Why is ColdFusion not suitable for shared Hosting

This is a topic we have to deal with and explain quite often. After some 12+ years supporting ColdFusion and dealing with hundreds of developers at all levels, from beginners to gurus, one thing we have learned quite well is that most developers do not really understand how things work on the server side.

They know how to write code and upload it to the server, but most things beyond this tend to be something of a “black box”. In particular, the majority of CF developers do not understand how ColdFusion really works and how/why it works differently from other scripting languages such as PHP, Python or ASP.NET.

Unfortunately this lack of knowledge often results in the wrong type of hosting being used, which can be very detrimental to a client’s website performance and security, especially in a shared hosting environment. It also tends to result in “the finger of blame” being pointed at the hosting provider whenever there are problems, which in turn leads to sites being pointlessly moved from one host to another, doing nothing to address the inherent issues. So hopefully this article will help to enlighten and inform, as well as clear up some of the misconceptions about ColdFusion hosting.

To put it simply, ColdFusion is a Java application: it runs inside a Java servlet engine (such as Tomcat), and this is where the problem lies, with Java rather than ColdFusion itself.

It is IMPORTANT to understand that Java (and thus ColdFusion) is intended as an enterprise solution. As such it is meant to run on dedicated hosting, and because of the way it works it was never built for, or suited to, shared hosting. When it is used in a shared hosting environment it tends to have performance issues, and some security issues as well.

How ColdFusion processes web page requests

When we look at other common languages such as PHP, Perl or ASP.NET, these run as an NSAPI/ISAPI or CGI process, so every website on the server spawns its own process to handle its requests. If there are, say, 20 PHP sites then there are 20 PHP processes running (think of this as 20 separate instances of ColdFusion).
So if site1 crashes PHP or ASP, it will generally have no effect on any other site, because each site is running PHP/ASP in a separate process. Of course there are occasions where these processes can end up killing the web server as a whole, but this is far less common and happens very infrequently.

ColdFusion on the other hand does not run this way.  

ColdFusion instead runs as a service (like your anti-virus software, for example).

This is the equivalent of a single process in the CGI/ISAPI world. It means that essentially every single web page on every single website on the server is going through the same process, and the end result is that any single website can cause problems for all the others.
It is like your anti-virus software: when it runs it can slow your whole computer down and make it unusable for you, because it consumes all of your system resources.

Here is a diagram to illustrate.

[Image: cf server diagram]

Imagine the following (very common) scenario.

Let’s say abc.com makes a cfhttp request to an external web service at xyz.com to get syndicated content for its pages.
The web service at xyz.com goes down, which means all the pages on abc.com are now, potentially, going to time out waiting for a response. On a shared server this can very quickly consume all of ColdFusion’s “maximum number of simultaneous requests”, and subsequent requests then queue behind them. The result is that every other ColdFusion site on the server now becomes slow as well, as all their page requests are queued behind the problematic site(s), and those requests are likely to time out too if they sit in the queue for too long.

An even worse scenario involves native Java calls such as database queries, as these cannot be killed automatically, not even with FusionReactor, so they will never time out. If a web page hangs in the middle of a database query because it is waiting for a response from the database server, that request will never time out and will hang indefinitely, so one CF thread is now permanently used up and no longer available. If this happens 10 times, 10 CF threads are gone and no longer available to anyone else. If the “maximum number of simultaneous requests” on the CF server is set to 10, you now have 10 requests hung and 0 requests left, so the server can no longer serve any ColdFusion pages and every website on the server will hang/time out until the service is restarted.

If the original problem still exists then restarting the CF server will also not help, as the issue will simply return and continue until all the requests are again used up and all sites start to hang.  The only solution at this point is to find the site causing the problem and turn it off.
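To make the queueing behaviour concrete, here is a small added simulation (not part of the original article) of a ColdFusion-style shared request pool beside CGI/ISAPI-style per-site processes. The site names, request counts and timings are constructed, and the hung database call is modelled as a request that never completes.

```python
"""Added example: one shared request pool (a single ColdFusion service for every
site) versus per-site pools (one CGI/ISAPI process per site). Site names,
request counts and timings are constructed values, not measurements."""
from collections import deque
from dataclasses import dataclass
from typing import Optional

INF = float("inf")  # a query that can never be killed: it holds its thread forever


@dataclass
class Request:
    site: str
    arrival: int               # tick at which the request reaches the server
    service: float             # ticks of work once a thread has been assigned
    started: Optional[int] = None
    finished: Optional[int] = None
    timed_out: bool = False


def run_pool(requests, max_simultaneous, queue_timeout, horizon=50):
    """Push `requests` through ONE pool of `max_simultaneous` worker threads.

    A request that has waited in the queue for more than `queue_timeout` ticks
    is abandoned as a timeout. A running request with infinite service time
    never releases its thread. Returns per-site counts of served, timed-out
    and hung requests.
    """
    pending = deque(sorted(requests, key=lambda r: r.arrival))
    queue = deque()
    running = []
    for tick in range(horizon):
        while pending and pending[0].arrival <= tick:
            queue.append(pending.popleft())
        # release threads whose work is complete
        for r in list(running):
            if r.started + r.service <= tick:
                r.finished = tick
                running.remove(r)
        # abandon requests that have sat in the queue too long
        for r in list(queue):
            if tick - r.arrival > queue_timeout:
                r.timed_out = True
                queue.remove(r)
        # hand any free threads to the head of the queue
        while queue and len(running) < max_simultaneous:
            r = queue.popleft()
            r.started = tick
            running.append(r)
    stats = {}
    for r in requests:
        s = stats.setdefault(r.site, {"served": 0, "timed_out": 0, "hung": 0})
        if r.finished is not None:
            s["served"] += 1
        elif r.timed_out:
            s["timed_out"] += 1
        elif r.started is not None:
            s["hung"] += 1
    return stats


def scenario():
    """abc.com fires 10 requests whose database call never returns; two healthy
    sites then each send 5 requests that need a single tick of work."""
    reqs = [Request("abc.com", 0, INF) for _ in range(10)]
    for site in ("def.com", "ghi.com"):
        reqs += [Request(site, t, 1) for t in range(1, 6)]
    return reqs


def shared_service(max_simultaneous=10, queue_timeout=3):
    """ColdFusion-style: every site shares one service and its thread pool."""
    return run_pool(scenario(), max_simultaneous, queue_timeout)


def per_site_processes(max_simultaneous=10, queue_timeout=3):
    """CGI/ISAPI-style: each site owns its pool, so a hang stays local."""
    reqs = scenario()
    stats = {}
    for site in sorted({r.site for r in reqs}):
        own = [r for r in reqs if r.site == site]
        stats.update(run_pool(own, max_simultaneous, queue_timeout))
    return stats


if __name__ == "__main__":
    print("shared service :", shared_service())
    print("per-site pools :", per_site_processes())
```

With the shared pool the two healthy sites have every request time out in the queue although none of their own code is at fault; with per-site pools only abc.com is affected.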

[Image: cf-requests]

But my code has proper error trapping and caching and stuff, so this doesn’t affect me, right?

Wrong, I’m afraid. On a shared server it doesn’t matter how brilliant your code is, how well you have performance tested it, or how much error trapping you have. None of this stops the other sites on the server from causing you problems, or you from causing them problems.

You could be lucky on a shared host for months, or even years, if you are on a server that doesn’t have many websites, or only simple sites that are not problematic (at the moment), but it only takes one poorly written app to bring CF to its knees.

It is also important to realize that (in our experience) almost nobody using shared hosting has ever done any kind of load testing or performance testing on their website, and in most cases does not even know what this means or how to do it. The result is that website owners have no idea how their site will perform under load. This leads to another very common scenario, which usually begins with a statement like, “Nothing has changed on my site and it has been running fine for years, so it must be your server”.
Again this is totally irrelevant in most cases. Sure, your site (or any other site on the server) may well have been running fine for years with 20-50 visitors per day, but what happens when it suddenly gets 1000 visitors per day as a result of some marketing or media attention? Or when it starts getting hit by search engine bots (which is very common)? Suddenly this once stable site falls over horribly, due to poorly written or legacy code which simply cannot cope under load, because it was never load tested.

Let me give you an analogy.

You have a reliable little moped. You have been driving it around town for years with no problems at all and it has served you well, but it has never gone above 40 mph. One day you need to take it on the motorway for the first time ever, so this is the first time your reliable little moped has ever gone above 40 mph. Unfortunately it was never built for this, and once you hit 70 mph the engine overheats and the bike stops working. You are stuck right in the middle of the motorway, causing a tailback as cars start to queue up behind you. The only way to resolve the problem is for someone to move you and your moped out of the way so that traffic can start flowing again.

When your engine cools down, you can probably get going again, but once you get up to 70 mph the same problem will occur.

Security Issues

Everyone by now is aware of the prolific CFIDE hack which affected many CF servers around the world, and which we have blogged about previously. This was only possible because CF runs as a service, and because that service runs under the SYSTEM account by default, which has full file system access, allowing the uploaded hack to reach every part of the server. If CF worked like a CGI/ISAPI application (as it did in the days prior to CF6, before it became a Java application), the effect of this hack would have been very limited, as on a properly configured server the hack would not have been able to read/write files outside of the web root.

While there are ways to lock down ColdFusion (and yes, we do this), this is more to protect the server and does little to protect websites from one another, again because ColdFusion is Java and runs as a service. On a shared server there is simply no way to fully, 100% secure your site from being accessed by the code in other sites, whether written in CFML or any other Java application, not even when using security sandboxes, as any competent developer can easily circumvent these sandboxes (obviously we are not going to document how).

So to put it bluntly, if you are running an eCommerce site and storing customer details and/or card details, or any other kind of private or personal data, then you are putting this data at risk on any shared server, period. If that server runs any kind of Java application server which runs as a service (such as ColdFusion), then the risk is greater.

Other common causes of performance issues

There are quite a few other common issues that occur on shared hosting which can cause problems for everyone.

  • Client variables
    A lot of developers enable client variables in their code even though they do not use them, and worse, set them to use the registry or a database by default.
    When using the registry, this fills up the server’s memory and can cause it to crash.
    When using a database, this can affect performance considerably and make the site slow. A database bottleneck can also affect other sites on the server.
  • Database bottlenecks
    Badly written database queries, lack of caching or poorly designed databases will result in performance bottlenecks, which get worse as a site gets more traffic.
    These bottlenecks result in pages taking too long to execute, which results in timeouts, which results in queued requests. The end result, as above, is that all other sites end up going slow.
  • Caching
    When content and data are cached, the application does not have to go and fetch them again for each page, which improves performance.
    Lack of caching can cause performance issues, especially with databases when grabbing large chunks of data, or when connecting to external feeds or web services for data. Again this results in timeouts.
  • Too many requests
    On a shared server, remember that you are sharing everything with hundreds of other customers’ websites. This can easily overwhelm ColdFusion, due to the way it works, as the maximum number of requests can easily be exceeded when things get busy. If another eCommerce website on the server is having a major sale and its traffic has increased 10-fold, this will have an impact on everyone else.

But Railo is better, right?

When it comes to the issues above, ultimately no, I’m afraid. Railo is also a Java application and works the same way as CF, so the primary issues mentioned above apply to Railo as well.

Railo is, however, an improvement over ColdFusion in many other ways.
For instance, its security sandboxing is automatically applied at the website context root level (if you enable this in your Railo server admin) and just works; it does not require admins to set up sandboxes for each site as with ColdFusion, which is a sandboxing nightmare. This makes Railo better for shared hosting. However, Railo’s sandboxes, like ColdFusion’s, only sandbox CFML and do not secure Java code.

Railo also has a per-site web admin, allowing every customer to administer their own site, which is again a big improvement over ColdFusion, which has a single Admin that must be administered by the host and that customers cannot access. There is also no CFIDE folder, which has been the cause of many problems with ColdFusion.

So by using Railo you don’t have to rely on your host, you can pretty much do everything yourself, which is a big plus. So overall, Railo is a better solution in a shared hosting environment.

So what’s the solution?

The only solution is to do some research, educate yourself, use a bit of common sense, and consider how important your website is to your business.

As I mentioned, ColdFusion is, and always was, intended to be an enterprise solution and, as such, to run on dedicated hosting. It was never intended for shared hosting and is not built for it. Don’t forget that ColdFusion as an enterprise solution also has a hefty price tag (£6,800 for the Enterprise version), so ColdFusion hosting is always going to be more expensive too.

So the simple answer is: use the right tool for the job. CFML is a great language and ColdFusion/Railo are great tools when used correctly; you wouldn’t use a chisel to hammer a nail, right?

If you just want to run a blog, personal website or simple brochureware website, and uptime/performance is not critical to you, then you are a candidate for shared hosting. These types of sites are best served by something like WordPress, or another free open source site-in-a-box/CMS type system. For this type of site ColdFusion really is overkill.

If you run an eCommerce site or any kind of application which is mission critical, is your primary source of income, and needs to be secure, then you are a candidate for dedicated hosting.

If you love CFML and want to use it for everything you do, or have a custom-built application, then you should consider the implications and get yourself a VPS running Railo (or ColdFusion if you can afford it). You then have full control over security and performance, and also have the option to use multiple CF instances, so that each of your sites runs on a dedicated instance of Tomcat (or your preferred Java servlet container). That way you can still run multiple sites, but avoid the shared hosting scenario and lock down the security.

If you have any questions or need some advice or consultancy on this topic, please feel free to give us a call.

System Failure 28/06/2014: Vorlon-H4

We have had a system failure on one of the legacy HELM systems, VORLON-H4 (a semi-dedicated system).
Due to the age of the system it has been unrecoverable, and we are currently replacing it with a virtual machine and restoring data from backups.

We are working diligently to get everything back online ASAP.

Please check back here for updates.

Update 13:24
===========
The new virtual machine has been built and the required software is being installed.
Because all of the software is also legacy, finding appropriate installers has proved to be an issue as well.

Update 16:40
===========
We have managed to restore all customer data from backups, and have PHP, ASP and HTML sites working.
We are still working on ColdFusion. The old server was running ColdFusion 7 (which is no longer supported or downloadable) and we were unable to get ColdFusion 7 working with the current version of Windows 2003 SP2, so to expedite getting the system online ASAP we have had to use ColdFusion 9 instead.

If any customers are using ODBC DSNs, these have not been restored. You can easily recreate them by logging into HELM, selecting the ODBC entry and clicking save.

Update 20:26
===========
Further to the last update, we discovered that there were no active CF sites on the server, so we have not restored any of the ColdFusion settings and will be disabling ColdFusion on this server as part of its retirement. We have emailed customers for confirmation, but anyone using this server for CF will be migrated to a newer server.

Scheduled Maintenance Reminder (20/06/14 20:00): Service at Risk Maintenance for V-H2 Server

Title:

Service at Risk Maintenance for V-H2 Server

Event:

Engineering maintenance window scheduled for 20/06/14 20:00

Brief:

On July 7th, 2010, Microsoft ended mainstream support for Windows 2003, with extended support running until July 2015. The product will soon no longer be supported by Microsoft, and as a result we need to convert the Vorlon-H2 physical server into a higher specification virtual server running the latest edition of Windows Server 2012. For a full list of Microsoft lifecycle dates you can visit their website at http://support.microsoft.com/lifecycle/search/default.aspx and enter the OS type.

Impact:

The work requires moving hundreds of GB of data across our network and conversion to the latest operating system. The activity involves turning the server on and off several times whilst OS patches, updates and drivers are repaired and large volumes of data are moved. All grid services hosted on the server will be affected and sites will be offline during the 3-4 hours of scheduled work.

Action:

We apologise for any inconvenience caused, and we appreciate our customers’ understanding that essential maintenance is required to deliver the best quality of service.

Thank you,
BTI Status

New Scheduled Maintenance (21/06/14 04:00): Service at Risk Maintenance for V-H4 Server

Title:

Service at Risk Maintenance for V-H4 Server

Event:

A new maintenance window has been scheduled for 21/06/14 06:00

Brief:

On July 13, 2010, Microsoft ended all support for Windows 2000. The product is no longer publicly supported by Microsoft, and as a result we have to convert the Vorlon-H4 physical server into a higher specification virtual server running the latest edition of Windows Server 2012.

Impact:

This work will necessitate a series of actions to convert the Windows 2000 system, involving several upgrades and turning the server on and off several times whilst OS patches, updates and drivers are repaired each time. All grid services hosted on the server will be affected and sites may be offline for up to 3 to 4 hours.

Action:

We apologise for any inconvenience caused, and we appreciate our customers’ understanding that essential maintenance is required to deliver the best quality of service. The team will monitor the services and virtual machines running on V-H4 to minimise any disruption. Please do not open support tickets during this time, but do get in touch with us after you see the completion update if you have any concerns.

Thank you,
BTI Status

MySQL Pros and Cons

Although MySQL still remains one of the most popular relational database management systems in the world, it’s recently been losing supporters. Some believe that it’s actually on the way out, and that we’ll see it replaced by a better alternative in a matter of years. We’re witnessing the slow death of the system, they claim, particularly since we’ve seen organizations such as Google ditch it in favor of MariaDB, a popular drop-in replacement for MySQL.

Such claims ignore the clear advantages MySQL can offer an organization – even in light of its drawbacks. Although the database solution certainly isn’t made for every situation (few are), it’s nevertheless considerably powerful in the right hands. Today, I’d like to take a look at some of its strengths – and shortcomings.

Advantages Of Using MySQL

It’s Easy To Use

MySQL is very easy to install, and thanks to a bevy of third-party tools that can be added to the database, setting up an implementation is a relatively simple task. It’s also an easy database to work with, so long as you understand the language and the different storage engines.

Support Is Readily Available Whenever Necessary

Although Oracle’s history of supporting its customers can be spotty at best, the nature of MySQL – which got its start as an open-source platform – means that there’s a large and thriving community of developers and enthusiasts to which one can turn for help. This is due in large part to the popularity of the solution, the end result of which is no shortage of experts.

It’s Open-Source (Sort Of)

Oracle’s purchase of Sun Microsystems (and by association, MySQL) was met with some contention from the development community. The general fear was that Oracle would transform the tool into a closed, proprietary ecosystem. Thankfully, though Oracle has tightened its grip on MySQL somewhat, it can still be considered an open-source database option, as the code is still available for free online.

It’s Incredibly Inexpensive

Depending on what you plan to use it for, a MySQL implementation could range in price from free to $10,000 or more, but the Community Edition, which is the most widely used, is free. That said, we have found that most customers are unaware of other free alternatives, such as Microsoft SQL Server Express, which is more than powerful enough for most people’s needs and outperforms MySQL on just about every level.

It’s An Industry Standard (And Still Extremely Popular)

Although MySQL’s popularity has waned somewhat in recent years, it remains one of the most-used database systems in the world. It’s compatible with virtually every operating system, and is more or less an industry standard. This is, of course, in spite of all the folks who say it’s on the way out.

Disadvantages Of Using MySQL

It’s Got A Few Stability Issues

According to Digital Ocean, MySQL tends to be somewhat less reliable than its peers. These stability issues are related to the manner in which it handles certain functions (such as references, transactions and auditing). While the database is certainly still usable in light of these problems, they do tend to make MySQL a poor choice for certain use cases.
We can also confirm that in all our years of providing MySQL hosting we have had our fair share of issues with the server falling over, 100% CPU consumption, corrupted tables and poor performance. Compare this to Microsoft SQL Server, which has been mostly flawless: better performance, no random corruptions, etc.

It Suffers From Relatively Poor Performance Scaling

Although MySQL is equipped to handle a virtually limitless volume of data, it has a troubling tendency to come grinding to a halt if it’s forced to deal with too many operations at a given time. This relatively poor performance scaling means that anyone with high concurrency levels should probably look into an alternative.

“In my experience,” writes software engineer Koushik Ramachandra, “I have found that MySQL works better when you have a low write/read ratio, and offers low scalability as the read/write ratio grows.”

Development Is Not Community Driven – and Hence Has Lagged

Since Oracle has taken the helm of MySQL’s development, progress appears to have ground to a halt, with only one major release in the past several years. The company doesn’t accept community-developed patches, nor has it bothered to offer users any sort of roadmap for MySQL development. There’s really no way for developers to discuss the database management system with Oracle – and that’s a problem.

Its Functionality Tends To Be Heavily Dependent On Add-ons

Although MySQL is relatively easy to set up, it tends to have less out-of-the-box functionality than many other database systems on the market. Certain features – such as text search and ACID compliance – are dependent not on the core engine but on applications and add-ons. While it’s true that there exists a plethora of well-made applications for MySQL, tracking them down can sometimes be a pain, and might cause some developers to simply choose an alternative which – while not as easily installed – offers more immediate functionality.

Developers May Find Some Of Its Limitations To Be Frustrating

Not surprisingly, MySQL isn’t designed to do everything (nor should it be). The database isn’t fully SQL-compliant, and tends to be limited in areas including data warehousing, fault tolerance, and performance diagnostics (among others). Developers may find this relative dearth of functionality frustrating, particularly if they’re used to a more full-featured alternative.

Google Apps Vault: Protect your email data

As your business grows, retain your company’s critical information so you can find it easily.

[Infographic: example yourdomain.com, emails & attachments: 500 / 4,248 / 170 (emails sent, emails received, attachments opened)]

Your team is sending and receiving a lot of emails. As your business grows, it may become susceptible to information loss, lawsuits and compliance risks. That’s why businesses like yours are using Google Apps Vault, which works automatically with Gmail to preserve your team’s emails and on-the-record chats.

Preserve emails despite turnover

If employees leave, Vault lets you retain their old messages and attachments. It’s a simple way to ensure business continuity.

Find what you need, fast

What was that prospect’s name again? Where did that contract go? Tap into your team’s email history for valuable information.

Be prepared in case of legal action

We hope it never happens, but your business may face a lawsuit someday. Use the power of Gmail search to gather evidence quickly and easily from across your emails, saving on legal fees.

For more information please contact us.

Major network outage

At 9.06am this morning we experienced a major network outage at our London DC, which lasted until 9.48. After it was alerted to us through our normal monitoring channels and the initial response was unable to remedy it, our engineers were dispatched at 9.16am. It appears to coincide with a problem with BGP routing at a national level, as we were also alerted to a service notice from BT at around the same time. Please note the link below is a live site, so the yellow circles denoting network trouble will get smaller as BT resolve the exchange issues.

http://downdetector.co.uk/problems/bt-british-telecom/map/

At this stage we are still investigating the exact cause and we will update this blog the moment we have the full conclusion.

VPN Server Access

As per our earlier announcement, we had taken one of our OpenVPN servers offline due to the Heartbleed OpenSSL security threat. We have now moved all customers to a different VPN server which is not vulnerable to Heartbleed, and we have also reset all passwords as a security measure.

Note: We will leave the temporary “BTI” VPN login details that you were provided working until the end of this week.

To obtain new login details

For WHMCS/WebsitePanel customers, please login to client area and view/edit your profile, and you will find your new VPN login details here.

For everyone else you may request to have them sent via SMS.

VPN credentials can only be sent to customers via SMS as part of our security protocols, so please make sure that we have your mobile number listed on your account first.

For HELM customers, please login to helm and edit your personal details.
For WHMCS/WebsitePanel customers, please login to client area and edit your profile.

You may then open a ticket and request for your VPN details to be sent via SMS.

To open a ticket, please go to: http://www.myhostsupport.com/

How to connect to VPN

After getting your new VPN login details, you should simply be able to go to https://vpn.lnc.net/ and connect with your new login details; the new server will then be added to your OpenVPN client (right-click the OpenVPN icon in your system tray).

If this does not work, then please perform the steps below.

  1. First uninstall the existing OpenVPN client which you already have installed.
  2. Log in to https://vpn.lnc.net; you will be prompted for your username and password.
    [Image: openvpn2]
  3. Click on the “Click here to continue” link to download OpenVPN.
  4. Download the installer.
  5. Install the new OpenVPN client you just downloaded.
  6. A reboot of your system is suggested now if you have uninstalled a previous version, otherwise it may still try to connect to the old server.
  7. After rebooting, OpenVPN should be active in your system tray; just right-click and choose Connect. If OpenVPN is not currently loaded then simply double-click the VPN icon created on your desktop.
    [Image: openvpn]
  8. You may be prompted for your username and password again.

VPN Servers Offline Temporarily

Due to the recent and well publicized Heartbleed OpenSSL security threat, we have taken offline one of our VPN servers which was susceptible to this vulnerability (vpn.myhostcontrols.com). This is being rebuilt/replaced with a newer version of the software which is not susceptible to the OpenSSL vulnerability.

During this time customers will not be able to connect using their original login details.  Please open a support ticket to obtain temporary login details on one of our alternate VPN servers.

Customers using vpn.lnc.net are not currently affected; however, connections may be sporadic and may drop due to the increased level of hack attempts against software/servers which attackers believe to be vulnerable.

Less than 1 week left until Windows XP is no longer supported

Three quarters of UK businesses ‘still running Windows XP’

A huge number of organisations are still using Windows XP and once Microsoft stops supporting it next week, they are going to find themselves with gaping security holes.

What end of XP support means for you

  • XP users will be at risk from new viruses and malware
  • Businesses still using XP could potentially fail compliance or audit checks, as they will be using an unsupported operating system
  • Research shows that XP machines could be responsible for up to 40% more unscheduled downtime and cost 1.5 times more in maintenance than newer devices
  • All XP machines will be vulnerable to security risks and viruses after 8th April – this also includes Windows 7 devices when XP Mode is being run
  • Microsoft has published a blog post about the risk of running XP after support ends

All users should be upgrading to Windows 7 or 8 now if they have not already. We would recommend Windows 7 to most customers as it still has a familiar interface and works much the same as Windows XP, whereas Windows 8 is vastly different in the way it works and looks and is aimed at touch screen devices.