Hello, all,
We've been getting a ton of bots hitting our components folder, and each hit generates an email letting us know that someone/thing was trying to access a component directly.
The boss wants me to look into what we have to do to get our components folder out of webroot, so the bots can't reach the CFCs.
My primary concern, however, is that if we do that, then any- and everything that submits a form to a CFC via AJaX will stop working.
Is there a way to move the CFCs outside of webroot, but still use AJaX to access? I have a feeling the answer is 'no'.
V/r,
^ _ ^
Try using "Server Settings \ Mappings".
I can do that.. but I have questions.
1) Won't bots also be able to access the mapping?
2) That only works for one project; the server hosts several. Unless I give each project its own component mapping with a unique id (I tried to make more than one mapping called "components" - CFAdmin didn't allow it.)
V/r,
^ _ ^
Also, how does CFAdmin mapping differ from this.mapping['/components'] = ExpandPath(blahblahblah)? I could just set the mapping in the application.cfc, right?
V/r,
^ _ ^
I believe using "ExpandPath" could be an alternative... and yes, you would have to create a mapping for each host. Are you using session variables to validate whether or not the requester is authorized; something you could check (probably in the application.cfc) before accessing the component?
samh60076132 wrote
Are you using session variables to validate whether or not the requester is authorized; something you could check (probably in the application.cfc) before accessing the component?
The sites don't require a login to be accessed; they are publicly available, so checking for a session variable wouldn't work.
V/r,
^ _ ^
Do all of your components need to be web-accessible, or only some of them (for AJAX purposes)? I would suggest moving any that don't need to be web-accessible to a folder outside the webroot, and then set a mapping (either via Application.cfc this.mappings or via CFAdmin). Components needed for AJAX will still need to be web-accessible. However, you could create AJAX proxies that either extend non-web-accessible components or write new AJAX components that instantiate the non-web-accessible ones and provide "remote" proxy methods as needed.
https://forums.adobe.com/people/Carl+Von+Stetten wrote
Do all of your components need to be web-accessible, or only some of them (for AJAX purposes)?
Aaaaaaaah.. good question. I'll have to check. I believe most of them are accessed via AJaX.
https://forums.adobe.com/people/Carl+Von+Stetten wrote
However, you could create AJAX proxies that either extend non-web-accessible components or write new AJAX components that instantiate the non-web-accessible ones and provide "remote" proxy methods as needed.
This sounds like a great idea. I've never worked with AJaX proxies, before. Difficult??
V/r,
^ _ ^
I should have put "proxy" in quotes. I meant conceptually - the new AJAX components would just be wrappers to the original CFCs (if those CFCs had functions that weren't set to "remote").
You still might get bots trying to hit those new components though (just as they can continue to hit CFM files).
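An added example (not code from anyone in this thread) of the arrangement Carl describes: an Application.cfc mapping pointing at a folder outside the webroot, a thin wrapper CFC in the webroot whose only remote method delegates to the internal component, and the internal component with no remote methods at all. The folder path /opt/cf/private/components, the mapping name internal and the OrderService/OrderProxy names are assumptions.

```cfml
// ---- Application.cfc (in the webroot) ----
// Maps the logical path /internal to a folder that the web server never serves,
// so the CFCs there can be instantiated by CFML but not requested by URL.
component {
    this.name = "publicSite";
    this.mappings["/internal"] = "/opt/cf/private/components";  // assumed path
}

// ---- /opt/cf/private/components/OrderService.cfc (outside the webroot) ----
// Business logic lives here. No method is marked "remote", so even a CFC that
// did end up web-accessible would expose nothing over HTTP.
component {
    public struct function summary(required numeric orderId) {
        // Constructed sample result in place of a real database lookup.
        return { "id": arguments.orderId, "status": "shipped" };
    }
}

// ---- /webroot/ajax/OrderProxy.cfc (the only CFC the browser can reach) ----
// Exposes exactly the methods the AJAX calls need and forwards each one to the
// internal component. Bots that probe this file get only these remote methods.
component {
    remote struct function getOrderSummary(required numeric orderId)
        returnformat="json" {
        // Resolved through the this.mappings entry in Application.cfc.
        var svc = new internal.OrderService();
        return svc.summary(arguments.orderId);
    }
}
```

Each mapping is per application, so on a server hosting several sites every Application.cfc carries its own this.mappings entry, which is the per-project answer to the "one mapping called components" limit raised earlier in the thread.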
Carl,
I have been reading up on CFAJAXPROXY (there are some who do NOT like it, at all), and started experimenting. I am happy to report that my efforts have been SUCCESSFUL!!! Thank you!
I have implemented the CFAJAXPROXY tag to refer to the new location component folder and specific .cfc, and it was a bit tedious to alter my JavaScript code to work with it, but it is working. I am still testing it, to make sure that it is still secure and operable for our production environment, but I have a good feeling about this.
And it wasn't as difficult as I had imagined. Tedious, but not difficult.
V/r,
^ _ ^
I've never used CFAJAXPROXY, so I can't comment on it. Sounds like you have a viable solution!