Mini Secure URLs to Auto Login a User and Download a File
Yeah, that's a long title, but that's basically what it's for. Have you ever given a user a URL and told them to use a certain username and password, only to end up spending time on the phone or sending emails back and forth trying to figure out what they are typing wrong in their password? This feature aims to solve that. You provide one simple URL that they can just click on, and that is it. Sure, you could do this if all your files were available to the "anonymous" account, but that's not secure.
This allows you to build a URL that will tell CrushFTP to login a user using a specific username and password, and point them at a specific location.
For example: https://www.crushftp.com/d
That will log you into https://www.crushftp.com/demo/ using the username of "demo", and the password of "demo". If I wanted to be more secure, instead of "d" I could have used something like "XJT59wR" with the same effect. I could also have directed that URL to "/documents/stuff/last year/vacation planning.pdf". For something that long, you can see how a shorter URL is helpful.
Mini URLs can also be set to auto-expire. So you can make a URL that is only valid for, say, 1 day, and then it invalidates itself. That adds another layer of security to them. You know the URL won't be floating around for a few months because you forgot to delete it.
There is one important note about these mini URLs. When authenticating a user, if you direct them to a specific file, they are still logged into the WebInterface. So don't use it as a security measure. A crafty user will know how to see the folder that contained the specific file you pointed them at. They can only access the files that the user they are logged in with has access to, but it's not a way to limit them to a single file.
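What the random token and the expiry buy you, as an added sketch that is not CrushFTP's code: `MiniUrlStore`, its methods and the 22-character default are assumptions made for illustration. A resolved token still yields a normal session for that user, so the stored path is only a starting point, not a restriction.

```python
import hashlib
import math
import secrets
import string
import time

ALPHABET = string.ascii_letters + string.digits  # 62 symbols


def guess_space_bits(length, alphabet_size=len(ALPHABET)):
    """Bits of guessing resistance in a uniformly random token."""
    return length * math.log2(alphabet_size)


class MiniUrlStore:
    """Hypothetical store mapping a mini-URL token to (username, path)."""

    def __init__(self, clock=time.time):
        self._clock = clock          # injectable so expiry can be tested
        self._entries = {}           # sha256(token) -> entry

    @staticmethod
    def _key(token):
        # Only a hash of the token is kept, so a leaked copy of the
        # store does not hand out working URLs.
        return hashlib.sha256(token.encode("utf-8")).hexdigest()

    def create(self, username, path, ttl_seconds, length=22):
        """Issue a token from the OS CSPRNG, valid for ttl_seconds."""
        token = "".join(secrets.choice(ALPHABET) for _ in range(length))
        self._entries[self._key(token)] = {
            "username": username,
            "path": path,
            "expires_at": self._clock() + ttl_seconds,
        }
        return token

    def resolve(self, token):
        """Return (username, path), or None if unknown or expired."""
        key = self._key(token)
        entry = self._entries.get(key)
        if entry is None:
            return None
        if self._clock() >= entry["expires_at"]:
            del self._entries[key]   # the URL invalidates itself
            return None
        return entry["username"], entry["path"]


if __name__ == "__main__":
    store = MiniUrlStore()
    # Constructed sample values; the path is the one used in the text.
    tok = store.create(
        "demo", "/documents/stuff/last year/vacation planning.pdf", 86400
    )
    print("token:", tok, "->", store.resolve(tok))
    for n in (1, 7, 22):
        print(n, "chars =", round(guess_space_bits(n), 1), "bits")
```

A one-character token such as "d" is worth about 6 bits, a 7-character one about 42 bits, and the 22-character default about 131 bits.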
Forgot Password Reminder
The WebInterface now has a few more useful features. Features just keep trickling in. You'll notice on the login.html page you now have a link for "I forgot my password, email it to me." This allows you to automate a common thing users do. They forget their password! No fault of theirs as they have so many to remember. So how do you enable and get this feature working? There are three parts to enabling this feature. Don't worry, they are all easy.
Step#1 : Configure the SMTP server settings in the server preferences. This is the same setting that used to be located on each and every user event. It's now been moved here. It will automatically be populated for you if you open a user and click on an event that used to have the SMTP server set for it. CrushFTP then copies that setting to the server preferences if it doesn't already exist.
Step#2 : Enter an email address associated with the user on the upper right of the events email tab of the user manager. This email is the email that will be used in the 'To:' address for outgoing emails.
Step#3 : Enable permission for the user to request that their password be emailed. You enable this option under the admin tab of the User Manager in CrushFTP.
Now you can test this feature out. If you don't have access or something isn't configured, you will get a message telling you why you can't use the link.
Custom Login Page for Virtual Domains
You can now deliver a different custom login page based on the domain a user used to reach your site. For example, www.crushftp.com and www.benspink.com both point to my machine, but I can have a custom login.html page for each domain. You may want to do this to have custom logos, custom layout, styles, etc. Once logged in, it's up to your individual user customizations to control the layout of the WebInterface.
To get started, duplicate the login.html page. Then begin editing it with either a text editor or an HTML editor. The main critical piece in that page is where a line of JavaScript passes the form to a function for login. Save your new page with a different name besides login.html...maybe something like benspink_login.html. Then in the server preferences, under WebInterface, add a new login.html virtual domain mapping and point it at your new file. That's it!
Sunday, July 8, 2007
Saturday, March 10, 2007
What is this WebInterface? (FAQ)
"I thought CrushFTP was an FTP server...what is this WebInterface thing?"
This is a common confusion with CrushFTP. Quick bit of history. CrushFTP 1.0 and 2.0 were strictly FTP servers. CrushFTP3 provided HTTP upload capability and some rudimentary HTML customizations. CrushFTP4 brought about a full scale WebInterface utilizing all the current technologies so that you can fully customize every aspect about it. It's not just an FTP server anymore.
The WebInterface allows users to access the files on your server with a web browser. They can download, upload, rename, delete, make directories, etc. All from a nice modern WebInterface. When they go to upload files to you, they get realtime feedback as to the speed of the transfer, a progress bar, and estimated time remaining. If you tried to do this without CrushFTP, you would have to have several custom PHP configurations, various config changes to your web server, PHP script files, and HTML / JavaScript. With CrushFTP, you double click on the application, and this is all immediately available without any other work. Talk about easy! And that's not all, there is also the CrushUploader that provides drag and drop support and compression for file transfers. Just keep reading.
"What makes CrushFTP's WebInterface special?"
First, let's talk about how customizable it is. Sure you can just enable it and go, but if you have someone who is up on their HTML standards, they can really go a long way with it. The layout of it, the color schemes, graphics & logos...everything can be modified. It just takes editing the XSL file and the changes take effect right away.
Uploading to the WebInterface is potentially faster than any other protocol. This is because it has a built-in CrushUploader that will zip the files you are sending on the fly. Say you have a folder with 100 images and text files in it (like a website). When you upload that with a normal FTP client, it has to send each file individually. If the file is big, things go as fast as your connection can handle. But when you start getting hundreds of small files, it can take a long time to upload each tiny file, as much of the time is taken by the setup of the transfer and not by the transfer itself. The CrushUploader allows you to drag and drop, copy and paste, or "Browse..." for the files to upload. You can then choose to upload them as a ".ZIP" or normal. If you're uploading a single large file, use "Normal"; otherwise, you are probably better off using "Auto Zip". The "zip" feature doesn't make you wait while it builds a .zip file of your files before the upload starts. It zips directly to the CrushFTP server, no local files are ever made, and there is no delay before the upload starts. On my demo site, I have a folder with 400 files in it. It takes about 2 seconds to upload all 400 files. They are all small, but if they were uploaded "normally", then they would take close to 7 minutes! The zipping not only benefits multiple files being uploaded, but it also saves bandwidth, allowing you to upload bigger files in less time.
http://www.crushftp.com/demo.html
And it goes both ways. You can also select a folder, or several files to download and click the ".ZIP" button. You will get a single .zip of those items generated on the fly directly to you. Otherwise it could get pretty painful clicking on 400 items individually... Then simply decompress the .zip you downloaded and you have all the files you wanted!
The WebInterface supports resume downloads, and the CrushUploader supports resuming uploads as well.
"But if users are uploading .zip files, I have to decompress them before I can access them, right?"
Actually there is a built-in plugin to handle this called the "AutoUnzip" plugin. You can access it in the Preferences of CrushFTP. You set it up to decompress uploaded .zip files once they finish. So a user will upload a .zip, then CrushFTP will decompress it and delete the original file. It will all be transparent to you and the user. It's an end-to-end solution allowing for compressed fast transfers.
"What is WebDAV?"
WebDAV is another part of the WebInterface. If you have heard of Apple's iDisk, it is essentially WebDAV. You connect from the OS X Finder to a WebDAV server and can mount it just like any other server on your desktop. You can read, and write to it, open files and edit them directly. So there is no need to use a web browser, or an FTP client. You can't get any more integrated or natural feeling to your end user than that. Check out the WebDAV server on my demo site to get a feel for how it works.
Easy to Configure!
And best of all, both WebDAV and the WebInterface run on one single port. No complex router / firewall configurations. Simply open up one port (default is 8080) for HTTP/WebDAV, or for SSL HTTPS / SSL WebDAV (default is 443). No issues with "passive" ports. Additionally, from a server standpoint, you can monitor what your users are sending you better. FTP doesn't allow for the FTP client to tell you how big a file is being sent. WebDAV and the WebInterface do! So you will see estimated time remaining telling you how long you have to wait before the upload is complete!
WebInterface Changes and Security Issues
Goodbye template.html
As of CrushFTP 4.1, there won't be any real "html" templates anymore. CrushFTP 4.1 uses XML and XSLT to generate the entire web interface allowing it to be completely customizable. All the data is provided in the XML, all you need to do is just decide how you want it formatted. The XML is then rendered either server side or client side to HTML to display.
As a result, the template.html file is now gone. One single file provides the WebInterface, template.xsl. You can make copies of it and individualize it for your various needs. Each user can have their own dynamic customized WebInterface. Easily incorporate your company's logos and CSS styles. The CrushFTP logo is provided as a template, but you don't need to keep it there. Simply replace the logo.gif with your own file and brand the WebInterface to your liking.
Security
A little about security. If you're using HTTP for logins, you run the risk that someone could be watching your network traffic and gain access to your user and password for the server. So if this is something you're concerned about, CrushFTP can do HTTPS as well. As it "ships", HTTPS is configured on the default port of 443. So if you point your browser to "https://your_ip/" you will be asked about a certificate not being valid. Click continue and you can then log in. Everything is then encrypted and secure.
Self Signed Certificate
The warning about the certificate is because the certificate hasn't been issued by a certificate authority. That costs a minimum of around $70 per year for an SSL certificate. What would it provide for you? If you are worried about someone hijacking your connection and providing their own CrushFTP instance with their own certificate generated that looks like yours...then you could be compromised. If you're not the government or some kind of banking site...you probably won't have that concern. I can come up with far-fetched scenarios where it could happen, but it's pretty unlikely it would.
Anonymous Access
If you create an account named "anonymous" then no user/pass will be asked when a user connects to CrushFTP. Anonymous is just like any other account in CrushFTP, except it accepts any password. There is a link on the WebInterface allowing a user to "login" to see their files. I highly recommend you never give "anonymous" upload rights. An example for an anonymous account is how you downloaded CrushFTP from me. I provide anonymous access to the CrushFTP applications for anyone to download. Never think that because you didn't give your IP out to anyone that that makes you secure. Just be safe and only give the "anonymous" user access to files you truly wouldn't mind anyone having. If you don't make a user named "anonymous" then you have nothing to worry about.
Wednesday, March 7, 2007
Upcoming Features
Let's get some feedback...
I've been busy working on some upcoming features in CrushFTP. I'm always looking for feedback, and it's your feedback that helps shape how I go about implementing new features. My to-do list is never ending as I keep adding to it with users' feedback.
Help me get some priorities on what you are most interested in.
CrushPGP - Plugin that makes all file listings end in ".pgp". Requesting one of these files results in the file being encoded / encrypted and streamed to the end user. When SSL isn't enough, maybe this is just the security you need. The private key used to encrypt files can be set on a per user basis. So you can have individual accounts that encrypt files differently in PGP. It's a reverse of the private / public key mentality. Some banks use this to ensure (if you trust the bank) that files being sent from them can only be read by someone who holds your public key. In this case...both keys are "private" as you keep them both secure.
This plugin will be one of my more complex plugins...so it will take a day or two to code.
File Filtering for WebDAV Email Events
Ever notice when you upload with the Finder, your email notification states something like:
test.tst 0 bytes
._test.txt 500k
That's because the Finder uploads the file as the hidden file, then renames and swaps the files before deleting the originally named item. It keeps someone from potentially trying to access the file while it's in progress. However, it makes the email reporting confusing!
I plan on creating some logic in CrushFTP 4 that will follow renames with uploads so the resulting email notification would contain only the files that were uploaded (with their final name after it was renamed) and none of the "." items that were uploaded, or items that were uploaded and immediately deleted.
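One way the rename-following described above could work, as an added sketch that is not CrushFTP's code: the function name, the event tuple format and the sample sequence are constructed for illustration, with the sequence modelled on the Finder behaviour described in the text.

```python
import posixpath


def final_upload_report(events):
    """Collapse one session's events to the files that really remain.

    events is a list of tuples (assumed format):
      ("upload", path, size_bytes)
      ("rename", old_path, new_path)
      ("delete", path)
    Returns a sorted list of (final_path, size_bytes) with dot-files
    and uploaded-then-deleted items left out.
    """
    live = {}  # current path -> size of content uploaded this session
    for ev in events:
        kind = ev[0]
        if kind == "upload":
            _, path, size = ev
            live[path] = size
        elif kind == "rename":
            _, old, new = ev
            if old in live:
                # Follow the upload to its new name; this replaces any
                # placeholder that was sitting at the target name.
                live[new] = live.pop(old)
            # A rename of a file not uploaded in this session is not
            # an upload, so it is ignored by the report.
        elif kind == "delete":
            _, path = ev
            live.pop(path, None)
        else:
            raise ValueError("unknown event kind: %r" % (kind,))
    return sorted(
        (path, size)
        for path, size in live.items()
        if not posixpath.basename(path).startswith(".")
    )


# Constructed sample session: a 0-byte placeholder, the real data
# under a hidden name, a swap, then cleanup of the placeholder.
SAMPLE_EVENTS = [
    ("upload", "/in/test.txt", 0),
    ("upload", "/in/._test.txt", 512000),
    ("rename", "/in/test.txt", "/in/.test.txt.old"),
    ("rename", "/in/._test.txt", "/in/test.txt"),
    ("delete", "/in/.test.txt.old"),
    ("upload", "/in/scratch.bin", 10),   # uploaded, then deleted
    ("delete", "/in/scratch.bin"),
    ("upload", "/in/.DS_Store", 6148),   # hidden item that stays
]

if __name__ == "__main__":
    for path, size in final_upload_report(SAMPLE_EVENTS):
        print(path, size, "bytes")
```

The same reduction is useful for audit trails: the report reflects what is actually on disk at the end of the session, not every intermediate name a client used.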
Better Update Mechanism
So it's no secret the update mechanism isn't really holding up as well anymore. It still works, but is far from ideal. Besides loading my main server more than needed, it's slow for you...the real user of it! The next version of the update mechanism will only update files that have changed, and will transfer everything in a .zip. One single file to download.
Running CrushFTP behind Apache
CrushFTP 4.1 now supports running CrushFTP behind Apache. This means that your main server will still be your main server. A path on your server will be "reverse proxied" to CrushFTP. So when users go to: http://www.yourdomain.com/files/ they will get the CrushFTP WebInterface instead. ('/files/' is just an example...you can make it what you want.) It only takes a couple of config entries in your Apache config, and telling CrushFTP what "path" you have set, and the rest is handled for you. No need to open multiple ports as everything can come across on one port as well (80).
Have you seen my new plugins?
Just wrote a few new plugins. These include:
OSXNetInfo - integrate CrushFTP with OS X accounts (this includes OS X Server accounts)
AutoUnzip - Automatically decompress those .zip files users are uploading. Makes for an end-to-end solution. The CrushUploader automatically zips files when they upload them, and the AutoUnzip plugin can automatically unzip them as they arrive.
PreferencesController - Lets you specify times of the day that specific configurations of the CrushFTP server are active. This means you could, for example, throttle bandwidth during the day, and let it loose in the evenings! Some other uses might be enabling certain plugins at different times, or disabling FTP access at specific times. Use the plugin to make a "snapshot" and that config will be used when the specified time arrives.
Plugin Updates
The HomeDirectory plugin now has the option to put users in a new folder daily, hourly, whatever. You could use this to have a "rolling" folder where every day users get a new folder to upload into. Once the day changes, their previous day's files are no longer accessible.
The CrushLDAP plugin also has been expanded to work with more LDAP servers. LDAP still ain't easy...but at least you have the options to configure it now.
I've got a lot of other features planned, some bigger than others. This is a good start to future posts I'll be making explaining things you can do with CrushFTP 4. Feel free to email me directly as well. I'm just getting started...:)