You can run it from the offline server console using a locally installed browser or wget/curl etc. The URL will look like this:   http://localhost:{listening number for instance}/generate_request.cfm   Usually, the listening port for the built-in CF web server will be 8500, I think.   ... View more

As far as I know, there aren't any true memory leaks in CF because CF is built in Java, which doesn't allow you to introduce memory leaks. And you partially answer your own question by pointing out how many old gen objects you have on the Java heap. Changing GC settings isn't going to do anything about old gen objects, because they're not garbage. So to ultimately solve your problem, you have to figure out how to reduce the number of old gen objects, or accommodate your environment to handle larger numbers of them.   To that end, I'm going to echo @BKBK and @Charlie Arehart and probably a bunch of others in asking you to block bots, which can easily create a lot of long-lived Java objects as part of the Session scope. This may fix your problem, but even if it doesn't, it should help you narrow the search.   ... View more

I think the names without spaces should be fine. I have no idea why HTTPS would be used here unless you specifically configured it to be used. Maybe, after you've changed the names and retested and things still don't work, look into that more.   ... View more

I agree, and the second one was why I asked what the instance names were. I should probably look that up for the next time.   ... View more

Does naming the cluster and the instance same matters ??   No, they're not really the same, but if you prefer naming the cluster something else, this is a great chance to do it!   ... View more

I honestly don't know what the naming requirements are, but I'd replace the spaces with underscores and see if that fixes your problem.   ... View more

ColdFusion is a J2EE application, so it needs Java to run. I recommend just downloading and installing the version of Java that @RaviShankar Chagnur pointed out. It's an Oracle JDK, and it's compatible with ColdFusion 11. By the way, CF 11 is REALLY OLD now, and is vulnerable to all sorts of bad things, so you might consider upgrading that in the future.   ... View more

I am new to this, I have setup clusters and two instances in each cluster. one instance is up and running and the sites are also working fine. i am on window server and using IIS. sending traffic from cloudfront to the server ( http bindings) when i start the second instance in the cluster i am getting errors and the site is not available, when i check the log file i see these errors ...   What steps did you follow to set up the second cluster instance? What are the cluster member names?   ... View more

This doesn't sound like a CF problem, really. It sounds like a networking problem or a web server problem. It seems like the more we're talking, the less I understand! Anyway, though, try setting up a static web site for testing using the public IP first.   ... View more

I don't know the answer to your question. But here are some things I'd try. First, what happens if you make the paths absolute instead of relative?  Second, what happens if you run this on a licensed production server where you don't get the "developer/trial" watermark?   ... View more

Has using a public IP address ever worked with your Apache instance at all? Do you think this is a CF issue, or a web server configuration issue, or a networking issue?   ... View more

What are the necessary changes you made to the Apache configuration?   I hesitate to mention this, but you could still use IIS instead of Apache here. Just change the webroot in IIS to wherever it is in Apache, and everything should work.   ... View more

Are you using downloadObject or downloadToFile? Files aren't objects. See @Charlie Arehart 's previous replies.   ... View more

I think you'd need to change your web server's listener to your public IP. That should be enough. The web server will still talk to CF via the localhost IPs (IPv4 and IPv6). To change the web server's listener, you'll need to edit httpd.conf, which should be in C:\Apache24\conf.   Out of curiosity, is there a reason you're using Apache on Windows instead of IIS? Not that there's anything wrong with that.   ... View more

You should enable debug output for both environments. See what's going on behind the scenes in each. This might help you post useful code snippets and CF administrator settings.   ... View more

I'm glad to hear that - and not all that surprised.   ... View more

I suspect CF 2023 won't just use your CF 2018 cacerts file and keystore as-is. I suggest you retrieve the certificate chain for the intermediate and root servers (in that order) using openssl.   openssl s_client -showcerts -connect :{your.cfldap.server}:636   Copy the retrieved certificates from the command prompt and paste them in your cacerts file. Then try adding these arguments to jvm.config:   -Djavax.net.debug=ssl,handshake,verbose -Djavax.net.ssl.trustStore=/path/to/your/jdk/lib/security/cacerts -Djavax.net.ssl.trustStorePassword=changeit   I'm assuming you haven't changed your password yet, nobody bothers to do that. If you have changed it, change your jvm.config accordingly! You probably don't need the trustStore location in there, but it won't hurt.   This should either fix your problem, or at least give you more information about your problem. Good luck!   ... View more

Wow, that's a shock to me. My condolences to his family as well.   ... View more

Did you check the error logs?   ... View more

Did you stop and restart CF immediately prior to that? Do you see anything in the error logs after that? Is this happening in multiple environments, or just this server? If you have multiple environments, can you update CF to update 10 on one of them and retry?   ... View more

I tried grabbing the previous files just to see if it would make the scanner happy. I removed them after it had no effect. This solution was suggested by a member of the security team, so I figured I would give it a shot.   This is a terrible suggestion. How would a member of the security team know what CF is going to do with additional files that were outdated by the new file?   Anyway, you should ask for a waiver from the security team, since you can prove that you're right and Tenable is wrong. You have a Tenable support ticket now, and hopefully they'll resolve that bug before your next scan.   ... View more

The way CFML interacts with the file system is kind of complicated, and it very well may have changed between updates. But I suggest that instead of trying to figure out the underlying root cause, you modify your code per @BKBK 's suggestions and move on. Reading and deleting files sequentially can cause trouble. There are other ways you could deal with this problem, too. For example, you could choose not to delete the file immediately, then have a scheduled process delete all the undeleted files if there aren't any in use, or delete the files you know aren't in use, etc.   Dave Watts, Eidolon LLC ... View more

Do you have an idea when your sys admin will give you that information? It's going to be hard to identify the problem without it.   Dave Watts, Eidolon LLC ... View more

There's an old joke that goes like this: someone goes to a doctor and complains "it hurts when I do this". The doctor replies "don't do this". That's what your question reminds me of. Don't try to escape hash marks in the middle of an expression the way you're doing. You might be able to get it to work, but there's almost certainly an easier way to do what you want.   Dave Watts, Eidolon LLC  ... View more

I'm not Charlie, and I don't know exactly what your FOSS-Process department does or what German law requires, so please forgive me in advance if I make incorrect assumptions. But you are not licensing these products, Adobe is. Why does Adobe have to provide you with the license text at all? Adobe may not be using the same license as you would be required to use if you downloaded the third-party product and installed it yourself.   Also, as Charlie notes, you can remove some components using the module install/uninstall stuff. But you won't be able to uninstall everything that Adobe's included, like Tomcat or Log4J. Some of those may be open source products, others may be proprietary. Again, for the open-source ones, Adobe should (I think) be responsible for licensing them, not your company.   I do agree that Adobe should provide a manifest of third-party libraries and components so that you can deal with supply chain issues, but that's a different discussion I think. You might consider opening a support ticket about that.   Dave Watts, Eidolon LLC ... View more

Can you install a recording proxy and see what's going on with the update site responses?   Dave Watts, Eidolon LLC  ... View more

I like the batch file suggestion. I seem to recall that working consistently. But if you didn't want to put everything in a batch file for some reason, you could also try something like this:   <cfexecute name="c:\windows\system32\cmd.exe" arguments="/c \path\to\node.exe testcase1.js">   Dave Watts, Eidolon LLC ... View more

I've read through all those numbers, and I can't point out much that's clearly wrong - but it's definitely giving off a bad code smell. One thing I can clearly point out is this:   Q: What is the value of "Queue Timeout Settings" (in the ColdFusion Administrator)? A: 560 seconds; this value was defined by the dev team, this is because we have processes that take a long time to be executed, according to what the dev team indicates this delay is normal. If for example, we lower this value to 60 seconds, timeout errors begin to be reported by system users.   560 seconds is a REALLY HIGH value for any global timeout setting. If I ran into this as a load tester, and I didn't know anything else about the code, I'd try to identify the specific reasons why it was originally set this high. If a page or module takes this long to execute, why is that? Is it happening across the board, or are some pages and modules taking this long while most aren't? What do those pages and modules share in common? Are they interacting with specific database tables, or performing operations that are known to be long-running like PDF generation, or calculating reports that are more complex than the rest of the application? I dunno, but I'd look for that. If you could set a long timeout just for these pages, and a short default timeout for everything else, that would probably improve performance and reduce memory use significantly.   Here's another potential bad practice.   Q:Does your application use Application.cfc? If so what are the values for: A: sessionmanagement="Yes" clientmanagement="yes" sessiontimeout="#CreateTimeSpan(0,6,0,0)#" setclientcookies="true"   That is a REALLY LONG session timeout - SIX HOURS! A session is normally kept for thirty minutes or less, the lower the better. Unfortunately, HTTP doesn't have a built-in session tracker so you have to guess how long users will wait around before clicking a button or a link, etc. Sessions are stored in memory, and this is going to use a lot more memory than required. If a user comes to your site, does something in the first hour, then closes the browser window, your server will still keep that session around for another five hours! So, what you might think of as not memory-intensive may turn out to unnecessarily hold onto memory it doesn't need to. Try setting this to thirty minutes or less in a test environment, and see what happens. If your developers say "we need it to be this long because of blah blah blah" that's a good sign you need new developers.   The rest of my objections are just code smells like I mentioned before, but this application seems to need a LOT more memory than, well, nearly any other CF app I've seen. I'd be really interested to see how much memory you actually need. You shouldn't need a 64GB max heap size unless there's some heavy-duty stuff going on. I really doubt you'd have 250 concurrent users if you had reasonably short sessions.   I'd probably disagree with or at least question some of the other advice you've received. For example, if you increased the min heap size to 64GB as well, that's going to take a while to restart - my wild guess is twenty minutes or more. That's why you get two different values to set. If your max heap isn't that large, or if you have a cluster of web and/or application servers, it will often make sense to set the min heap the same so there isn't so much reallocation going on after startup, but if your max heap IS that large and you have a single application server, you probably don't want all that allocation going on before the machine can start working. But that's my opinion and just a minor quibble. I would definitely start reducing the actual memory allocation needed during the app's runtime. Performance analysis load testing will be your friend here, unless you like developing on production. (Seriously, don't develop on production.)   Finally, and this is sort of unrelated, you want to stop using searchImplicitScopes=true as quickly as possible. This is a critical security issue. Yes, you will have to go through your entire codebase to fix this. It's a giant pain. But there's some help out there! Pete Freitag's Fixinator tool can find and fix these unscoped variables, and Adobe has released a patch that will log these variables. You can find out all about that by scrolling to the bottom of this page:   https://www.petefreitag.com/blog/cf-searchimplicitscopes/   Dave Watts, Eidolon LLC ... View more

There will probably be a patch, but (a) this isn't an official Adobe product support channel so it's unlikely you'll find out when the DataDirect patch will be released, and (b) you can probably avoid this by switching to the vendor's own JDBC driver. It's not ideal, but it should work.   Dave Watts, Eidolon LLC  ... View more

I'm pretty sure this isn't included with ColdFusion. So I don't think you can mitigate it in ColdFusion. It's a Node.js package I think.   https://security.snyk.io/package/npm/crypto-js/3.1.2   https://github.com/brix/crypto-js - apparently it's now discontinued in favor of the Crypto module built into Node.js   Dave Watts, Eidolon LLC ... View more