
Multisite: prevent files and folders access between sites


Sébastien

Hello everyone,

I recently started using ProcessWire and have already managed to accomplish several things on my own, but I keep asking myself a lot of questions, among which the following:

After installing a multiple-sites version (first method), everything works for now as desired, but I realize that all the files seem accessible by all the domains.

Let's say that site1.com can access the asset files, templates or other resources of site2.com's folders, and vice versa, simply by specifying, for example:

site1.com/path_to_a_site2_folder/one_file
or
site2.com/path_to_a_site1_folder/one_file

Would you know if there is a simple way to prohibit this kind of behavior in order to clearly distinguish each site and thus ensure the confidentiality and separation of content?

I prefer to avoid the entities being considered as a single set by crawlers and to prevent access to the elements belonging to each domain from another domain.

Thanks for your help. Sébastien.


Hello again everyone!

Nobody for my multisite problem?

Sorry if I have posted in the wrong forum or if I have not been clear enough (I'm not fluent in English).

Maybe I have to do some terrible htaccess wicked magic or to separate my PW installations?

But if there is an option somewhere and easy good practices, you are welcome too!


Hi @Sébastien,

Welcome to ProcessWire and the forums.

Perhaps not the response you were looking for but I am a bit curious about what you mean by this?

On 6/2/2020 at 4:57 AM, Sébastien said:

that all the files seem accessible by all the domains.

What do you mean by all files? Web accessible (public) files will be available to the world, so to speak (e.g. image files in your assets folder). Protected folders/files will not be visible. Could you please clarify and/or give examples?

On 6/2/2020 at 4:57 AM, Sébastien said:

Would you know if there is a simple way to prohibit this kind of behavior in order to clearly distinguish

Please clarify this. I don't understand whether you are talking about manual or programmatic access. 

On 6/2/2020 at 4:57 AM, Sébastien said:

thus ensure the confidentiality and separation of content?

Similar to my previous comment, please clarify what you mean by confidentiality. From whom? Things like images, css, js, cannot be hidden and the path to those assets are visible to the world. They need to be public. What type of files are you trying to hide?

On 6/2/2020 at 4:57 AM, Sébastien said:

I prefer to avoid the entities to be considered as a single set by crawlers

This is interesting. I don't have much knowledge about crawlers and others with a better grasp might chime in. My understanding though is that crawlers treat your entities as belonging to a domain? 


On 6/2/2020 at 4:57 AM, Sébastien said:

prevent access the elements belonging to each domain from another domain.

Please clarify how this access would happen. By another domain, do you mean one of your site-* domains?

I use multisite option 1 myself, by the way. 


Hi @kongondo,

First of all thank you for the welcome message and for taking the time to answer me! :)

Then, indeed, I probably lacked clarity, and it may be that I am questioning a non-problem.

We fully agree on the principle that these are public content, by confidentiality I mean that each entity should be considered as not hosting another compared to the file tree.

To further illustrate my previous post, let's say that for example I have two separate sites on the same PW installation.
A site for artists and a site for cars, with a "site-artists" and a "site-cars" folder respectively.

I don't really understand the logic of making it possible to access the resources of one site or another by simply modifying the URL. It seems to me that this does not happen in a WordPress multisite network environment (but maybe I'm wrong), and that the cars site should not have access to the artists site, and vice versa.
cars.com/site-artists/images/david-bowie.jpg
artists.com/site-cars/images/volkswagen.jpg

That said, after performing some initial tests with the "HTTrack" site-copying tool, nothing was recovered outside the domains concerned; even the main domain did not manage to recover the contents of the hosted sites. I imagine this is linked to the fact that no resources clearly point to the other entities.

So far so good! Thank you again for your help and your attention. :)


6 hours ago, Sébastien said:

I don't really understand the logic of making it possible to access the resources of one site or another by simply modifying the url. 

I see your point. However, imagine if the two were separate sites. This:

6 hours ago, Sébastien said:

cars.com/site-artists/images/david-bowie.jpg
artists.com/site-cars/images/volkswagen.jpg

Would be this:


cars.com/site/images/david-bowie.jpg
artists.com/site/images/volkswagen.jpg

What is the difference between the two except for the fact that they are not directly sharing a parent folder? i.e. web/parentofsites/site-1 and web/parentofsites/site-2 versus web/somesite1/site (for 1) and web/somesite2/site. It is almost just an issue of semantics. They are in the same web server and there are no security issues at all. Not even SEO issues to the best of my knowledge. The sites are not talking to each other (although you can make them talk if you want) and are not accessing each other's resources. The only common thing they have is wire.

6 hours ago, Sébastien said:

So far so good! Thank you again for your help and your attention. 🙂

No worries 😄 Feel free to ask away! 🙂 

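For anyone who nonetheless wants each hostname confined to its own site-* folder (kongondo's point stands: this is tidiness, not a security fix), here is an Apache mod_rewrite fragment added as an example; it is not from this thread or from ProcessWire's own .htaccess. It assumes mod_rewrite is enabled, that the lines go in the web-root .htaccess ahead of ProcessWire's existing rules, and uses the cars.com / artists.com hostnames and site-cars / site-artists folders from the thread.

```apache
# Constructed example: confine each hostname to its own site-* directory.
# Placed in the web-root .htaccess before ProcessWire's own rewrite rules.
RewriteEngine On

# Requests arriving for cars.com (with or without www) must never be served
# anything from /site-artists/. Answer 403 Forbidden and stop processing.
RewriteCond %{HTTP_HOST} ^(www\.)?cars\.com$ [NC]
RewriteCond %{REQUEST_URI} ^/site-artists/ [NC]
RewriteRule ^ - [F,L]

# Mirror rule: artists.com must never be served anything from /site-cars/.
RewriteCond %{HTTP_HOST} ^(www\.)?artists\.com$ [NC]
RewriteCond %{REQUEST_URI} ^/site-cars/ [NC]
RewriteRule ^ - [F,L]

# Add one such pair of conditions per additional site-* folder; mod_rewrite in
# .htaccess cannot consult a host-to-folder map, so the pairs are explicit.
```

To check the effect, request a cross-site asset path such as cars.com/site-artists/images/david-bowie.jpg: it should now return 403, while the same path under artists.com still serves the file. Replace [F,L] with [R=404,L] if you prefer the path to look non-existent rather than forbidden.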

14 hours ago, kongondo said:

They are in the same web server and there are no security issues at all. Not even SEO issues to the best of my knowledge.

Yes, it was my main fear and I am now reassured after our discussion, especially for the SEO part.
I also deduce that unless somebody knows the paths and resources, it is highly unlikely that they could guess and find them by tinkering with the URLs.
So everything, I hope, should go. Thank you so much for all these clarifications! 😉
