Tutorial: Setting up a production Windows 2008 server with IIS7 & Railo
Tuesday, June 29th, 2010
In which Gary explains his newfound appreciation for anyone who calls themselves a sysadmin.
I’m not a sysadmin. I like to make websites. It’s what I do, what I’ve always done.
Dealing with servers is the unplanned love child of my long-term affair with website development. A horrid child that demands constant attention and gives nothing back in return.
In the past, I would point clients in the direction of a decent web host and let them get on with it, but as it turns out these clients would still phone me as the first point of contact when their servers went down, making me a mediator between them and their hosts. Frankly, I figured if I’m spending my time doing this anyway, I may as well get paid into the bargain.
Well, after four years of hosting clients’ websites I can quite categorically state that sysadmins have one of the most difficult jobs imaginable. Anything can go wrong, at any time. Running a tight system involves research, dedication, and genuine enjoyment of high-level tinkering.
If I’m ever in a position to employ a sysadmin, they will be treated well. I will make them tea. And cake. And give them sympathy.
Recently, after a long and gruelling battle with the most unreliable hosting company I’ve ever used, I finally took the plunge and set up my own Windows VPS using IIS7 & Railo.
The decision making process:
In which Gary explains, and attempts to defend, his reasoning.
“Why use IIS?!” I hear you scream at your monitors, which proves that I do in fact possess super-human hearing abilities… Well, as I’ve taken great pains to explain, I am not a sysadmin. Years ago I ran a Linux server that was hacked to pieces because I didn’t know enough about securing said system.
Windows and IIS, for all its faults – and there are a great many – is a GUI-based system. What this means in the real world is that there’s an icon for everything. So, as a non-sysadmin trying to set up and run a server, having an icon for every conceivable thing I’d want to do serves to actually indicate what I might want to do in a way that a collection of config files simply doesn’t.
Also, having used it for a while now, I have to say that IIS7 isn’t half bad. It’s a damn sight better than IIS5 and IIS6, both of which I’ve had the dubious pleasure of using during the course of my career. Also, Server 2008 is a lot nicer than previous incarnations. Sitting here typing this post in Word 2007, on Windows 7, talking about Server 2008, I have to say that Microsoft seem to be taking an interest in user experience. They’re a long way off Apple, but they’re finally doing something half decent. Well done them.
“So why Railo?”
Well, initially this was an issue of cost. Frankly I can’t afford to shell out for an enterprise CF licence. I’m not a big company, I’m one man making awesome websites for very small companies. So I thought I’d give open source a go, and see how it compares.
I have to say I tried Railo about a year ago and found that it was lacking in too many places to be a viable solution. There were a few tags missing, a few things it just seemed to handle differently, and given that my sites generally like to nudge a few boundaries, it just wasn’t up to the task.
Well, all that has changed. Railo this time around was an absolute pleasure. A steeper learning curve to set up compared to Adobe ColdFusion, granted, but what you’re rewarded with is a blisteringly fast ColdFusion experience, a much higher level of control over your environment, entry into a knowledgeable and welcoming community and a general feeling of wellbeing that can only be gained from not giving Adobe three grand of your hard earned cash.
Hacking my server 101:
In which Gary, in an attempt to offer help to others in a similar situation, provides a step by step guide to the setup of his production server, and hopes that malicious people don’t use it to bring the thing crashing to its knees.
In the beginning, there was the welcome screen and the server was without services.
So, let’s assume that you’ve got yourself a nice sparkling new Windows 2008 server/VPS set up.
Depending on how your hosting company has set this up, you may need to install various Windows updates, so it’s best you do this before anything else. Go to Windows update. Go directly to Windows update. Do not pass go, do not collect $200.
Usually I’d advocate installing anti-virus software next, but bitter experience tells me it’s best to install that at the end, after installing the various components we’ll need to get the server working.
And the sysadmin said, “Let there be services, and let the server use them to serve pages to the masses”.
Firstly you’ll need to install IIS and various roles. I’m not any kind of an expert on this, so I won’t suggest which roles are right for you. Best practice, as I understand it, is to only install what you need for the task at hand, thus minimising the chance of attack.
I’m using Windows 2008 Web Edition, which comes with literally nothing but IIS. If you’ve got a better version of 2008, you may want to install the DNS role, email, any number of others. Go wild, have fun.
One way or another, you’ll need to install all the IIS6 roles, as well as the IIS management role.
I’m using MailEnable, basically because it’s free and does the job. When I spoke to my new hosting company about this, they strongly suggested trying ‘SmarterMail’ as a better alternative. Give them a look and make a decision.
Guides to install MailEnable are here:
You’ll need to open ports on your firewall to enable… umm… MailEnable… so don’t forget. This includes Windows Firewall as well as any hardware firewall you may have set up.
Incoming: 110 & 25
If you want to use your server as a nameserver, (and frankly, if you need to read this tutorial to set up a production server, you’re unlikely to be the kind of person who’ll have a separate DNS server, so I’m talking to you!) you’ll need some kind of DNS service.
I’m using the cut down cheap-ass ‘Web Server Edition’ of 2008 server for which Microsoft have deemed fit to not include DNS services. So, like most of the planet, I’m using Bind.
It’s fiddly to get your head around if you’re unfamiliar with the concepts of DNS, but once you get the hang of what’s happening it’s all very straightforward.
Take a look at this tutorial: http://alex.charrett.com/bind-on-windows-mainmenu-3
You’ll also need to register your domain with the nameserver authority – or more accurately you’ll need to get your domain registrar to do this. A lot of registrars have an automated section in their control panels where you can do this. Others you’ll have to email. But basically, you need to have a domain name pointing to your IP address on the main database of nameservers. This usually takes about 24 hours.
You’ll also need to open your firewall up for BIND services:
Port 53, inbound and outbound, both TCP and UDP
Initially, I thought it best to use the IIS built in FTP 7.5… However, after much messing about I decided it wasn’t up to the task.
If, like me, you like to have a ‘private’ folder outside the webroot to keep CFCs and the like, I’d recommend ditching it for FileZilla Server.
I’ve left instructions for FTP 7.5 here for posterity.
Windows Server 2008 has a new FTP module, FTP 7.5. It’s supposedly better for a million reasons, but what I like about it is you no longer have to create Windows users to authenticate an FTP session. I’ve never much liked Windows user permissions; gimme a username and a password and I’m happy.
It does take a bit of messing about to get the new user system working though. A very handy tutorial exists here:
FileZilla Server is a much nicer solution in my opinion; it works much as I’d expect an FTP server to work, and doesn’t require as much messing about with IIS users and the like.
There’s not much in the way of tutorials out there, but it’s so simple to set up I’d be surprised if you need one. Nevertheless, here’s a link to one for good measure:
Once you’ve set that up, you’ll want to set up the firewall for FTP.
That means opening up port 21, as well as enabling PASV mode with the following command:
netsh advfirewall set global StatefulFtp enable
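The firewall openings the post calls for above (MailEnable on 25 and 110, BIND on 53 in and out over TCP and UDP, FTP on 21 plus stateful PASV tracking) gathered into one batch file, as an added example rather than anything from the post; the rule names are my own, the syntax is that of netsh advfirewall on Server 2008, and it assumes an elevated command prompt:

```batch
@echo off
rem Constructed example: each port from the tutorial becomes a named rule so it
rem can be listed, audited and removed later rather than living in a GUI click.
rem Rule names below are my own choice, not anything MailEnable or BIND require.

rem --- MailEnable: SMTP (25) and POP3 (110), inbound TCP ---
netsh advfirewall firewall add rule name="MailEnable SMTP in" dir=in action=allow protocol=TCP localport=25
netsh advfirewall firewall add rule name="MailEnable POP3 in" dir=in action=allow protocol=TCP localport=110

rem --- BIND: port 53, both protocols. Inbound rules match the local port;
rem     outbound rules match the remote port, because that is where the
rem     server's own queries to other nameservers go. Server 2008 allows
rem     outbound by default, so the two "out" rules only matter if you have
rem     tightened the outbound policy. ---
netsh advfirewall firewall add rule name="BIND DNS UDP in"  dir=in  action=allow protocol=UDP localport=53
netsh advfirewall firewall add rule name="BIND DNS TCP in"  dir=in  action=allow protocol=TCP localport=53
netsh advfirewall firewall add rule name="BIND DNS UDP out" dir=out action=allow protocol=UDP remoteport=53
netsh advfirewall firewall add rule name="BIND DNS TCP out" dir=out action=allow protocol=TCP remoteport=53

rem --- FTP: control channel on 21, then let the firewall inspect the PASV
rem     reply and open the negotiated data port itself, instead of leaving a
rem     permanent range of high ports open for data connections. ---
netsh advfirewall firewall add rule name="FTP control in" dir=in action=allow protocol=TCP localport=21
netsh advfirewall set global StatefulFtp enable

rem --- Verify, rather than trusting what scrolled past ---
netsh advfirewall show global | findstr /I StatefulFtp
netsh advfirewall firewall show rule name="MailEnable SMTP in"
netsh advfirewall firewall show rule name="BIND DNS UDP in"
netsh advfirewall firewall show rule name="FTP control in"
```

The hardware firewall the post mentions still needs the same ports opened separately; this only covers the Windows side.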
Yeah, even though we’re coding awesomeness in CFML, there’s always going to be some client who wants to use PHP for something or other. Usually it’ll be a WordPress installation, which, I’m sorry, is just a better blogging platform than the CF offerings. There, I said it. I feel better.
This tutorial should guide you through the pain:
Personally, I found that I needed the IIS7 Administration Pack. I can’t for the life of me remember why, but I’d suggest you just install it and stop asking questions. ‘k? ‘k.
The URL Rewrite module is a bit more obvious – you want this. It allows us IIS users to do what Apache bods have been doing happily – and somewhat smugly I’ll add – for years… Rewrite URLs using RegEx. Again, if you’re slapping WordPress on any of your domains, you’ll need this for friendly URLs.
Well sure, no-one uses Perl anymore, but it comes in handy having it on your server. Especially if you intend to install a stats package like AWStats. As it happens, AWStats is such a bitch to get working correctly that I wouldn’t bother, but still… Perl = good.
There are a few different things you may have to do to get this running on IIS7, including enabling a 32-bit application pool if your server is 64-bit. Check out the instructions here:
Initially I had detailed instructions on installing AWStats here, but basically… just don’t bother. Get all your clients’ sites on Google Analytics. It’s a better package anyway. Honestly, you’ll thank me for that advice.
MySQL is fairly straightforward to install, but if you need a hand explaining the various options, there’s a tutorial here:
If you need it, now would be the time to install phpMyAdmin.
One thing this tutorial isn’t clear on is setting up the linked-tables feature. Several comments note the error, but none show how to fix it. You need to create a database specifically for these features. Instructions here:
And the sysadmin looked at the server, and saw that it was good. And the sysadmin said “Let CFML pages be served, that web developers may rapidly develop and deploy applications”.
Installing Railo on Tomcat on IIS7 with multiple sites… I could write out step by step instructions, but why re-invent the wheel? I followed an excellent tutorial by Doug Boude, and you should too:
At some point, this guide will ask you to download a DLL file to connect Tomcat to Railo – the URL in the guide is out of date, but I found the DLL here: http://www.apache.org/dist/tomcat/tomcat-connectors/jk/binaries/
It’s also worth noting that the guide expects you to be using version 1.2.28 of the ISAPI Redirect URL, however there is a newer version, 1.2.30 available. Do NOT use this version! It took me a while to figure out, but 1.2.30 makes everything run incredibly slowly. Don’t ask me why! I moved back down to 1.2.28 and everything worked fine.
One thing that this guide doesn’t mention is how to handle default documents. You can see in the comments a suggestion that adding ‘/*=wlb’ to the worker properties file will push all files through to Tomcat, which will indeed handle default documents. However, this will also put all static files, images, JS and the like, through to Tomcat. Not only is this overkill (although I didn’t notice a performance hit), but also in my experience Tomcat has difficulty returning static files 100% of the time. I noticed certain images and JS returned as 404 errors, even though they existed.
Cue a helpful bit of info supplied by the Google Railo group.
This will allow you to set up default documents the *correct* way, leaving your static files to be handled by IIS as they should be. Don’t skip this step, it’s important!
And the server was able to serve CFML and the sysadmin saw that it was good. And the sysadmin said “Let there be protection, that viri may not penetrate the goodness of the server”.
Finally, you can install anti-virus. I’m using McAfee, since I happen to have a copy I’m not using.
Be careful to edit your preferences to ensure that not all files are being scanned – otherwise it’ll kill the server very quickly. Choose to scan files on writing to disk, and only the ‘default files plus additional’ option.
You’ll also want to stop McAfee from blocking any emails sent by the server. In the access protection settings, under the rule for blocking mass email worms, add ‘Tomcat6.exe’ to the list of excluded services.
And the sysadmin saw that McAfee was using way too many system resources on boot, but that it settled down after a few minutes, and the sysadmin saw that it was good enough. And the sysadmin said “Let’s make sure I don’t have to do this shit again!”.
A backup system is a good idea. If you’re smart, you’re using online version control, and so losing the files and files of code you’ve carefully crafted simply isn’t an issue. If not, check out Kiln or Git. I use Kiln and it’s an absolute pleasure. Don’t use SVN, because it’ll cause no end of hassle in the long run… and who needs a VCS subfolder in every single folder in their app anyway?
For MySQL, I’m using a batch script that exports every database, once a day. I built on top of the script in this guide: http://www.iis-aid.com/articles/how_to_guides/backing_mysql_automatically_using_batch_file
My version only holds one backup of each database on the server per day, but FTPs them down to my dev server which holds multiple copies. Have a look here: MySQL Backup Script