Moving components folder outside webroot

LEGEND, Jul 17, 2017

Hello, all,

We've been getting a ton of bots hitting our components folder, and each hit generates an email letting us know that someone/thing was trying to access a component directly.

The boss wants me to look into what we have to do to get our components folder out of webroot, so the bots can't reach the CFCs.

My primary concern, however, is that if we do that, then any- and everything that submits a form to a CFC via AJaX will stop working.

Is there a way to move the CFCs outside of webroot, but still use AJaX to access?  I have a feeling the answer is 'no'. 

V/r,

^ _ ^

Views: 760

1 Correct Answer: the Guide reply of Jul 17, 2017, quoted in full further down the thread.

New Here, Jul 17, 2017

Try using "Server Settings \ Mappings".

LEGEND, Jul 17, 2017

I can do that... but I have questions.

1) Won't bots also be able to access the mapping?

2) That only works for one project; the server hosts several.  Unless I give each project its own component mapping with a unique id (I tried to make more than one mapping called "components" - CFAdmin didn't allow it.)

V/r,

^ _ ^

LEGEND, Jul 17, 2017

Also, how does a CFAdmin mapping differ from this.mappings['/components'] = ExpandPath(blahblahblah)?  I could just set the mapping in the application.cfc, right?

V/r,

^ _ ^

New Here, Jul 17, 2017

I believe using "ExpandPath" could be an alternative... and yes, you would have to create a mapping for each host. Are you using session variables to validate whether or not the requester is authorized; something you could check (probably in the application.cfc) before accessing the component?

LEGEND, Jul 18, 2017

samh60076132 wrote:

Are you using session variables to validate whether or not the requester is authorized; something you could check (probably in the application.cfc) before accessing the component?

The sites don't require a login to be accessed; they are publicly available, so checking for a session variable wouldn't work.

V/r,

^ _ ^

Guide, Jul 17, 2017

Do all of your components need to be web-accessible, or only some of them (for AJAX purposes)?  I would suggest moving any that don't need to be web-accessible to a folder outside the webroot, and then set a mapping (either via Application.cfc this.mappings or via CFAdmin).  Components needed for AJAX will still need to be web-accessible.  However, you could create AJAX proxies that either extend non-web-accessible components or write new AJAX components that instantiate the non-web-accessible ones and provide "remote" proxy methods as needed.

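The layout Carl describes, as an added example written for this page (it is not Carl's code, the thread author's code, or anything from Adobe): a ColdFusion mapping in Application.cfc pointing at a folder above the webroot, a private CFC living there with ordinary public methods, and a thin "proxy" CFC left in the webroot whose remote method is the only thing reachable over HTTP. The folder names, the component names, the search method and the sample data are all assumptions; the cfheader() script syntax assumes ColdFusion 11 or later.

```cfml
// ---- /webroot/Application.cfc (added example; paths and names are assumptions) ----
component {
    this.name = "publicsite";

    // "/internal" is a ColdFusion mapping: it is consulted when CFML code
    // instantiates internal.* components (new / createObject), not by the web
    // server. The physical folder sits ABOVE the webroot, so there is no
    // document for the web server to hand out for /internal/Customer.cfc.
    this.mappings["/internal"] = expandPath("../private_components/");
}

// ---- /private_components/Customer.cfc (outside the webroot) ----
component {
    // Default access is "public": callable from CFML in this application, but
    // never invokable over HTTP, which would require access="remote".
    public array function search(required string term) {
        // Stand-in for a real query; constructed sample data for the example.
        var catalogue = ["Ada Lovelace", "Alan Turing", "Grace Hopper"];
        var hits = [];
        for (var person in catalogue) {
            if (findNoCase(arguments.term, person)) arrayAppend(hits, person);
        }
        return hits;
    }
}

// ---- /webroot/components/CustomerProxy.cfc (the only CFC left in the webroot) ----
component {
    // The "AJAX proxy": a thin remote wrapper around the private CFC. This
    // method is the whole HTTP-reachable surface, so input checks live here.
    remote array function search(required string term) returnformat="json" {
        // Reject obviously bad input before it reaches the private component.
        if (len(trim(arguments.term)) < 2 || len(arguments.term) > 50) {
            cfheader(statuscode=400, statustext="Bad Request");
            return [];
        }
        // Resolved through this.mappings["/internal"], not through the webroot.
        var customer = new internal.Customer();
        return customer.search(trim(arguments.term));
    }
}
```

With this split, a request for the old /components/Customer.cfc URL is simply a missing file, which you can handle (or ignore) in one place instead of per component, while CustomerProxy.cfc exposes exactly one remote method; any attempt to call a non-remote method of a CFC by URL is refused by ColdFusion itself. The proxy will still show up in bot scans, as Carl notes below, but what a scan can reach is now limited to the validated entry points you chose to publish.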
LEGEND, Jul 18, 2017

Carl Von Stetten (https://forums.adobe.com/people/Carl+Von+Stetten) wrote:

Do all of your components need to be web-accessible, or only some of them (for AJAX purposes)?

Aaaaaaaah.. good question.  I'll have to check.  I believe most of them are accessed via AJaX.

Carl Von Stetten (https://forums.adobe.com/people/Carl+Von+Stetten) wrote:

However, you could create AJAX proxies that either extend non-web-accessible components or write new AJAX components that instantiate the non-web-accessible ones and provide "remote" proxy methods as needed.

This sounds like a great idea.  I've never worked with AJaX proxies, before.  Difficult??

V/r,

^ _ ^

Guide, Jul 18, 2017

I should have put "proxy" in quotes.  I meant it conceptually - the new AJAX components would just be wrappers to the original CFCs (if those CFCs had functions that weren't set to "remote").

You still might get bots trying to hit those new components though (just as they can continue to hit CFM files).

LEGEND, Jul 18, 2017

Carl,

I have been reading up on CFAJAXPROXY (there are some who do NOT like it, at all), and started experimenting.  I am happy to report that my efforts have been SUCCESSFUL!!!  Thank you!

I have implemented the CFAJAXPROXY tag to refer to the new location component folder and specific .cfc, and it was a bit tedious to alter my JavaScript code to work with it, but it is working.  I am still testing it, to make sure that it is still secure and operable for our production environment, but I have a good feeling about this.

And it wasn't as difficult as I had imagined.  Tedious, but not difficult.

V/r,

^ _ ^

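How a page would call a wrapper CFC through the cfajaxproxy tag the thread author settled on, as an added example (the author's own JavaScript is not shown in the thread, and this is not it). It assumes a web-accessible proxy component at components/CustomerProxy.cfc whose remote search() method takes a search term and returns an array of strings; the element ids are made up for the example.

```cfml
<!--- search.cfm in the webroot (added example; CFC, method and element names are assumptions) --->
<!--- cfajaxproxy generates a JavaScript class whose methods call the remote
      methods of the named CFC. Point it at the web-accessible proxy CFC; the
      private CFC that the proxy wraps needs no remote methods at all. --->
<cfajaxproxy cfc="components.CustomerProxy" jsclassname="CustomerProxy">

<input type="text" id="term" placeholder="Search customers">
<button type="button" id="go">Search</button>
<ul id="results"></ul>

<script>
    var proxy = new CustomerProxy();

    // Receives the deserialised return value of CustomerProxy.search().
    proxy.setCallbackHandler(function (hits) {
        var list = document.getElementById("results");
        list.innerHTML = "";
        for (var i = 0; i < hits.length; i++) {
            var li = document.createElement("li");
            li.textContent = hits[i];   // textContent, not innerHTML: server data is not markup
            list.appendChild(li);
        }
    });

    // Runs on a non-2xx response, e.g. a 400 the proxy sends back for bad input.
    proxy.setErrorHandler(function (statusCode, statusMsg) {
        document.getElementById("results").textContent =
            "Search failed (" + statusCode + ")";
    });

    proxy.setHTTPMethod("POST");   // keeps the term out of query strings and access logs

    document.getElementById("go").onclick = function () {
        proxy.search(document.getElementById("term").value);
    };
</script>
```

The generated class depends on ColdFusion's Ajax script library, normally served from the CFIDE scripts path; if public access to CFIDE is blocked, as it usually should be, serve those scripts from the directory configured as the Default ScriptSrc Directory in CF Administrator instead. The proxy's remote method remains callable by anyone who can reach the site, so the validation has to stay server-side; the JavaScript only decides how the result is displayed.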
Guide, Jul 19, 2017 (latest reply)

I've never used CFAJAXPROXY, so I can't comment on it.  Sounds like you have a viable solution!
