August 31, 2018
ColdFusion Debugging on Production
Comments
(5)
August 31, 2018
ColdFusion Debugging on Production
Newbie 12 posts
Followers: 7 people
(5)

Today’s short note is brought to you by “Don’t Do That On Production!” At CF Webtools often times we get called in to help troubleshoot servers that are failing to perform well. We often hear the same sort of symptoms that goes like this. The server has been running fine for months then suddenly for no reason it’s slow, CPU usage is high, and it hangs or crashes multiple times per day. This always prompts us to ask the same question. “What was changed just before these symptoms started?” And the answer is usually “Nothing was changed (as far as they knew)”. In all reality the person we’re talking to may not the be only person with access to make changes to the server. Or they may not in fact have access at all and they are relying on information provided to them by an IT team member. We take notes, assume nothing, and question everything (on the server).

We had this scenario play out a few times in the past few weeks with three servers from three different companies. The reason I’m writing this note is the same problem occurred on each server. The short answer is someone enabled ColdFusion Debugging on the production server. ColdFusion is a very powerful rapid development platform, but it has a few gotchas if you are not careful. Such as enabling debugging on a production server. Debugging output provides a massive amount of information and for obvious security reasons we never want this enabled on a production server. Yes, I know you can restrict debugging output to a certain IP address, but that does not prevent the debugging output from being generated. It’s just not displayed. The generation of debugging output takes more CPU power and at times more JVM memory. On a low load web application you may not notice a difference. However, on a high load, high traffic production web application the extra resources needed to generate the debugging output may in fact cause all those symptoms described above.

In each of the cases we saw these past few weeks, we were reviewing the servers settings, looking at the results of Fusion Reactor, and reviewing ColdFusion settings. On the first server we almost missed the fact that debugging was enabled. By the time we were troubleshooting the third server with similar symptoms we were checking to see if debugging was enabled before we did anything else. Disabling debugging resolved the bulk of the performance issues. We then used this time to review each server and offered additional performance tuning recommendations based on each servers resources and application needs.

This falls into the category of “Don’t Do That On Production!” Please leave debugging to your development and staging servers.

CF Webtools is here to fill your needs and solve your problems. If you have a perplexing issue with ColdFusion servers, code, connections, or if you need help upgrading your VM or patching your server (or anything else) our operations group is standing by 24/7 – give us a call at 402-408-3733, or send a note to operations @ cfwebtools.com.

5 Comments
2018-09-06 08:08:41
2018-09-06 08:08:41

Hi Wil and Charlie,

IMHO, the “Debugging IP Addresses” feature should IP-restrict the _generation_ of debug output (not just the display of it).

Adobe can/should this be ‘fixed’? Something I’m missing?

Thanks!,
-Aaron

Like
(2)
>
itisdesign
's comment
2018-09-06 11:40:08
2018-09-06 11:40:08
>
itisdesign
's comment

Yes, I would agree it should (only generate and show debug info for listed ips).

I’ve seen situations where it did and did not, over the years. Not sure of when it has and has not worked as we would expect, and what may affect that if anything.

Another variation is whether it should generate when cfsetting showdebugoutput is enabled. That’s less obvious, as it does say only don’t “show” it, but see https://tracker.adobe.com/#/view/CF-4201076 where recently I was working with a client who experienced an impact in that situation.

That said, note that he reported ONLY seeing the impact for a request from an ip in the debugging list.

Curiouser and curiouser.

Like
>
Charlie Arehart
's comment
2018-09-11 09:46:17
2018-09-11 09:46:17
>
Charlie Arehart
's comment

Hi Charlie,

FWIW, IMO, cfsetting(showdebugoutput=true) shouldn’t allow the generation of debug output if 1) “Enable Request Debugging Output” is disabled or if 2) “Debugging IP Addresses” is populated but doesn’t contain the user’s IP.

And, conversely, IMO, cfsetting(showdebugoutput=false) shouldn’t prevent the generation of debug output if 1) “Enable Request Debugging Output” is enabled and 2) “Debugging IP Addresses” is empty or contains the user’s IP.

Thanks!,
-Aaron

Like
2018-09-03 05:59:19
2018-09-03 05:59:19

Thanks For the article. Never thought that enbaling Debugging will cause performance issue.
I always thought that debugger will run only if there is an error.

Like
2018-09-02 11:54:44
2018-09-02 11:54:44

Always a good reminder for folks. Thanks, guys.

Like
Add Comment