Tuesday, May 24, 2016

ColdFusion 10+, IIS 7+, Custom Errors and a little thing called TrySkipIisCustomErrors

Today as I was debugging some issues that FuseGuard allowed me to see, it appeared that on my IIS Server my custom error page was being rendered after the IIS error page.

At first I was confused as I know I can control my 404 as I had set it properly in my Web.Config file as such:
<httpErrors existingResponse="Auto">
 <remove statusCode="404" subStatusCode="-1" />
 <error statusCode="404" path="/?action=main.404" responseMode="ExecuteURL" />
</httpErrors>
With the existingResponse attribute set to "Auto", it leaves the response untouched only if the SetStatus flag is set. I thought that meant that as long as I set it in ColdFusion, it would skip trying to show the IIS error page. Now, not to confuse further, the settings above worked for my 404s because I was removing how the server handled it and applying my own ExecuteURL setting. The issue was when I was trying to do a custom 503 (as FuseGuard shows when a request is blocked).

Now there is a value of PassThrough that can be set for existingResponse and it would work, but the problem here is that if you have, let's say, a RewriteRule that blocks a request and sets it as a 503, nothing displays. So this was not going to work for me in that scenario.

More on IIS Custom Errors

Here is where TrySkipIisCustomErrors comes into play. Basically, for existingResponse="Auto" to work properly we must be able to set Response.TrySkipIisCustomErrors to true, but there is no way to do this in ColdFusion; trust me, I tried hacking at it using getPageContext(). So then I started to google and, alas, there is a fix now for some of us.

While the solution can be found in either of the 2 following posts, you still have to search within the content to find it so I thought I would just show you and hopefully make future google searches a little easier.


As of ColdFusion 10 Updater 18 and ColdFusion 11 Updater 7 there is a new setting that you can find in your isapi_redirect.properties file for your connector that is called iis_skip_custom_errors_enable which defaults to false. Go into that file or files (if more than one connector) and set it to true. Restart your IIS site (ColdFusion does not have to be restarted) and like magic it all works now.
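The edit described above can be applied to every connector in one pass. This is an added example, not part of the original post or Adobe's tooling; the function name and the -ConnectorRoot parameter are hypothetical, and you pass the folder that holds your own connector directories.

```powershell
# Added example. Finds every isapi_redirect.properties under -ConnectorRoot
# (an assumption: the folder containing your connector directories), backs it up,
# and sets iis_skip_custom_errors_enable to true. Run elevated; try -WhatIf first.
function Enable-IisSkipCustomErrors {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string]$ConnectorRoot)

    $key   = 'iis_skip_custom_errors_enable'
    $files = Get-ChildItem -LiteralPath $ConnectorRoot -Recurse -File -Filter 'isapi_redirect.properties'

    foreach ($file in $files) {
        $lines = @(Get-Content -LiteralPath $file.FullName)
        $found = $false

        # Rewrite an existing entry in place; every other line is kept as-is.
        $updated = @(foreach ($line in $lines) {
            if ($line -match "^\s*$key\s*=") { $found = $true; "$key=true" }
            else { $line }
        })
        # If the key is absent from the file, append it.
        if (-not $found) { $updated += "$key=true" }

        $needsChange = ($updated -join "`n") -ne ($lines -join "`n")
        $written     = $false
        if ($needsChange -and $PSCmdlet.ShouldProcess($file.FullName, "set $key=true")) {
            # Keep a copy of the original next to the file before overwriting it.
            Copy-Item -LiteralPath $file.FullName -Destination "$($file.FullName).bak" -Force
            Set-Content -LiteralPath $file.FullName -Value $updated
            $written = $true
        }
        [pscustomobject]@{
            File          = $file.FullName
            KeyWasPresent = $found
            NeedsChange   = $needsChange
            Written       = $written
        }
    }
}

# Example call with a placeholder path:
# Enable-IisSkipCustomErrors -ConnectorRoot 'D:\path\to\connector\config' -WhatIf
```

Restart the IIS site afterwards, as the post says, so the connector re-reads the file.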

To get a visual of what I am talking about below is a before and after of what my 503 page was coming up like.



And since the setting is set to Auto, if nothing is set by ColdFusion, like one of my RewriteRules which blocks access to a certain directory, then the default IIS page is displayed as such.

Wednesday, May 11, 2016

ColdFusion 11 Update 8 is out now!

A new update is available for ColdFusion 11 which includes the following changes:

  • Tomcat upgrade to 7.0.68
  • Addresses a vulnerability mentioned in the security bulletin APSB 16-16.
  • Several important bug fixes for security, language, AJAX, and other features.

For me specifically, this fixes the CachedWithin bug with QueryExecute() where it ignored it.

All the bugs fixed can be found here.

ColdFusion 11 Update 8

Monday, May 09, 2016

ColdFusion IIS 10 HTTP/2 - Safari Bug

For a while I have been dealing with a bug that I had no idea how to even explain to the ColdFusion team and after telling them several times about it, nothing was ever resolved. Today though, I believe there is enough to show how and why this is occurring and only with Safari.

On Windows 10 running IIS 10, the HTTP/2 protocol is enabled by default and all you need to do to take advantage of it is have your site served over HTTPS. Believe it or not it is actually that simple.

The Bug
So when I would browse my site on any browser I would see that the connection was downgraded to http/1.1 which is absolutely ok and the site would still render, but when I would try it on Safari it would just go into an endless loop causing a lot of connections opening up on the server. I have to give it to Fusion-Reactor here because it was what allowed me to easily see this in action the first time.

Why it was a problem for me
Now any other day, because this is my dev box it would not matter but on this particular dev box, I needed to test a Cordova App I built that is pointing to a Webserver and although it worked on production when I pointed it to my dev box it would just never render. So I then tried to open in Safari on my desktop (because we know it is iOS Safari on the phone) to see what was going on and I would just get a white page, the spinning wheel and a lot of connections on ColdFusion.

I decided to finally open up my console (not web) and I started seeing the following:

Safari[2061]: tcp_connection_destination_handle_tls_close_notify 60 closing socket due to TLS CLOSE_NOTIFY alert
tcp_connection_tls_session_error_callback_imp 60

Those errors would just continue as long as I left Safari trying to connect. Once I stopped Safari, the messages would stop and Fusion-Reactor graphs would go back to normal. You can see all of this in the following video.

The temporary solution
So until either the Safari team or the ColdFusion team fixes this, the only solution is to disable HTTP/2 on Windows 10 which is easy by doing the following:

  1. Open the registry editor (regedit)
  2. Browse to Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\HTTP\Parameters
  3. Enter 2 new DWORD Values EnableHttp2Cleartext and EnableHttp2Tls
  4. Set their values to 0
  5. Reboot
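The same registry change as a repeatable script, with the previous values recorded and a way to undo it. This is an added example, not from the original post; the function name and the -Restore switch are hypothetical.

```powershell
#Requires -RunAsAdministrator
# Added example: steps 1-4 above as a function. Without arguments it creates both
# DWORD values and sets them to 0; with -Restore it removes them again, which
# returns the machine to the state it was in before the procedure.
function Set-IisHttp2Override {
    [CmdletBinding(SupportsShouldProcess)]
    param([switch]$Restore)

    $path  = 'HKLM:\SYSTEM\CurrentControlSet\Services\HTTP\Parameters'
    $names = 'EnableHttp2Cleartext', 'EnableHttp2Tls'

    foreach ($name in $names) {
        # Record what was there before so the change can be audited.
        $item   = Get-ItemProperty -Path $path -Name $name -ErrorAction SilentlyContinue
        $before = if ($item) { $item.$name } else { '(not set)' }

        if ($Restore) {
            if ($item -and $PSCmdlet.ShouldProcess("$path\$name", 'remove value')) {
                Remove-ItemProperty -Path $path -Name $name
            }
        }
        elseif ($PSCmdlet.ShouldProcess("$path\$name", 'set DWORD to 0')) {
            # -Force overwrites an existing value, so the script is safe to re-run.
            New-ItemProperty -Path $path -Name $name -PropertyType DWord -Value 0 -Force | Out-Null
        }

        # Read the value back rather than trusting the write.
        $item  = Get-ItemProperty -Path $path -Name $name -ErrorAction SilentlyContinue
        $after = if ($item) { $item.$name } else { '(not set)' }
        [pscustomobject]@{ Name = $name; Before = $before; After = $after }
    }
    Write-Warning 'Reboot for the change to take effect (step 5).'
}

Set-IisHttp2Override
```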

Now when you browse any HTTPS site running on IIS 10 it is served as HTTP/1.1, not causing the connection downgrade and therefore working properly in Safari.