Entries for month: November 2012

The server lockdown guide for ColdFusion 10 is now available on the Adobe website. The ColdFusion 10 Server Lockdown Guide will help server administrators secure their ColdFusion 10 installations. You will also find several tips and suggestions intended to improve the security of your ColdFusion server. 

You can access the lockdown guide here.

While making a cfhttp call to a ColdFusion server, the Apache HttpClient library tries to generate a secure random number. This operation depends on the "entropy" of the system.

On Linux systems (mainly freshly installed ones), this operation has been observed to be quite time-consuming because the system "entropy" is apparently quite low. As a consequence, cfhttp calls will be slow.

Fortunately, for people who deploy ColdFusion 10 on Linux machines, this is not a reason to worry. Just do one of the following:

1. Set this system property on your JVM – if you are using a standalone CF installation, you would set it in jvm.config.



2. In the $JAVA_HOME/jre/lib/security/java.security file, change the value of securerandom.source to file:/dev/./urandom


You can also refer to this post by Shilpi from the ColdFusion team, which talks about this issue.



The ColdFusion 10 Update 5 is now available for install within your administrator. Update 5 is a security update that resolves a vulnerability affecting ColdFusion on Windows Internet Information Services (IIS), which could result in a Denial of Service condition. Adobe recommends users update their product installation.

Refer to the security bulletin for all the associated details.

Replacing JRun with Tomcat is a fundamental change in ColdFusion 10, and with that come the new connectors for IIS and Apache. That also makes it very important to know the different configuration options available for the connectors, as an incorrectly configured connector can easily lead to “Service Not available” or “Server is too busy” errors for your site.

During IIS connector configuration, the user can choose to configure the connector for individual sites or for “ALL” sites.

When the connector is configured for individual sites, a separate connector for each site is placed under {CF-Home}/config/wsconfig/{some no}/. Similarly, for the “ALL” configuration the connector is configured at the global level, which means the same connector binary is used across multiple sites.

In most cases, server administrators choose to configure the connector for “ALL” sites, as it is very convenient.

In this blog post we will talk about the parameters that need to be tuned appropriately to make the CF connector work flawlessly.

I will be covering the three most important parameters, which decide the scalability of the connector.

  • Reuse Connections
  • Connection pool size
  • Connection pool timeout

There are other parameters which the CF connector inherits from the Tomcat AJP connector. Details of those settings are in the AJP documentation (http://tomcat.apache.org/connectors-doc/reference/workers.html).

Connection pool size: - This setting determines the maximum number of connections that can be created in the connection pool. When multiple requests arrive at the connector from IIS, the connector creates new connections in the connection pool only if there are no free connections available in the pool. The connector will not create a new connection once the number of connections reaches the connection pool size limit.

Re-use connections: - This setting determines the count of connections that can be re-used. When the Tomcat connector makes a connection with the Tomcat server, it does not close the connection even after it has finished serving the request. Instead it keeps the connection alive, so that the same connection can be re-used for the next request. This increases performance by minimizing the overhead of creating a new connection with the Tomcat server for every request.

Note: - The default re-use connection count is the same as the connection pool size, which is 200.

Connection pool timeout: - This setting determines the timeout value (in seconds) for idle connections in the connection pool. This value must be in sync with the connectionTimeout attribute of your AJP connector in Tomcat's server.xml.

Let us discuss in more detail how these 3 parameters can be tuned properly to make your server work well under varying load.

1.       Connection pool size: - When the connector is configured for “ALL” sites, the same connection pool is used to serve the requests for all sites. So the default value of the connection pool size works well with a single-site configuration, but fails to work well with the “ALL” sites configuration in some scenarios. Hence this value should be increased carefully, based on the need and the number of sites that are present in IIS.

2.       Max Re-use connections: - This setting needs to be used for a connector configured with multiple sites. The max value for re-use connections is determined by the number of sites configured with the same CF server and the load on each site.

Let us consider a use case where site 1 is configured with a CF server and site 2 is also configured with the same CF server. By default each connector will have 200 re-use connections.

Now consider that site 1 is running under heavy load and makes all 200 re-usable connections with the CF server. The CF server is now left without any new connection in its connection pool, hence any request for a new connection from site 2 will be ignored by the CF server.

Hence it is required to set the site 1 re-use connection count to an optimal value, so that site 2 does not starve for new connections. This can be achieved by configuring an optimal value for the max re-use connection count.

For the above use case, if site 1 is allowed to use 100 re-usable connections, there will be 100 more connections available for site 2 in the Tomcat server connection pool.

3.       Connection pool timeout: - This timeout value helps in recycling re-used connections when they have not been used for a long time. This proves very useful when sites run under varying load and improves overall server performance. By default, the timeout for connections is indefinite.

Below are the steps to follow to configure the above parameters:

  • Open the worker.properties file (inside the connector installer folder) and add the line below as a new entry: worker.cfusion.connection_pool_size = 500 (this is the connection pool size inside the connector, i.e. the connections available to handle requests).
  • Add another entry on a new line: worker.cfusion.connection_pool_timeout = 60 (this value is the idle connection timeout; when sites are not under load, connections will be recycled back to IIS).
  • Tune the entry for max_reuse_connections to an appropriate value based on the number of sites. The optimal value is connection_pool_size / {no of sites}.
  • Now open server.xml from {cf-home/cfusion/runtime/conf} and add or update maxThreads="500" and connectionTimeout="60000" on the Connector node containing the AJP entry. The AJP entry in server.xml should now look like: <Connector port="8012" protocol="AJP/1.3" redirectPort="8445" tomcatAuthentication="false" maxThreads="500" connectionTimeout="60000"></Connector>
  • Restart IIS and the ColdFusion server for the above changes to take effect.
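The consistency rules from the steps above can be checked mechanically before the restart. The following is an added example, not code from the original post or from Adobe: the sample file contents are constructed from the values in the steps, and the function names and the full key worker.cfusion.max_reuse_connections (the post names only max_reuse_connections) are assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed sample inputs using the values from the steps above.
WORKER_PROPERTIES = """\
worker.cfusion.connection_pool_size = 500
worker.cfusion.connection_pool_timeout = 60
# Assumed full key; the post names it only as max_reuse_connections.
worker.cfusion.max_reuse_connections = 250
"""
SERVER_XML = """\
<Server><Service name="Catalina">
  <Connector port="8012" protocol="AJP/1.3" redirectPort="8445"
             tomcatAuthentication="false" maxThreads="500"
             connectionTimeout="60000"/>
</Service></Server>
"""

def parse_properties(text):
    """Parse key=value lines, skipping blank lines and # comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            props[key.strip()] = value.strip()
    return props

def check_connector(worker_text, server_xml, sites, worker="cfusion"):
    """Return a list of findings; an empty list means the settings agree."""
    props = parse_properties(worker_text)
    def get(name, default):
        return int(props.get(f"worker.{worker}.{name}", default))
    pool = get("connection_pool_size", 200)         # default per the post
    reuse = get("max_reuse_connections", pool)      # defaults to pool size
    timeout_s = get("connection_pool_timeout", 0)   # 0 = not set (indefinite)
    ajp = [c for c in ET.fromstring(server_xml).iter("Connector")
           if c.get("protocol", "").startswith("AJP")]
    if not ajp:
        return ["no AJP connector in server.xml"]
    max_threads = int(ajp[0].get("maxThreads", 200))  # Tomcat default is 200
    timeout_ms = int(ajp[0].get("connectionTimeout", 0))
    findings = []
    if timeout_s * 1000 != timeout_ms:   # seconds on one side, ms on the other
        findings.append(f"timeout mismatch: {timeout_s}s vs {timeout_ms}ms")
    if pool > max_threads:               # connector pool larger than Tomcat's
        findings.append(f"pool size {pool} exceeds maxThreads {max_threads}")
    if reuse * sites > pool:             # one busy site could starve the rest
        findings.append(f"{sites} sites x {reuse} reuse exceeds pool {pool}")
    return findings
```

With the sample values, two sites pass cleanly; adding a third site without lowering max_reuse_connections is reported as a starvation risk.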

I am pleased to announce a brand new community driven training program for ColdFusion - Learn CF in a week!

It is great to see Learn CF In a Week live from what started out as a conversation about training resources for ColdFusion between Simon and me at cf.Objective() this year.

Huge shout-out to Simon Free and other community experts for making this happen. I would like to call out all contributors from the community for this training program that walks you through various concepts of ColdFusion as you build a fully functional ColdFusion website:

• Emily Christiansen
• Tim Cunningham
• David Epler
• Sam Farmer
• Dave Ferguson
• Simon Free
• Paul Hastings
• Guust Nieuwenhuis
• Dan Skaggs
• Nic Tunney
• Adam Tuttle
• Dan Wilson
• Mark Esher
• Kristin Ferguson
• Tiffany Goebel
• Nick Borden
• Jim Priest

Go try out the training for yourself! And help spread the word!