Skip to main content
F
faheemitian
Inspiring
August 7, 2019
Answered

Running CF in distributed mode with IIS inside Docker Container

  • August 7, 2019
  • 1 reply
  • 3762 views

We are moving CF applications to Docker containers from Windows Server 2016 servers. We are using Windows authentication so have to rely on IIS for the webserver. I am trying to configure the IIS with 64bit version of isapi_redirect.dll under mcr.microsoft.com/windows/servercore/iis:windowsservercore-ltsc2019 but getting the following error:

HTTP Error 500.0 - Internal Server Error

Calling LoadLibraryEx on ISAPI filter "C:\ColdFusion\config\wsconfig\1\isapi_redirect.dll" failed

Error details in Win Events:

TimeCreated                     Id LevelDisplayName Message

-----------                     -- ---------------- -------

8/7/2019 8:29:30 PM           2268 Error            Could not load all ISAPI filters for site 'DEFAULT WEB SITE'.  Therefore site startup aborted.

8/7/2019 8:29:30 PM           2214 Error            The HTTP Filter DLL C:\ColdFusion\config\wsconfig\1\isapi_redirect.dll failed to load.  The data is the error.

isapi_redirect.properties file has the following contents:

extension_uri= /jakarta/isapi_redirect.dll

log_file= C:\ColdFusion\config\wsconfig\1\isapi_redirect.log

log_level= info

worker_file= C:\ColdFusion\config\wsconfig\1\workers.properties

worker_mount_file= C:\ColdFusion\config\wsconfig\1\uriworkermap.properties

iis_buffer_enable= true

auth_complete= 1

iis_skip_custom_errors_enable= false

The connector is not creating any logs. The connector and configuration work fine on the Win2019 host but never inside the container. I have tried the tomcat connector and it's working fine just the CF connector is not working. Any help would be highly appreciated.

This topic has been closed for replies.
Correct answer faheemitian

Windows authentication via Tomcat (the built-in CF web server) is complicated. But do you really need Windows authentication there, or do you just need to know the username, or can you even get away with just knowing that the user was authenticated by IIS in the first place? If the latter, then you don't really need to worry about anything. If you just need the username, you can extract it from the Authorization variable that will be passed along by the reverse proxy as discussed here.

https://stackoverflow.com/questions/7364736/http-server-behind-iis-pass-authentication-headers

If you really need credentials on the CF server to perform additional Windows authentication requests, this might be helpful.

Apache Tomcat 8 (8.5.43) - Windows Authentication How-To

All that said, this is really getting complicated at this point. Can I ask what you're trying to accomplish by separating IIS from CF, exactly? I might be able to recommend a better solution than what I've recommended so far. (No promises there, of course!)

Dave Watts, Eidolon LLC


Hi Dave,

Finally, I have it working now but let me answer your questions first. Adobe CF team has released Linux only base docker images and our applications are currently running on IIS with Windows authentication. ColdFusion is not directly accessible by the end-users. CF Apps, however, do look at the remote_user/auth_user headers to validate the user. I am thinking we can use distributed mode to use Adobe CF base images on Linux nodes and run IIS as web server for Win Auth on Win Nodes. We can create and maintain our Windows Based CF images but that will be just more work. Also, I don't want to change the application.

Reverse Proxy method you mentioned doesn't support Windows authentication since re-write actually happens before the authentication -> IIS URL Rewriting and ASP.NET Routing | Microsoft Docs

Now, for the solution, thank you Priyank for pointing me towards the VC++ redistributable. I had the command to install the redistributable in the docker file but it wasn't executing correctly and didn't error out either. I assumed it was CF error but it was it ended up to be the Docker error in the end. Also, I guess Tomcat connector doesn't rely on the redistributable and it threw me off. I had the command as:

SHELL ["powershell"]

RUN C:\temp\vcredist_x64.exe /quiet /install

It's only after I verified the installation inside the container I realized that the redistributable was not installed. *sigh*. This is not normal. I have spent over 30 hours looking into this issue. I looked into it and Microsoft recommends using CMD shell to execute the installer correctly. Powershell doesn't work well with the executable for some reason. Following syntax works:

SHELL ["powershell"]

RUN cmd.exe /s /c "c:\temp\vcredist_x64.exe /install /passive /norestart /wait"

Thank you Priyank, Dave, and Charlie. I wasn't expecting this level of support on a public forum but you guys came up with genuine recommendations. I appreciate your help.

1 reply

Charlie Arehart
Charlie Arehart
Community Expert
August 7, 2019

The answer is in your "subject". :-) With IIS being in one container and CF in another, there's simply no way (out of the box) that the the named isapi_redirect.dll is going to be found on the IIS image. You have no ColdFusion2018 folder there, right?

What you are trying to achieve is what CF has indeed long called "distributed mode", as you say in your subject. With that, the web server is on one machine and CF is on another. And therefore you need to put the needed web config files on the web server, not the CF server.

But the wsconfig tool (running on the CF box) doesn't know how to do that (nor could it be expected even to be able to put files on the "other server", or in your case the "other container").

Over the years various resources have talked about how to solve this, and the same solution they show for any "other server" will apply as well to an "other container" running IIS (or Apache). Of course, one challenge is that you may want to do the steps on a host and copy the needed files into the image at build time (or container at run time).

Here are a couple of resources discussing the distributed mode process, one from Adobe with less detail, and one from Benjamin Reid with more (his is in comments, and is about IIS, despite the post being about Apache):

Setting up ColdFusion in distributed environment - ColdFusion

ColdFusion 2016 Distributed mode Apache web server - ColdFusion

I've been meaning to put something together more specifically for Docker deployment, and I will in time. Until then, hope this helps.

/Charlie (troubleshooter, carehart. org)
F
faheemitianAuthor
Inspiring
August 8, 2019

Charlie, thank you for getting back to me so promptly. I have actually looked at Benjamin's comment and I indeed have the wsconfig files copied over to the IIS container. Just the config folder, not full-blown CF. As I said, when I replace the isapi_redirect.dll in the IIS container with the tomcat's version, the filter loads correctly. I am wondering if isapi_redirect.dll needs anything else on the IIS server. I would really appreciate any insight into debugging the issue.

Charlie Arehart
Charlie Arehart
Community Expert
August 8, 2019

I have confirmed the bitness for the connector and the AppPool. It's all 64 bit. I also tried the configuration with 32bit version with 32bitness enabled on the AppPool still got the same error.

I could have been more descriptive in the question. My bad.


So to be clear, you are confirming the bitness of the app pool in the IIS within the container, right? Not in the host, where you built and then imported into the container the files? How are you confirming it in the container, without an IIS UI? (I know that you can. I’m just trying to make sure you’re not missing something.)

/charlie

/Charlie (troubleshooter, carehart. org)
Terms & ConditionsAccessibility statement
Using the community Terms of use Privacy Cookie preferences Do not sell or share my personal information ad choicesAdChoices