ColdFusion Muse

Dynamic Compression on ColdFusion 9 and IIS7

Maybe your already know that web servers can compress outgoing content. Compressed content arrives at the browser which decompresses it and is able to render it. This is all generally seamless to the user and results in a more effective use of bandwidth. Now, compressing static files (like .html files) is a no brainer for web servers. They simply pre-compress the files and store them in a file cache somewhere. When the original file is called for the web server serves up the compressed file instead.

Dynamic files are more problematic. There's no correlation between the file name and the buffered output of a ColdFusion page for example. Consider search results. One user might receive 10 results and another user might receive 10 completely different results. Still another user might receive 100 results. How is the web server supposed to compress that data? Like your app server it does it "on the fly". It waits for ColdFusion to return the response buffer, compresses the file in memory (as I understand it) and then outputs the buffer to the browser. At least that's the way it works in theory. In practice you might find that ColdFusion 9 and IIS 7 don't quite have this figured out yet.

Before I give you the blow-by-blow (and thankfully a solution) I want to make it clear that this problem and solution come to me by way of my good friend and colleague Vlad Friedman of Edgeweb Hosting. EdgeWeb consistently receives the highest possible reviews from its customers and Vlad is one of the brightest folks I know in our corner of the IT world. Now let's talk about our little problem shall we?


The Muse Visits EdgeWeb Hosting

On Monday and Tuesday of this week I was privilege to spend some time in Baltimore Maryland at the downtown location of EdgeWeb Hosting (EWH) - a hosting and data center services company owned and managed by Vlad Friedman. EWH specializes in ColdFusion hosting (although they have many other services by now). I've known Vlad for years through some mutual customers and through an email list on which we are both active participants, but I had never met him in person. Since I was doing some "emergency consulting" for a mutual customer I needed spend a day or two on site at EWH. Vlad was kind enough to show me around his data center and give me the "inside scoop" on the data center business.

The EdgeWeb data center is in a massive facility in the heart of Baltimore. EWH has redundant everything - including redundant power from separate substations, 4 way redundant UPS, and impressive cooling. The entire infrastructure has been recently designed from the ground up with the care and planning of a master craftsman. Vlad is understandably proud of the center and the staff he has assembled. I don't remember all the things he showed me but his networking topology uses the latest and greatest adaptive routing and his security setup (intrusion detection, audit control and the like) is state-of-the-art. I have visited a fair number of data centers but I was really impressed.

I was able to meet some of the EWH staff as well. His DBA and I spent some time gabbing about the differences between MSSQL 05 and MSSQL 08. His operations director is one of those IT pros who know exactly the questions that need asking. But I already knew that EWH has good staff. We have worked with his hosting support staff for years. We have a number of high profile customers hosted at EWH and we have always given the support staff high marks for their knowledge, practical know-how and alacrity. There is a reason they are often voted best in class for hosting and data center services.

On Tuesday evening Vlad took me to G & M restaurant for the best crab cakes I've ever had (and I am a crab cake lover). We had a great time telling our stories and filling up on crab and shrimp cocktail. As I told Vlad, it was the best meal I've had in many months - and of course a geek like the Muse thrives on conversations about hacking, retro computers, security vulnerabilities, and the business of IT. As is often the case when I meet someone who has built a thriving business I was able to glean many pearls of practical wisdom and advice that I hope will serve me well.

So here's a big thanks to Vlad and to EWH as well as a hearty recommendation. I hope they have a long run at the top of the hosting food chain.

Migrating XP Pro 32bit to Windows 7 Pro 64 Bit

This post is about the ins and outs of moving from XP Pro 32 bit to Windows 7 64 Bit. I just completed such a move and I have some tips for you that might save you hours of frustration. But before we begin let's get a couple things straight. First, this is not a post about the assets or shortcomings of Microsoft or it's products. Nor is this a forum for you Apple users to tell us all how superior you are because your box is shinier than ours. I actually love Apple products, but Apple users have been known to turn red and swell up like giant angry strawberries if you say anything positive about Microsoft. So if you are one of those folks who is going to have a stroke reading about someone actually choosing a Microsoft product, please stop reading now - or at least have emergency personnel standing by. On a side note, my next hardware project is building an Apple from an Intel box and off the shelf parts - same OS, less than half the cost. I'll write an article on that and hopefully sooth my Apple readers ruffled feathers (it probably won't be shiny though).

Meanwhile, let me first say that I was sad to see my XP pro box go. A computer is more than an OS to those of us in IT. We spend a lot of time and effort making it do things that "regular users" don't have to think about. My desktop XP Pro PC had more than 100 programs installed on it. Many of them I used regularly. I fully expected to have to reinstall numerous programs to insure full functionality. I also expected to have to abandon some items that would no longer work in my new environment. A year and a half ago I moved from one XP box to another using LapLink's PC Mover and it worked splendidly. This time, however, I was nervous about using PC Mover for 3 reasons:

  • I was moving from XP Pro 32 bit up 2 versions to Windows 7 64 bit (skipping Vista altogether).
  • My XP box had Office 2003 on it and I was putting Office 2007 in the new OS without an upgrade, yet I still wanted my outlook settings and email to migrate properly.
  • I was moving my login profile from a local account to a domain account.
I naturally assumed that I would have a great deal of work to do just to get the machine back to the functional state from which it started. Even with my reservations the LapLink docs seemed to indicate it was possible and could be successful so I decided to use the product anyway. Here is my story.


Address Resolution, Networking, and Cfdocument

Among the things that can befuddle even experienced developers, domain resolution ranks up at the top. Usually this is because we don't spend a lot of time worrying about resolution on our desktop or laptop or Iphone. DNS is an extremely mature technology and for the most part it just works with few issues. When it comes to a server however, there are several things that can trip up resolution. Without an understanding of exactly what is going on under the hood, you will find yourself destroying yet another keyboard with the ball of your fist as you shout "why won't you just work!"

Domain resolution comes into play on most ColdFusion applications, even if you don't think so. Among other things, resolution is important for:

  • Data Sources - how do you connect to an external server?
  • Ecommerce - how do you connect to a Gateway?
  • Web Services - how do you create your stub class?
So let's take a short journey down this path and see if we can uncover some of the general principles that will help us troubleshoot domain resolution issues.


Broken Remoote Desktop? Check Your Display Drivers

I confess I can't live without RDP (Remote Desktop Protocol). Coupled with a VPN it is an effective way to work from home on my high powered office workstation. In fact, on a recent road trip to St. Louis while my wife was driving, I used my Verizon Blackberry tethered to a laptop to connect to my VPN and RDP to my desktop at work. I managed to handle email and write most of an 8 page document. Such things were not even possible 3 or 4 years ago. Telling this to my mom and dad makes them think I'm Captain Kirk (I keep telling them that Picard is better - Kirk's screens and dials were all analog). I prefer RDP to everything else I've tried - including log me in, go to my pc, pcanywhere and VNC.

Anyway, Nicole (our creative director) and I had a similar problem. Her RDP stopped working completely after a windows update. For her, the login screen would not even appear - and no error either. It would just return to the host name box immediately. For me the login would appear and I enter my password to login - but then the process would lock up and I would have to wait a few minutes for the whole thing to time out without ever successfully getting in.

Googling around I found that a lot of folks had problems like this and their solutions seem to focus on display drivers (NVidia in particular). I have a 3 monitor setup and I use 2 NVidia cards - so this seemed likely to me. Checking with Nicole she too was using Nvidia drivers. To fix it, she downgraded her recent drivers one version. I took the opposite approach and simply "upgraded" my drivers to the next version - and that solved my issue.

When you think about it I suppose it makes sense that display drivers can cause RDP issues - since RDP renders the desktop for you. But it was not something on my radar. Now I have something to look for if it happens again.

Upload Problem Post-Mortem

We had a ticklish issue arise with a customers recently. We host an application for them that allows them to upload files. As they began to use the application more heavily they noticed that file uploads above a certain size were failing. The size was fairly modest. Uploads sized between 1 and 4 megs were simply timing out. We eventually came up with a solution, but not before some head scratching. Here is the play-by-play.


New Spam Bot Cracking Captcha Perhaps?

When I arrived at work this morning I found more than 280 spam links posted as comments to various entries on my blog. They were all for certain articles of clothing which shall remain nameless (but some of them are made for walking). Now occasionally, about 3 or 4 times a week, I'll see a single spammy comment posted and I just kill it - cased closed. The Captcha keeps out most automated spam, so I figure any spam I get is individuals paid to labouriously post links. This seemed like more than that - both in volume and in the systematic way it was perpetrated. I will be keeping a close eye on it - but it makes me wonder if there is a bot out there that has cracked my captcha.

Meanwhile, my sincerest apologies to anyone subscribed to any post of mine who had to suffer through these emails. The Muse will do what he can to make sure it is not a commmon occurance.

Certificate Renewal Follies in IIS 7

I have a few Win2008 servers under management and I had to renew a cert for one of them today. Now I confess this is the first time I had to do this particular task so there was some head scratching involved. I learned a number of things that might be of some use to you if you are up against this task. In this case I was renewing a Verisign cert. Here's what I learned.


Iframe Insertion on Index.* Home pages

There's a hack that's beginning to be active that targets pages named "index.*". Actually it sounds rather like an old hack that is resurfacing. Since many ColdFusion sites use this convention for the home page this attack tends to hit quite a few ColdFusion sites that are vulnerable. The attack appends a script like this one to the bottom of each "index.*" page:

<sc ript>
var applstrna0 = " ;
var applstrna1 = "rame src=http://***Domain Host Name****";
var applstrna2 = ".com/bb/faq.htm";
var applstrna3 = " width=100 height=0> ;
var applstrna4 = "frame>";
Please note that I have not included the actual url of this attack. The domain includes the string "said7". I am only making sure I mention said7 so that folks searching for info on this attack can find this specific post and possibly be helped. I have no wish to benefit the said7 effort and I hope they all get dysentery and spend the weekend in the latrine.

As you can see the script itself is pretty simple. It writes out an invisible Iframe to the bottom of the page. The target of the Iframe attempts to download a trojan or malware to the users machine. This attack is insidious and I have yet to discover the origin. But I do know a few things about it - and how to prevent it from continuing. One important thing to note, if you have this problem and Google indexes your sites and sees these pages they will flag your site. Browsers like Firefox use the Google service to throw up a big "malware" warning.

The following article details the attack and the notes I've gathered about it. Some day soon I hope to post a more definitive who, what, when and why post about it. To gather the following notes I'm indebted to the folks on the CF-Talk List (this thread), Nathan, Nick, Jason, Scott, Don and probably a few others I am forgetting. I can't give away too much info here - but please accept my thanks.


Coldfusion, SSL 3.0 and

I've been batting this around for a few days now. Recently, Mary Jo Sminkey of CF Webstore fame posted a note to an email list about the recent requirement by that incoming requests to their API use SSL 3.0. I confess to being unaware of the differences between SSL 2.0 and 3.0. So I set out to discover for myself. To start with SSL 2.0 uses weaker handshaking. A requesting client can, it seems, edit the list of preferences leaving the server no choice but to hand shake with the "lowest common denominator" cipher. There are some other issues as well dealing with how the packets are constructed etc. So the consensus is that SSL 2.0 is the weak sister and should be deprecated. For its part SSL 3.0 has been around for a decade or so and is widely supported.

The question is, will my CFHTTP calls from ColdFusion 6 or Coldfusion 7 still work when disables SSL 2.0? To answer this question I got some great help from Scott Krebs over at Edge Web. He dug out three or four URLs that were really helpful. I've included them at the bottom of this post. I also got some guidance from the Stephen Hawking of cryptography, Mr. Dean H. Saxe (the H is for Holy Cow he knows a lot). The answer is a qualified yes. Anyway, here's what I did to test while I wait for to get their act together and set up a test bed.


When Patches Attack

Last night I was sitting at home and using my VPN to dial into one of our servers (a Win2k3 server). I noticed that there were a couple of patches pending installation. Now as a rule I do not run every patch, nor do I ever let windows "manage" patching for me. Instead, I let windows download the patches and I choose when and what to install. Still, a couple of these patches were important security fixes (Usually a good idea) so I installed them. Now windows does not always require a reboot after patching, but sometimes it does, and yes it is one of the annoying things about Windows, so please don't use this post to comment on how much better Linux is than Windows or cheese or Santa Clause or sex or whatever. Anyway, this time it did ask and when I chose to restart things went "a bit wonky" as some of my UK readers might say.


Checking the Size of the Spool Directory on Windows

If you ever send out a few tens of thousands of messages using CF you know the spool directory can get pretty crowded. If you are like me you sometimes want to keep an eye on it as those messages clear out to make sure there is nothing funky going on. If you use Windows Explorer this can be a maddening experience. Windows doesn't just retrieve a count of files. It retrieves the entire file list and meta data and it redraws the explorer window. When you have 50k messages in the spool folder it can take 10 to 30 seconds just for Windows to refresh the count so you can know how many were added or deleted to the folder.

Instead, I use a little tool called "t4edirsize" from tools 4 Ever. I have a "show spool" batch file on my servers that looks like this:


t4edirsize.exe d:\cfusion8\mail\spool
The output gives me all sorts of information including the number of files in the directory - but it usually only takes 50-200 milliseconds to run. Tools 4 ever command line tools along with Sys-Internals tools (now owned by Microsoft) like "pslist" and "pskill" are essential to your arsenal as a troubleshooter.

Virtual Sites and "Host Headers" Explained

Some web developers never bother to learn the nitty gritty stuff that makes up the Internet. I've seen very bright programmers who don't know the difference between a GET request and a POST request (or why they should care). In your journey through the IT landscape it would behoove you to pick up a few tips on how the web actually works. In my view you should know the basics of how a web server and browser work together to deliver content. You should know how to setup a web site in IIS or Apache, and you should know when to use a GET and when to use a POST. It also wouldn't hurt to learn about IP addressing, routing, classless subnets, ARP Caching, application pools, JVM Garbage collection, the theory of relativity and the meaning of life.... but I digress.

Among the items I find myself explaining over and over is the concept of a "HOST Header" and how it's used on a web server. Like many of my blog posts this one is intended to help me so I can point to it and not have to repeat myself. Now to be fair, this topic is one I sometimes have to cover with customers and site owners who need to know the difference between a dedicated IP address and a "virtual site". Either way, here's a run down of "virtual sites" and "host headers".


Search Engine Safe URLs and Semantic Parameters

This topic crops up frequently in our line of work. Among the items that are often listed as important to search engines are "search engine safe" (SES) URLs. It has been pointed out that Google will index just about anything - including obscure looking URLs with cryptic parameters on them. Although this is true, we shall see that it does not exempt the developer from paying attention to the URL when he or she is thinking about search engine optimization. Let me explain.


Targeting Web Masters: Spamming's New Low

Fighting spam is a lot like those movies where blood sucking zombies just keep coming at you in a never ending supply of non-descript humanoids who want to eat your brain or take out your daughter. I can live with having to keep filters up to date. I know how to use SPF, Spam Assassin and client side filters like spambayes (check it out if you are an outlook user). I can even live with the bots constantly attacking my web forms and trying to hack them to send their own mail. But I think I have stumbled onto a technique that smacks of desperation.

Occasionally I view a stats report for my blog. I use Smarter Stats from "Smarter Tools". It's quite good and it gives me some excellent reporting options (I also love their "Smarter Mail" server). One of the reports I like to view is "referring sites". Mostly I'm just snooping to see if any CF big wigs like Ben Forta, Sean Corfield or Ray Camden have linked to my blog (we keep a bottle of champaigne on ice for those occasions). It is interesting to see all of the sites that are listed. All of our CF Webtools blogs are cross linked so I see them listed as I would expect. Google, MSN and Yahoo are all represented as are blog aggregators like fullasagoog and the old Macromedia weblog aggregator. Interestingly I see some international sites like and

All of these I can explain and understand how they arrived in my log files. But here's a couple I can't explain. There is a link to a site called "" - which I took to be another blog portal. When I went to the site it is actually a personal loan information site. A closer look discovered sites like "topsecuredloan","onlineapoker", "insurede" and others less benign. How are these particular referring sites getting into my log files? I have a couple of guesses.

My first guess has to do with email. If you are using a web based email client like Yahoo, and someone sends you an email with a link in it, when you click on the link the "referring site" is actually something like "". So perhaps these sites are showing up because someone is clicking on a link in a web based email client that uses that domain. I kind of find this explanation unlikely. Would anyone really be checkign their mail at a domain like I suppose if they were using a web host where it was set up that way it could happen.

My second guess is that someone clicked on a Google ad for Coldfusion Muse. I quickly went to my ad words account and verified that I am not set up to serve Google ads for my blog. We only serve ads for our main web site, CF Webtools.

There may be other explanations, but at least one that I can think of is that it is a new form of spam. It would be trivial to create a bot that issues web requests with a specific referrer. After all, adding your site as a referring site causes your link to show up in reports and sometimes someone (like myself) will click on it. Of course it would only target folks who are looking at web log reports. Can any muse readers provide any alternate theories? It certainly seems like an act of desperation - or perhaps just too easy to pass up. In any case, I'm off to apply for a 22% loan. Tata.

More Entries

Blog provided and hosted by CF Webtools. Blog Sofware by Ray Camden.