Hi All,
i want to realize a download/upload system for me, my family and some friends, important private documents. My system (Apache-Server) is running on my Debian-Lenny machnie. During my searching i found the modules "private upload/download". I am beginner and the documentation for these modules are a bit to slim for me.
The configuration of "private download" consists:
RewriteEngine on RewriteBase /system/files/private RewriteRule ^(.*)$ $1 [L,R=301]
Does this mean that the download destination is /path-to-my-homepage/sites/default/files/private/ ?
How can i set up "private download" for use with an extern folder outside my hompage-folder?
I need a secure sharing system only for private use. I thought about using my ftp-server:
client <--> homepage <--> ftp-server
But this would be an alternative way to these modules "private download/upload". Maybe you have some further interesting ways and howtos?
regards Markus
Comments
.
First, you should realize that it is unclear what module you are talking about. There are lots of different modules or instructions trying to do similar things, some of them buried in forum replies.
Drupal core supports private downloads. You can enable them in the admin/settings/file-system page and you can specify a filesystem path outside the web root directory. Then the files will be served to authorized user with paths like "/system/files/yourfile" (or "/base_path/system/files" if your site's URL contains a base path).
About the module that you mentioned, what I can infer from what you said is that
- it only supports directories inside the web root (otherwise it would have no use for .htaccess rewrites)
- when such a file is requested, it redirects to a "/system/files/private" path (or "/base_path/system/private" if your site's URL contains a base path)
Modules which do that often prevent direct browsing of the files using
Order deny,allowandDeny from allin an .htaccess file, so that the files can only be read from the filesystem and not from the web server. But this one may be doing it differently, with that rewrite/redirection.Hi rusty, i am talking about
Hi rusty,
i am talking about the modules "private upload" and "private download". An alternative way would be over ftp. But i don't know a module which could handle ftp.
My homepage lays under /var/www/my-side.de/, but my files should be located at a different destination /home/markus/documents/. The settings in admin/settings/file-system does not solve this problem. My homepage and my files should be parted, because i do not want to backup every day files over 1GByte. My homepage takes about 20MByte without my files.
Modules which do that often prevent direct browsing of the files using Order deny,allow and Deny from all in an .htaccess file, so that the files can only be read from the filesystem and not from the web server. But this one may be doing it differently, with that rewrite/redirection.
Have you a concretize solution for my problem?
regards Markus
.
About files in a different directory, sure, you can use a symlink:
That should create a symlink named "whatever", which will behave like a directory containing the files which exist in /home/markus/documents. You can use that "whatever" directory as your private files directory in your "private" module's settings. Usually this needs to be somewhere under your "files" directory.
To restrict direct server access use whatever your "private" module suggests in .htaccess, and make sure that the *URL* base path (not the filesystem path) is correct in the redirects.
Do i need only read or
Do i need only read or read+write acces? The module "private upload" gives me the message:
Very bad! Your private files are not private!
I am not sure why? In my /path-to-my-homepage/sites/default/files/ are some other files which maybe belong to themes???
What do i have to do to solve the problem with my message "Very bad! Your private files are not private!" ?
regards Markus
.
Those directories are fine where they are. Judging from their owner, they have been put there by drupal modules. The permissions are also fine, so that the files can be listed/read/written using filesystem functions.
What the error message is about is Apache's permission for showing the files to browsers. That needs to be solved with an Apache directive in an .htaccess file.
I already mentioned how this is *usually* done, with a "deny from all" directive in an .htaccess file in the "private" directory. However you need to do whatever the instructions in your module tell you to do in the "private" directory.
Hi rusty i made to
Hi rusty i made 2 directories. One for upload "/var/www/my-side.de/sites/default/files/upload/" and one for download "/var/www/my-side.de/sites/default/files/download/"
The path under file-system says "sites/default/files". I added another line with "Deny from all" to "/var/www/my-side.de/sites/default/files/.htaccess" and "/var/www/my-side.de/sites/default/files/upload/.htaccess". The upload system seems to create 2 .htacces files. And i get this messages:
My files are not private! Do you have any hints why? My Apache Server ignores Options in ".htaccess" files (AllowOverride None), could this be the problem?
For my private download i made the following settings:
private download directory: download
htaccess content: RewriteEngine on RewriteBase /system/files/download RewriteRule ^(.*)$ $1 [L,R=301]
But he tells me "The RewriteBase path does not equal /system/files/download in htaccess content."
What do i have to insert for my RewriteBase?
regards Markus
.
There is only one way to find out for sure if your files are private or not. Upload a picture, try to browse it directly, and see if you can view it. Any other method which the code may be using to show that message can't be 100% reliable in all servers.
For the .htaccess directive in the first case, use this
but don't do it in you public "files" directory. Only in the private one.
About your last question, do you have this in separate lines?
This may or may not be right, depending on the URL of your site (you may need to change it if your site is http://example.com/something and not just http://example.com).
About "private download",
About "private download", each command is not in one line, because i am using the fckeditor, which seems to not break the lines. When i switch to the simple editor he shows me:
<p>RewriteEngine on RewriteBase /system/files/download RewriteRule ^(.*)$ $1 [L,R=301]</p>in one line. And every time i refresh my window he do overwrite the word "download" by "private".
So i just breaked these lines manually in the simple editor and then saved it. This works. he creted a folder named download and a file download/.htaccess. This file contains then my commands in different lines, but with the special character "^".
About "privat upload" when i create a new thread in my forum and try to attach a new file, he gives me the error:
I am using the bitcache module, but don't know what it does exactly? It seems to be needed by the modules file, attachments. But i can go to "Data Storage/Repositorys/Standard" and then "Ubload bitstream". But i think that is not what i want. Any hints?
regards Markus
.
Edit that .htaccess file with a good text editor (what OS are you using?), remove those "^" special characters, and upload it again.
The problem with the bitcache module may be unrelated. I don't know if it is a module configuration problem or a bug in the module. There are several similar bug reports its issues which generally remain unanswered.
I am using debian Lenny with
I am using debian Lenny with drupal 6.16. I read at http://bitcache.org/ that it depends on "ruby". I do not have ruby installed. Do i have to do this? Further on i could try the dev version.
About my private/public problem. My apache config looks like this:
http://pastebin.com/T0pU6qZ4
I am not sure whether "AllowOveride None" is a problem?
.
Yes, "AllowOverride None" is a problem. All your .htaccess files are ignored.
You need to change it to "AllowOverride All" or to any other setting which covers what you are doing in .htaccess (but not "None"), at least in the Directory sections of your vhost and under it.
Other improvement:
to be able to use rewrites
and
because the way it is now ("order deny,allow" and "allow from all") is meaningless because you can't deny to anyone any more.
About bitcache, I have never used it and I can't help there.
Hi Rusty, i disabled module
Hi Rusty,
i disabled module per module and after i disabled the module "file" i got the option under "manage/settings/file-system" for private or public download.
Do i need the module "file" for upload and download? Or can i set up this module for use with private download?
I am not sure. file depends on bitcache and rdf. So maybe this is an alternative to the default private/public option in the "manage/settings/file-system". But when i am right, how to set up this?
regards Markus
.
I am guessing that you are talking about a module from the "file framework" package which needs bitcache. I have never used the file framework package, so I can't tell what it does. If you didn't install it for some particular reason, then you are better without it.
Generally, you are mixing together too many different modules which mess with the same things (file uploads). That can't be good.
You are right. mixing is not
You are right. mixing is not good. I am just testing which way is the savest and easiest one. I do not want the full comfort. Savety is more important for me.
I tried without the modules "file, bitcache, cck ...". When i make a new thread in my forum and attach a file i choose private, but then i can not access this file. The error message is:
The file adress is "https://my-side.de/?q=system/files/upload/console_log.txt". When i go directly to "https://my-side.de/sites/default/files/upload/console_log.txt" he says:
When i choose public i and the rest of the world can access this file.
https:/my-side.de/sites/default/files/console_log.txt
But this is only the upload System. How can i use the download system. There is no framework coming with the module "private download"?
When i go to "https://feldland.dyndns.org/sites/default/files/download/1.txt" i can not access my file and get the message:
.
(the threading is too narrow here)
Here is a list of my recent
Here is a list of my recent .htaccess files:
/var/www/my-side.de/sites/default/files/.htaccess
SetHandler Drupal_Security_Do_Not_Remove_See_SA_2006_006
Options +FollowSymLinks
/var/www/my-side.de/sites/default/files/download/.htaccess
Order Allow,Deny
Allow from All
Options +FollowSymLinks
RewriteEngine on
RewriteBase /system/files/download
RewriteRule ^(.*)$ $1 [L,R=301]
/var/www/my-side.de/sites/default/files/upload/.htaccess
SetHandler This_is_a_Drupal_security_line_do_not_remove
Order deny,allow
Deny from all
What shall i modify?
When i try
When i try https://my-side.de/sites/default/files/upload/README.txt whether i am logged in or not i get the README.txt file. So he seems to be right, all my files are public.
Thanks rusty, maybe there are
Thanks rusty,
maybe there are some fine tunings, but the big part should work now.
thanks and regards markus
.
In Drupal 6, in the admin/settings/file-system page, you must select "Private" or "Public" from the beginning and never change it. If you change it, you will have "Page not found" errors for the already uploaded files.
That is probably what happened with "Page not found" error for the file which you attached using the "upload" module included in core.
Those other 2 modules which you tried, "private upload" and "private download", are intended to be used only when you have selected "Public" in admin/settings/file-system but you want additionally to have a private files directory.
From what I read, the first one (private upload) uses node attachments just like the core "upload" module, but lets you make some attachments private. The other one (private download) is for files which you upload yourself with FTP and doesn't do any uploading.
So,
- If you are going to use exclusively Drupal's "Private" download method in the future, then you don't need any of the other modules.
- If you want to use Drupal's "Public" download module (for faster file access and less memory consumption), then you may need the other two modules for your private files. One for your node attachments and the other for FTP uploads.
So the modules "private
So the modules "private upload" and "private download" have no advantage in security? If i want to use the builtin private option of from drupal, then i have to reinstall my homepage?
Until now i din't uploaded files for productivity only for testing.
I want a few forums, forum1, forum2 ... where the users can only see the attached files in there own forum. For example user1 is member of group1 and group2. Forum1 depands on group1 and forum2 depands on group2, so user1 can see into forum1 and forum2 and see the files which are attached to these forums.
When i disabled "private upload" and "private download" and set my file-system to private, then i can still access "https://my-side.de/sites/". This is because i changed from public to private? And i can still acces files for example "https://my-side.de/sites/default/files/nautilus-debug-log.txt"
.
They have no security advantage compared to Durpal's "private" system. Actually they both make use of that system (the "system/files" paths are produced by Drupal's "Private" system).
They have a usability advantage, because in Drupal 6 you can't have "Private" and "Public" enabled at the same time and you need to choose one. With these modules you can set Drupal's download method to "Public" and then use these modules to keep some subdirectories "Private". Especially the "private_upload" module seems a good idea to combine the two ways, similar to what is going to happen in Drupal 7.
Only the already uploaded files may have path problems because of changing Drupal's setting from "Public" to "Private". The new ones should be fine. However, it is again up to you to prevent direct access to the files, because Drupal is not asked when someone browses there.
This can be done in two ways.
- In admin/settings/file-system, select private and set the files directory to a path outside your web root (outside public_html), so that the files don't even have an URL. No way to browse there. This is entirely secure, but then those two other private modules can't keep up and won't work.
- Or, let the files where they are, and use a small .htaccess file with the two lines mentioned to deny web access from all.
I think i got it, at least
I think i got it, at least the upload system. :-) My apache config looks now like (line 12 to 35):
http://pastebin.com/V1usXTzP
Also when i am logged in i can not go to "https://my-side.de/sites/default/files/gdb-pulseaudio.txt". This only works over my node-link in my forum. :-)
And my file "https://my-side.de/sites/default/files/.htaccess" consists only the line:
How can i list my content at "/home/markus/Documents/" ? What do i have to do when i make a new thread in my forum? I want to make a new thread in my forum with a listing of my content in the folder "/home/markus/Documents/", where the files can be downloaded by clicking on it.
regards Markus
.
I see that you have denied web access to everything under "sites/", which means that no uploaded files are public now, and everything has to be served only by Drupal.
Don't your theme's css and images have a problem with that? Or is your theme not under "sites/default/themes" but somewhere else?
What is your "download method" in admin/settings/file-system now? is it "Public" or "Private"?
The "/home/markus/Documents/" directory is outside you web space (this doesn't matter much now that you have denied all web access to any files anyway), but it is also outside the "sites/default/files" directory where Drupal looks for files (this matters). So, you will need to create a symlink somewhere under your sites/default/files/ to link to that directory, as I explained.
Or else, you can set that directory as your files directory (instead of sites/default/files) in admin/settings/file-system, using the "Private" download method.
If Drupal doesn't know anything about the files in that directory because they are not node attachments, it can't list them. If they have been uploaded as node attachments, then they will appear in the listed nodes.
I changed some of my apache
I changed some of my apache settings a bit http://pastebin.com/V1usXTzP. Nothing seems to missing, but i am not sure whether my navigation bar changed a bit. But all functions are here. I set up my "download method" in admin/settings/file-system to private.
I made a symbilic link:
I made a new directory-listing in "HOME/create content".
http://img541.imageshack.us/img541/2247/pic3oo.jpg
So i can list my files here.
http://img810.imageshack.us/img810/7075/pic1f.jpg
But i try to open one it says "Page not found".
http://img824.imageshack.us/img824/9992/pic2s.jpg
Do you have any idea?
regards Markus
Do you have any idea? I think
I think i got further. I set up in my a new directory-listing in "HOME/create content/Directory Listing" the option "folder-rights/download manager" to private and then i can download my files.
http://img715.imageshack.us/img715/1932/pic4v.jpg
Are my steps ok?
How can i insert this list in a new thread in my forum?
.
I don't know what module is that in your last screenshots and what it can do. If it provides its file list in a block or with an api function you could probably do something.
------ Edit:
That is the filebrowser module, isn't it? Those directory listings are nodes, so you could add the "directory listing" node type to the allowed types of your forum vocabulary in admin/content/taxonomy.
Then, when you create a dir listing node you can select to post it in a forum.
works :-) Do you have any
works :-)
Do you have any hints for me, how to check how secure my side is? Further on i noticed that my homepage design changed. :-( but did not loose any functions.
http://img813.imageshack.us/img813/6301/pic5q.jpg
My apache settings are to restrictive i think?
regards Markus
.
No hints, except to check that the
http://example.com/sites/default/files/Documents/filename
links are not accessible from the web and that only the
http://example.com/?q=system/files/Documents/filename
links are accessible.
About the theme, I don't have anything to compare what changed. Is a logo missing or some css not applied?
My logo is missing and the
My logo is missing and the theme has not my pretty colors, only grey.
Yes i am using the module filebrowser. I don't know wherefore css is using for in drupal, ok i know it is to form the design, but i don't know what exactly it is for.
All content is align to the left side and from top to bottom. So this could be the css Problem.
.
This is because of those directories under sites/default/files: "color", "css", "js", and maybe "ctools". You may need to allow web access to them, or better, to deny web access only to the ones that you want private.
Some of them store aggregated css an js because of your settings in admin/settings/performance.
Also, color picker won't work any more to create new color schemes, unless you switch to public temporarily to create new color schemes.
Would the next apache config
Would the next apache config save my folder /home/markus/Documents/ ?
Are there any other important data under /var/www/my-side.de/ ?
.
(deleted) - I'll get back to this ASAP.
Subscribe. @cog.rusty
Subscribe. @cog.rusty Really great support.
Contact me for drupal projects in English, German, Italian, Drupal Hosting Support.
Hi All, i just noticed that
Hi All,
i just noticed that my side is accessable but my color and java, css is not available. I only changed the name of my directory from
"/var/www/my-side.de/sites/default/files/" to "/var/www/my-side.de/sites/default/23dad3agf4/"
here are my current important settings:
The rights of my "files" folder are the same as my renamed folder "23dad3agf4". Any idea?
Therefore i renamed my old folder "files" to "files.old". When i rename this folder back, then it works. My filesystem settings are setup for the new folder named "23dad3agf4".
regards Markus
regards Markus
The first though is: When you
The first though is: When you created the new folder (23dad3agf4) did you also reviewed the access permissions ?
chmod 755 ../default
Sometime when you create new folder on your host may happen that you get the default permission set that might be not compatible with
the permissions that Drupal needs to work properly.
Contact me for drupal projects in English, German, Italian, Drupal Hosting Support.
Hi Wolfflow, both folders
Hi Wolfflow,
both folders have the permissions 750, and it works with the old folder. Both have the same owner and group "www-data". I suppose that there is a problem with some interal links in the Mysql Database, but i am not sure. The ".htaccess" file contain the same content.
Hi @feldmaus, let me
Hi @feldmaus, let me understand better what you did.
1. At the beginning, after fresh Drupal install you have a sites/default/files folder.
2. At admin/settings/file-system in FILE SYSTEM PATH you have sites/default/files
3. You decided to change the files folder name.
-- I guess
4. You changed the folder name from files to 23dad3agf4
5. Testing, Drupal will not be able to read any files inside this 23dad3agf4 folder because
the FILE SYSTEM PATH is not updated
6. Before testing you also changed the FILE SYSTEM PATH to sites/default/23dad3agf4
7. Testing Drupal still does not read any files inside this folder because many database table still contain the old path
8. Mostly the tables are: cache, cache_content, cache_filter, cache_menu, files, menu_links, menu_router, system, users, variables
-- The workaround
9. rename your sites/default/23dad3agf4 back to sites/default/files
10. test and let Drupal work normally.
11. Clear cache : admin/settings/performance
12. Run cron job: admin/report/status
13. Open http://localhost/phpmyadmin and export your drupal database and name it drupal_backup.sql
14. make a copy of drupal_backup.sql and name it drupal_modified.sql
15. Open with a text-editor application your drupal_modified.sql file and replace with the search and replace feature
all text with "files" with "23dad3agf4" (without quotes naturally) paying attention to the above listed tables.
16. Save and import the drupal_modified.sql.
-- The end
17. Test it. This is really an extreme workaround, but it should work, except for few URL.
Contact me for drupal projects in English, German, Italian, Drupal Hosting Support.
More better for point
More better for point 15:
make the search for the FILE SYSTEM PATH folder "files"
using "sites/default/files" as to exclude eventually the noun "files" in some of your nodes
and also to be sure you change the right paths
Regards
Contact me for drupal projects in English, German, Italian, Drupal Hosting Support.
Thanks Wolfflow, works I will
Thanks Wolfflow,
works
I will post, if some further error occurs.
regards Markus
I'm glad my suggestion did
I'm glad my suggestion did work for you. You are welcome.
Regards Wolf
Contact me for drupal projects in English, German, Italian, Drupal Hosting Support.