Confused getting dev environment set up

@bdw429s WAIT!!! Are you saying that CommandBox is NOW able to run different webroots within just one single CommandBox instance?? If so, then this is an absolute game changer Brad!!! Especially for those guys who host own sites and want to host different applications within one single JVM instance.

Thank you bdw429s. You’re far more generous than I deserve. I know i’m bitching and it’s not a help. i’m sorry.

I don’t actually want ACF at all. I have it now. I’ve been working with ACF since v4.0 which is I think 25 years but finally I’ve got sick of being all alone with no one to help me, and it costing me several hundred bucks a month to have an ACF server. All my current work is to verify that my sites will work on Lucee as they have under ACF (or a reasonable equivalent) and then get rid of ACF completely. Goodbye, it’s been nice, don’t let the door hit you in the ass on your way out.

Moving into the future (see how i avoided a corporate buzzword there?) I want to be able to manage the 11 sites i have responsibility for, and any other that might come along in the future. I see lots of opportunities with Lucee that either i didn’t know about or didn’t exist under ACF.

My dev environment consists of a bigass Win10PC and some laptops of varying age and power and i want to be able to make changes to my current code, upload to the production server with the minimum of fuss. (i.e. I want to concentrate on building web sites and helping my clients build their businesses not on running a server.)

As you say there are 37 ways to do that, as I’m learning. Also as you say, I expect once i get it set up I’ll like it. It’s precisely the way it happened with my existing setup. I guess i’ve been trying to build a Lucee environment to match my ACF environment when really what i ought to be doing is learning a way to use Lucee to achieve what i want - efficient management of my web sites.

So: [A] if i use the CommandBox approach to this - suppose i need two or three web sites being worked on simultaneously on my machine (yes it happens - humour me) am I going to have to start a copy of CommandBox in the root of each of those sites? I notice that when i start a server, it opens a home page for the site on a url like But another site opens with the same address but a different port. I get why that is, but will it always be the same port number?

[B] Are you saying i ought to just do away with IIS altogether? If so, on my dev machines as well as my Viviotech server? (I guess Viviotech knows a LOT more than i about what I’ll need but i should ask)

Thanks again for helping me, and I’m sorry i let my frustration get away with me.

Mike Kear

@mikek all depends very much on how you want to set up your environment. Compared with 20 years ago, you have way more options to develop and run cfml. You can run it the classic old way, or use pure jvm containers, run it with CommandBox, run it with docker, or set up some type of hybrid way.

Most work you’ll have to find the best option or flavour that fits your needs.

I was there too, I’ve modernized my setup, but it’s more a “hybrid” classic way. Today I develop locally the npm way (using webpack & co with sass, tailwindcss, ES6 using the -watch option, sourcemaps etc), and the final bundled (minified) files get deployed locally to get deployed per sFTP to the prod servers the old style. I love it that way, because from my perspective you can use all the modern npm dev development stuff all together with CFML. Maybe it’s time to share that somehow somewhere.


At the moment I’m restricted to the Classic Old way because i’m working with client’s working businesses. I have to move to a new server because Viviotech want to take the existing one away and throw it in the trash it’s that old. So I don’t have time to do any development now. I just need to get everything on the new box and running the way it was on the old box. THEN I’ll look at other ways to do web development, and improvements i can suggest on the client sites… Frankly all these things have motivated me the way i haven’t been motivated in a long time. Maybe I’ll be coming back to you looking for help then.

In the mean time, i have these two questions i need to decide about. Can you help me with those please?

Mike Kear

I have installed Lucee. Not the latest version - but the version previous. I think the issue might be to do with the Install.exe file.

I cleared out all Lucee files and emptied my Recycle bin. I checked nothing was left still running. I used Regedit to remove any records in the registry containing the string “Lucee” or “Tomcat”. Then I restarted my machine and began again.

I still got the same error, telling me “:Unknown error while running c:\lucee\AJP13\Connector_Setup.exe /Verysilent /suppressmsgboxes /log /sp- /nocancel /norestart” I went to run Connector_Setup.exe without the /verysilent option so I could see any error messages as it ran. Only there wasn’t a connector_Setup.exe file to run, or even an AJP13 directory.

I thought it’s a possible fault with the Installation.exe so i repeated the delete-and-erase-the-registry routine then downloaded the previous installer, version This installation file installed completely in about 1.5 minutes and opened a “Welcome to Lucee” page.

Progress!!! Now I need to learn how to make IIS work happily with the Lucee server and I’m away at the races!!!

What’s the procedure to report this possible problem with the installation file for v5.3.9.133 ?

Mike Kear


@mikek Glad you are making progress!!! Just in case you didn’t know it: have you watched the Video Guide for installing Lucee on a clean Windows 2019 Datacenter? It might help you!

Thanks. I am pleased to have got past the installation of Lucee after 4 days now. But that’s as far as I’ve got. I can’t see how to make IIS connect web site files and Lucee server.
The videos might be useful but they are only for Windows Server and don’t cover IIS on Windows10. The two versions of IIS are quite different. For example the first part of the video playlist is about setting roles in IIS. There’s nothing whatsoever in the Win10 version that’s about roles. And as far as I can see there’s no text file help for that either. So I’m stuck how i was before, but about 2 paces further on that’s all.

(Sigh) that’s 6 days on this now and i haven’t got a single site running.

Mike Kear

On Windows 10 installing IIS and Lucee is very, very similar. You just need to activate the roles stuff for Win 10. You might need to google a little. Please see e.g.

If I remember correctly, you just need to activate the IIS roles and activate the IIS feature and then installing Lucee is just the same as with Win 2019.

@andreas Yes! A client sponsored this feature. I’m finalizing the docs for today, but you can read all the details on the ticket: [COMMANDBOX-1411] - Welcome

@mikek So if you are going the Boncode/mod-cfml route, then you are funneling them through a single Lucee instance (which is the traditional Adobe CF way you’re used to). If you want each site separate (which is what I do for local dev) and don’t need all the sites on all the time, then you just fire up what you need when you need it

server start site-6
// fix some stuff...
server stop site-6

I actually have 226 local CommandBox servers right now because I’m testing stuff all the time. They are all 100% isolated and I can start/stop them whenever I want with whatever settings I want, and then server forget them when I’m done. (I usually forget that last part, lol)

For people who use CommandBox for 1 or more instance in production, you can create a Windows service to start the site (and we have a paid module that helps with that as well)

So with CommandBox, you can pretty much customize and configure every possible thing you can think of, but out of the box if you just say, “Hey start a server!” then we just default the heck out of stuff. We’ll bind the site to localhost and pick a random-unused port on your machine. The same port will be re-used until you forget the server, but you can choose any port you want as well

server set web.http.port=8080

This and more is all covered here in the CommandBox docs: Server Port and Host - CommandBox : CLI, Package Manager, REPL & More

And that’s just the basics. There’s a handy module called commandbox-hostupdater that will add all your local sites to your hosts file for you so you can set any you want. And even better, that module binds every site to a different 127.x.x.x IP so you can re-use the same port on all sites if you want. Just one of the 37 ways to do it, and a very popular one for local dev.

# one-time install
install commandbox-hostupdater

# one-time set global default HTTP port for all sites
config set server.defaults.web.http.port=80

# set up a specific app
server set
server start

** for the example above to work you’d need to have IIS stop binding to all adapters on port 80.

I’m saying you can if you want. I really like my local dev setups to be as darn simple as possible with as few moving parts, and as few dependencies on any operating system specific web servers (looking at you, IIS). CommandBox has an enterprise level web server built in that uses JBoss Undertow (by Redhat) and it does rewrites, HTTPS, AJP, virtual directories, basic auth, and secure lock-downs out of the box with nothing else you need to install or configure outside of your server.json file. This means a Mac dev and Windows dev can all work on the same local site and then deploy it to Linux and you don’t have 3 separate setups you’re managing.

Now, a lot of people still use IIS because it’s what they’re familiar with, it’s what their ops team knows, and they’re just so used to using it that they think they need it for some reason. I’ve done side-by-side performance tests on IIS, CommandBox/Undertow, and Apache httpd and they all had the same throughput. And CommandBox’s web server is the only one that’s secure-by-default with a built-in CF-aware set of lock-down rules. So basically, you can do whatever is easiest for you, but CommandBox CAN be your one-stop shop for a complete, portable local dev environment.

Yes, it’s possible to host on CommandBox in production, but just to simplify, I’d worry about dev for now. To be honest, Vivio’s staff probably knows very little about CommandBox. They usually have a guide they are used to following for setting up and configuring CF, and it uses the standard Lucee installer.


The Old classic way works and doesn’t cause you glaring security headaches, nor keep command line history, nor timestamp everything down to the millisecond, or agree to licensing terms and conditions on your behalf.

Just like old coldfusion, you backup your config files and code and you are fine.

Just keep the boxes patched.

As I understand it, Mike has some sites using Lucee and some using ColdFusion on his DEV computer and he prefers to use IIS for both. An alternate way to have both Lucee and ColdFusion sites using IIS on the same DEV computer is to set the handler mappings at the site level defined in web.config rather than the default top IIS level.

I have Lucee and BlueDragon both running on IIS on the same DEV computer. The same principle should apply to a Lucee and ColdFusion mix. After installing both Lucee and BlueDragon remove the Lucee related handler mappings at the IIS top level then at the Lucee site web.config remove the BlueDragon handler mappings and replace them with Lucee’s as in the example below.

            <remove name="BlueDragonServerJX-HTM" />
            <remove name="BlueDragonServerJX-CFML" />
            <remove name="BlueDragonServerJX-CFCHART" />
            <remove name="BlueDragonServerJX-CFM" />
            <remove name="BlueDragonServerJX-CFC" />
            <add name="Lucee-HTM" path="*.htm" verb="*" type="BonCodeIIS.BonCodeCallHandler,BonCodeIIS,Version=,Culture=neutral,PublicKeyToken=ad590a40d40745cf" resourceType="Unspecified" preCondition="integratedMode" />
            <add name="Lucee-CFM" path="*.cfm" verb="*" type="BonCodeIIS.BonCodeCallHandler,BonCodeIIS,Version=,Culture=neutral,PublicKeyToken=ad590a40d40745cf" resourceType="Unspecified" preCondition="integratedMode" />
            <add name="Lucee-CFC" path="*.cfc" verb="*" type="BonCodeIIS.BonCodeCallHandler,BonCodeIIS,Version=,Culture=neutral,PublicKeyToken=ad590a40d40745cf" resourceType="Unspecified" preCondition="integratedMode" />
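
An added example, not part of the original posts: a Python check of the site-level handler override described above. It merges the mappings a site inherits from the IIS top level with the remove/add entries in the site's web.config, then reports any extension still claimed by more than one handler and whether directoryBrowse is enabled. The inherited mapping paths, the shortened type value and the sample web.config are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed server-level (inherited) handler mappings: name -> path.
# Names come from the post above; the paths are assumed for illustration.
INHERITED = {
    "BlueDragonServerJX-HTM": "*.htm",
    "BlueDragonServerJX-CFML": "*.cfml",
    "BlueDragonServerJX-CFCHART": "*.cfchart",
    "BlueDragonServerJX-CFM": "*.cfm",
    "BlueDragonServerJX-CFC": "*.cfc",
}

# Constructed site web.config: one inherited handler (CFC) was not removed,
# and directory browsing is switched on. The type value is shortened.
BONCODE = "BonCodeIIS.BonCodeCallHandler,BonCodeIIS"
SAMPLE_WEB_CONFIG = f"""<?xml version="1.0" encoding="UTF-8"?>
<configuration>
  <system.webServer>
    <directoryBrowse enabled="true" />
    <handlers>
      <remove name="BlueDragonServerJX-HTM" />
      <remove name="BlueDragonServerJX-CFML" />
      <remove name="BlueDragonServerJX-CFCHART" />
      <remove name="BlueDragonServerJX-CFM" />
      <add name="Lucee-HTM" path="*.htm" verb="*" type="{BONCODE}" />
      <add name="Lucee-CFM" path="*.cfm" verb="*" type="{BONCODE}" />
      <add name="Lucee-CFC" path="*.cfc" verb="*" type="{BONCODE}" />
    </handlers>
  </system.webServer>
</configuration>
"""


def audit_site_handlers(web_config_xml, inherited):
    """Return (handlers grouped by path, findings) for one site's web.config."""
    root = ET.fromstring(web_config_xml.encode("utf-8"))
    web_server = root.find("system.webServer")
    effective = dict(inherited)  # start from what the site inherits
    findings = []
    if web_server is not None:
        browse = web_server.find("directoryBrowse")
        if browse is not None and browse.get("enabled", "false").lower() == "true":
            findings.append("directoryBrowse is enabled: folders without a default document list their files")
        handlers = web_server.find("handlers")
        for entry in (handlers if handlers is not None else []):
            if entry.tag == "clear":
                effective.clear()
            elif entry.tag == "remove":
                effective.pop(entry.get("name"), None)
            elif entry.tag == "add":
                effective[entry.get("name")] = entry.get("path", "")
    by_path = {}
    for name, path in effective.items():
        by_path.setdefault(path.lower(), []).append(name)
    for path, names in sorted(by_path.items()):
        if len(names) > 1:
            findings.append(f"{path} is claimed by more than one handler: {', '.join(names)}")
    return by_path, findings


if __name__ == "__main__":
    mapping, problems = audit_site_handlers(SAMPLE_WEB_CONFIG, INHERITED)
    for line in problems:
        print("REVIEW:", line)
```
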

Peter is correct. And to be clear, that’s also what I suggested 2 days ago :wink:

but perhaps it wasn’t clear. Just like Boncode, Adobe CF’s wsconfig tool also lets you choose only the sites you want it to proxy. To run all your sites side-by-side you’d basically need to create two versions of each site in IIS on two different host domains, each one proxying to either Adobe CF or Lucee.

Thanks, I’m gradually getting there. I think you guys in this community (Generally not specifically you personally) are more used to people a lot more knowledgeable about the nuts and bolts of servers. I’ve spent most of my last 20 years or so building actual sites and coding people’s pages rather than concerning myself with the intricacies of servers. Once I had my server set up i have tended to leave it and get on with site building, and so it’s not been something i’ve touched very often.

I don’t want to have both ACF and Lucee going simultaneously. At least not once I’ve finished the migration to Lucee. I want rid of Adobe from my life completely. (After I get this migration out of the way I’m starting on finding alternatives to Adobe Audition and Photoshop.)

Here’s why i need to have several sites running at once.

[1] I have my CMS and my public sites in separate sites. So i need to be able to be running some maintenance in site and be able to check the overall result in and go back and forth between them (Yes i know that’s old fashioned and could be done better in one site - but i have what i have and i’ll totally rebuild another day)
[2] i have quite a few tools - code writers, syntax checkers etc - written in cfm in their own web site. I’d like to be able to have that site running too.
[3] the software i use to run my radio shows is written in cfm. When I’m on the air i need that going at the same time as the site that’s the public facing site for the show, so i can go back and forth.

All of these can be rewritten. But not in a day or so. Right now i just need to get migrated to Lucee and run them as before with the minimum number of changes. Then come back and look at updating them or changing the way they work when i have this migration out of the way. Does that make sense?

Perhaps it’s my fault for not saying i didn’t understand it.

            <directoryBrowse enabled="true" />
            <add name="Lucee-HTM" path="*.htm" verb="*" type="BonCodeIIS.BonCodeCallHandler,BonCodeIIS,Version=,Culture=neutral,PublicKeyToken=ad590a40d40745cf" resourceType="Unspecified" preCondition="integratedMode" />
            <add name="Lucee-CFM" path="*.cfm" verb="*" type="BonCodeIIS.BonCodeCallHandler,BonCodeIIS,Version=,Culture=neutral,PublicKeyToken=ad590a40d40745cf" resourceType="Unspecified" preCondition="integratedMode" />
            <add name="Lucee-CFC" path="*.cfc" verb="*" type="BonCodeIIS.BonCodeCallHandler,BonCodeIIS,Version=,Culture=neutral,PublicKeyToken=ad590a40d40745cf" resourceType="Unspecified" preCondition="integratedMode" />

I’ve changed my web.config to read like this. And IIS is not running now. How do i set Command Box to allow me to run several Lucee sites at once? I have CommandBox 5.5.1 running sweet and fast. I love this now!!! I’m nearly at the point where I just put my head down and get on with managing the sites and stop worrying about the server end of it.

I know I’m being a bloody nuisance but i’m almost there. And i am so very grateful to you.

Mike Kear
Windsor, NSW, Australia

My Take on Commandbox
Commandbox uses Undertow, good bad or indifferent as the last time i checked they still are using a very outdated and very insecure version of this Java Server. It’s a good product for development on some of the most minimal of hardware, but I wouldn’t dare put anything in production on something that has a known glaring security issue.

The “stable” version I tested uses Undertow, which is listed here Redhat Undertow : List of security vulnerabilities

The exploit only requires malformed characters, which is a nice way of saying someone puts an Umlaut or some other character set in a form and your server could be crashed or worse.

Please stop spreading misinformation on CommandBox. This is the second post you’ve done this.

  • CommandBox ships with the latest stable version of Undertow (2.2.17.Final)
  • There are no known unfixed vulns in Undertow (I’ve looked)
  • Undertow powers JBoss Wildfly which powers their Enterprise Application Platform (JBoss EAP). It is industry standard and a rock solid choice for running java apps.
  • Undertow is used in secure, enterprise deployments around the world, both for CF and regular Java.

Can you elaborate on “not running”. Is there an error message? I don’t normally edit the web.config file directly just since I don’t trust myself not to screw it up. You can also add the handlers via the IIS GUI. There’s some missing information here such as how you’ve installed Boncode. For example, is it already installed at the server level?

Ensure you’re on CommandBox 5.5.1 and run this command in the directory of your default/root site where you start the server.

server set web.ajp.enable=true
server set web.ajp.port=8009
server set modcfml.enable=true
server set modcfml.sharedKey=your-secret-here

This will give you the following server.json (plus anything else you may have already had set)


Then find the Boncode settings file (where this is depends again on how you’ve installed boncode) and set the same shared key into the XML file. Your boncode.settings file will look something like this


Not at all, we love helping anyone willing to learn. I know you’ve gotten pulled out of your comfort zone, but I promise you’ll be a better developer for it :slight_smile:

Is that the entire file contents? If so you’re missing the XML prolog right at the top:

<?xml version="1.0" encoding="UTF-8"?>

Also, my BonCode handlers are a little different to the ones you’re using, although that may not matter. You can compare with what I use in this very old post on the subject (not all of which will apply as you’re using CommandBox/modcfml):


Correction, now ships with… Starting with version 5.5.0

Version 5.4.2 released in 10/21 included an insecure version of undertow

When did Version 5.5.0 include the latest version of undertow, - 6 Days ago.

The version I was using with the Undertow glaring security hole

Then We look at.

When did I state this was an issue with Commandbox? 9 days ago… On this forum.

Just pure coincidence ? I Think not!

Is commandbox neat? Yup
Is commandbox technically really cool? Yup

Does IBM, who owns Redhat use Undertow, HELL NO
Neither does anyone else.

Yes, actually. We always update Undertow on every CommandBox release and Undertow has been getting bumped on the bleeding edge of CommandBox’s builds for months. CommandBox 5.5.0 released the same day Lucee 5.3.9 did, just like I’ve been promising it would.

Yep, undertow is a product which has had CVE’s before. 20 of them according to your link. Apache Tomcat has had 184 of them so I’m not sure what you’re trying to prove.

Wow! a lot all at once. But I’m getting excited now. I think i can see the finish line for this migration and then i can have my life back.

By “IIS” not running I mean I have not started it at the last reboot. It’s still installed but not in the mix now. I’ll uninstall it I guess after I have a working system.

Boncode was installed with Lucee Installer lucee- (I didn’t use the latest one v5.3.8.133 because that apparently has a missing element or two). So I find Boncode in the directory C:\lucee\AJP13

Yes, I’m on CommandBox 5.5.1 it’s the only one on my system, and I verify it with the command “Version” and get the response “CommandBox 5.5.1+000562”

I move to the default/root site at d:\sites\wwwroot which is where i am putting the default site

  <AllowEmptyHeaders>False</AllowEmptyHeaders>
  <ResolveRemoteAddrFrom>HTTP_X_FORWARDED_FOR</ResolveRemoteAddrFrom>

Now i can start any site i like with the commandbox command: Server Start (servername)

I am a happy camper!!!

I assure you i love to learn. I prefer not to learn from my mistakes but learning is always good. A little anecdote then i’ll get back to work … when my son was about 3 months from graduating high school he said to me “Oh Dad i can’t wait till I leave school then i won’t have to LEARN any more!” The look of horror on his face when i told him that i spend about a third of my time learning things - some of which are important and some aren’t but it’s part of life to learn. And that he can expect to keep learning things until the day he dies. And there’s nothing that’ll accelerate the pace of learning things more than getting married.

Thanks for all your help

Mike Kear
Windsor, NSW, Australia