Redirect Issue with SES via ISAPIRewrite on IIS

I am experiencing a very frustrating problem and hoping someone can illuminate me on why. Here is the situation:

  1. Site is running under ColdFusion 9.x on Windows 2003.

  2. We are using the ISAPIRewrite/3 for SES URLs.

  3. The routes.cfm has been modified so that it does not include the index.cfm.

  4. Routes.cfm is using cgi.http_host for the setBaseURL.

  5. There is an SSL interceptor that checks to see if the user is accessing the site via HTTPS. If not, it redirects them to the SSL.

  6. RequestDecorator has been extended to change the default for the SSL parameter to true.

EVERYTHING works fine for a while. Then suddenly, the system starts redirecting the user to the IP address. Normally, this is the IP that the SSL is bound to (but in a couple of cases, not). When this happens, the system thinks it is running in production mode, rather than test or development mode.

This problem is only happening on the TEST server, which is separate from the production site. The coldbox.cfc does implement the environment features, but the default is currently set to production unless the site has the hostname that includes api-test or api-dev.

The only way I have found to resolve this issue is to reboot the server, or stop/start IISAdmin and CF.

Note that on the production system, there is also a site that uses the same features, however, it is not using the URLRewrite/3 modules and it includes index.cfm.

If anyone can recommend a solution, it would be much appreciated!

Cheers and a great weekend to everyone.

Kevin S. Anderson | President

Superlative Solutions, Inc.

1475 Casson Ct. | Colorado Springs, CO 80919

Tel: 719.630.1529 | Fax: 866.708.5599 | Cell: 719.930.2599

kevin.anderson@ssiwt.com | www.superlativesolutions.com

Kevin,

I can think of a few reasons this could occur, but, without getting into the weeds I don’t think I can help isolate the cause. However, I do think I can help you with a solution regardless of why this is happening.

I’ve attached an interceptor which you can use that will guarantee the environment ColdBox runs in regardless of the domain used to construct the app.

Aaron Greenlee
http://aarongreenlee.com/

EnvironmentDetector.txt (820 Bytes)

In the event the attachment has issues you can also access the code here: https://gist.github.com/1174783

Hi, Aaron:

This is good info and I appreciate your direction on this. Only issue I see is that the code would not necessitate separate machines for each environment (which is best practice but not always practical).

Based upon your idea, however, I modified the coldbox.cfc to include a detectEnvironment() function, which reads an ini file located above the webroot, which stores the environment setting. Since it is above the webroot, this appears to do the trick while supporting multiple environments on the same machine without compromising security.

Does this make sense? Are there any security issues I should be concerned with on this, based upon your experience?

Cheers!

Kevin

Kevin,

That seems like a fine solution.

-Aaron
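
Added example (not code from the thread or from ColdBox itself): a sketch of the ini-file approach Kevin describes, where the environment is read from a file outside the webroot instead of from the request's Host header, and anything missing or unrecognised falls back to production as in his existing default. The ini location, the `[app]` section, the `environment` key, the log file name and the placeholder settings are assumptions.

```cfml
// config/ColdBox.cfc (excerpt). Assumed layout: {webroot}/config/ColdBox.cfc,
// with environment.ini one directory ABOVE the webroot, containing:
//   [app]
//   environment=test
component {

    function configure(){
        // Placeholder settings; a real configure() carries the full app config.
        coldbox = { appName = "ExampleApp" };
    }

    // Returns the environment name. The value never comes from
    // cgi.http_host, so a request made by IP address or with an
    // unexpected Host header cannot change which environment is selected.
    string function detectEnvironment(){
        var allowed  = "production,test,development"; // allowlist of known names
        var fallback = "production";                  // same default as in the thread
        var iniPath  = getDirectoryFromPath( getCurrentTemplatePath() ) & "../../environment.ini";
        var env      = "";

        if ( !fileExists( iniPath ) ) {
            writeLog( text="environment.ini not found, using #fallback#", type="Warning", file="environment" );
            return fallback;
        }

        try {
            env = lcase( trim( getProfileString( iniPath, "app", "environment" ) ) );
        } catch ( any e ) {
            writeLog( text="environment.ini unreadable: #e.message#", type="Error", file="environment" );
            return fallback;
        }

        // An empty or unknown value is treated as a misconfiguration, not trusted.
        if ( !listFind( allowed, env ) ) {
            writeLog( text="unrecognised environment value, using #fallback#", type="Warning", file="environment" );
            return fallback;
        }
        return env;
    }

    // Per-environment overrides (placeholder bodies' settings are assumptions).
    function test(){ coldbox.handlersIndexAutoReload = true; }
    function development(){ coldbox.handlersIndexAutoReload = true; }
}
```

The ini file should be writable only by administrators and readable by the account the ColdFusion service runs as, since whoever can edit it controls which settings the application loads.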