Sébastien

Multisite: prevent files and folders access between sites


Hello everyone,

I recently started using ProcessWire and have already managed to accomplish several things on my own, but I keep asking myself a lot of questions, among which the following:

After installing a multiple sites version (first method), everything works for now as desired, but I realize that all the files seem accessible by all the domains.

Let's say that site1.com can access the asset files, template or other resources of site2.com folders and vice versa by specifying only and for example:

site1.com/path_to_a_site2_folder/one_file
or
site2.com/path_to_a_site1_folder/one_file

Would you know if there is a simple way to prohibit this kind of behavior in order to clearly distinguish each site and thus ensure the confidentiality and separation of content?

I prefer to avoid the entities to be considered as a single set by crawlers and prevent access to the elements belonging to each domain from another domain.

Thanks for your help. Sébastien.


Hello again everyone!

Nobody for my multisite problem?

Sorry if I have posted in the wrong forum or if I have not been clear enough (I'm not fluent in English).

Maybe I have to do some terrible htaccess wicked magic or to separate my PW installations?

But if there is an option somewhere and easy good practices, you are welcome too!


Hi @Sébastien,

Welcome to ProcessWire and the forums.

Perhaps not the response you were looking for but I am a bit curious about what you mean by this?

On 6/2/2020 at 4:57 AM, Sébastien said:

that all the files seem accessible by all the domains.

What do you mean by all files? Web accessible (public) files will be available to the world, so to speak (e.g. image files in your assets folder). Protected folders/files will not be visible. Could you please clarify and/or give examples?

On 6/2/2020 at 4:57 AM, Sébastien said:

Would you know if there is a simple way to prohibit this kind of behavior in order to clearly distinguish

Please clarify this. I don't understand whether you are talking about manual or programmatic access. 

On 6/2/2020 at 4:57 AM, Sébastien said:

thus ensure the confidentiality and separation of content?

Similar to my previous comment, please clarify what you mean by confidentiality. From whom? Things like images, css, js, cannot be hidden and the paths to those assets are visible to the world. They need to be public. What type of files are you trying to hide?

On 6/2/2020 at 4:57 AM, Sébastien said:

I prefer to avoid the entities to be considered as a single set by crawlers

This is interesting. I don't have much knowledge about crawlers and others with a better grasp might chime in. My understanding though is that crawlers treat your entities as belonging to a domain? 

 

On 6/2/2020 at 4:57 AM, Sébastien said:

prevent access to the elements belonging to each domain from another domain.

Please clarify how this access would happen. By another domain, you mean one of your site-* domains?

I use multisite option 1 myself, by the way. 


Hi @kongondo,

First of all thank you for the welcome message and for taking the time to answer me! :)

Then and indeed, I probably lacked clarity and it may be questioning around a non-problem.

We fully agree on the principle that these are public content, by confidentiality I mean that each entity should be considered as not hosting another compared to the file tree.

To further illustrate my previous post, let's say that for example I have two separate sites on the same PW installation.
A site for artists and a site for cars with respectively a "site-artists" and a "site-cars" folder.

I don't really understand the logic of making it possible to access the resources of one site or another by simply modifying the url. It seems to me that this does not happen in a WordPress multisite network environment (but maybe I'm wrong) and that the cars site should not have access to the artists site, and vice versa.
cars.com/site-artists/images/david-bowie.jpg
artists.com/site-cars/images/volkswagen.jpg

That said, after performing some initial tests with the "Httrack" site vacuum tool, nothing was recovered outside the domains concerned, even the main domain did not manage to recover the contents of the hosted sites, I imagine that this is linked to the fact that no resources clearly point to the other entities.

So far so good! Thank you again for your help and your attention. :)

6 hours ago, Sébastien said:

I don't really understand the logic of making it possible to access the resources of one site or another by simply modifying the url. 

I see your point. However, imagine if the two were separate sites. This:

6 hours ago, Sébastien said:

cars.com/site-artists/images/david-bowie.jpg
artists.com/site-cars/images/volkswagen.jpg

Would be this:

cars.com/site/images/david-bowie.jpg
artists.com/site/images/volkswagen.jpg

What is the difference between the two except for the fact that they are not directly sharing a parent folder? i.e. web/parentofsites/site-1 and web/parentofsites/site-2 versus web/somesite1/site (for 1) and web/somesite2/site. It is almost just an issue of semantics. They are in the same web server and there are no security issues at all. Not even SEO issues to the best of my knowledge. The sites are not talking to each other (although you can make them talk if you want) and are not accessing each other's resources. The only common thing they have is wire.

6 hours ago, Sébastien said:

So far so good! Thank you again for your help and your attention. 🙂

No worries 😄 Feel free to ask away! 🙂 

  • Like 1
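
If each site folder should answer only on its own domain, as asked in the first post, the web server can enforce that binding. An added example, not from any participant in this thread: an Apache .htaccess fragment that assumes mod_rewrite is enabled and reuses the folder and domain names from the posts above.

```apache
# Added example for the root .htaccess of the shared ProcessWire installation.
# Assumption: Apache with mod_rewrite. Place these rules right after the
# existing "RewriteEngine On" line so they run before any other rewrite rule.
# Folder names (site-artists, site-cars) and domains come from the thread.

# /site-artists/... is served only when the request host is artists.com
# (with or without "www.", with or without an explicit port).
RewriteCond %{HTTP_HOST} !^(www\.)?artists\.com(:\d+)?$ [NC]
RewriteRule ^site-artists(/|$) - [F,L]

# /site-cars/... is served only when the request host is cars.com.
RewriteCond %{HTTP_HOST} !^(www\.)?cars\.com(:\d+)?$ [NC]
RewriteRule ^site-cars(/|$) - [F,L]
```

With these rules, cars.com/site-artists/images/david-bowie.jpg returns 403 Forbidden, while artists.com/site-artists/images/david-bowie.jpg is still served. The files remain public on their own domain, so this separates the sites by hostname and does not hide anything.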

14 hours ago, kongondo said:

They are in the same web server and there are no security issues at all. Not even SEO issues to the best of my knowledge.

Yes, it was my main fear and I am now reassured after our discussion, especially for the SEO part.
I also deduce that unless somebody knows the paths and resources it is highly unlikely to be able to guess and find them by tinkering with the URLs.
So everything, I hope, should go. Thank you so much for all these clarifications! 😉
