Apache mod_userdir Tweak


The mod_userdir Apache module allows visitors to reach a website on your server by entering any hostname or domain that resolves to the server, followed by a tilde (~) and the website owner's username as the first directory component of the URL path. Examples:

  • http://host.example.com/~username
  • http://example.net/~username

mod_userdir is most commonly used as a temporary URL system, allowing users to view their websites before DNS for their domain has been configured, or while it still points at another server.

We strongly recommend restricting this access for most of your users, because a request served via mod_userdir bypasses the per-account bandwidth accounting: the traffic is counted against the account that owns the virtual host named in the URL, not against the account whose files are actually served. In effect, a user could direct visitors to his site through a mod_userdir URL on another user's domain and have that traffic counted against the other user's bandwidth.

note Note: mod_userdir is not limited to the server's hostname. While mod_userdir is enabled, any user's website can be reached through any virtual host on the server, not only through the hostname or the user's own domain.

Preventing mod_userdir access

  1. Click the Enable mod_userdir Protection checkbox.
  2. Use the checkboxes below to specify any exceptions. Click the checkbox for each domain (virtual host) on which you wish to permit mod_userdir access; that host is then excluded from protection, and every account's site becomes reachable through it.
  3. Click the Save button at the bottom of the page.

Allowing specific users

You can allow specified users to access their websites via mod_userdir. For example, resellers can use this feature to allow their customers to access their own websites before DNS information has propagated. To enable mod_userdir access for a specific user:

  1. Click the Enable mod_userdir Protection checkbox at the top of the page.
  2. Determine the virtual host(s) through which the user can access his or her site via mod_userdir. Most likely, this will be the default virtual host, or their reseller's virtual host.
    • If you select the virtual host for the user's primary domain, mod_userdir will not function until the DNS for that domain points at the server, which defeats the purpose of a temporary URL.
  3. Enter the user who should have access via mod_userdir in the appropriate Additional Users field.
  4. Click the Save button at the bottom of the page.
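The Apache directives behind the two procedures above, as an added illustration; this is not text from the original page and not the configuration cPanel generates (WHM writes the equivalent directives into httpd.conf for you, so the layout here is an assumption). Host names, user names, paths and the IP address are placeholders, and the `<Directory>` block uses Apache 2.4 `Require` syntax:

```apache
# Weak setting: the module's usual default. With only this line, every
# account's public_html is reachable as /~username through EVERY
# virtual host on the server.
#UserDir public_html

# Hardened ("Enable mod_userdir Protection"): keep the directory mapping
# but turn the translation off server-wide. Virtual hosts below
# re-enable it selectively; any host without a UserDir line stays off.
UserDir public_html
UserDir disabled

# Access rules for the mapped directories (Apache 2.4 syntax; assumed).
<Directory "/home/*/public_html">
    AllowOverride FileInfo AuthConfig Limit Indexes
    Options MultiViews Indexes SymLinksIfOwnerMatch IncludesNoExec
    Require all granted
</Directory>

# Default virtual host: the first vhost on the IP, so it also answers
# requests that arrive by bare IP or with an unknown Host header.
# "Additional Users" for this host: only the listed accounts get a
# temporary URL here, e.g. http://host.example.com/~customer1/
<VirtualHost 203.0.113.10:80>
    ServerName host.example.com
    DocumentRoot /usr/local/apache/htdocs
    UserDir enabled customer1 customer2
</VirtualHost>

# Reseller's virtual host: its "Additional Users" are the reseller's
# own customers, so http://reseller.example/~customer3/ works before
# customer3's DNS points at this server.
<VirtualHost 203.0.113.10:80>
    ServerName reseller.example
    DocumentRoot /home/reseller/public_html
    UserDir enabled customer3
</VirtualHost>

# A host with "Exclude Protection" ticked: "UserDir enabled" with no
# user list re-enables the translation for ALL accounts on this host.
# Never do this on the default host unless you accept that every
# site on the server is reachable via the main IP.
<VirtualHost 203.0.113.10:80>
    ServerName shared-ssl.example
    DocumentRoot /home/sharedssl/public_html
    UserDir enabled
</VirtualHost>

# Ordinary customer domain, protected: inherits the global
# "UserDir disabled", so http://example.net/~otheruser/ is not
# translated and falls through to example.net's own document root
# (normally a 404).
<VirtualHost 203.0.113.10:80>
    ServerName example.net
    DocumentRoot /home/customer1/public_html
</VirtualHost>
```

After saving, check the result from outside the server rather than trusting the checkbox state: a request such as `curl -sI -H 'Host: example.net' http://203.0.113.10/~customer1/` should not return customer1's page, while the same request with `Host: host.example.com` should, because only the default host lists customer1 under `UserDir enabled`.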

note Note: Do not click the Exclude Protection checkbox if you wish to allow an individual user to access his or her site via a mod_userdir URL.

Warnings

When using mod_userdir, you should know:

  • When using suPHP as your PHP handler, users will not be able to run PHP scripts via mod_userdir.
  • If you want to enable mod_userdir so that shared SSL certificates can be used, you will need to either add users to, or exclude protection from, the virtual host for the domain to which the certificate was issued.
  • When using FCGI as your PHP handler, you will need to make unsupported configuration modifications to run PHP scripts via mod_userdir.
  • Because mod_userdir serves a website through another account's virtual host, and therefore under that host's configuration, features such as Java servlets and the open_basedir tweak are affected:
    • Java servlets do not work with mod_userdir based URLs, because Tomcat requires additional directives in the virtual host, and those are only present in the site's own host.
    • open_basedir protection restricts PHP to the home directory of the user who owns the virtual host named in the URL, not the home directory of the account whose site is being accessed. PHP scripts that need to read files under their own account therefore fail, so some sites cannot be used via mod_userdir.
    • Since a script reached via a mod_userdir URL runs under the configuration of another account's virtual host, under certain conditions a user may be able to attack that other account by having a malicious script requested through such a URL.
    • Sites that use mod_rewrite and other directives in their .htaccess files will not work as expected when viewed via mod_userdir URLs, since the rules are written for the site's own domain and document root, not for the /~username/ path.

When restricting the use of mod_userdir, you should know:

  • This WHM feature restricts mod_userdir's functionality; it does not remove or unload the module itself, so some PCI scans may still flag its presence.
  • This feature is configured per virtual host, not per IP address, so no IP addresses are listed and you cannot restrict mod_userdir by IP. This is a common misconception. A request that arrives by IP address alone, or with a Host header that matches no other virtual host, is served by the default virtual host, so if you leave the default host unprotected, every account's site remains reachable via the server's main IP in most cases.

Topic revision: r14 - 14 Jul 2011 - 20:43:23 - Main.JustinSchaefer