Is it possible for multiple Opencart users to share the same download folder using Hestia?

Is it possible for user domains to run a script which can access the folder directly before [User]/home/web using Hestia?

I want to put some files in a download folder just before the users’ home directories which can be used by Opencart but which the users themselves do not have direct access to. In other words, I want several User accounts with Opencart installed to share the same download folder.

If I put the Opencart download folder in the server’s /Home/ folder will Opencart running in a user’s domain be able to access it something like the following

[download]…/…/…/Opencart running in domain.com

Sure this is possible!

That isn’t a good idea to screw the fundamental core area and make it badly vulnerable because that area (which you want to open) has different permission for protection against malicious activities.

However, you can achieve the same idea differently because HestiaCP has already addressed this a long time ago.

First, keep the root domain home directory exactly the same wherever it is created. Have your scripts installed in there.

Second, move the domain home directory to resolve a public URL (https://domain.com requests) pointing to a public URI by changing it from “Edit Web Domain” and using “Advanced options” (below) to point to a public directory.

For example, install Opencart. This installation will have a directory called “public”. Then insert the word “public” in the document root to point to this “public” on the disk.

After you save it, the webserver configuration files will be re-generated everywhere and all future files will be made available only from this “public” directory. All other php files of the Opencart will be made available only locally.

After you have a public access, you can link the download folder locally by creating softlinks to different user accounts, provided all the user domains are under the same HestiaCP user accounts. This will have the following dir structure:

/…/domain.com/phpFramnework
/…/domain.com/download
/…/domain.com/public

In above, the download directory remains below the domain root and everything outside of the domain.com dir is protected. Then, you will have to create softlinks to the download folder from locally different Hestia user accounts and have an access in apache2 opened for the download dir locally.

But what you want to achieve ([User]/home/web) is not directly possible and would definitely require extraordinary changes everywhere. Plus it becomes vulnerable and is a bad idea.

Thanks for your reply, however, I do not really understand what you are meaning to be quite honest, so if we could go through your suggestions one by one it may help me to better understand at some point. I’m an old guy so please bear with me if you don’t mind :)

You said firstly “First, keep the root domain home directory exactly the same whereever it is created. have your scripts installed in there”. I don’t know what that means because how could they be different from each other when installing Opencart using quick install?

So, let’s say I have created 10 subdomains and installed Opencart on all of them, so they are all the same, then what? As you may know, I have to specify in the two config.php files of Opencart the path of the download folder, so what should I put?

Please bear in mind that I am just a simple website programmer experienced in html/php/java and have very limited experience using Linux. 8 years ago I set up my music website on a vps using Vesta, and that’s the totality of my experience with a vps. I only started with Hestia on a new vps earlier this week. Cheers, and I do appreciate your assistance in helping me achieve my objective.

You do not need to have 10 installations. Keep one and remove nine.

In my case, I have almost thirty years (since 1996) of experience on Linux administration and programming of several languages. I have had such installations on a variety of Frameworks too. I see that it’s really not difficult to achieve all that and - after achieving it - one has huge advantages.

But in your case, I advise you - not to go for the complex environment I suggested above due to your basic level of competence. However, there is a much better solution that you are trying to follow by installing 10 domains separately.

I suggest that you use the multisite feature, which will achieve what you want in a much easier manner and in a style that will not make you crazy in difficult times. This solution will come at a price and restriction. So go through those restrictions and determine, if they are acceptable for you.

The first restriction is that each installation will have a separate database. But by having 10 domains installed separately, you have created separate databases anyways. So this restriction should be acceptable, I suppose.

The second restriction is that you will have to depend on php scripts developed by others. So this dependency will create either a free to use scripts or paid scripts. If paid, then you will have to buy 10 licenses on one particular module by negotiating with the developer.

The third restriction will be the updating. Find out a module on Opencart that suits you and on which version of Opencart it is based on.

Having said the above restrictions, you will have to use the concept of “Multisite” and “Multistore” based on “the same installation”. Thus, you will install only one Opencart on any of your 10 domains or on master.domain.com and parking all 10 domains on this master domain.

Then create 10 different databases, which you may have done now.

Enter these details of databases on the multistore module for each domain/subdomain in the administration.

Thereafter you will have 10 separate stores with 10 different themes (or some or all identical). All these websites will have different user databases and products, etc. and will function from those separate databases.

All of these 10 domains will use different configuration files under the same installation. For example /config/domainOne_config.php, /config/domainTwo_config.php, etc. This is just to explain the concept.

I have never used Opencart. So I cannot give you very precise instructions. But if you try to follow above steps, you will have a decent environment in a simple manner that will allow you to handle within your competence.

As an example, I will give you a link to one multisite module on Opencart v3 here:

https://www.opencart.com/index.php?route=marketplace/extension/info&extension_id=24666

Here is some more explanation on how to create multisite based multistore project from one installation:

Mind you, the above is only one set of approach. There are a few but all of them are complex and are difficult to achieve. For example, if one wants a shared php installation and also share users amongst 10 different domains, then it becomes a bit complex to achieve. But if you have 100% separation of databases (including configuration and users), then that is very easy.

Got it? Ask me if you are stuck.

mkdir /home/shared
chown root: /home/shared
chmod 751 /home/shared

cd /home/user/web/domain/public_html
ln -s /home/shared .

that should create a directory /home/user/web/domain/public_html/shared
that links to /home/shared

repeat this for every user you want to access the files in /home/shared

the user can not view the files in the dir but if the exact filename is given it can be accessed. the url would be http://example.com/shared/filename

The web server may be setup to disallow symbolic links. the web app may disallow symbolic links. the permissions of /home/shared may not be what you want. this wasn't tested on a web server but it was tested on a directory structure.

maybe someone will chime in here and say it is a bad idea or it will not work and they may be right. When I saw your question my mind said, symbolic links. HTH

— this is a completely different approach –
another approach would be to create a custom web template that exposes the location of the common files. then change every domain to use that custom template
https://httpd.apache.org/docs/2.4/urlmapping.html

And exactly this is the problem. The same file can be accessed by anyone any number of times at anytime and one cannot prevent further downloads. For example the first person buys and obtains link. He knows the link. Then he spreads this link to several thousands and all of them will be able to download it directly.

This is the reason why a control on downloading is required through a permission system of a settled shopping cart software imposing upon users, when selling through a cart is used. I have seen that some shopping cart systems create a temporary download link that remains valid for a few minutes, hours or even days. Thereafter that link is no longer available for that particular user and thus the original link remains secret.

So yes, your solution works, like I said earlier in my comments. This solution also opens a bit of vulnerability, however any discussion becomes irrelevant here. Regardless of that, one loses control on downloading links entirely and that is why it is better to use the permission system of the php scripts.
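The expiring-link approach described in the post above, shown in PHP as an added example (it is not Opencart's code and not from any poster in this thread): the link carries an HMAC over the stored file name, the order and an expiry time, and the script only returns a path inside a download directory that is not itself published by the web server. The function names, the sample file name, the order id and the temporary directory are assumptions made for the illustration.

```php
<?php
declare(strict_types=1);

// Added example; not Opencart code. All names below are hypothetical.

// Build a link naming the stored file, the order it belongs to and an expiry time.
// The HMAC covers all three, so the recipient cannot alter any of them.
function make_download_link(string $baseUrl, string $secret, string $file,
                            int $orderId, int $ttl, ?int $now = null): string
{
    $expires = ($now ?? time()) + $ttl;
    $sig = hash_hmac('sha256', "$file\n$orderId\n$expires", $secret);
    return $baseUrl . '?' . http_build_query(
        ['file' => $file, 'order' => $orderId, 'expires' => $expires, 'sig' => $sig]
    );
}

// Return the absolute path to stream to the client, or null when the request is rejected.
function resolve_download(array $query, string $secret, string $downloadDir,
                          ?int $now = null): ?string
{
    foreach (['file', 'order', 'expires', 'sig'] as $key) {
        if (!isset($query[$key]) || !is_string($query[$key])) {
            return null;                       // missing or array-valued parameter
        }
    }
    if (!ctype_digit($query['order']) || !ctype_digit($query['expires'])) {
        return null;
    }
    $expected = hash_hmac('sha256',
        "{$query['file']}\n{$query['order']}\n{$query['expires']}", $secret);
    if (!hash_equals($expected, $query['sig'])) {
        return null;                           // forged or altered link
    }
    if ((int) $query['expires'] < ($now ?? time())) {
        return null;                           // link has expired
    }
    // Containment: only a plain file directly inside the download directory is served.
    $base = realpath($downloadDir);
    $path = realpath($downloadDir . '/' . basename($query['file']));
    if ($base === false || $path === false || dirname($path) !== $base) {
        return null;
    }
    return is_file($path) ? $path : null;
}

// Demonstration on constructed data (temporary directory, made-up file name and order id).
$dir = sys_get_temp_dir() . '/shared-demo-' . bin2hex(random_bytes(4));
mkdir($dir, 0750);
file_put_contents("$dir/ebook.pdf.a1b2c3", 'constructed sample');
$secret = bin2hex(random_bytes(32));

$link = make_download_link('https://example.com/download.php', $secret,
                           'ebook.pdf.a1b2c3', 1001, 600, 1700000000);
parse_str((string) parse_url($link, PHP_URL_QUERY), $q);

var_dump(resolve_download($q, $secret, $dir, 1700000300));   // inside the 10-minute window
var_dump(resolve_download($q, $secret, $dir, 1700000601));   // after the expiry time
var_dump(resolve_download(['expires' => '1800000000'] + $q,  // expiry edited by the recipient
                          $secret, $dir, 1700000601));

unlink("$dir/ebook.pdf.a1b2c3");
rmdir($dir);
```

A real download script would also confirm that the order belongs to the logged-in customer before streaming the returned path, and would keep the secret in a file outside the document root.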

I didn't follow the use case closely. you may be right. If the shared file is a downloadable asset, you probably are.

Yes, the use of shopping cart means that one requires control on further downloading, paid or unpaid. Well, that is what I have assumed as this was not mentioned in the original post.

But if this is not necessary, then your detailed solution of links would work perfect without headaches of multistore and multisite concept.

In my particular case the only way I can possibly achieve what I intend is to provide each user (buyer) with their own Hestia CP with Opencart (version 2.1.0.1) pre-installed. I have chosen this version as it works faultlessly, which is a lot more than can be said for the latest version, plus all the extensions I need are free now for version 2.1.0.1., whereas they would probably cost the users an extra $20 each a pop if I was to use a later version of Opencart.

Anyway, each user must have their own database because they will have their own customers. They will all be sharing the same product though, which are 400+ self-help ebooks which I myself am the publisher of. I do not want to give them direct access to the download folder containing the 400+ ebooks as I am not granting them resale rights other than through the Opencart which I provide. Once it is all set up I will ioncube the 2 config files so they will not know the location of the ebook download folder. Hackers would be able to figure it out I’m sure, but that type of person is very unlikely to be interested in selling self help ebooks anyway.

I could of course not give them a Hestia CP at all and just give them FTP to the public-html of their domain, and in some instances I will do that and their cost will be less. Ultimately they will have the choice of FTP only, Hestia CP or Cpanel, and it will be up to them to choose which best suits their budget and knowledge, as FTP is obviously not for everyone and neither was Vesta.

It’s really great that Hestia has come along now though, as it provides a fairly simple to use and viable alternative to Cpanel for those with a limited budget and limited knowledge.

So back to issue at hand, in which folder of the server should the download folder be located so that all the Opencarts can share it?

By the way Deepak, as a reward for helping me achieve what I want to I will let you have one of the Opencarts at no cost at all as a reward. If you want a sneak preview of what it actually is go to keybooks.site. I have been publishing and selling these books online since 1999.

In that case, based on what you described the project and intentions above, you need to go for a solution I suggested to you initially. Then you need to create links based on the hints given by @jperkins.

This means you create one master account, let us say the user name is “master”. Install a subdomain (or even a domain) master.domain.com.

Install Opencart under master.domain.com.

Create user accounts and install 10 domain domains in that. Create 10 databases.

Create links in each of these 10 user accounts mapping to the same directory of Opencart under master.domain.com. On each, you will install the multistore / multivendor module for Opencart 2x.

Thereafter, every user (from 10) will have a different admin, their user, their downloads, etc.

This will be the most simple and ideal for you to have 10 vendors and 10 individual stores with separated databases.

I do not know how to handle your idea with IonCube.

But after installing the master Opencart and linking all these to one download folder inside the master installation will solve all of your problems.

This will be safe too as the entire installation is below the domain_root_dir and not outside of the HestiaCP environment.

There are other possibilities of achieving your idea. The above is a simple and working solution I am suggesting. Multistore module for Opencart 2x is also available. So you are fine.

The above is a very tricky part. I have never used Opencart and, thus, do not know how this is going to work for you.

In this case, if you want to achieve a download possibility based on a temporary download link (and keep the original location of the eBook secret), then you will have to investigate, how and which CMS/php scripts offers this. As opencart is quite a professional software and mature, I think this should be possible, if they have implemented it that way.

And this would be the first and foremost criteria you need to access, how the download module, and which one, implements downloading through a temporary and secret URL.

Otherwise, if the download module gives the final URL, then all users will know the location, which is not wanted.

To clarify further, it does not matter whether the users (buyers) of the system know how to download ebooks they have sold as this is unavoidable. What I want to prevent as far as possible is thieves buying the system, downloading all the ebooks and then filing a chargeback with their bank or dispute with PayPal or whatever. With Opencart a seller can easily log into a buyers’ account and download any of the items they have purchased, and I’m fine with that as long as they do not try to sell them on their own websites outside of the Opencart I provide, which would be copyright infringement.

I will need to reread Mr Perkins’ suggestions (which I am grateful for BTW - thanks) and see if I can implement them myself as a working model.

What I need to know first of all though is what the path to the download folder should be in Opencart using Hestia. I created a test system in a single user Cpanel account and the path is defined as follows in the 2 Opencart config files:
define('DIR_DOWNLOAD', '/home/keybooks/keybooks-sites/download/');
keybooks-sites being the folder where all the domains reside and where the folder containing the ebooks is. I set this up on a normal Cpanel hosting account BTW and not on a VPS.

Thanks for the link. I’ve been thinking of looking into the multi-store approach for a while now, not for this particular project but for another I have in mind for some time in the future.

For this one I need to place a download folder which eventually 100 or more completely separate Opencart installations will share. Other than sharing one download folder between them they will all be normal Opencart installations and identical clones to begin with, with all the same ebooks, etc. , but fully customizable by the user/buyer.

Once I know in what folder on the server the download folder needs to reside in order for it to work with Hestia I will be good to go I think.

The main problem you have is that you have learnt the multisite concept for the first time. Hence, you are trying to gulp the solution I gave.

But if you follow my advice given above and go through it step by step you will achieve the goal. Once you blindly follow these steps, you will end up in a surprise how the download directory works for each individual domain and user.

So let me explain once again:

Install the master website.

Create all the links to those directories having names (of links) pointing to those directories in the master installation. For example, if you have a directory called “framework”, then create a link having name “framework” linking to the master installation directory “framework”. If you have the directory name in master installation called “app”, create a link name “app” in the 10 domains and then link it to the “app” dir in the master.

Thereafter login in each domain and configure.

Again, the only problem I have is how the business logic of your download module is designed, which I have also expressed above.

I still, to begin with, need to know in which folder on the server the shared download folder should be located as it is a fundamental requirement in versions of Opencart from 3 onwards for the download folder to not be a public one. Up until version 3 the download folder was located as a subdirectory of the storage folder in public_html.

Without knowing in which directory of the server the download folder is to be located so that it cannot be accessed in Hestia by users I cannot even begin, because the location of the download folder is the only line of code I need to edit in the 2 config.php files of Opencart to install a properly working implementation of it, whether it be a master version or any other.

This does seem to do what I am looking to do as it is creating a folder called “shared” in the same /home/ folder that all the users are in is it not?

If so, presumably the path to it from one of the domains with Opencart installed would look something like shared/…/…/…/public_html [of each opencart installation].
Have I got that correct?

I don’t know anything about opencart but all those dots hurt my head. The solution I gave does away with that type of linking to the parent

lol…i just tested it and it worked. So the download folder is now in the same directory as the users - perfect. Thanks so much. If you happen to be from the UK I’d be very happy to buy you a drink or 3 one day.

Your name reminded me of when I was a teenager and had a job as a partsman in a Dodge truck dealership near London. I still remember the part numbers of injectors for Perkins V8s and contact sets for Hillman’s, and oil and fuel filters and all kind of other parts. All useless to me now of course but it’s very nice to think back to those times when life was so simple and carefree. Thanks again my friend and if you ever feel like owning an ebook website of your own let me know at keybooks.site and it’s yours at no cost at all.

Glad it is working. Just keep in mind what Deepak is saying if you are going to put saleable assets in that directory. I was thinking Tos, FAQs, price lists, that sort of thing.

Appreciate your offers. It’s funny we all have those useless numbers embedded in. Well I know I do.

In my own personal experience having been selling these same downloadable books for nearly 20 years now, with them located in a public_html folder called by a PHP script, and having experienced no issues at all, I cannot for the life of me see how they could be any less safe in the users directory of the server which does not have public access even.

In Opencart the downloadable file names are masked anyway, so it would be very difficult for anyone to use PHP: file_get_contents, for example, to download any of them as they would need to know the file name and the location of the download folder to do that, and it will be very difficult or practically impossible for them to know the name of the download folder or file names as after I have set the Opencart sites up I will be encrypting the 2 config.php files that the users do have access to using Ioncube, so they will not be able to see where the download folder is located by viewing those config.files.

Also if a downloadable ebook file name is ebook.pdf for instance, the filename will be something like ebooknamepdf.hjfksfkhhdakgaglawgrhjjhjd in the download folder and ebookname.pdf in the download link.

You have provided the solution already by showing me how to create a download folder which could be shared by many users without them knowing the location of it, and that was my original question :)

Deepak’s solution is probably excellent for certain types of multi-site installations, but just unnecessary for this particular one.