WolfShade
Legend
July 17, 2017
Answered

Moving components folder outside webroot


Hello, all,

We've been getting a ton of bots hitting our components folder, and each hit generates an email letting us know that someone/thing was trying to access a component directly.

The boss wants me to look into what we have to do to get our components folder out of webroot, so the bots can't reach the CFCs.

My primary concern, however, is that if we do that, then any- and everything that submits a form to a CFC via AJaX will stop working.

Is there a way to move the CFCs outside of webroot, but still use AJaX to access?  I have a feeling the answer is 'no'. 

V/r,

^ _ ^


    Carl Von Stetten (Correct answer)
    Legend
    July 18, 2017

    Do all of your components need to be web-accessible, or only some of them (for AJAX purposes)?  I would suggest moving any that don't need to be web-accessible to a folder outside the webroot, and then set a mapping (either via Application.cfc this.mappings or via CFAdmin).  Components needed for AJAX will still need to be web-accessible.  However, you could create AJAX proxies that either extend non-web-accessible components or write new AJAX components that instantiate the non-web-accessible ones and provide "remote" proxy methods as needed.

    WolfShade (Author)
    Legend
    July 18, 2017

    https://forums.adobe.com/people/Carl+Von+Stetten  wrote

    Do all of your components need to be web-accessible, or only some of them (for AJAX purposes)?

    Aaaaaaaah.. good question.  I'll have to check.  I believe most of them are accessed via AJaX.

    https://forums.adobe.com/people/Carl+Von+Stetten  wrote

    However, you could create AJAX proxies that either extend non-web-accessible components or write new AJAX components that instantiate the non-web-accessible ones and provide "remote" proxy methods as needed.

    This sounds like a great idea.  I've never worked with AJaX proxies, before.  Difficult??

    V/r,

    ^ _ ^

    Carl Von Stetten
    Legend
    July 18, 2017

    I should have put "proxy" in quotes.  I meant conceptually - the new AJAX components would just be wrappers to the original CFCs (if those CFCs had functions that weren't set to "remote").

    You still might get bots trying to hit those new components though (just as they can continue to hit CFM files).

    Participant
    July 17, 2017

    Try using "Server Settings \ Mappings".

    WolfShade (Author)
    Legend
    July 17, 2017

    I can do that.. but I have questions.

    1) Won't bots also be able to access the mapping?

    2) That only works for one project; the server hosts several.  Unless I give each project its own component mapping with a unique id (I tried to make more than one mapping called "components" - CFAdmin didn't allow it.)

    V/r,

    ^ _ ^

    WolfShade (Author)
    Legend
    July 17, 2017

    Also, how does CFAdmin mapping differ from this.mappings['/components'] = ExpandPath(blahblahblah)?  I could just set the mapping in the application.cfc, right?

    V/r,

    ^ _ ^
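
The layout described in the accepted answer and its follow-up (a per-application mapping plus a thin web-accessible wrapper), as an added example that is not code from the thread. The three files are shown in one block; the directory layout, the application name, and the names OrderService, OrderFacade and getOrder are assumptions made for illustration.

```cfml
// ---- /site/webroot/Application.cfc ----
component {
    this.name = "exampleApp"; // assumed application name

    // Per-application mapping, so each project on the server can define its
    // own "/components" without a server-wide CFAdmin entry. The target sits
    // beside the webroot, not under it, so no URL resolves to these CFCs.
    this.mappings["/components"] =
        getDirectoryFromPath(getCurrentTemplatePath()) & "../components";
}

// ---- /site/components/OrderService.cfc (outside the webroot) ----
// Stands in for an existing CFC that has been moved out of the webroot.
component {
    // access="public": callable from CFML code only, never as a remote method
    public struct function getOrder(required numeric orderId) {
        // constructed sample result in place of the real lookup
        return { id = arguments.orderId, status = "shipped" };
    }
}

// ---- /site/webroot/api/OrderFacade.cfc (the only CFC AJAX requests reach) ----
component {
    // Only methods marked "remote" can be invoked over HTTP. Keep this list
    // as short as the AJAX callers actually need.
    remote struct function getOrder(required numeric orderId)
        returnformat="json"
    {
        // This file is still reachable by bots, so reject bad input here
        // before anything reaches the component outside the webroot.
        if (arguments.orderId <= 0 || arguments.orderId != int(arguments.orderId)) {
            throw(type="Facade.InvalidInput",
                  message="orderId must be a positive integer");
        }

        // Dotted path resolves through the "/components" mapping above
        var svc = new components.OrderService();
        return svc.getOrder(arguments.orderId);
    }
}
```

With this layout an AJAX caller would request /api/OrderFacade.cfc?method=getOrder&orderId=42, while a direct request for anything under /components has no file in the webroot to resolve to.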