This is a very important message that all ColdFusion developers need to read. Maybe you didn't know this - but ColdFusion can crash under load! This was certainly news to me. A blogger, maniacalrage, describes just such a situation here.
Now listen closely as this is very important. Apparently, he went to a ColdFusion site. The ColdFusion site crashed. Therefore, ColdFusion can't handle load.
Wow.... can you believe it? I know I was certainly surprised.
Ok - so I'm being sarcastic. I just can't believe the audacity of such a post. One broken ColdFusion site means the entire technology is broken. I guess the blogger has never seen any other site in an inoperative state. I guess the numerous sites out there running ColdFusion under heavy load are simply faking it.
Or maybe... and just maybe... and this is crazy so just go with me for a second... but maybe the site wasn't written properly? I mean, lord forbid a developer have to actually put some thought into his code to make it run well under load. Or even modify a server setting.
Ok... I'll calm down now. Rant (and sarcasm) mode officially off.
Archived Comments
It is tough when we compete against those incredibly un-crashable Microsoft technologies. I heard the new version of Visual Studio will automatically rewrite bad code and make your site impervious to hackers! Plus it will ingeniously make all your standardized CSS work on IE. C'mon Macromedia...time to play with the big boys.
My favorite comment from that blog...
"Or better yet, by this logic I should NEVER EVER EVER EVER trust ANY application server for anything important. PHP sites crash. ASP.NET sites crash. JSP sites crash."
Ah, the voice of reason.
Well, one poorly written website - happens to be CF this time. I am sure there are rather few people that take the original post seriously.
Actually there is a bigger problem. I have seen it where when CF crashes, it shuts down the CF service. Now most people say, well big deal.
Well it is. See when the service stops, IIS throw the CF page as plain text. So if this happend you can also get at their application.cfm page and their settings template if they use one. Most people keep their DSN login information in these templates and this could be all the information a hacker needs to get at your database. Or they can use the information for some other purpose. It even gives someone the oppotunity to steal your code.
Good little WINT admins know that you should use the Recovery tab for the service to set actions upon failures like restarting the service or shutting down IIS and CF by using the "run a program" selection to run a batch file containing:
net stop "ColdFusion Service Name"
net stop "World Wide Web Publishing"
net start "ColdFusion Service Name"
net start "World Wide Web Publishing"
As people have said in the past, most of the security issues with ColdFusion come from the fact that almost all of the people who are CF developers don't have a background in Network or Systems Administration. As such, most people don't the ramifications of a service stopping or crashing.
Tony - isn't there also a setting in IIS you can configure to prevent this? It seems familiar. Most of the time when I have seen CF crash, a request for a cfm file results in an error, _not_ the source.
i've never gotten the source... only a message saying no jrun server can be found.. or something like that...
Ray,
You are correct. This did happend in the CF5 and below version. Mostly because CF5 "hooked" into IIS. Thus if you stopped the CF service, it would result in an error stating that the CF service isn't started.
I have seen this happend with CFMX J2EE setup. So stopping the Jrun server service resulted in the CFM template code coming back as plain text. The reason for this is because CFMX is now just an ISAPI filter. I know that most people will say that it should throw a "cannot connect to Jrun error" if it is stopped, but it doesn't. It only throw this error if the service is started and there is some sort of error connecting to the service. If the service isn't started, it exits gracefully, thus resulting in IIS grabbing the CFM file and displaying it.
Now I don't know if CFMX7 does this or if JRUN SP 5 fixes this. Currently I have seen this happend on CFMX 6.1 SP 1 with JRUN SP 4.
Ray,
You do make good points, and I agree. The blogger did, however, make some good points, too:
1. This was not just some random company hosting the server. It was MACROMEDIA.
2. It was not some random person installing and configuring ColdFusion and JRun on that server. It was MACROMEDIA.
3. It was not a third party developer writing the code and testing it. It was MACROMEDIA.
The question is, why was the service crashing for such a long period of time?
Damn, Aler beat me to it. The real issue is the Macromedia involvement, and the subsequent egg on their face. This isn't good press, and if that guy hadn't posted this blog entry, it would've gone largely un-noticed - with the exception of people trying to enter films. I don't think people should be attacking him for his post - he was obviously caused alot of stress over the problem that almost prevented him from actualizing months of work on his film. That was mis-directed anxiety, not arrogance.
People should be saying "WTF Macromedia?", but instead their knee-jerk reaction is to attack whoever poopoos on thier grand overlord, ColdFusion. This community suffers from an unhealthly dose of zealous. It's ok to ask questions, it's ok to criticize. CF is not perfect, but it's impossible to have a decent argument on the subject lest you get gang-banged by the JediMasters of the community.
Herman, I respectfully disagree. The original poster was not attacking the implementation of CF at that site. He said, specifically, that CF should not be used for high volume sites. That is different from saying foo.com doesn't work. He attacked the _entire_ technology. I definitely agree that CF is not perfect.
Stopping CFMX6.1 service and calling a cfm page I get:
Server Error
The server encountered an internal error and was unable to complete your request.
Could not connect to JRun Server.
Look, in all seriousness, I think that while we all can understand the guys frustration (hell, I have been there), I think Macromedia's involvement doesn't change much other than from a PR perspective (and the extent to which MM was involved outside of hosting was not clear from his post). The truth is that sites go down, even the large one's (regardless of what app server)... While we can appreciate his frustration, he jumps to rather overreaching conclusion with regard to ColdFusion and Macromedia as a whole.
http://maniacalrage.net/arc...
currently shows...
Error: SQL
Database Error
Sorry, but the database seems to be down. Oops! Check back in a minute.
how ironic...another faulty product
Let me just add that - the original poster _has_ said that he was being a bit extreme... so this isn't the big huge deal that I may have made it out to be. All in all - we all get mad as heck at products that we use at times. (Although I do wish the blogger would edit his main post to clarify his comments.)
Daniel: there's a difference between a site going down due to attack and it going down from "normal" use. For the past week, our servers have been under seige by comment spammers hitting any site using MT. I realize how ironic it LOOKS for my site to go down today, but the truth is that Macromedia's ColdFusion server wasn't being attacked that night, people were using it as they should have been.
I didn't post that comment, I posted the previous one.
But,
"Macromedia's ColdFusion server wasn't being attacked that night"
How do you know?
Correct me if I'm wrong but as I understand it CFML compiles to Java. CFML = Java? Badly written code is badly written code. An oversight or bug written in Java is no worse or better than an oversight in CFML.
tony,
I've never seen the scenario you describe occur. Can you cause it to happen and post the steps to reproduce it?
It seems to me that the expected load was underestimated and that was the primary cause here. As has been noted elsewhere, the work may well have been outsourced (I'm fairly certain the mm.com web team didn't build the Amazon film submission app and the site was not hosted by Macromedia - I could be wrong but that's my understanding).
As to whether CF can handle high load: mm.com does pretty well with up to 40,000 concurrent sessions during morning peak traffic (used to be I'd quote "20,000" but we have fifty CF apps on the site now and traffic on the CF part is way higher now that all of our tech notes are handled by CF).
Is anyone still having this problem with CF suffering under load? Because I have something I'd like you to try out and give me some feedback on if possible. FusionReactor (fusion-reactor.com) has a load of features to protect CF servers from dying due to high numbers of requests, high memory or long running requests. Please post and let me know. Thanks
cool, i see you are offering a Trail Edition
Sorry for the slow reply. It's been crazy busy here! *smiles*. Yes, there is a trial version and also a completely free version of the software. Please feel free to give us any feedback you have on the software. Enjoy!
Does anyone know what the name of the ColdFusion MX7 Application Server service is actually called? I'm trying to setup a service watcher and it doesn't find the service by that name, though it can find things like DNS and Apache2. I've also tried cfusion, CFMX, CFMX7, jrun, JRun, and some others. Thanks.
If you double click on the service in the Services panel, it shows you the proper name.
"ColdFusion MX 7 Application Server"
Thanks a lot! Wow, one space missing, how humbling :)