With all the talk about security recently I thought I would add a quick post on some precautions to take when setting up a VPS. Most servers ( Windows and Linux ) I work on are behind a hardware firewall but a few of my smaller VPS's don't have that luxury and are totally open when you are first given access. I'm not going to go into detail on configuring the correct directory permissions, users services are run as or best practice for file uploading but simply mention one of the first things you should do on your shiny new linux VPS's ( Windows aswell of course but not covered here ) and that is settign up IPtables.

First I need to think about what do I want to expose to the net. Port 80 ( web ), 443 ( ssl ), and 22 ( ssh ). Now this server also has mySQL ( port 3306 ) but I'm happy to leave that closed and use a ssh tunnel when I need to use a admin tool from my local PC.

My server for this setup is Debian ( 5.0 - Lenny ) but these instructions should be almost the same on any distribution and exactly the same on Ubuntu. Jamie Krug has an excellent set of instructions on setting up Railo on Ubuntu and while my setup differs ( I use resin rather then tomcat ) his IP tables rule list is extremely handy and an excellent place to start.

One thing to note is that applying the rules manually without loading them at boot time means that if you accidentally lock your self out you can use your control panel to simply reboot the server and the rules will be unloaded. Handy while your just starting out.

Also note that for every website running under Railo gets it's own administrator so adding re-write rules to "hide" the admin pages is worth while to try avoid brute force password attempts ( you could also restrict this to a specific IP ).

<br /> # Forbid public access to Railo admins:<br /> RewriteRule ^/railo-context/admin/(.*) - [F]<br /><br /> # Proxy a hard-to-guess URL base to the Railo Admin base <br /> # (could also use a separate virtual host and put this on a <br /> # non-standard port and/or force SSL):<br /> RewriteRule ^/some-secret-way-to-access-railo-context/admin/(.*) /railo-context/admin/$1 [P]<br />

( apache mod rewrite and Helicon ISAPI rewrite for windows will accomplish this )

Nothing I have mentioned is specifically applicable to Railo or ColdFusion and I protect my non CFML machines in the same way and with the price of unmanaged VPS's coming down greatly in price recently I thought this was worth a mention.

If anyone has any other improvements or suggestions let me know.

You may or may not have seen yet but Sean Corfield has blogged the process of building Railo from source ( here ).

Now I doubt I'll ever want to change anything the Railo team do in the source. I did however want to compile my own version just to see if I could. ( It's been a little while since I used java )

Sean's instructions are really thorough and I had no issues I even tried this on the just released Galileo version of Eclipse.

Sean does say to use Java 5 but I have Java 6 sdk already so I tried with that but it didn't work so make sure you have JDK 1.5 ( I used 1.5.19 ).

To make sure I had actually compiled and it was working I added the change to my railo server that's hosting the examples on this blog I changed the version to 3.1.0.199 and the version name to "Paul -99".

The whole process took about 10-15 minutes.


BTW I did this in Windows 7 64 bit.

I was chatting to a friend ( Ryan ) the other day who has some experience with ColdFusion and was looking to get back into it but didn't want to mess up an already established local development environment. He asked for the easiest way to set up a cfml engine. The answer Railo express!

Railo express is available for Windows, OSX and Linux. It's very easy to install, infact you don't even need to install it simple extract and run. Here is a step by step guide ( Under Ubuntu ):

Download the express tar.gz and extract to a location. I choose the desktop under Railo.







Open a terminal and CD to the location and run dos2unix on the start and stop scripts. For some reason the must have been gziped with extra ^m as the end of the line, dos2unix will fix this.






From here you can launch Railo by running ./start.
You can now confirm it's running by launching http://127.0.0.1:8888 in your browser and you will see the following:

This is by default in the Railo express webroot ( ..Railo/webroot ) in index.cfm. I usually just rename the file to admin.cfm so I don't have to remember the path to the admin pages.

To confirm it will execute new code create a new index.cfm:

<br /><cfset somestring = "world"><br /><cfoutput>Hello #someString#!</cfoutput><br />

And reload http://127.0.0.1:8888
Also browsing to http://127.0.0.01:8888/flex2gateway will display a blank white page which lets you know flash remoting is up and running.

Not including download time I guess less then 2 minutes to have railo express running locally and the second time you don't need to run dos2unix so all that's needed is to either double click start or run it via a terminal.

Just a note that Open Blue dragon also has a ready to run version and ColdFusion by Adobe also comes with its own web server and its also easy and quick to setup.

CFML hosting has always been more difficult then static html and php to find. I have tried a few and some are good and some are cheap. There is next to nothing that both reliable and cheap. However there are options.

Recently I have been reading the Low End Box blog : http://www.lowendbox.com and decided that $5-10 VPS's may be cheap and perhaps unreliable but for that price I had to give it a go and so far its been great. I have half the demos from this blog running there with Railo and mySQL along with a few other test projects.

Another good one is Slicehost they have a good name, for $20 you can get a 256 meg VPS and they are fast here is an example of Railo on Slice host: http://www.bigimpactmarketing.co.uk/ ( By @clarkee21 )

So for anyone that's thinking about Railo consider a cheap low end VPS you might be much better then you think.

BTW you may want to brush up on your linux skillz and download putty ;)

And for those that asked my most recent VPS is with 2Host

The Railo team has been hard at work pushing out updates quicker then we can install them - well not really as it only takes less then a minute to upgrade Railo :) . One of the most recent and exciting updates that has come out with 3.1.0.15 and .16 preview is the ability to communicate with Flex over AMF the same way you can with ColdFusion.

Here is a run through of how I set this up. As I run ColdFusion and IIS on my local machine to duplicate our main production environment I really didn't want to mess with all my settings and didn't want 2 CFML engines running all the time I opted to install ( extract from zip ) the Express Edition of Railo so I can start and stop easily with a batch file.

I extracted the zip to e:\RailoExpress

Copied the E:\RailoExpress\webroot to E:\RailoExpress\wwwroot ( to mirror ColdFusion's directory structure )

Start the Railo express server by running the "Start.bat" file. Confirm Railo is running by hitting http://127.0.0.1:8888 and confirm that http://127.0.0.1:8888/flex2gateway returns a blank page.

Open Flex(Flash)Builder. Created a new Flex Project.

Selected the server type as "ColdFusion", click next.

This is where there are a few changes. FlexBuilder expects there to be wwwroot in the ColdFusion server directory this is the reason I made the copy in step 2. I wont need to modify the .xml files in the WEB-INF for this example.

I'm not going to be using IIS as the webserver I'm happy with the one that comes with Railo express ( Jetty ) and the default port is 8888. Also set the webroot to the webroot folder under the Railo install directory.


Click finish and you can start coding.

If you want to check the compiler arguments right click the project, select properties, then Flex Compiler and it should look like this:


From this point I made a simple cfc that runs a query and returns it to flex. Drop the cfc into the webroot ( E:\RailoExpress\webroot ) called Query.cfc ( mappings work the same way they do in ColdFusion also )

<br /><cfcomponent output="false"><br /> <cffunction name="getQueryData" returntype="query" access="remote" hint="I return a Query"><br /> <br /> <cfset local =" {}"><br /> <br /> <cfquery name="local.q" datasource="mySQLTest"><br /> select actor_id, firstName, lastName, lastUpdate<br /> from actor<br /> </cfquery><br /> <br /> <cfreturn><br /> <br /> </cffunction><br /></cfcomponent><br />

I made a simple program to get the query data and display it in a grid. The code looks just the same as it would with ColdFusion. Also notice the source of the remote object is "Query" which matches to the name of the .cfc if you had this in a mapping it would be com.project.Query for example and this would work fine.

<br /><?xml version="1.0" encoding="utf-8"?><br /><s:application fx="http://ns.adobe.com/mxml/2009" s="library://ns.adobe.com/flex/spark" mx="library://ns.adobe.com/flex/halo" minwidth="400" minheight="300" height="238"><br /> <br /> <mx:datagrid x="13" y="39"<br />dataprovider="{mySQLData}" width="375" height="183"><br /> <br /> <s:button id="btnGetmySqlData" x="12" y="11" <br />label="Get Query Data" click="btnGetmySqlData_clickHandler(event)"><br /> <br /> <fx:script><br /> <![CDATA[ import mx.rpc.events.ResultEvent; <br /> import mx.collections.ArrayCollection; <br /> [Bindable] private var mySQLData:ArrayCollection; <br /> private function btnGetmySqlData_clickHandler(event:MouseEvent):void{ <br /> rro.getQueryData(); <br /> } <br /><br /> private function mySqlDataResult(re:ResultEvent):void{ <br /> mySQLData = re.result as ArrayCollection; <br /> } <br />]]><br /> </fx:Script><br /> <fx:declarations><br /> <mx:remoteobject id="rro" destination="ColdFusion" source="Query" showbusycursor="true"><br /> <mx:method name="getQueryData" result="mySqlDataResult(event)"><br /> </mx:RemoteObject><br /> </fx:Declarations><br /></s:Application><br />

Demo:



Demo with source view can be seen here

The .16 update ( currently in preview ) fixed the issue where the column name's were always coming back as lower case now they are the correct case. It also addressed the issue of correct casing of VO's ( which is also working in my limited test cases ).

I picked a query as an example but all other data types seam to be working except a few odd ones ( I tried sending an image data blob back it didn't work....yet ) and all in all this will probably satisfy most people working with Flex and ColdFusion and now they can offer a slick backend to there clients as an alternative to ColdFusion.

The database is a sample from mySQL