[Commandbox 4.3] SNI or multiple domain/cert support

I have run into a snag converting some of our sites over to use commandbox built in webserver. we have some applications that in IIS have many bindings with many domains and certs attached. I see that Undertow supports SNI ( https://issues.jboss.org/browse/UNDERTOW-750 ) but I am not seeing any way to configure it in commandbox. Is there a way to pass more than one cert in the server.json? or a way to hook into a SNI callback to pick the cert like in Node?

Right now you would need to sit CommandBox behind IIS and terminate your certs there to do that.

https://www.youtube.com/watch?v=8q7sSZ7gK3E

I’m open for you to create a ticket however for us to support this in the future.

Thanks!

~Brad

Developer Advocate
Ortus Solutions, Corp

E-mail: brad@coldbox.org
ColdBox Platform: http://www.coldbox.org
Blog: http://www.codersrevolution.com

The IIS/AJP proxy explained in the video almost solved my problem. However I had alot of trouble with sub apps nested under multilevel virtual directories. But ultimately the kill shot for the AJP workaround was what seemed to be a hefty time cost when running requests through it. here is a side by side left running through IIS with AJP the other directly to commandbox. I went ahead and put in a ticket for SNI support. Thank you for your help, I learned a ton on the in process of trying to get it setup.

I had alot of trouble with sub apps nested under multilevel virtual directories.

Can you elaborate? I don’t use virtual directories much myself, but I have a client implementation of Boncode and CommandBox in production whose site runes ENTIRELY out of virtual directories and it seems to be working fine so I’m curious what issues you had.

a hefty time cost when running requests through it

So this one is very interesting. I’ve never been aware of any difference in performance between BonCode and hitting your server directly. I was going to reply and tell you that there must be something wrong with your setup but I tested it quickly on my local machine with a simple hello world page hitting CommandBox’s HTTP listener directly and then hitting it through IIS/Boncode.

I was pretty surprised to see that my direct traffic averages about 10ms per call. However, hitting it through IIS bounces back and forth between 10ms and ~500ms. It’s uncanny.
Tailing the debug logs while hitting the page shows that the requests reach CommandBox instantly but the delay seem to be on the reponse side of things.
I have no idea if what I’m seeing is related to what you were seeing and I’m curious if the slowless is 100% of the time for you or only sometimes. Just now, hitting the page 10 times-- it was fast 3 of the times and slow 7 of the times. Very interesting.

I can’t say I’ve ever noticed boncode being slower but in my case, half a second could go fairly unnoticed. I haven’t restarted my system or tried a second site or anything yet as a control. Have you checked that you don’t have logging or anything enabled in Boncode-- it can generate some hefty log files if it’s turned to the highest level. Also make sure you don’t have tracing or anything enabled in IIS. If the issue persists, I’d recommend putting in a ticket in the Github repo for Boncode. Bilal is usually pretty responsive and would take any performance issue seriously. I’m hoping there’s just something wrong int he config through. A lot of people use Boncode and I don’t think a big slowdown would have gone unnoticed.

I went ahead and put in a ticket for SNI support.

Awesome, Thanks!

I was not seeing alot of fluctuation but I did end up finding out a portion of the overhead was due to the boncode not maintaining a connection pool to the commandbox server. I set 500 in the boncode config and that sped it up quite a bit. However I then had trouble will command box timing out the connection and could not find a way to set the connection timeout on the server to infinite as recommended in the docs.There is still what seems to be about 150-200ms delay on each request when using the boncode connector with pooling enabled.

You opened the an issue for it here but there has been no action as far as I can tell Undertow AJP tuning options · Issue #133 · cfmlprojects/runwar · GitHub

I am not entirely sure what the root cause of the virtual directory issue was I ended up switching to an app that was less reliant on them for my experiments. I will try to circle back in the near future and nail it down.

I know this is an old thread, but I wanted to let you know CommandBox’s new Multi-site features is bringing SNI support finally. I’d love for you to help test it if you can.

I appreciate it, and would help test if possible but we have not used CF for many years now.

1 Like