sub-sub domains?

Can I just say how much I love C5? I do. Is that weird? Doesn't feel weird.

Okay, here's the thing. Running into problems uploading images, and I'm wondering if it's related to the way I'm using sub-domains.

test.mysite.com

That works fine. But...

project.test.mysite.com

...I get a 401 error when I try to upload an image. Any ideas/notions? Or, should this work fine, and it's something else that's giving me grief?

Thanks in advance,

Mike

andrew replied:
Weird - is this an error with the flash multi-file uploader or with the single file uploader?
geretactical replied:
....we get it using the multi-file uploader in the dashboard. Flash, I guess. Do we need to update our installation to fix? Here's the specific error (on upload to abc1.concrete.ourcompany.com)

onHTTPError: buck_rogers.jpg httpError: 401
andrew replied:
This is an error that we've most frequently encountered when using mod_security on a server, which doesn't like the way Flash sends its HTTP stream sometimes.

Can you disable mod security for file uploads?
scottgere replied:
We have a GS account at MediaTemple for staging various LAMP stuff. Has been working pretty well so far.

The error message, plus your mention of security, led me to disable HTTP authentication (we had usernames/passwords on the front of the staging sites to make the clients feel better). Now we can upload images, so that's good.

Would be nice to figure out how to authenticate users again, though -- there's some security through obscurity, I guess.

More importantly, we have a couple clients considering using C5 as an intranet CMS (with obvious authentication requirements) -- I doubt they would be very excited about anything related to disabling security.

Any thoughts on that?
andrew replied:
Flash's uploader doesn't have the same session/rights as the user account that authenticates with the Apache authentication... So when uploading to the script it's like you never logged in through the initial authentication prompt in the first place.

Regarding security: Could you lock down everything using C5 permissions? Perhaps make it so that everything is available only to "Registered Users" using the access section in the settings area of the dashboard? Then only accounts that you create in the users section can get in to do anything (plus, obviously, only administrative users will ever see the dashboard.)
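The symptom described in the reply above (a helper client that does not carry the browser's Apache Basic credentials) can be confirmed from the access log. The following is an added example, not part of the original thread or of concrete5; the log lines, the `/upload-endpoint` path, the user name and the User-Agent strings are constructed samples.

```python
import re
from collections import defaultdict

# Apache "combined" format: host ident user [time] "request" status bytes "referer" "agent"
LINE = re.compile(
    r'(?P<host>\S+) \S+ (?P<user>\S+) \[[^\]]+\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<agent>[^"]*)"'
)

# Constructed sample lines; hosts, paths, user and agents are placeholders.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2008:13:55:01 +0000] "GET /dashboard/ HTTP/1.1" 401 401 "-" "Mozilla/5.0"
203.0.113.7 - client [10/Oct/2008:13:55:09 +0000] "GET /dashboard/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2008:13:56:30 +0000] "POST /upload-endpoint HTTP/1.1" 401 401 "-" "Shockwave Flash"
198.51.100.4 - - [10/Oct/2008:14:02:11 +0000] "GET /dashboard/ HTTP/1.1" 401 401 "-" "Mozilla/5.0"
"""

def find_credentialless_helpers(log_text):
    """Return (host, path, agent) for 401s logged with no user, from a host
    that had already authenticated using a different User-Agent."""
    authed_agents = defaultdict(set)  # host -> agents seen with a valid user
    findings = []
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        host, user, agent = m["host"], m["user"], m["agent"]
        if user != "-" and m["status"] != "401":
            # Request carried credentials that Apache accepted.
            authed_agents[host].add(agent)
        elif m["status"] == "401" and user == "-":
            # No credentials sent at all. Flag only if this host logged in
            # earlier and the request comes from a different client program.
            seen = authed_agents.get(host, set())
            if seen and agent not in seen:
                findings.append((host, m["path"], agent))
    return findings

if __name__ == "__main__":
    for host, path, agent in find_credentialless_helpers(SAMPLE_LOG):
        print(f"{host}: {agent!r} got 401 on {path} without credentials")
```

Hosts behind a shared NAT address can produce false matches, so treat a hit as a pointer to the request to inspect rather than as proof.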
scottgere replied:
There's a long story here, but I'll try to summarize. For the clients considering C5 as a base intranet CMS, they're thinking short-term and then long-term.

Short, they would restrict access to the intranet by IP address (at the firewall, or perhaps the web server, level). Doesn't sound like that would cause us any problems. Restricting access to registered users would be unrealistic, since they have lots of employees -- 8000 in one case, 2000 in the other.

Long, they're going to want to integrate with directory services (likely Microsoft Active Directory) -- at which point C5 would have to become "user/group aware" and be able to adapt behavior based on authentication data. That's down the road a ways, but it's being noodled on.
frz replied:
We're already looking at OpenID as a requirement for really good forums... extending that to be 3rd party authentication from anywhere would be relatively easy and is very much on our road map..


The htaccess lock down is tricky. I agree, it's a simple and comforting thing to see before you can load any page.. but if 8000 people are all given the same user/pass... it's really a huge hole waiting to happen, no? In that case isn't there a risk of creating a sense of security without the real world delivery behind it?
"oh our site's secure, we have a password on it.."
"yeah but you never changed the password from '1' - wonder why your ex-employees seem to be able to get secure info.."

IP firewall sounds much safer.

Just my 2 cents.