to ask them whether they have this installed, and if not, ask them to install it.
But even with this installed you are still restricted to doing the IP address restrictions via the MMC (see previous link), which means you need direct access to the server. One thing this lacks is the ability to add comments to specify who an IP address belongs to, which is very important if you want to allow an IP address temporarily or want to keep track of who each IP belongs to.

What you really want is to be able to add these IP restrictions in your web.config, so you can also add comments next to each entry and so that you do not have to log in to the server and use the MMC, Apache .htaccess style.
The good news is that you can do this; all you have to do is enable the ipSecurity override in your ApplicationHost.config. For those that do not know, ApplicationHost.config is where IIS stores its global settings (such as default documents and handlers) and those which are not managed via the web.config by default.

To edit this file go to C:\Windows\System32\inetsrv\config and open applicationhost.config in your favourite text editor.

NOTE: On a 64-bit OS you need to use a 64-bit text editor, otherwise it will not be able to open the 64-bit version of this file and will instead open an alternate copy (a 32-bit process is redirected to a separate copy of this file), which is not the one in use. I discovered this after many hours of head scratching, as I always used Notepad++ by default, which is only a 32-bit editor.

Now find the following section:-

<section name="ipSecurity" overrideModeDefault="Deny" />

And change the "Deny" to "Allow". If you are on a shared host, you will need to ask them to make this change, there is really no reason for them to not allow this.

You can now use your web.config file to manage IP address restrictions.

How it's done
Example IP address restrictions. Comments are enclosed in <!-- --> and are not required, but I suggest you use them to record which IP is there for what reason.

  • Allow all, but block specific IPs or networks
    <security>
       <ipSecurity allowUnlisted="true">    <!-- this line allows everybody, except those listed below -->
           <clear/>     <!-- removes all parent restrictions -->
           <add ipAddress="83.116.19.53"/>     <!-- blocks the specific IP of 83.116.19.53 -->
           <add ipAddress="83.116.119.0" subnetMask="255.255.255.0"/>     <!-- blocks network 83.116.119.0 to 83.116.119.255 -->
           <add ipAddress="83.116.0.0" subnetMask="255.255.0.0"/>     <!-- blocks network 83.116.0.0 to 83.116.255.255 -->
           <add ipAddress="83.0.0.0" subnetMask="255.0.0.0"/>     <!-- blocks entire /8 network of 83.0.0.0 to 83.255.255.255 -->
       </ipSecurity>
    </security>
  • Deny all, but allow specific IPs or networks
    <security>
        <ipSecurity allowUnlisted="false">    <!-- this line blocks everybody, except those listed below -->
            <clear/> <!-- removes all parent restrictions -->
            <add ipAddress="127.0.0.1" allowed="true"/>    <!-- allow requests from the local machine -->
            <add ipAddress="83.116.19.53" allowed="true"/>   <!-- allow the specific IP of 83.116.19.53 -->
            <add ipAddress="83.116.119.0" subnetMask="255.255.255.0" allowed="true"/>   <!-- allow network 83.116.119.0 to 83.116.119.255 -->
            <add ipAddress="83.116.0.0" subnetMask="255.255.0.0" allowed="true"/>   <!-- allow network 83.116.0.0 to 83.116.255.255 -->
            <add ipAddress="83.0.0.0" subnetMask="255.0.0.0" allowed="true"/>   <!-- allow entire /8 network of 83.0.0.0 to 83.255.255.255 -->
        </ipSecurity>
    </security>
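
The rule semantics in the two examples above (an <add> entry denies unless it carries allowed="true", and any client that matches no entry falls back to allowUnlisted) are easy to get backwards, and a typo in an address or mask only shows up once the file is live. The Python below is an added example, not the blog's or IIS's own code: it parses the <ipSecurity> section out of a web.config and answers "would this client be allowed?" so a file can be checked offline before it is dropped into the admin folder. The two embedded web.config fragments are constructed, the IP addresses are the illustrative ones from this post, and first-match precedence between overlapping entries is an assumption (keep entries non-overlapping, as the examples do).

```python
"""Offline evaluator for IIS <ipSecurity> rules in a web.config (added example)."""
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample: "allow all, but block specific IPs or networks".
ALLOW_ALL_CONFIG = """<?xml version="1.0"?>
<configuration>
  <system.webServer>
    <security>
      <ipSecurity allowUnlisted="true">
        <clear/>
        <add ipAddress="83.116.19.53"/>                            <!-- block one IP -->
        <add ipAddress="83.116.119.0" subnetMask="255.255.255.0"/> <!-- block a /24 -->
      </ipSecurity>
    </security>
  </system.webServer>
</configuration>
"""

# Constructed sample: "deny all, but allow specific IPs or networks".
DENY_ALL_CONFIG = """<?xml version="1.0"?>
<configuration>
  <system.webServer>
    <security>
      <ipSecurity allowUnlisted="false">
        <clear/>
        <add ipAddress="127.0.0.1" allowed="true"/>                               <!-- local machine -->
        <add ipAddress="83.116.19.53" allowed="true"/>                            <!-- office (hypothetical) -->
        <add ipAddress="83.116.119.0" subnetMask="255.255.255.0" allowed="true"/> <!-- VPN range (hypothetical) -->
      </ipSecurity>
    </security>
  </system.webServer>
</configuration>
"""


def load_rules(config_xml):
    """Return (allow_unlisted, [(network, allowed), ...]) parsed from a web.config string.

    Raises ValueError for a missing section or a malformed address/mask, which is
    exactly the kind of typo you want to catch before the file goes live.
    """
    root = ET.fromstring(config_xml)
    ipsec = root.find("./system.webServer/security/ipSecurity")
    if ipsec is None:
        raise ValueError("no <system.webServer>/<security>/<ipSecurity> section found")
    # IIS defaults: allowUnlisted="true", allowed="false", subnetMask="255.255.255.255"
    allow_unlisted = ipsec.get("allowUnlisted", "true").lower() == "true"
    rules = []
    for add in ipsec.findall("add"):
        ip = add.get("ipAddress")
        mask = add.get("subnetMask", "255.255.255.255")
        allowed = add.get("allowed", "false").lower() == "true"
        # strict=False lets a host address carry a netmask without complaint
        rules.append((ipaddress.ip_network(f"{ip}/{mask}", strict=False), allowed))
    return allow_unlisted, rules


def is_allowed(config_xml, client_ip):
    """Decide whether client_ip may reach the directory protected by this web.config."""
    allow_unlisted, rules = load_rules(config_xml)
    addr = ipaddress.ip_address(client_ip)
    for network, allowed in rules:
        if addr in network:      # first matching entry decides (assumption, see lead-in)
            return allowed
    return allow_unlisted        # nothing matched: fall back to allowUnlisted


if __name__ == "__main__":
    samples = ("127.0.0.1", "83.116.19.53", "83.116.119.200", "83.116.120.1", "8.8.8.8")
    for label, cfg in (("allow-all", ALLOW_ALL_CONFIG), ("deny-all", DENY_ALL_CONFIG)):
        for ip in samples:
            verdict = "allow" if is_allowed(cfg, ip) else "deny"
            print(f"{label:9s} {ip:16s} -> {verdict}")
```

Run it before copying a web.config onto the server and compare the verdicts for your own address and for a random outside address; a "deny-all" file that lets 8.8.8.8 through, or an "allow-all" file that locks out 127.0.0.1, is a sign the allowed attribute or allowUnlisted has been flipped. Because ipaddress refuses malformed values, a mistyped octet or subnet mask fails here rather than silently opening the admin folder.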

Using IP Address Restrictions
  • Use a text editor to create a file named web.config
  • Save the web.config file with the appropriate content
  • Place the web.config file in the directory that you wish to protect

Detailed web.config content
  • If there isn't an existing web.config in the directory, your new web.config should look something like this
    <?xml version="1.0"?>
    <configuration>
       <system.webServer>
          <security>
            <ipSecurity allowUnlisted="true">    <!-- this line allows everybody, except those listed below -->
               <clear/> <!-- removes all parent restrictions -->
               <add ipAddress="83.116.19.53"/>   <!-- block one IP -->
               <add ipAddress="83.116.119.0" subnetMask="255.255.255.0"/>   <!-- block network 83.116.119.0 to 83.116.119.255 -->
            </ipSecurity>
          </security>
       </system.webServer>
    </configuration>
  • If there is an existing web.config without a <system.webServer> section, your new web.config should look like this
    <?xml version="1.0"?>
    <configuration>
       <system.web>
         .. existing text ..
         .. existing text ..
       </system.web>
       <system.webServer>
          <security>
            <ipSecurity allowUnlisted="true">    <!-- this line allows everybody, except those listed below -->
               <clear/> <!-- removes all parent restrictions -->
               <add ipAddress="83.116.19.53"/>   <!-- block one IP -->
               <add ipAddress="83.116.119.0" subnetMask="255.255.255.0"/>   <!-- block network 83.116.119.0 to 83.116.119.255 -->
            </ipSecurity>
          </security>
       </system.webServer>
    </configuration>
  • If your existing web.config already has a <system.webServer> section, just add the <security><ipSecurity> section inside it
    <?xml version="1.0"?>
    <configuration>
       <system.web>
         .. existing text ..
         .. existing text ..
       </system.web>
       <system.webServer>
          <security>
            <ipSecurity allowUnlisted="true">    <!-- this line allows everybody, except those listed below -->
               <clear/> <!-- removes all parent restrictions -->
               <add ipAddress="83.116.19.53"/>   <!-- block one IP -->
               <add ipAddress="83.116.119.0" subnetMask="255.255.255.0"/>   <!-- block network 83.116.119.0 to 83.116.119.255 -->
            </ipSecurity>
          </security>
       </system.webServer>
    </configuration>

solving the unemployment benefits saga

Jibber Jabber , Kids & Parenting 4 Comments »

My wife and I were discussing all these unemployment benefit issues that the government keep moaning about but failing to solve, and to us the solution seems quite simple. So I thought I would blog it and see what others think.

Specifically we were discussing the issues where people are just abusing the benefits, such as benefit fraud, lazy slackers who cannot be bothered to get a job and are happy to just live on benefits, and people wasting their benefits on drugs and alcohol. The last one could equally apply to those who have a legitimate reason to be on benefits, as much as it does to the slackers, such as those who lost their jobs and are sinking into depression, or students who are at college etc. Many, many years ago when I was at college and claiming benefits my lifestyle was probably the same as most people's: I would get my money each fortnight and pretty much spend most of it on beer and cigarettes, so I do know how it works.

Most of the problems stem from the fact that people get cash in hand, which they are then free to blow on whatever they wish, or simply pocket in the case of the fraudsters.
This is where we think the solution is actually quite simple, all you really need to survive food in your cupboards and your bills paid, so instead of paying out cash each week/fortnight, give out vouchers which can be redeemed in all the supermarkets, with energy suppliers, at the post office, whsmiths, bus and train stations etc, this covers all the bases. You can buy food, pay your bills and generally survive, you can buy stamps, paper etc for sending out resumes and applying for jobs and travel to interviews.
Or alternately, a benefits credit card, which gets topped up each fortnight and which you can use in approved stores like a normal debit/credit card.

The trick is then to have restrictions on what these vouchers or cards can be used for in the shops. So you cannot buy cigarettes or alcohol, cannot exchange them for cash, and clearly won't be able to buy any drugs. Suddenly being on benefits is not the easy life anymore, as you can no longer do whatever you like.

Sure, we all know the real hard-core criminals will find a way to profit from this, but for the average Lazy Joe, being on benefits just got a whole lot less appealing; the low-end fraudsters who are signing on in 5 different names are no longer making any cash out of it, and the rest of the legitimately unemployed will no longer be able to give in to temptation or depression and waste their money on booze and cigs, and may just find the incentive to get out of their rut.
Also consider those unworthy parents who choose to buy cigs, drugs and booze over food and nappies for their babies; they would no longer have this option, thus improving the lives of those poor children and reducing the chances of some horrible fate befalling them, such as being beaten to death by a drunken parent, starving to death, or being left for days in dirty nappies to get horrible painful infections.

If I was in that position I would be far more likely to be responsible and go and get even a crappy part-time job that I wasn't prepared to do before, just so I can have some actual cash in my pocket.

Clearly there is some cost involved to implement such a solution, but we think the savings would outweigh the cost in no time, and let's be honest, the govt waste money on stupid freaking ideas all the time.
