tracker issue : CF-3494728

Title:

Using ColdFusion as a custom 404 handler in IIS causes hanging requests


Status/Resolution/Reason: Closed/Withdrawn/Duplicate

Reporter/Name(from Bugbase): Nikolas Stephens / Nikolas Stephens (Nikolas Stephens)

Created: 02/01/2013

Components: Web Container (Tomcat)

Versions: 10.0

Failure Type: Crash

Found In Build/Fixed In Build: Final /

Priority/Frequency: Critical / Some users will encounter

Locale/System: English / Win 2008 Server R2 64 bit

Vote Count: 7

Duplicate ID:	CF-3488063

Problem Description:
When setting the 404 url in IIS to use a ColdFusion file, we get hanging requests when our PCI compliance scanner scans our application.  This happens on certain GET requests to 404'd paths, where content-length request header is greater than 0.

Steps to Reproduce:
STEP 1 - Install ColdFusion 10 on a clean installation of Microsoft Windows Server 2008 R2. Make sure to install the CF 10 mandatory update and the most recent CF update 7.

STEP 2 - Configure CF connector for IIS using default settings and procedures as outlined by Adobe's installation guides.

STEP 3 - Set the 404 handler in IIS for the Default Web Site to point to a ColdFusion file.  For example, this is the line from my applicationHost.config file for IIS 7.5:
<error path="/404.cfm" prefixLanguageFilePath="" responseMode="ExecuteURL" statusCode="404" />
You can use an EMPTY 404.cfm file for this example.

STEP 4 - Download and install the Nessus Vulnerability scanner on any workstation you have available. http://www.tenable.com/products/nessus

STEP 5 - Type in the URL of the site you configured in Steps 1 + 2, and choose a PCI compliance scan.

STEP 6 - After the test is underway for about 10 minutes, you will begin to see a small handful of 404 requests hanging.  Not all 404 requests, just certain ones that appear to have a content-length request header greater than 0.  We are using FusionReactor to monitor the server.  

Actual Result:
These requests will never end, and eventually enough of them will pile up that all your active requests are used up and any further requests to the server will just get queued.  Effectively a denial of service....


Expected Result:
Requests should complete normally as all other 404 requests do.

Any Workarounds:
Currently, the only way to mitigate this is by using the connectionTimeout setting in the AJP connector in server.xml:
<Connector port="8012" protocol="AJP/1.3" redirectPort="8445" tomcatAuthentication="false" maxThreads="500" connectionTimeout="60000" />

This will terminate the hanging requests after 60 seconds.  HOWEVER, this is NOT a solution, as if you happen to get more than 10 of these requests in a minute (the Default), your server will STILL go down.

----------------------------- Additional Watson Details -----------------------------

Watson Bug ID:	3494728

External Customer Info:
External Company:  
External Customer Name: Nik S.
External Customer Email:  
External Test Config: My Hardware and Environment details:



Windows Server 2008 R2

VMware host, 2cpu, 6GB RAM

IIS 7.5

ColdFusion 10, Update 7
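
The workaround above bounds how long a hung request holds a slot but does not stop slots from running out. The following is an added example, not code from the report or from Adobe: it audits a server.xml for AJP connectors without a positive connectionTimeout and computes the hang rate at which the request slots are exhausted. The function name, the second sample connector, and the reading of "10 (the Default)" as the simultaneous-request limit are assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the first connector is the workaround line from the
# report; the second is a hypothetical connector with no timeout set.
SAMPLE_SERVER_XML = """<Server><Service name="Catalina">
  <Connector port="8012" protocol="AJP/1.3" redirectPort="8445"
             tomcatAuthentication="false" maxThreads="500"
             connectionTimeout="60000" />
  <Connector port="8013" protocol="AJP/1.3" redirectPort="8445" />
</Service></Server>"""


def audit_ajp_connectors(server_xml, request_slots=10):
    """Report each AJP connector's timeout and the hang rate it tolerates.

    request_slots is the number of simultaneous requests the server runs
    (assumed here to be the "10 ... (the Default)" the report mentions).
    """
    findings = []
    for conn in ET.fromstring(server_xml).iter("Connector"):
        if "ajp" not in conn.get("protocol", "").lower():
            continue
        # Tomcat's AJP connector defaults to -1 (wait forever) when the
        # attribute is absent, so a missing value is treated as unbounded.
        timeout_ms = int(conn.get("connectionTimeout", "-1"))
        bounded = timeout_ms > 0
        # Each hung request holds a slot for timeout_ms, so slots run out
        # once hangs arrive faster than request_slots per timeout window.
        per_minute = request_slots * 60000 / timeout_ms if bounded else 0.0
        findings.append({
            "port": conn.get("port"),
            "timeout_ms": timeout_ms if bounded else None,
            "bounded": bounded,
            "max_hangs_per_minute": per_minute,
        })
    return findings


if __name__ == "__main__":
    for f in audit_ajp_connectors(SAMPLE_SERVER_XML):
        if f["bounded"]:
            print(f"port {f['port']}: hung requests end after "
                  f"{f['timeout_ms']} ms; slots exhausted above "
                  f"{f['max_hangs_per_minute']:.0f} hangs/minute")
        else:
            print(f"port {f['port']}: no connectionTimeout, "
                  "hung requests never end")
```

With the reporter's 60000 ms timeout and 10 slots this yields 10 hangs per minute, matching the limit stated in the workaround; a shorter timeout raises that ceiling without removing it.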

Attachments:

Comments:

Yet again, I am prevented from rolling out CF10 in my production environment because of another flaw in the IIS connector. I surely can't be the first person using CF10 with IIS 7.5 running an app that uses CF to handle 404's?
Comment by External U.
16400 | February 01, 2013 09:31:07 AM GMT
Furthermore, we have discovered that this persists for other types of requests as well. Any non-standard request.method will hang the request as well. After blocking all of those, I'm still seeing hanging requests of method="POST" with various invalid header info. The examples are numerous, I'm not going to list them all out here. Suffice to say, there is a lot broken with the IIS connector in ColdFusion 10 that was not in 9.
Comment by External U.
16401 | March 04, 2013 04:57:04 PM GMT
I use this functionality and need it working as expected as well before continuing to roll out CF10.
Vote by External U.
16402 | March 05, 2013 01:02:22 PM GMT
I'm experiencing the exact same issue on the same setup.
Vote by External U.
16403 | March 06, 2013 02:09:21 PM GMT
I'm having the same problem. This is a huge problem for us because we've invested quite a bit of time into our custom 404 error handler, which is being used by about 30 of our clients. Unfortunately we have to disable our custom 404 handlers until this is fixed, which basically breaks a portion of our CMS. This may also be related to this bug: https://bugbase.adobe.com/index.cfm?event=bug&id=CF-3488063
Vote by External U.
16404 | March 19, 2013 11:27:19 AM GMT
I am experiencing the same exact issue. When IIS encounters a 404, I am using a custom ColdFusion template and 90% of the time, it's totally blank. Very frustrating for my clients right now.
Vote by External U.
16405 | April 02, 2013 01:59:51 PM GMT
Same here. Connection reset error when hitting IIS 7.5's 404. Chrome returns this message: Error 103 (net::ERR_CONNECTION_ABORTED): Unknown error. Preventing roll-out of CF10 to production.
Vote by External U.
16406 | April 11, 2013 03:43:46 PM GMT
Similar issue here. Non-CFM pages give either a truncated page or a connection reset. CFM 404 pages return blank.
Vote by External U.
16407 | May 09, 2013 12:28:33 PM GMT
Similar issue here. Non-CFM pages give either a truncated page or a connection reset. CFM 404 pages return blank.
Vote by External U.
16408 | May 27, 2013 03:07:31 AM GMT