Optimise Lucee Resource Mapping for /farcry

#1

When setting up a FarCry web app it's usual to configure a resource mapping for /farcry to grant the application access to the framework. It’s also very common to create a specific admin virtual/alias on the web server that points directly to the /webtop.

For example on NGINX, you might use something like:

    location /webtop {
        alias /var/www/farcry/core/webtop;
        try_files $uri $uri/ $uri.index.cfm $uri/index.cfm;
    }

Note, you can always just dump the entire framework into the webroot but mapping resources is a much better approach.

For the /farcry mapping in Lucee there are two very important settings:

  1. Inspect Templates: set this to Once (Good); this will give you a significant performance boost whilst still allowing you to make changes to files while you are developing
  2. Web Accessible: set this to blank or Unchecked; flagging the resource as not accessible via the web adds additional security to your environment, and makes sure you don’t accidentally expose a vulnerability in your application by allowing malicious users to address templates out of context directly via the web

If you are adjusting your lucee-web.xml.cfm configuration file directly, then a correctly configured /farcry mapping would look something like:

    <mapping
      inspect-template="once"
      physical="{web-root-directory}/farcry"
      primary="physical"
      toplevel="false"
      virtual="/farcry"/>

Note, toplevel="false" is the flag for “Web Accessible”.
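A small audit of the two settings described above, as an added example that is not part of the original post or of FarCry/Lucee: it parses a config in the `lucee-web.xml.cfm` format and reports mappings that are web accessible or not using a cached inspection mode. The sample config, the function name `audit_mappings`, and the choices to accept `once` or `never` and to report a missing `toplevel` are assumptions for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample, not a real config: one mapping as recommended in the post,
# one left web accessible with per-request inspection, one with neither attribute.
SAMPLE_CONFIG = """<cfLuceeConfiguration>
  <mappings>
    <mapping inspect-template="once" physical="{web-root-directory}/farcry"
             primary="physical" toplevel="false" virtual="/farcry"/>
    <mapping inspect-template="always" physical="{web-root-directory}/legacy"
             primary="physical" toplevel="true" virtual="/legacy"/>
    <mapping physical="{web-root-directory}/lib" primary="physical" virtual="/lib"/>
  </mappings>
</cfLuceeConfiguration>"""

# Assumption: cached inspection modes are the acceptable ones for this audit.
ACCEPTED_INSPECT = {"once", "never"}


def audit_mappings(xml_text):
    """Return (virtual, problem) tuples for each resource mapping that deviates."""
    findings = []
    root = ET.fromstring(xml_text)
    # Only look under <mappings>, so other <mapping> elements are not picked up.
    for m in root.findall(".//mappings/mapping"):
        virtual = m.get("virtual", "<no virtual>")
        toplevel = m.get("toplevel")
        if toplevel is None:
            # Assumption: an unset flag is reported so it gets set explicitly.
            findings.append((virtual, "toplevel not set explicitly"))
        elif toplevel.strip().lower() != "false":
            findings.append((virtual, "toplevel=%r: mapping is web accessible" % toplevel))
        inspect = (m.get("inspect-template") or "").strip().lower()
        if inspect not in ACCEPTED_INSPECT:
            findings.append(
                (virtual, "inspect-template=%r: expected once or never" % (inspect or "unset"))
            )
    return findings


if __name__ == "__main__":
    for virtual, problem in audit_mappings(SAMPLE_CONFIG):
        print("%-10s %s" % (virtual, problem))
```

To check a real file, read it and pass its text to `audit_mappings`.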

#2

Setting this value to Never in production is best, but means you can’t change .cfm/.cfc files and see them recompiled by Lucee without restarting the server; not great for development.