Enterprise policy
# cfml-general
t
Enterprise policy
b
@TEMann Can you elaborate on the policy? CommandBox is approved on the Gov DoD software list and powers nearly half of Docker-hosted CF servers (per the SOTCFU survey). Does your Enterprise have a policy that explicitly disallows CommandBox, or is there a "box" CommandBox doesn't check that your Enterprise requires?
I'll also add CommandBox is secure by default with an entire CF-specific lockdown policy in place out of the box which is more secure than any other web server you'd need to manually configure.
t
I can’t elaborate, but the fact that it is DOD approved will help me make my arguments to upstream management.
Brad - what about CommandBox in the cloud on AWS? Shouldn’t even be an issue, huh?
b
The DADMS software list is the one it's on
We have a sponsor in the US Navy
CommandBox in the cloud on AWS
CommandBox doesn't care where you deploy it. If your company is ok with Tomcat on AWS, I don't see why CommandBox on AWS would be any different
Under the covers, a CommandBox server is just a WAR deployment on JBoss/Redhat Undertow, the same servlet container that powers JBoss Wildfly and EAP.
Here's a list of security rules enabled by default in CommandBox. They are custom catered for Lucee/Adobe administrators, flash remoting, and other files and paths specific to CFML https://commandbox.ortusbooks.com/embedded-server/configuring-your-server/server-rules/baked-in-rules
While you can sit IIS, Nginx, or Apache in front, there's a dwindling list of reasons why. We even support PKI client cert auth (like DoD "CAC" cards) out of the box now
e
This is nothing against Brad or CommandBox, as we (my colleagues and I) love this product. If you want to get down to the technical differences, CommandBox uses WildFly as its server containment engine. WildFly is neat, and ultra configurable with a smaller memory print than Tomcat; however, it crashes under HEAVY load. Tomcat under the same load will just spit out errors but not crash. For us, having a 4XX or 5XX is better than a completely locked-up box, as the 4xx errors return back in under 1 ms, where a complete crash will wait the full length of the TCP/IP window timeout value. Under smaller sites, the CommandBox default configuration is faster, cleaner.