Category Archives: Code

Coldfusion Admin API

For the past 4 years or so, I’ve been more active with the devops side of things. So, I was lucky enough to not work so closely to the business side anymore. That perk, though, came with a caveat. I was made responsible to provide optimizations and performance gains at the company’s main service, which unfortunately is largely built using one language that’s hanging literally by a thread.

Yes, that language’s name is "Coldfusion". No, you have surely not heard of it before, and yes, luckily, it has nothing to do with physical cold fusion.

What is this Coldfusion?

Adobe’s mental child, which came out with Dreamweaver…

Coldfusion is a closed source language that was created by Adobe. It’s a language that was conceived in 1995 (!) and its purpose was to help people break the compiling loop that reigned the internet world back then.

Their first intent was to create a framework that would connect html pages with database engines, and thus providing an Api that would be very easy to change while coding websites.

Luckily, the first implementation of Coldfusion was coded in Visual C++ (god help us), and its runtime was strictly Windows, as back then the popular runtime and tools were being provided by the Gates family. There were some ports to Sun’s Solaris, but they were limited.

After version 6 with the debut of Coldfusion 6MX, everything moved to Java, where they stayed up to now. You can see my repo, that’s a port of the popular SOLID pattern. Since I was hired as a Software engineer, I had to deal with code quality. The syntax is quite similar to JavaScript, but you can easily load Java jars and run them directly (which actually gives the language actual leeway).

OK, but so what’s this API you’re talking about?

If for some weird reason you have ended up in my position and Coldfusion is “paying your bills” you might end up reading up articles about how to do stuff.

Most helpful is Ben Nadel’s blog, this guy has been with Coldfusion since its first steps and he’s helped a lot of people with his posts. Ben will solve a lot of questions you will have when writing code with Coldfusion. He’s done a lot of good work, and is also getting a lot of props for publishing his problems and solutions. There are also more resources you can address your questions to, I’ll just mention some here: the official Coldfusion Adobe community at community.adobe.com, the Adobe CF portal at coldfusion.adobe.com, CFML Slack, and more.

But there were times that we had to ask for professional help. Unfortunately Coldfusion is a closed source project. There is a respective open source implementation (called Lucee), but unfortunately (and that was explored when I first joined) it wasn’t 100% compatible with the company’s projects. Therefore, we were stuck with the closed source one, and even though its official documentation is good, Adobe, who’s got the reins in managing the whole language, at times doesn’t really care what’s going on with the community. So, they are answering the community’s questions only if they are under pressure.

The guy who’s applying pressure is Charlie Arehart. He’s liaised numerous times between popular questions (especially at the administration side of CF), and he’s doing a really good job.

Managing CF service

My troubles started when I was called to manage a Coldfusion service programmatically. CF comes in a service – server package, which runs and you have the option of “visiting” a specially crafted server URL where you can point and click administrative options, after being authenticated. Options like, for example, changing the code mappings, as to where the Coldfusion code resides inside your server, or, say, refreshing something Coldfusion calls “query cache”.

Long story short, I had to find a way to make all those changes programmatically, as in any serious enterprise, you just can’t deal with point and click changes, iterating every single server.

Coldfusion Admin API

So luckily Coldfusion is exposing those administrative functions in the form of an API. Charlie’s Admin API blog post is descriptive enough to guide you through the process. So if, for example, you want to programmatically create some database connections (in CF world they are called “Data Source Objects”) you can do so like this:

<cfscript>
// Login is always required. This example uses two lines of code.
adminObj = createObject("component","cfide.adminapi.administrator");
adminObj.login("admin");
// Instantiate the data source object.
myObj = createObject("component","cfide.adminapi.datasource");
// Create a DSN.
myObj.setMSSQL(
driver="MSSQLServer",
name="northwind_MSSQL",
host = "xx.x.xxx.xx",
port = "1433",
database = "northwind",
username = "sa",
login_timeout = "29",
timeout = "23",
interval = 6,
buffer = "64000",
blob_buffer = "64000",
setStringParameterAsUnicode = "false",
description = "Northwind SQL Server",
pooling = true,
maxpooledstatements = 999,
enableMaxConnections = "true",
maxConnections = "299",
disable_clob = true,
disable_blob = true,
disable = false,
storedProc = true,
alter = false,
grant = true,
select = true,
update = true,
create = true,
delete = true,
drop = false,
revoke = false);
</cfscript>
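
The sample above hardcodes the administrator password and never checks whether the login worked. The following is an added example, not code from Adobe or from the original post, showing the same Admin API pattern for the code-mappings case mentioned earlier: the password comes from the environment, the login result is checked, and the session is always closed. The environment variable name CF_ADMIN_PASSWORD, the log file name and the mapping name and path are assumptions.

```cfml
<cfscript>
// Added example. Assumption: the admin password is injected by the
// deployment tooling as the environment variable CF_ADMIN_PASSWORD,
// so it never lives in source control.
adminPassword = createObject("java", "java.lang.System").getenv("CF_ADMIN_PASSWORD");
if (isNull(adminPassword) || !len(adminPassword)) {
    throw(type="AdminApi.Config", message="CF_ADMIN_PASSWORD is not set");
}

adminObj = createObject("component", "cfide.adminapi.administrator");
// login() returns a boolean; stop here instead of calling the other
// CFCs without an authenticated session.
if (!adminObj.login(adminPassword)) {
    throw(type="AdminApi.Auth", message="Admin API login failed");
}

try {
    extObj = createObject("component", "cfide.adminapi.extensions");

    // Desired state. Placeholder mapping name and path (assumptions).
    wanted = { "/myapp" = "/opt/myapp/cfml" };

    // getMappings() returns a struct of logical path -> directory path.
    current = extObj.getMappings();

    for (mapName in wanted) {
        // Only write when something differs, so the script can be re-run
        // on every server. The server may normalise the stored path, so
        // compare against what getMappings() reports on your platform.
        if (!structKeyExists(current, mapName) || current[mapName] != wanted[mapName]) {
            extObj.setMapping(mapName=mapName, mapPath=wanted[mapName]);
            writeLog(file="adminapi", text="mapping #mapName# set to #wanted[mapName]#");
        }
    }
} finally {
    // Close the admin session even if a call above throws.
    adminObj.logout();
}
</cfscript>
```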

The API cfc files that are offered are the following:

CFC’s that can be included to administer a Coldfusion Server installation

Charlie in his blog says that he has asked the Adobe team to document the functions that each cfc exposes, but unfortunately Adobe, being Adobe, didn’t. They have merely documented 7 out of the 18 files, and the rest are left as they were.

If you wish to introspect the other files you can do so just by logging into http://localhost:8500/CFIDE/administrator/index.cfm while running a CF Server installation, and then heading to Security -> RDS.

Change or setup an RDS password.

There you either disable RDS (not recommended for long run setups), or change the password.

After that you can simply follow the virtual path, i.e., if you wish to introspect the runtime.cfc you can simply go to http://localhost:8500/CFIDE/adminapi/runtime.cfc, and you will be met with the following page:

Or if you prefer a link, here

Just as you’ve guessed, this is all the CF API

So I went the extra mile and went and copied all the CF 2018 introspection code that Adobe is producing when visiting all the administrative modules listed in their server, by creating a complete “Coldfusion 2018 Admin API Documentation”.

You can just click the links below and you will get the html as it is being generated from the original Coldfusion Administration URL.

Base

Runtime

Access Manager

Collections

Datasource

Debugging

Event Gateway (take care when you use this one, it’s severely outdated)

Extensions

Flex

Mail

Office

Runtime

Scheduler

Security

Server Instance

Websocket

I hope this simplifies the administration

My attempt was purely drafted to help people so that they wouldn’t have to search locally or in a server to have the tools to administer their installation.

Since Adobe stopped the process of documenting, I felt this must have been done somewhere, so I took the initiative of putting it here.

Stay tuned, I will come back with some more posts about crypto — my new hobby!

EDIT: I will create another post documenting the CF2021 ones, as we will be soon migrating there as well.

Monero Mining Ban or How to Ban yourself from Google

I’m back

I haven’t posted in a while. Mainly because I was really busy with my morning job, and a lot of other stuff in the between. For all of you who actually kept in line with my blog I would have to say I have done a lot the past 3 years, career-wise.

This post is going to be mainly for talking about Crypto Currency mining, and the related technology.

Fintech

I have worked a lot in the Finance Tech Sector, even before it was the hot word. Unfortunately I didn’t have enough time to actually delve into the Crypto Finance part, only up until recently.

I decided I should have a look at the technological / mining part of a Crypto Currency.

Of course since I am primarily an engineer and not a coder, I decided that the mining must be done in a distributed way and not in a dedicated way most people without any specific technical background do… And that was the issue unfortunately.

Monero JS Mining

 

Even though my current morning job doesn’t include a lot of JavaScript (or ECMAScript as they renamed it nowadays), I still have some juice left in me. So since JS rules the world language-wise, the logical approach would be a JS miner. There is only one js-miner. And also a nicely laid-out service is Coin-Hive (I’m not linking the site as it will be marked as a malware, more on that later). The crypto currency is Monero (XMR), and it is mainly developed for mining using a CPU and not any specific ASIC just as Bitcoin or Ethereum are. Which also makes it more profitable in my opinion to mine right now, without actually having a monster-like computer, which is needed to mine all the other currencies…

Profitability

OK, let’s face it, mining using others’ PCs is not that profitable.
Having something like 30-40 visits per day on your website with an average stay of 1-2 mins could probably give out something like 10 cents per day, with roughly 1M hashes.

So it turns out that a lot of people had the same idea as me (a few months back) by using the browser’s V8 to run mining software.

Unfortunately users do not appreciate this. They do not appreciate ads, but also not their CPU spiking up a bit as they like to browse a site they might benefit from.

Frankly, I find this offensive. Especially from Google’s part since I managed to set up a distributed miner. I distributed its source code (based on a flavour of CryptoNight algorithm) and mining software between some of my sites, using my GitHub account to host the files for the miner, and a few other freeware sites for proxying the traffic for the mining pool.

The Monero Mining Ban

My github account was banned. Also my sites as well. Google thought that all my sites have been hacked and that they were infected with a malware.

Google sent me a lot of e-mails that my sites were infected, and that I should clean them. Apparently it is illegal to serve these assets even if you specifically ask permission from the users (or just simply notify them for this). So, users don’t like ads, since they are using an adblocker, and they don’t like also using their CPU for mining. OK, I get it. We just have to pay for domains and servers for ourselves, for the code and the brain power we burnt to create the content, and just give this away for nothing. Nice. Even though if I somehow have a guy who still owes me a lot of money for a website I helped him create and I don’t want to put him out of business by just closing it down.

Should you need any more info let me know to help you if you want to setup your own JS mining rig.

PS. I have started working on another big open source project which is really nice, you will hear from me again.

Request Loop

It’s been a while since I last posted…

There is always a reason for that. My reason was a sum of many different variables. Just as the great mentor said, luck is the sum of many coincidences, that’s what happened in my case as well.

Where do I begin?

Jobwise: Capital controls, working day and night, a lot to do and no time to do it…

Blogwise: I had a very strange setup with my blog (and a very very outdated one I might add). Since I am using Heroku, they decided to change their stack and migrate from Cedar 10 to Cedar 14. OK, I said, what the hell, let’s do it.

Alas, I had a serious problem with libssl0.98 which was built inside my php module and was not supported in Cedar 14. (whoever wants to do the upgrade have a look here first).

Long story short I fixed it, and I also found that many posts I did with various hacks for the pg4wp plugin were incorporated into a single release from kevinoid : here

I will contribute also into some changes that have to be taken into account since the module is quite old and I have previously stated that it’s not at all well written.

That’s not the main point of this post though.

I wanted to share an experience I keep coming across lately.

Now according to popular trends we are experiencing (and will experience in the future) a huge bloom of the microserviced architecture. This guy here explains how and why they decided to go for the microserviced architecture.

I agree. There are many benefits when having a monolithic single (and obsolete at times) repo for web applications. It is a nice solution when your company is scaling, and you have to maintain a lot of different parts. Especially if you have different teams and each team wants to “do their own thing” about a solution.

However it’s not the solution to Everything!

I will elaborate more:

I recently had to debug an http step based procedure (client requests this page, books this ticket, goes there, etc.) that was using 3 different instances of different technologies over http. The one was python and wsgi, the second was php with apache and the third one was ruby with unicorn.

Try to debug this. I dare you. Seriously. I had in my local setup all 3 different instances running with 3 different IDE’s and all running their debugger. Ok, ok you say that Docker will simplify the installation. I agree it does, but it does not help the debugging at all.

The most important thing though isn’t the debug/testing of many different apps over http.

It’s the HTTP by itself.

And believe me, I have seen a lot of “Senior” Devs falling into the same trap of API’zation and doing over and over the same architectural error.

The Request Loop

You won’t guess how many times I’ve seen this happening…

Consider the following diagram:

This is the actual loop – when one request is still open, another comes along, and things get messy…

The Browser  sends a request to the Frontend app. Now the Frontend App could forward it (or change it a bit) to the Backend App.

In our setup the backend app was a PHP app.

Now since PHP by default does not support threading (not pthreads), each HTTP request is a different PHP thread, served via apache.

This complicates things a lot, since you keep a connection (process) open and you open another one which could (at some point maybe) rely on data from the first one. You cannot access that data in between processes.

Not to mention that you cannot debug this thing either, since you insert a break point in the first request procedure, and the second request (which happens a few ms after) is being served without the debugger stopping at that point.

My point is that when you decide to go Microservice’d

Try to avoid request looping, when you need to do something that is synchronous. Or, use something different. Do threading. Use a message queue, or something else.

You will be surprised how much time you will spend trying to debug and understand what is wrong in this set-up.

I will close with the following meme:

Some people, when confronted with a problem, think, “I know, I’ll use threads,” and then two they hav erpoblesms.