[Baypiggies] Nested plone sites?
Ken Seehart
ken at seehart.com
Fri Oct 5 12:20:29 CEST 2007
Dennis Reinhardt wrote:
> At 03:09 PM 10/4/2007, Ken Seehart wrote:
>
>
>> www.seehart.com/foobar => http://seehart.webfactional.com/foobar
>> www.seehart.com => http://seehart.webfactional.com/seehart.com
>>
>
> wow! There are three technologies at work here: (1) host file system, (2)
> DNS, and (3) Plone/Zope/CMS.
>
> Let's start at (1). Your web files in an ISP account are generally under
> some top level directory such as htdocs, public_html, or some other such
> directory.
>
> It is good practice to then place separate websites under this:
>
> htdocs/seehart/
> htdocs/foobar
>
> These are then assigned to URLs via DNS. If you do not have separate
> domain names, then yes, you would have to access the sites as
>
>
>> http://seehart.webfactional.com/seehart
>>
> http://seehart.webfactional.com/foobar
>
>
Actually I do have several domain names.
http://seehart.webfactional.com/ is just the url given to me by my ISP.
> Your second URL example above is valid but likely does not parse the way
> you think it does. seehart.com is a subdirectory somewhere in the
> webfactional file structure.
>
> Doing it this way, you are tied to webfactional.com and cannot move to
> another domain. That is why good practice is to have separate domain names.
>
End users will not use urls based on http://seehart.webfactional.com.
That's just for me to operate on when developing the sites. End users
will use my various domains such as www.seehart.com, which I currently
have hosted at Interlix. These urls will survive this and any future
host transitions.
> I know approximately nothing about Plone but nested domains are generally a
> bad idea. Suppose, your directory structure is
>
> htdocs/seehart/
> htdocs/seehart/foobar
>
> You can surely assign separate domain names via DNS. What is the
> problem? The problem is that any access to the foobar subdirectory from
> the seehart site will be satisfied by something which is not part of the
> seehart site. If/when foobar is split off you will have broken urls.
>
> Even with peer domains, a url using ".." to navigate up the directory tree
> and then back down to the other site directory has a chance of succeeding,
> depending on site hardening. This used to be a common attack but I have
> not seen it in my logs lately. My public Apache server blocks this while
> my local (only) IIS server allows it.
>
> Regards, Dennis
> ---------------------------------
> | Dennis | DennisR at dair.com |
> | Reinhardt | http://www.dair.com |
> ---------------------------------
>
>
I think we are talking about completely different things :-) In my
case, these are Zope folders, not filesystem directories. So allow me
to clarify....
The Zope root folder is automatically assigned to
http://seehart.webfactional.com which I will only use for administrative
purposes.
I plan to have everything under this one Zope instance, so the details
of the filesystem don't affect this. People accessing my site will not
use the http://seehart.webfactional.com/... url at all, but rather will
use urls such as http://www.seehart.com which will be assigned to
http://seehart.webfactional.com/seehart.com, and http://www.gameofy.com
which will be assigned to http://seehart.webfactional.com/gameofy.com
(these are currently being hosted at Interlix until I finish moving them).
So the three technologies that affect the urls are:
*DNS:* (makes *seehart.com* and *gameofy.com* et al. show up at one of
webfaction's IP)
*URL Rewrite rules:* (which equates *http://gameofy.com* with
*http://seehart.webfactional.com/gameofy.com*)
*Zope:* Implements the tree starting at
*http://seehart.webfactional.com* independent of the filesystem.
That ".." hack is interesting. I tried it and it worked! The ".."
turns out not to be necessary due to acquisition, so for example,
www.gameofy.com/samplemove.com goes to www.samplemove.com. Not exactly
desirable, but it seems harmless in all of my cases that I can think of
(Zope and Plone security measures apply independent of the original
url). The issues of broken links and security problems are separate
from each other in the sense that security problems are abused
intentionally, whereas broken links are generally unintentional. I
don't see how people would acquire such messed up links by accident (the
users of each respective domain are not aware of the other domains, and
nothing would generate the messed up links that I can think of), so I
don't see a problem here.
Donna M. Snow wrote:
> OH no.. no nesty Plone sites (though there is a product called
> SubPlone.. which works with pre-3.0 sites)..
>
> Side by side Plone sites are fine (and which version are you working
> with Ken? 3.0?)
>
Yes, it will be Plone 3.0.1. I am at Plone 2.0.4 at my current host
(which is going out of business at the end of the year). I will
probably have questions about migration soon, but I want to take a crack
at it myself first.
> You can add as many Plone sites as you want in a Zope instance (just
> keep in mind performance will get worse and worse with each one you
> add) But you add them on the same level.. not inside each other..
>
> Acquisition becomes a major issue.. when you nest Plone sites
>
> It makes more sense to create a separate site for the two and then
> point to each site through DNS
>
> Also.. btw.. take a look at grok.net (still being worked on but
> looking pretty darned good!) for those who like Zope but don't love
> Plone..
>
Already going with WebFaction. Besides, I love Plone now :-)
> We may start implementing Grok sites in the future because we really
> like the way it's developing.
>
> Best Regards,
> Donna M. Snow, Principal
> C Squared Enterprises
> illuminating your path to Open Source
> http://www.csquaredtech.com
> imagination | innovation | brilliance
> Business 408.385.1812
> Fax 408.649.5543
>
Acquisition takes place after the rewrite rule is applied, so Donna's
answer suffices. I can set up all the plone objects inside the top
level folder (*http://seehart.webfactional.com*), not nested, and apply
rewrite rules to make the urls do what I want. Better yet, I think
maybe I will just make www.seehart.com a Zope site instead of a Plone
site (there being obviously nothing wrong with "nesting" a Plone site in
a Zope folder :-) ). That makes the whole problem go away. But it's
nice to know how to do it anyway.
For educational purposes, I think the solution to my original question
would be this: *www.seehart.com/foobar* would be a plone site sitting
right next to the *www.seehart.com* plone site, but not be nested (they
would only /appear/ to be nested).
Thanks for your answers, they were helpful.
- Ken Seehart
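
The behaviour discussed in this message (the rewrite rule picks the start folder, acquisition runs afterwards, so www.gameofy.com/samplemove.com serves the sibling site), as an added example that is not part of the original post. It is a toy Python model of container acquisition, not Zope's actual API; the class and function names and the `rules` subfolder are hypothetical, and the tree is constructed.

```python
class Folder:
    """Toy container: children are found by name, or acquired from a parent."""
    def __init__(self, name, parent=None):
        self.name, self.parent, self.children = name, parent, {}
        if parent is not None:
            parent.children[name] = self

    def lookup(self, name):
        # Acquisition: walk up the containment chain until the name is found.
        node = self
        while node is not None:
            if name in node.children:
                return node.children[name]
            node = node.parent
        return None

    def physical_path(self):
        parts, node = [], self
        while node.parent is not None:
            parts.append(node.name)
            node = node.parent
        return "/" + "/".join(reversed(parts))

# Constructed tree: side-by-side site folders under one root.
ROOT = Folder("")
for site in ("seehart.com", "gameofy.com", "samplemove.com"):
    Folder(site, ROOT)
Folder("rules", ROOT.children["gameofy.com"])  # hypothetical page inside one site

def site_folder(host):
    return host[4:] if host.startswith("www.") else host

def resolve(host, url_path):
    """Apply the rewrite (host -> /<site folder>), then traverse with acquisition."""
    node = ROOT.children[site_folder(host)]
    for segment in filter(None, url_path.split("/")):
        node = node.lookup(segment)
        if node is None:
            return None  # nothing found anywhere up the chain: 404
    return node

def escapes_site(host, url_path):
    """True when the object served lives outside the requesting host's folder."""
    node = resolve(host, url_path)
    if node is None:
        return False
    own, path = "/" + site_folder(host), node.physical_path()
    return not (path == own or path.startswith(own + "/"))
```

Running `escapes_site` over the request paths in an access log gives a quick audit of which URLs are being answered with another site's content under the wrong hostname.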