ColdFusion Muse

CF Webtools Springapalooza Job Openings

I know I know - it's only been a week since we picked up our 7th new 2019 team member, but we are at it again. We have a need for up to 4 new ColdFusion developers. We are also looking for a new operations person to fill out that growing team. Info below.

  • Yes you work from home so pants are optional unless you are skyping.
  • Looking for folks legal to work in the US only. (sorry! We still love you world!)
  • Yes the position is W2 with benefits after a short (30 day) trial period.
  • Yes benefits include health care.
  • Health Insurance won't cover your calls to the Psychic hotline, but you might be able to use FSA for that.
  • Yes there are other benefits - 401k, dental, PTOs, disability, life insurance, and a positive, encouraging environment.
  • For Profile 1 - Advanced CF Developer:
    • Great team - lively, very bright and productive. A great customer who appreciates knowledgeable developers.
    • Plenty of bad code, plenty of good code, and the serenity to know the difference.
    • Yes, we test your ColdFusion knowledge among other things. The test uses VPN, CF Eclipse, and MSSQL. You will modify some scripts to do a few simple tasks. Note: we get a lot more out of a test than just "do you know CF". We find out about patterns, how you respond to criticism, whether you are creative or methodical, how much CSS you know and even how much whimsy you have. Be careful!
  • For Profile 2 - Operations Team Member:
    • Our operations group consists of 3 team members so far.
    • They spend their days fixing, migrating, managing and upgrading servers.
    • AWS is involved in about 80% of what we do.
    • You will need to be able to find memes that appropriately obscure as inside jokes among your team members.
    • Plenty to do. Lots of scrambling. Lots of appreciative customers and developers who will see you as a savior if you can fix their problem.
If you are still interested. Here are 2 profiles for the folks we are currently seeking. Each position has a unique set of needs.


Profile 1 - Captain Americode

Looking to add 2 to 4 new developers to our team of 3. You will need to grasp requirements fairly intuitively and think around corners. We need someone who is good at acquiring institutional knowledge of a system and code and can pass that knowledge on to team members. If you like to dig in, find things about a system and then use that knowledge to help others and make the system better, this is an ideal profile for you.

  • If you have Oracle experience (programming PL/SQL) that is a plus.
  • Familiarity with on-line testing, SCORM etc. will help here.
  • The ability to flesh out requirements and make appropriate assumptions without too much hand holding will help as well (although ramp up time is to be expected of course).
  • All the usual advanced CF that apply to all of our positions.


Profile 2 - Sys Ops Wizard

While a knowledge of ColdFusion is not required it would be a plus. This job will involve managing servers and server instances (this is not a help desk job) - provisioning, migrating code, upgrading OS or Java. Below are some of the technologies we use and you will need to work with. To qualify you'll need to know at least a handful of these.

  • Linux - For this job you probably need more than just a passing knowledge of Linux. You should be fluent in Linux administration. If you've set up some distros, used YUM or other package managers, know how to find stuff on a Linux box etc. you are probably qualified. But the more the better!
  • Windows Server - We have a high percentage of windows servers. Operations manages backups, patching, migrating, upgrading etc.
  • AWS - about 70% of our managed stack is AWS. If you apply for this job you will be expected to eventually test for an associate certification. Training (online Udemy) and testing are paid for, but you have to put in the work to get there.
  • Java/Tomcat - Our primary stacks invariably include Tomcat/JVM. If words like garbage collection, heap, context, web connectors etc. seem familiar you are on the right track.
  • Networking - you should know your way around a network stack, be familiar with firewall rules, IP addressing, NAT etc.
  • Troubleshooting - you should understand how to troubleshoot issues that arise from CPU, memory or disk constraints and performance.
  • DNS - you should understand DNS zones and record types, how they work, and how to modify them.
  • Web Servers - You should understand how to set up a website in one or both Apache and IIS.
  • Email Servers - We manage a number of email servers or email relays.
  • Jenkins - More of a "nice to have". We deploy code through Jenkins from SVN or Git. Ops manages deployments.
  • Nagios (network monitoring) - Also a "nice to have". We use Nagios to manage an array of uptime alerts from external and internal customers.


More about CFWT

We are not a staff augmentation company trying to find someone to fling out to a spot in hopes they stick. While you work with customers, we care about developers and work culture. We intend to know you and support you. We strive to create a workplace you enjoy. We are looking for developers that match our culture of Can-do, Caring, Communication and Competency. Here's some items that you need in order to fit in here.

  • You should be able to setup multiple local environments on your own dev workstation. You should know words like "Apache" or "IIS". Yes you will be exposed to ______ (windows/mac) even if you are religiously devoted to ________ (windows/mac). We don't make the rules.
  • You should be able to work with SVN or GIT and sometimes other source control products.
  • You should Maintain positive attitude - We interact with respect and gentle humor. Snark is minimized and encouragement is the order of the day. If you are quirky and self-deprecating that will be a plus and you will love it here.
  • You should Maintain and enhance your skills set - you will be given the opportunity to work on lots of code, different versions, platforms, integrations, libraries and SDLC organization and procedure. Everyone of these is a growth opportunity. If that has you licking your chops climb aboard.
  • We like Balanced Developers - Our devs have a full life. They ride horses, snowshoe, skydive, sword fight, play instruments, love dogs, golf, learn languages, rear children, go to plays, like to bake, fish, hunting, equestrian sports, skydiving, guitar playing, dog training, macramé, Golf, racquetball, Mandarin, Politics (careful!), family outings, child rearing, school plays, choirs, baking, snowshoeing, ice fishing, hunting, aquaponics, mudding, and the list goes on. We love it all! We think those things make you a better developer and it makes us want to be around you. We aren't looking for 80 hour a week developers slavishly devoted to coding. We are looking for eclectic, interesting people who enjoy coding and want to do it for a living.
Hopefully this helps explain how we operate enough to pique your interest. If you want to take a shot send your resume to jobs@cfwebtools.com or call (402) 408-3733 ext 126 and ask for the Kurt. You can try extension 105 and ask for the Muse, but you have to get past Rachel so be creative! We look forward to hearing from you!

ColdFusion and Java 8 and Java 11 Updates

As many of you are aware Oracle has changed their licensing for Java 1.8 and making it a pay to play for all commercial purposes. Here's a link to the licensing announcement. I'm not a lawyer and I'm not going to pretend that I understand these licensing agreements. But Oracle and Adobe (or their lawyers I presume) do understand these and as such there are changes to note. On January 24th Adobe announced that Adobe will maintain support. via a Long-Term Support Agreement with Oracle, for Java 8 and Java 11. Thank you Adobe!

I have questions as I'm sure everyone else does. I've been asking representatives at Adobe these questions.

What does this mean for us?
ColdFusion Server runs on Java from Oracle, and as such the new Oracle license affects all of our ColdFusion servers. To this point Adobe has secured licensing from Oracle that allows all ColdFusion Server owners continue running Java. It is very important to note that you now need to download Java from Adobe and NOT Oracle. Get your Adobe Licensed Oracle Java downloads HERE!

Is the Java version from Adobe Different that the same version from Oracle?
Great Question and I asked Adobe about this. Here is the answer "Wil, installers are same but license attached to them are different and this is for both Java 8 and 11".

What about my existing ColdFusion Servers?
Another great question! There are tens of thousands (or more) ColdFusion servers running and the vast majority of them are running on Java from Oracle. I know that the CF Webtools Operations Group maintains a very large number of servers for a large number of clients. Over time we have been upgrading the Java version on the servers to keep up with the security updates from Oracle. This means that most if not all of these servers are on Oracle Java from Oracle and not from Adobe. What do we have to do to remain compliant? I really hope we do not have to visit all of these servers and replace the Java with the one from Adobe simply because there is a different license agreement attached. I have submitted this question to Adobe and I'm awaiting anxiously for the answer. What I do know is that all servers that we need to update are going to get the Adobe Licensed version of Oracle Java to stay safe.

I received an answer today from Adobe on this.

Wil, to answer your question, if the JDK/JRE were downloaded before Oracle came up with Licensing change, it should not be an issue. Otherwise we recommend using the Adobe provided download as soon as possible, although we don't see a deadline around this.
This means that all the servers that I have recently updated will need to be re-updated with the Java from Adobe that has a different license agreement.

What about my New ColdFusion Servers?
This question has a simple answer. To install a new ColdFusion Server you need to use the ColdFusion installer from Adobe which comes with an Adobe licensed version of Oracle Java. If you want to use a newer version of Oracle Java then you need to download the Adobe Licensed vision of Oracle Java from Adobe. Download Here!

Do I have to use Oracle Java?
Awesome question and the answer is yes, no, maybe. There is OpenJDK that may work just fine to run ColdFusion servers. There is also a new player in the Java game and that is Amazon. "Amazon Corretto is a no-cost, multiplatform, production-ready distribution of the Open Java Development Kit (OpenJDK)." Currently their version 8 is production ready and they version 11 is in the Release Candidate stage. I have run ColdFusion 11 an dColdFusion 2016 on Amazon Corretto 8 and it ran fine for the very limited testing that I did. For now there isn't official support from Adobe for these two Java versions.

As I get more information from Adobe I will provide updates above. I'm sure there will be more questions that people will want answered.

CF Webtools Developer Teams are ColdFusion experts and are ready to build your applications. We are also an Amazon Partner. Our Operations Group can build, manage, and maintain your AWS services including ColdFusion servers. We also handle migration of physical servers into AWS Cloud services. If you are looking for professional AWS management our operations group is standing by 24/7 - give us a call at 402-408-3733, or send a note to operations at CF Webtools .

Converting Fusebox 2 to FW1 - Creating Scaffolding

A quick Muse post with a bit of code. I know I know it's been a while and my coding has suffered. Still, some of you may find this useful.

I'm converting a Fusebox 2 application to FW1 and I wrote a simple script to automate some of the shell files I need. FW1 uses a URL convention that looks similar to Fuesbox. In Fusebox you have a 2 part URL param that dictates what your code is supposed to do. For example, fuseaction=reports.users would logically be a "circuit" called "reports" - think of it as collection of code or an application within a suite of applications. The second part of the fuseaction dictates which report exactly is supposed to be run.

FW1 is not dissimilar to this approach although it tends to introduce complexity for complexity sake at times (don't @ me). In FW1 an "action" parameter dictates which controller to run which in turn calls services and views as needed to set up a page or action. So FW1 may have action=reports.users - it looks quite familiar.

Since my Fusebox application is well organized I created a script that builds off the circuit and creates the necessary FW1 files. For each circuit I am going to create:

  • circuitName.cfc in the FW1 /controllers folder.
  • circuitName.cfc in the FW1 /model/services folder.
  • circuitName.cfc in the FW1 /model/DAO folder.
  • A folder named for the circuit in the FW1 /views folder with a placeholder file within (default.cfm) for my eventual content.

The script is pretty easy and it's designed to be run within the fusebox application where the FW1 application is accessable via file operations. First some setup:

<!--- MAK: location of my F1 files. --->
<cfset targetFW1 = "E:\eclipse-ws\new-fw1\trunk\">

<!--- MAK: Set up our target Dirs for FW1. --->
<cfset controllerDir = targetFW1 & "controllers\">
<cfset serviceDir = targetFW1 & "model\services\">
<cfset DAODir = targetFW1 & "model\DAO\">
<cfset viewDir = targetFW1 & "views\">

Next I created some placeholder files for controller, services and DAO. I'm going to read those files into variables.

<cffile action="read" file="#templateDir#dao.txt" variable="daoContent">
<cffile action="read" file="#templateDir#service.txt" variable="servicesContent">
<cffile action="read" file="#templateDir#controller.txt" variable="controllerContent">
Then I'm going to use my Fusebox applications structure called "Fusebox.circuits" and loop through it taking action on my plan.
<!--- MAK: loop through them and check them out. --->
<cfloop collection="#fusebox.circuits#" item="circ">
    
    <!--- MAK: Does the controller exist? --->
    <cfif NOT fileExists(controllerDir & circ & ".cfc")>
        <cffile action="write" file="#controllerDir##lcase(circ)#.cfc" output="#controllerContent#">
    </cfif>
    <!--- MAK: Does the services file exist? --->
    <cfif NOT fileExists(serviceDir & circ & ".cfc")>
        <cffile action="write" file="#serviceDir##lcase(circ)#.cfc" output="#servicesContent#">
    </cfif>
    <!--- MAK: Does the DAO file exist? --->
    <cfif NOT fileExists(DAODir & circ & ".cfc")>
        <cffile action="write" file="#DAODir##lcase(circ)#DAO.cfc" output="#daoContent#">
    </cfif>
    <!--- MAK: Creat the Directory in the view along with a default.cfm --->
    <cfif NOT directoryExists(viewDir & lcase(circ))>
        <cfdirectory action="create" directory="#viewDir##lcase(circ)#">
        <cffile action="write" file="#viewDir##lcase(circ)#\default.cfm" output="<h4>Hello World</h4>">
    </cfif>
</cfloop>

That's it. The end result is matching DAO, Controller and service files and view folders. Of course I may delete some of them or merge or whatever as my FW1 application takes shape, but having a matching convention with Fusebox let's me examine code from one into the other without a lot of fuss.

Follow Up

I created a script that handles the "second" part of fuseaction and places an CFM in the views folder as a placeholder. Basically "reports.users" should result in a /views/reports/users.cfm file containing HTML. This is where the eventual display code will be housed.

Talent Search Continues - Eclectic ColdFusion Developers Sought

CF Webtools is having a stellar first quarter. We've added 5 folks to our staff and we are hungry for more. We are actively looking to fill 3 developer positions on our ColdFusion development team. Here are some facts about working with CF Webtools.

  • Yes you work from home so laundry day is no longer a stresser.
  • Looking for folks legal to work in the US only. (sorry! We still love you world!)
  • Yes the position is W2 with benefits after a short (30 day) trial period.
  • Yes benefits include health care.
  • No our health care won't cover your life coach, Zelda, and her $200 sessions - but it's ok.
  • Yes there are other benefits - 401k, dental, PTOs, disability, life insurance, and a water cooler chat that keeps humming with each new edition.
  • Plenty of bad code, plenty of good code, and the serenity to know the difference.
  • We need advanced ColdFusion developers and yes, you will be tested. The test involves logging into a VM and coding through a few simple tasks.
If you are still interested. Here are 3 profiles for the folks we are seeking. Each position has a unique set of needs.


Profile 1 - The Team Pro

We are still looking to fill this specific position. It's an awesome team with very bright and active programmers using a cutting edge stack. You will grow here.

  • Mac User (especially for development). If you know Vagrant that's a plus.
  • REACT js library.
  • Framework experience (especially FW/1)
  • Lucee experience.
  • High DB Skills in MSSQL or MySQL including optimization, design and indexing.
  • Familiarity with SCRUM, Git, Agile and Jira as primary elements of SDLC


Profile 2 - Self Starter

This is the third on a team of 2. The team is eclectic and engaging and you will have a good experience with them, but you do need to be able to find your way through requirements and think around corners. We need someone who is good at gleaning institutional knowledge of a system and code. If you like to dig in, find things about a system and then use that knowledge to help others and make the system better, this is an ideal profile for you.

  • If you have Oracle experience (programming PL/SQL) that is a plus.
  • Familiarity with on-line testing, SCORM etc will help here.
  • The ability to flesh out requirements and make appropriate assumptions without too much hand holding will help as well (although ramp up time is to be expected of course).
  • All the usual advanced CF that apply to all of our positions.


Profile 3 - The Wizard

We are looking for someone who is a ColdFusion jack of all trades. If you like to hop from project to project, If you love problem solving, If you like engaging with multiple folks each day on different levels, then this may suit you. Some helpful skills:

  • Front end expertise – ability to take a designer's PSD files and confidently make them into a workable website. Bootstrap experience, jQuery skills etc.
  • Strong CSS skills – you are the answer to the CF expert's question "is there anyone here who can help me with my css?"
  • Confident switching environments, CF versions, platforms, and frameworks. The confidence that you can "figure it out".
  • Comfortable with complex DB queries, query optimization, performance troubleshooting etc. I know I know - UI plus database is a unicorn. :)


More about CFWT

We are not recruiters and we are not looking to "place" you. You will naturally work with and for customers but we care about developers and work culture. We intend to get to know you and what makes you tick and we hope to provide a work environment where you can grow. We want you to want to come to work every day. We are looking for developers that match our culture of Can-do, Caring, Communication and Competency. Here's some items that you need in order to fit in here.

  • You should be able to setup multiple local environments on your own with a minimum of assistance. Probably this means words like "Apache" or "IIS" shouldn't scare you too much. Yes you will be exposed to ______ (windows/mac) even if you are religiously devoted to ________ (windows/mac). We don't make the rules.
  • You should be able to work with SVN or GIT and sometimes other source control products.
  • You should Maintain positive attitude - We interact with respect and gentle humor. Snark is minimized and encouragement is the order of the day. If you are quirky and self deprecating that will be a plus and you will love it here.
  • You should Maintain and enhance your skills set - you will be given the opportunity to work on lots of code, different versions, platforms, integrations, libraries and SDLC organization and procedure. Everyone of these is a growth opportunity. If that has you licking your chops climb aboard.
  • We like Balanced Developers - Our devs have a full life. They ride horses, snowshoe, skydive, sword fight, play instruments, love dogs, golf, learn languages, rear children, go to plays, like to bake, fish, hunting, equestrian sports, skydiving, guitar playing, dog training, macramé, Golf, racquetball, Mandarin, Politics (careful!), family outings, child rearing, school plays, choirs, baking, snowshoeing, ice fishing, hunting, aquaponics, mudding, and the list goes on. We love it all! We think those things make you a better developer and it makes us want to be around you. We aren't looking for 80 hour a week developers slavishly devoted to coding. We are looking for eclectic, interesting people who enjoy coding and want to do it for a living.
Hopefully this helps explain how we operate enough to pique your interest. If you want to take a shot send your resume to jobs@cfwebtools.com or call (402) 408-3733 ext 105 and ask for the Muse. We look forward to hearing from you!

It's Up To Us To Stop Hackers

The first month of 2019 has passed and it was full of year end wrap up articles about anything and everything from 2018. Most were fluff articles on pop culture and such. What I found most interesting were the articles that quantified the past year of hacking and security breaches. According to NBC News, Hackers stole nearly half a billion personal records in 2018. There were fewer breaches, but the breaches were bigger and worse and more data than ever was stolen. Crypto-miners have improved as well and not in a good way. Previously I wrote about Cryptojacking and Hacking for Bitcoins. These are malware attacks where hackers install crypto-miners on servers they have compromised. The Crypto-miners use your CPUs to make money for themselves. Hackers have taken this malware to a new level of deviousness. The malware can now target and remove cloud security products as reported here and here.

It's been a banner year for the hackers.

[More]

ColdFusion Bug Introduced In Newest Update

UPDATE: Adobe has released updates for the last update.
  • ColdFusion 11 Update 17 was released that supersedes Update 16.
  • ColdFusion 2016 Update 9 that supersedes Update 8.
Many of us have been testing these new updates including myself and so far they look good. We have not heard any news on any additional updates for ColdFusion 2018

alert everyone that there is a critical bug that was introduced with yesterdays updates for ColdFusion 2018, ColdFusion 2016, and ColdFusion 11. Adobe is very actively working on a resolution. The bug is simply this, in cfscript queryExecute() is broken. This is the bug report.

Here is an example of what is no longer working. Example one is a cfscript based CFC file.

component output="false"
{
    public query function getRoles() {
        var userRoles ='';
        var sql = "SELECT roleId, roleName FROM userRole ORDER BY roleID";
        userRoles = queryExecute(sql);
        return userRoles;
    }
}

Example two is a cfscript block in a CFML file.

<cfscript>
userRoles = '';
sql = "SELECT roleId, roleName FROM userRole ORDER BY roleID";
userRoles = queryExecute(sql);

writeDump(userRoles);
</cfscript>

The code causes a Java error at the queryExecute() statement. Many of us are working with Adobe to provide test cases, stack traces, and testing hot fixes in order to get this resolved as fast as possible. Until there is a fix, if your application is using cfscript based queries, you will want to hold off on the update.

CF Webtools Developer Teams are ColdFusion experts and are ready to build your applications. We are also an Amazon Partner. Our Operations Group can build, manage, and maintain your AWS services including ColdFusion servers. We also handle migration of physical servers into AWS Cloud services. If you are looking for professional AWS management our operations group is standing by 24/7 - give us a call at 402-408-3733, or send a note to operations at CF Webtools .

New ColdFusion 2018 and ColdFusion 2016 Updates and Patches

Adobe just released updates for ColdFusion 2018, ColdFusion 2016, and ColdFusion 11. Please note that this is most likely the last update that ColdFusion 11 will receive due to it's core support end of life is coming up in April of 2019.

Some New Features

  • This update includes adding support for Java 11 to ColdFusion 2018 and ColdFusion 2016. ColdFusion 11 did NOT get this update most likely due to ColdFusion 11 nearing end of life.
  • ColdFusion 2018: Server Auto-lockdown includes a new installer for Mac OS.
  • ColdFusion 2018 and ColdFusion 2016: Updated the following OEMs:
    1. Jetty 9.4.12
    2. ExtJS 6.6
    3. JPedal 8.4.31
  • ColdFusion 2018 and ColdFusion 2016: You can use cfloop as script for arrays, lists, structs, or queries.
  • ColdFusion 2018: New platform support matrix for the following:

Adobe has updated more features for ColdFusion 2018 and ColdFusion 2016 including new mobile updates and Performance Monitor Updates. It's time to update your servers.

CF Webtools Developer Teams are ColdFusion experts and are ready to build your applications. We are also an Amazon Partner. Our Operations Group can build, manage, and maintain your AWS services including ColdFusion servers. We also handle migration of physical servers into AWS Cloud services. If you are looking for professional AWS management our operations group is standing by 24/7 - give us a call at 402-408-3733, or send a note to operations at CF Webtools .

CF Webtools Looking for Talent

CF Webtools is actively looking to fill 3 developer positions on our ginormous ColdFusion development team. Each position has a unique set of needs. Here are some facts about working with CF Webtools.

  • Yes you work from home so your flip flops will not weird anyone out.
  • Europe is great and has many fine developers, but our we are looking for folks legal to work in the US only. (sorry!)
  • Yes the position is W2 with benefits after a short (30 day) trial period.
  • Yes benefits include health care.
  • No our health care won't cover your psychic or spa treatments in Barbados, but it's pretty good.
  • Yes there are other benefits - 401k, dental, PTOs, disability, life insurance, and daily interactions with me if you so choose (most do).
  • On holidays we party virtually like it's 1999 - I guess that means we don't worry about our carbon footprint on that day or something.
  • Bad code sometimes, lack of framework, security issues - sure we get code like that. Not always, but enough to notice. Still, it's never ever boring around here - and not just because Wil is hysterical.
  • We need advanced ColdFusion developers and yes, you will be tested. The test involves logging into a VM and coding through a few simple tasks.
If you are still interested. Here are 3 profiles for the folks we are seeking.

Profile 1 - The Team Pro

This position is on a high quality team maintaining, upgrading and enhancing a broad suite of complex applications. Responsiveness, communication, security mindedness and teamwork are key elements of the ideal candidate. Some other stuff:

  • Mac User (especially for development). If you know Vagrant that's a plus.
  • REACT js library.
  • Framework experience (especially FW/1)
  • Lucee experience.
  • High DB Skills in MSSQL or MySQL including optimization, design and indexing.
  • Familiarity with SCRUM, Git, Agile and Jira as primary elements of SDLC

Profile 2 - The Visionary

This position is on a team of 2 working on a high end code base with a demanding QA and business analyst team. Your team member here is a rock star and you will learn buckets. You need attention to detail, self-starting, thinking around corners and better than average front end skills are at a premium here. Other items:

  • Bootstrap skills.
  • jquery and Ajax asych programming.
  • OO Design sometimes without a framework.
  • Availability between 5 am PST (8am EST) and 5pm PST - standups etc. This company is multi-national so they need some availability guarantees.
  • Visualization experience - datatables, high charts tableau etc.
  • Strong SQL server DB Skills.
  • Experience working with APIs (REST for example).
  • CSS preprossing - SASS or LESS for example
  • Test Driven development

Profile 3 - The Knowledge Master

For this position we need someone who is good at gleaning institutional knowledge of a system and code. If you like to dig in, find things about about a system and then use that knowledge to help others and make the system better, this is an ideal place for you. Additionally:

  • If you have used Oracle in the past (programming PL/SQL) that is a plus.
  • Familiarity with on-line testing, SCORM etc will help here.
  • The ability to flesh out requirements and make appropriate assumptions without too much hand holding will help as well (although ramp up time is to be expected of course).

More about CFWT

We care about developers and work culture. We intend to get to know you and what makes you tick and we hope to provide a work environment where you can grow. We want you to want to come to work every day. We are looking for developers that match our culture of Can-do, Caring, Communication and Competency. Here's some items that you need in order to fit in here.

  • You should be able to setup multiple local environments on your own with a minimum of assistance. Probably this means words like "Apache" or "IIS" shouldn't scare you too much. Yes you will be exposed to ______ (windows/mac) even if you are religiously devoted to ________ (windows/mac). We don't make the rules.
  • You should be able to work with SVN or GIT and sometimes other source control products.
  • You should Maintain positive attitude - We interact with respect and gentle humor. Snark is minimized and encouragement is the order of the day. If you are quirky and self deprecating that will be a plus and you will love it here.
  • You should Maintain and enhance your skills set - you will be given the opportunity to work on lots of code, different versions, platforms, integrations, libraries and SDLC organization and procedure. Everyone of these is a growth opportunity. If that has you licking your chops climb aboard.
  • We like Balanced Developers - Our devs have a full life. They ride horses, snowshoe, skydive, sword fight, play instruments, love dogs, golf, learn languages, rear children, go to plays, like to bake, fish, hunting, equestrian sports, skydiving, guitar playing, dog training, macrame, Golf, racquetball, Mandarin, Politics (careful!), family outings, child rearing, school plays, choirs, baking, snowshoeing, ice fishing, hunting, auquaponics, mudding, and the list goes on. We love it all! We think those things make you a better developer and it makes us want to be around you. We aren't looking for 80 hour a week developers slavishly devoted to coding. We are looking for eclectic, interesting people who enjoy coding and want to do it for a living.
Hopefully this helps explain how we operate enough to pique your interest. If you want to take a shot send your resume to jobs@cfwebtools.com or call (402) 408-3733 ext 105 and ask for the Muse. We look forward to hearing from you!

Using CDN for Entire Website and Country Blocking - Part 3

This is Part 3 in a short series of articles about blocking entire countries from a website. Parts one and two cover CloudFlare and CloudFront.

CF Webtools has been asked numerous times to block an entire country or countries by many clients. The issue is that there's a lot of hacker activity from certain identified countries and the client(s) does not do any business with those countries. Typically it's entire server hacking attempts, but more recently it's to use the client's shopping cart to "test" stolen credit cards. This is a very serious problem and as such clients are asking us to help them prevent this from happening. One potential solution is to block the IP addresses that these attacks are coming from. I refer to this as the Whack-A-Mole method because it's just like that arcade game. As soon as you block one IP they switch to another IP address.

We need a better solution. I looked into what we could do and how reasonable and feasible the various options are in terms of technology and cost. In my previous two articles I wrote about using CloudFlare and AWS CloudFront. In this article I'm writing about using a slightly better hammer in the Whack-A-Mole method to block entire countries. This is one of the simplest but also least effective methods.

The option many of us have traditionally done is blocking problematic IP's on a case by case basis and in extreme cases blocking entire IP ranges. I've often referred to this as the Whack-A-Mole method. It's reactive and not proactive. A real hacker would not use their own personal IP and there is no guarantee that the IP will always remain with an unscrupulous user. Normally I do not block an IP because bad stuff happened from that IP once. However, I have noticed the same IP or IP ranges launching attacks on multiple unrelated, hosted at different locations, and different client's servers. That's when I start pounding the IP with the ol' Ban Hammer! Also, blocking and entire country with this method would mean being able to know all the possible IP addresses or address blocks assigned to a particular country. This is knowable!

I did some research on this and found a few very helpful resources. Resources like this http://ipdeny.com/ipblocks/ and this https://www.sitepoint.com/how-to-block-entire-countries-from-accessing-website/. These sites keep an updated list of IP addresses assigned to every country in the world. These are made available in the form of individual text files per country. And in the case of the SitePoint page, you can download a pre-scripted config file for many versions of web servers and firewalls. Hammer Time!

In the case of the country our client wants to block there are over 130 IP entries. These are in the form of CIDR IP ranges. This is the good news. The harder part here is that means there would have to be 130 plus entries manually added into IIS or a firewall. And this is for a smaller country. Larger countries, including countries that are known for hacking, have many thousands of CIDR IP ranges. But at least I can download the scripts for Apache and IIS from the SitePoint page and paste them into the respective config files.

What are the downsides to this method? First off I do not know if there would be any performance hit to IIS or Apache if we were to start entering thousands of IP restrictions. I do know that AWS restricts Network ACL's to an absolute max of 40 rules in their VPC's due to "performance issues" if more were added. We're still whacking at moles. IP assignments for countries can change thus you would need to update your static list of IP bans in your web server.

This is an example of how Apache 2.4 is configured.

<RequireAll>
Require all granted
Require not ip 5.11.40.0/21
Require not ip 5.34.160.0/21
Require not ip 5.43.192.0/19
Require not ip 5.102.96.0/19
.....
Require not ip 217.78.48.0/20
</RequireAll>

This is an example of how the IIS XML web.config is configured. The CIRD notation needs to be converted to IP and network mask format.

<?xml version="1.0"?>
<configuration>
<system.webServer>
<security>
<ipSecurity allowUnlisted="true">
<clear/>
<add ipAddress="5.11.40.0" subnetMask="255.255.248.0"/>
<add ipAddress="5.34.160.0" subnetMask="255.255.248.0"/>
<add ipAddress="5.43.192.0" subnetMask="255.255.224.0"/>
<add ipAddress="5.102.96.0" subnetMask="255.255.224.0"/>
.....
<add ipAddress="217.78.48.0" subnetMask="255.255.240.0"/>
</ipSecurity>
</security>
<modules runAllManagedModulesForAllRequests="true"/>
</system.webServer>
</configuration>

In conclusion each option; CloudFlare, CloudFront, and IP Banning, each have their benefits and costs. CloudFront was the easiest of the three to setup and if the downsides of the IP address masking isn't an issue then it is likely the most viable solution. The AWS CloudFront solution may be best if you are already on AWS and you have an understanding of AWS Solutions Architecting. Both CDN options have country restrictions (and rate limiting) that will help in preventing potential credit card scammers from misusing your shopping carts. IP Banning is simplistic, it has no additional dollar costs. But it may be a performance hit to your web server if you have a very large number of IP restrictions. You may also have to update the IP lists if IP assignments to a country change. It's also worth noting that all methods can be bypassed via proxies.

CF Webtools is an Amazon Web Services Partner. Our Operations Group can build, manage, and maintain your AWS services. We also handle migration of physical servers into AWS Cloud services. If you are looking for professional AWS management our operations group is standing by 24/7 - give us a call at 402-408-3733, or send a note to operations at cfwebtools.com.

Using CDN for Entire Website and Country Blocking - Part 2

This is Part 2 in a short series of articles about blocking entire countries from a website. See Part 1.

CF Webtools has been asked numerous times to block an entire country or countries by many clients. The issue is that there's a lot of hacker activity from certain identified countries and the client(s) does not do any business with those countries. Typically it's entire server hacking attempts, but more recently it's to use the client's shopping cart to "test" stolen credit cards. This is a very serious problem and as such clients are asking us to help them prevent this from happening. One potential solution is to block the IP addresses that these attacks are coming from. I refer to this as the Whack-A-Mole method because it's just like that arcade game. As soon as you block one IP they switch to another IP address.

We need a better solution. I looked into what we could do and how reasonable and feasible the various options are in terms of technology and cost. In this article I'm writing about using Amazon Web Services CloudFront to block entire countries.

Amazon AWS CloudFront
AWS CloudFront does offer country blocking. I thought this would be an easy setup, but it isn't. When I tried to setup AWS CloudFront to 'front' an entire website I found there are many pieces that needed to be in place in order for CloudFront to handle the entire website.

Route 53 is needed or any other DNS that allows an ALIAS record for the Zone Apex record. This is because the Zone Apex record (root record) will be set to the URL provided by CloudFront and not an IP address.

Elastic Load Balancing is needed. The CloudFront origin (EC2 server) needs to be behind an TCP Elastic Load balancer. If there is only one site then the ELB target can be the instance itself. If the EC2 instance hosts multiple different sites, then we need to add multiple internal IP addresses to the instance and configure the origin site to be on it's own IP. Then the ELB should be configured to that internal IP address and not instance. If you are passing host headers in the CloudFront 'Behavior' section then you can have a single IP on the web server with multiple sites per usual for virtual name hosting. You have to setup the TCP ELB as TCP port 80 passthrough in order to pass the original IP addresses to the web server.

AWS Certificate Manager is needed to create a new free SSL for the domain name being setup in CloudFront. (I say it's needed because all sites should be using TLS protocols these days.) I found a wild card certificate works well.

Then lastly AWS CloudFront itself can be setup. The settings are a bit tricky. The Origin will be the ELB which will then pass requests to the EC2 instance. If you want or need forms to be posted to the website then you need to select "GET, HEAD, OPTIONS, PUT, POST, PATCH, DELETE" option for Allowed HTTP Methods. If you need to allow logins then you have to choose "All" for Forward Cookies.

There are costs to each part. Route 53 charges by zone and number of requests. Elastic Load Balancing charges by the hour and by data transfer amounts. Then Cloud Front charges by data transfer amount.

There are downsides to this method as well. In addition to the AWS method being harder and more complex to setup there are more costs involved. I can pass the original requesting IP address through to the web server, it still comes through in the X-Forwarded-For custom header. In Apache it's easy to globally capture and place this value into log files or the CGI scope. IIS does not allow this to be done at a global level meaning each IIS site must be configured for the custom headers. Additionally, you may need to custom code the web application to read X-Forwarded-For no matter which web server you are using.

After you have all of that setup, configured, and working you can now start blocking countries. This is done in the AWS CloudFront Restrictions section. You can add a Geo-Restriction blacklist or whitelist by country.

Part 3 will cover using IIS and Apache and a slightly better hammer in the Whack-A-Mole method.

CF Webtools is an Amazon Web Services Partner. Our Operations Group can build, manage, and maintain your AWS services. We also handle migration of physical servers into AWS Cloud services. If you are looking for professional AWS management our operations group is standing by 24/7 - give us a call at 402-408-3733, or send a note to operations at cfwebtools.com.

Using CDN for Entire Website and Country Blocking - Part 1

CF Webtools has been asked numerous times to block an entire country or countries by many clients. The issue is that there's a lot of hacker activity from certain identified countries and the client(s) does not do any business with those countries. Typically it's entire server hacking attempts, but more recently it's to use the client's shopping cart to "test" stolen credit cards. This is a very serious problem and as such clients are asking us to help them prevent this from happening. One potential solution is to block the IP addresses that these attacks are coming from. I refer to this as the Whack-A-Mole method because it's just like that arcade game. As soon as you block one IP they switch to another IP address.

We need a better solution. I looked into what we could do and how reasonable and feasible the various options are in terms of technology and cost. In this article I'm writing about using CloudFlare CDN to block entire countries.

CloudFlare
I was not familiar with CloudFlare other than it's a CDN. They do offer advanced services for a price. There is a free tier that has CDN capability and limited Firewall features. The firewall features include the ability to setup 5 firewall rules.

To test the features and capabilities of CloudFlare I created a free account for myself and setup my blog to use CloudFlare. My blogs uptime is not critical like the client's business is and it gets real traffic thus it can be used to test various features.

Using the free firewall features I can block multiple countries in a single firewall rule. The rules allow for chaining filters with AND OR statements. See the example below.

I don't know yet if there is a limit to the number of conditions I can add to a single rule. However, at the moment it seems to be sufficient.

The negative side effect that I can see so far is that all the IP addresses that get logged on the origin web server are from CloudFlare. This defeats many clients needs/desires to have a valid IP address of their valid customers. Cloudflare does offer the option to pass through the original HTTP headers, but that is under their top Enterprise plan. They do not provide a cost for this. You need to request an estimate.

CloudFlare does pass through custom headers that has the original IP and other custom headers. However, these are not standard and web servers need to be configured to first read the custom header fields and then the application code needs to be updated to use the custom headers fields. It's far easier to do this in Apache than it is in IIS. IIS does not allow this to be done at a global level meaning each IIS site must be configured for the custom headers. Additionally, you may need to custom code the web application to read X-Forwarded-For no matter which web server you are using.

Another issue is that CloudFlare requires you move your DNS to them. Depending on the client, gaining access to their DNS and registrar can be challenging.

Part 2 will cover using AWS CloudFront to achieve the same results.

CF Webtools is here to fill your needs and solve your problems. If you have a perplexing issue with ColdFusion servers, code, connections, or if you need help upgrading your VM or patching your server (or anything else) our operations group is standing by 24/7 - give us a call at 402-408-3733, or send a note to operations @ cfwebtools.com.

ColdFusion Exploit in the Wild

On September 11th of 2018 Adobe released a critical security patch to patch a very dangerous flaw (CVE-2018-15961) that could allow an attacker to upload a file that can be used to exploit and take control of the server. Adobe updated their security note to alert everyone that there are active exploits in the wild.

"UPDATE: As of September 28, Adobe is aware of a report that CVE-2018-15961 is being actively exploited in the wild. The updates for ColdFusion 2018 and ColdFusion 2016 announced in this bulletin have been elevated to Priority 1. Adobe recommends customers update to the latest version as soon as possible." - Adobe

Today it is being reported by multiple news outlets including ZDNet that the exploit is in the wild and being used by a nation-state cyber-espionage group.

"A nation-state cyber-espionage group is actively hacking into Adobe ColdFusion servers and planting backdoors for future operations, Volexity researchers have told ZDNet. The attacks have been taking place since late September and have targeted ColdFusion servers that were not updated with security patches that Adobe released two weeks before, on September 11." - ZDNet

This is one more friendly reminder to make sure your ColdFusion servers are patched! Either patch them yourself, have your hosting provider patch them or if they are not familiar or knowledgeable with ColdFusion contact us at CF Webtools to patch your servers. Our operations group is standing by 24/7 - give us a call at 402-408-3733, or send a note to "operations at cfwebtools.com".

ColdFusion Developers Needed - But You Have to be Entertaining

The jokes in our water cooler chat have become a little tired so we are looking for some new material. If you think you are entertaining (and smart and talented) enough to join the Muse' Merry M... er.. Merry Persons, here's what you need to know.

  • You will work from home but if you are not wearing pants we don't need to know that.
  • We love our many friends in Europe, Asia and the subcontinent etc, but we are only looking for developers in the US and legal to work here. (sorry!)
  • Yes the position is W2 with benefits after a short (30 day) trial period. If you are scared by the trial period don't be - it's easy. It's the interview process that should worry you.
  • Yes benefits include health care.
  • No our health care won't cover your psychic or spa treatments in Barbados, but it's pretty good.
  • Yes there are other benefits - 401k, dental, PTOs, disability, life insurance, and my singing voice.
  • We only turn water into wine during the holidays.
  • Yes you will be frustrated with some of the code you will see, no we are not offended if you throw the Muse under the bus about his code. No you will never be bored.

If you are looking for an inside track here is some extra skills that are "nice to have". None of these are non-starters but if you hit one of these bells it could help.

  • Using a MAC as your primary development environment.
  • Vagrant experience (if you don't know what that is, there's your answer)
  • REACT
  • CF Frameworks like FW/1
  • Lucee experience
  • High DB Skills in MSSQL or MySQL including optimization, design and indexing.

More about CFWT

We care about developers and work culture. We intend to get to know you and what makes you tick and we hope to provide a work environment where you can grow. We want you to want to come to work every day. We are looking for developers that match our culture of Can-do, Caring, Communication and Competency. Here are some examples of what we expect.

  • You should be able to setup multiple local environments on your own with a minimum of assistance. Probably this means words like "Apache" or "IIS" shouldn't scare you too much.
  • You should be able to work with SVN or GIT (and yes we git it that you think git is the bomb and don't know why we have SVN listed).
  • Maintain positive attitude - We interact with respect and gentle humor. Snark is minimized and encouragement is the order of the day. If you are quirky and self deprecating that will be a plus and you will love it here.
  • Maintain and enhance your skills set - you will be given the opportunity to work on lots of code, different versions, platforms, integrations, libraries and SDLC organization and procedure. Everyone of these is a growth opportunity. If that has you licking your chops climb aboard.
  • Balance - We like devs who have a full life. If you enjoy fencing, equestrian sports, skydiving, guitar playing, dog training, macrame, Golf, racquetball, Mandarin, Politics (careful!), family outings, child rearing, school plays, choirs, baking, snowshoeing, ice fishing, hunting, driving your truck on a mud track (all activities enjoyed by folks on our team) then we think those things make you a better developer! We aren't looking for 80 hour a week developers slavishly devoted to coding. We are looking for eclectic, interesting people who enjoy coding and want to do it for a living.
Hopefully this helps explain how we operate enough to pique your interest. If you want to take a shot send your resume to jobs@cfwebtools.com or call (402) 408-3733 ext 105 and ask for the Muse (or Mark if you don't want to play). We look forward to hearing from you!

ColdFusion Debugging on Production

Today's short note is brought to you by "Don't Do That On Production!" At CF Webtools often times we get called in to help troubleshoot servers that are failing to perform well. We often hear the same sort of symptoms that goes like this. The server has been running fine for months then suddenly for no reason it's slow, CPU usage is high, and it hangs or crashes multiple times per day. This always prompts us to ask the same question. "What was changed just before these symptoms started?" And the answer is usually "Nothing was changed (as far as they knew)". In all reality the person we're talking to may not the be only person with access to make changes to the server. Or they may not in fact have access at all and they are relying on information provided to them by an IT team member. We take notes, assume nothing, and question everything (on the server).

We had this scenario play out a few times in the past few weeks with three servers from three different companies. The reason I'm writing this note is the same problem occurred on each server. The short answer is someone enabled ColdFusion Debugging on the production server. ColdFusion is a very powerful rapid development platform, but it has a few gotchas if you are not careful. Such as enabling debugging on a production server. Debugging output provides a massive amount of information and for obvious security reasons we never want this enabled on a production server. Yes, I know you can restrict debugging output to a certain IP address, but that does not prevent the debugging output from being generated. It's just not displayed. The generation of debugging output takes more CPU power and at times more JVM memory. On a low load web application you may not notice a difference. However, on a high load, high traffic production web application the extra resources needed to generate the debugging output may in fact cause all those symptoms described above.

In each of the cases we saw these past few weeks, we were reviewing the servers settings, looking at the results of Fusion Reactor, and reviewing ColdFusion settings. On the first server we almost missed the fact that debugging was enabled. By the time we were troubleshooting the third server with similar symptoms we were checking to see if debugging was enabled before we did anything else. Disabling debugging resolved the bulk of the performance issues. We then used this time to review each server and offered additional performance tuning recommendations based on each servers resources and application needs.

This falls into the category of "Don't Do That On Production!" Please leave debugging to your development and staging servers.

CF Webtools is here to fill your needs and solve your problems. If you have a perplexing issue with ColdFusion servers, code, connections, or if you need help upgrading your VM or patching your server (or anything else) our operations group is standing by 24/7 - give us a call at 402-408-3733, or send a note to operations @ cfwebtools.com.

It's "Retired" Jim!

In another chapter of "The Cloud Never Crashes", I woke up Sunday to one of my AWS instances that was 'crashed' with a notice of "Amazon EC2 Instance scheduled for retirement". Retirement? What does that mean? I went to check my email and realized that the "retired" instance was the email server. Doh! It took me a little while to figure out what they meant. It means this "An instance is scheduled to be retired when AWS detects irreparable failure of the underlying hardware hosting the instance." This serves as a good reminder that the cloud is really someone else's server.

In theory this is an easy fix. The instructions at Amazon claims that stopping and restarting the instance will launch it on new hardware. In practice I could not get the instance to stop. This is where having physical hardware and a power cord to pull would have been nice. Failing to get the instance to stop I could not detach the EBS root volume. Even force detaching the EBS root volume didn't work. This is where daily snapshots of EBS volumes comes in handy. I was able to launch a new EC2 instance and then convert the last snapshot to an EBS volume and attach that to the new EC2 instance. Then I moved the elastic IP from the "Retired" instance to the new instance and hit "start'. Full recovery!

Now I'm left with a hanging EC2 instance that is still "Stopping" and an EBS volume that I cannot use, detach, delete etc. I tried reissuing stop commands a couple times. Eventually I noticed a "Force Stop" option. I do not remember seeing this on earlier attempts. I do not know if this shows up after the first failed stopped attempt or after several. I'm not sure, but I think that sends a trained monkey into the datacenter to pull the power cord. In any case it worked. This let me detach my EBS volume. From there was was able to stop the new instance, detach the EBS volume and attach my original EBS root volume. Now I have full recovery and I was able to clean up the loose ends.

Amazon Web Service has given us a new euphemism. Retired means It's Dead Jim!

CF Webtools is an Amazon Web Services Partner. Our Operations Group can build, manage, and maintain your AWS services. We also handle migration of physical servers into AWS Cloud services. If you are looking for professional AWS management our operations group is standing by 24/7 - give us a call at 402-408-3733, or send a note to operations at cfwebtools.com.

More Entries




Blog provided and hosted by CF Webtools. Blog Sofware by Ray Camden.