Moving From Adobe to Lucee+CommandBox

At work (Fairbanks Scales) I have (had) a server running Adobe ColdFusion 11 that connected to a UPS API to request shipping costs for ecommerce orders. Recently (November 16ish, 2017), UPS started being more strict about security. From what I can glean, they now reject TLS 1.0 connections and require TLS 1.2. It seems that CFHTTP doesn’t handle that very well. So orders stopped, money stopped flowing and the situation was urgent.

After a quick search to see what it would take to get CFHTTP on CF11 to work with TLS 1.2 requirements, the idea of working further with an Adobe product soured. It didn’t help that I had recently staged Lucee servers in preparation for modernizing the stack for the company I work for. A quick test showed that CFHTTP on Lucee worked as expected with the API call. This seemed an opportunity.

What’s more, CommandBox had been capable of running an embedded server, Rails or Node style, for some time.

So with a quick download of the latest version of CommandBox and integration with my dotfiles repo (more on that another time), I could dpkg -i cb.deb and then box server start to have a full-on Lucee server running.

So at Fairbanks, there are a few necessities for our server setup. We need to host several sites on the same server, and we need to force SSL where possible (a viable option thanks to Certbot/Let’s Encrypt).

Step one was to get SSL working and non-SSL requests to flip over to 443. Running certbot --apache did the trick, selecting the “redirect” option after the cert was created and added to a new .conf file automatically.

Step two was to get the CommandBox embedded Lucee server to answer an Apache proxy, since the embedded server can’t answer multiple hosts on the same port (as far as I can tell; if you know otherwise, I’m curious as to whether Apache can be removed from the stack). So that’s handled by adding

ProxyPreserveHost On
ProxyPass / http://127.0.0.1:8001/
ProxyPassReverse / http://127.0.0.1:8001/

to the auto-generated /etc/apache2/sites-available/fairbanks.com-le-ssl.conf. Of course, this only works if the CommandBox embedded server is answering on port 8001 instead of a random port, and if SSL is enabled.
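The port condition above can be checked mechanically. This is an added example, not code from the original post: it cross-checks the ProxyPass lines against a CommandBox server.json, assuming the port is pinned with web.http.port and the bind address set with web.host; the server.json content is a constructed sample and the function names are hypothetical.

```python
import ipaddress
import json
import re
from urllib.parse import urlsplit

# The proxy lines from the post (vhost wrapper omitted).
VHOST = """\
ProxyPreserveHost On
ProxyPass / http://127.0.0.1:8001/
ProxyPassReverse / http://127.0.0.1:8001/
"""

# Constructed sample server.json: pins the port and binds to loopback.
SERVER_JSON = '{"web": {"host": "127.0.0.1", "http": {"port": 8001}}}'

PROXY_RE = re.compile(r"^[ \t]*ProxyPass(?:Reverse)?[ \t]+\S+[ \t]+(\S+)", re.M | re.I)


def is_loopback(host):
    """True for 127.0.0.0/8, ::1 or the name 'localhost'."""
    if host == "localhost":
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False


def audit(vhost_text, server_json_text):
    """Return a list of mismatches between the Apache proxy and CommandBox."""
    web = json.loads(server_json_text).get("web", {})
    port = web.get("http", {}).get("port")
    bind = web.get("host")  # an unset host is left to CommandBox's default
    findings = []
    if port is None:
        findings.append("server.json does not pin web.http.port")
    if bind is not None and not is_loopback(bind):
        findings.append("web.host binds beyond loopback")
    targets = [t for t in PROXY_RE.findall(vhost_text) if t != "!"]
    if not targets:
        findings.append("no ProxyPass directive found")
    for url in targets:
        parts = urlsplit(url)
        if not is_loopback(parts.hostname or ""):
            findings.append(f"{url}: backend is not on loopback")
        if port is not None and parts.port != port:
            findings.append(f"{url}: port does not match web.http.port {port}")
    return findings


if __name__ == "__main__":
    for line in audit(VHOST, SERVER_JSON) or ["proxy and server.json agree"]:
        print(line)
```

An empty result means Apache and the embedded server agree on a loopback address and a fixed port, so the backend is reachable only through the TLS-terminating proxy.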

So now it’s time to start testing things. If all goes well, then we’re ready to alter DNS settings to point the domain at this new server. In the meantime, we’ll set it up on a subdomain.

Moving Adobe code to Lucee is usually painless, though a bit tedious, for sites that don’t do anything drastic. Aside from some adjustments to Application.cfc, there were three issues that took a bit of work.

The first is with getPageContext() which exposes different methods on Lucee than it does on Adobe. I use a call to getPageContext().getCFOutput().getString() to return a string of the page’s HTML after all processing (including headers, running formatting functions, etc). The function getCFOutput() doesn’t exist in Lucee. Why they changed that, I’ll never know. I’m sure there was a reason.

Fortunately, my short sight was fixed with some help from dev.lucee.org, where a kind fella pointed out that getOut() was the Lucee equivalent to Adobe’s getCFOutput(). Go figure.

The second puzzle was that PDFs over SSL seem to crap out on Chrome. I didn’t even bother figuring out why. I just added

RewriteCond %{SCRIPT_FILENAME} !^\/documents\/.*

to the redirect in /etc/apache2/sites-available/fairbanks.com.conf so that all the PDFs served don’t use SSL. Since it was a one-line addition, I don’t particularly care that it’s a band-aid on a biopsy.

The last puzzle was another one where I applied a hacky solution that I’m not really satisfied with. We have a need to redirect www.fairbanks.com/ups to a more complicated URL for marketing/SEO and all that jazz. Adding Redirect permanent /ups "https://www.fairbanks.com/products/store.cfm?ctp=true" to /etc/apache2/sites-available/fairbanks.com-le-ssl.conf wasn’t doing the trick. The mystery is why.

So instead I just added a /ups folder and put a cflocation in the index.cfm file that performs the same task.

But with all that done, we now have a site running on a CommandBox embedded Lucee server with all the features it had with Adobe but the added functionality of using TLS 1.2 with the UPS API.
