Tuesday, 29 April 2014

ColdFusion 11: "Select ColdFusion Server Profile"

I'm just getting rid of the ColdFusion 11 beta on my machine, and installing the release version. Straight away there's an intriguing new feature that wasn't in the beta:  "Select ColdFusion Server Profile":

The help text says this:
  • Development Profile: Use this profile only for development purposes. Note that features like Server Debugging and RDS are enabled by default for this profile.
  • Production Profile: Use this profile for production purposes. All debug features and RDS are disabled for this profile.
  • Production Profile + Secure Profile: Use this profile for a highly-secure production deployment that will allow a more fine-grained secure environment. For details, see the secure profile guide (http://www.adobe.com/go/cf11_secureprofile).
Allowed admin IPs are the client IP addresses that can access the ColdFusion administrator. They can be a comma separated list of IP addresses (for example,,, etc.). IP addresses can range from 10-30, or * wild cards. Both IPv4 and IPv6 addresses are supported.
When the installation completes, please lock down your Server as per the guidelines provided in the ColdFusion Lockdown Guide (http://www.adobe.com/go/cf11-lockdown-guide).

The page linked-to there doesn't really give much more info:

Secure Profile for ColdFusion Administrator
ColdFusion allows you to secure ColdFusion server furthermore by enabling or disabling selected settings on the ColdFusion Administrator. When installing ColdFusion, you can enable Secure Profile by selecting the option when prompted on the Secure Profile screen. Further, you could provide a comma separate list of IP addresses that may be allowed to access the ColdFusion Administrator. For more information, see Enabling Secure Profile for ColdFusion Administrator.
I'm gonna try the hardcode one, and see what we get. This is only a dev machine, so I don't need it, but let's have a look anyhow...

A coupla screens later (after the one picking stuff like ODBC, Solr, .net integration), there's another new screen:

This is interesting. And... disabling Flash forms. Yes please! I'm gonna disable the whole lot, actually.

[another mouse click]

Oh FFS. They still enforce their idea of a secure password, which basically requires all the variations of password character one might think of: mixed case, numbers, punctuation (or "special characters" as they so quaintly put it. Because a "!" is such a special character). My default secure password pattern has all of those except mixed case. So it's annoying that the rule is enforced. Suggested? Sure. But it bites that it's enforced. Oh well. My admin password will be "Password1!" Secure as f***, that is.

I can't recall if this is new, but I think it is:

I don't need to be able to do that, so I'm leaving the box unchecked.

The next two steps are familiar: picking where to install, and which web server to use. Also on the web server page I see what I think is another new option:

Is that "Configure WebSocket Proxy..." option new? I'm buggered if I know what it's for (other than inferring the obvious), and there's no longer any F1 help in this installer, so I will just select it and hope for the best ;-)

After putting in another password, I'm on the summary screen:

It seems to be slightly out of date, I think, because I selected a lot more options with these new settings, but they don't seem to be listed here. Surely they should be? Shall I file a bug (if so: that didn't take long, eh?).

Anyway, I've pressed "GO" and it's installing...

[blurk, this is gonna take an age... I'm gonna go to something else in the mean time...]


I'll just use this time to remind people that ColdFusion 11 also as a "ColdFusion Express Edition" which is a simple "unzip and run" version. Which I now wish is what I chose to run with.

[literally 1015min has passed since I clicked "Go", btw]

OK, 18min later - thankfully Brad has been amusing me on Twitter in this time - I'm installed.

The first thing I try is to access CFAdmin via my local IP address (ie: not just the loopback one), and... surprisingly... I get in OK. I thought if I say "one can only access CFAdmin via", then I must access it only via (or localhost, sure)? It should not consider my machine's IP address as the same should it, just 'cos it's on the same machine? Maybe I'm mistaken.

Anyway, it's up and running OK, so I'm gonna switch off all that bloody secure stuff now. Starting with the need to use "Password1!" to login to CFAdmin.