Configure WEB-INF outside the webroot by default

[zspitzer]

it would be really good to add moving the WEB-INF folder outside the webroot by default, to provide a much better locked down experience out of the box.

It's only a simple change to the \tomcat\conf.web.xml file

<init-param>
      <param-name>lucee-web-directory</param-name>
      <param-value>c:/Lucee/web-contexts/{web-context-label}</param-value>
      <description>Lucee Web Directory (for Website-specific configurations, settings, and libraries)>/description>
</init-param>

https://docs.lucee.org/guides/installing-lucee/windows/installing-the-boncode-connector-and-mod_cfml.html#optional-relocating-web-inf-files-outside-the-web-root

the only minor problem is that by default the context directory names are just a hash, as opposed to something human readable like the context names which mod_cfml generates

https://luceeserver.atlassian.net/browse/LDEV-150

[utdream]

Going to wait to see how Lucee handles this before moving forward with something on my end.

[michaeloffner]

When we started Railo one of the goal was to make it better fit for a shared hosting environment (because of that we have the server/web admin concept backed in). An other approach was to be able to use it on any java hosting by simply copy the war in place. one of the restriction you normally have in a shared hosting environment is that you do not have access to the filesystem outside the webroot. So we decided to setup the web config inside the WEB-INF folder, because this is the most secure place within the webroot. You can argue times changed and a shared hosting environment is not the typical environment Lucee lives in. That is the reason we are working on to make the web admin optional. What i see as an option, that we move the web config next to the "lucee-server" folder and name it "lucee-webs/{instancename}", a setup i use in all installations i do. We can do a change like this in Lucee 6. But like i said, my goal is to make the web config optional. Out of the box Lucee will only have the server admin and within that you can enable/disable the web admin, but only if you have more than one web context.

[Bilal-S]

@michaeloffner Thanks for clarifying. I would agree that taking the web admin out and making it optional is a good idea. I would encourage us to think further. Many years ago (maybe 7) I had suggested that we look at a pure run engine that is that is already configured to execute cfml. I did not call it serverless but described the concept. I still think this is the way to go and anything moving us along that path is a good step.

[andreasRu]

Please see my comment on https://github.com/viviotech/lucee-installer/issues/103#issuecomment-633304322

[utdream]

My hesitation on a uniform directory to house the Lucee Web Admins is two fold:

1) It would require admins to learn where the files are relocated. This causes a lot of time lost for users when things aren't where they "used to be".

2) In the past, directories that are centralized in this way are "encoded", and it's difficult to figure out which site each directory belongs to. This also adds to system administration time. This might have changed since I last tried it though...

The way things are now, it's easy to know that a WEB-INF directory belongs to a specific site because that WEB-INF is in a specific directory that usually only belongs to one site. Plus, this is the way it's always been, so folks are used to it this way.

[utdream]

@michaeloffner In Lucee 6, would it be possible to name the directory of each context based on the context name in the servlet container? That would solve the problem of figuring out which directory belongs to which site, and if the change happened in a major version update, it would be easier for sysadmins to learn. IE: after Lucee 6 site-specific configs are now located in a universal "lucee-webs/" directory.