Page tree
Skip to end of metadata
Go to start of metadata

For cPanel & WHM version 56

(Home >> Security Center >> Apache mod_userdir Tweak)

Overview

The Apache mod_userdir Tweak interface allows you to prevent mod_userdir access to your users.  

Warning:

Before you use this interface, make certain that you read the Warnings section below. 

The mod_userdir module allows visitors to access a user's website through a URL that uses the http://hostname/~username format. For example:

http://host.example.com/~username
http://example.net/~username   
http://192.168.0.20/~username

Most servers use the mod_userdir Apache module as a temporary URL system that allows users to view their websites. This temporary URL system functions even if the system has not configured DNS or the domain does not point to the server.

Important:

  • We strongly recommend that you restrict this access for most of your users. When a user accesses a site through the mod_userdir module, the system does not add this bandwidth to the usage total for the user who owns the site. Instead, it adds the bandwidth to the total for the user who owns the host through which visitors access the site. In effect, a user could allow visitors to access their site through the mod_userdir module while the traffic counts against another user's bandwidth.
    • For example, if you access http://example.net/~username, the system adds this bandwidth to the total usage for the host example.net, rather than the user username.
  • If you enable Apache's mod_ruid2 module, then the  mod_userdir module will not function correctly. For more information, read our Apache Module: ModRuid2 documentation.

Note:

When you enable the mod_userdir module, any virtual host can access any website that uses the same IP address. It does not function only with the hostname.

Prevent mod_userdir access

To prevent mod_userdir access, perform the following steps:

  1. Select the Enable mod_userdir Protection checkbox.
  2. To allow specific hosts to use the mod_userdir module, select the appropriate Exclude Protection checkboxes.

  3. If you selected any Exclude Protection checkboxes, you can allow additional users to access these hosts through the mod_userdir module. To do this, enter their usernames in the Additional Users text box.
    • Resellers can use this feature to allow their customers to access their own websites before DNS information propagates.
    • If you select the virtual host for the user's primary domain, the mod_userdir module will not function until DNS points the domain to the server.
    • To enter multiple users, separate each account name with a space.
  4. Click Save.

Notes:

  • To allow all of your users to access their own accounts through the mod_userdir module, but not steal any bandwidth, select the Exclude Protection checkbox for DefaultHost (nobody).
  • Do not select the Exclude Protection checkbox if you wish to allow an individual user to access their site with a mod_userdir URL. 

Example

You own the following three cPanel accounts: 

  • Arthur's cPanel account (arthur) owns arthurexample.com
  • Betty's cPanel account (betty) owns bettyexample.com
  • Charles' cPanel account (charles) owns charlesexample.com

Arthur’s domain resolves, but Betty’s and Charles’ domains do not yet resolve.

To enable mod_userdir protection for the server to deny one user the ability to use another user's bandwidth, select the Enable mod_userdir Protection checkbox.

However, if you still want to allow Betty and Charles to use Arthur’s bandwidth to see their sites, perform the following steps:

  1. Do not select the checkbox next to arthurexample.com (Arthur)
  2. Enter betty charles in the Additional Users text box.
  3. Click Save.

Betty and Charles can browse their sites with the following URLs:

  • arthurexample.com/~betty
  • arthurexample.com/~charles

Share SSL Certificates

If a shared SSL certificate is installed for a virtual host on a shared IP address, you can share that SSL certificate with users on the same IP address. This allows them to access their sites securely without a browser warning.

For example, if an SSL certificate is installed on host.example.com and you select the Exclude Protection checkbox for DefaultHost (nobody), the username cPanel user can access host.example.com/~username

Warnings

Enabled mod_userdir protection

Before you enable the mod_userdir module, be aware of the following information:

  • Java servlets do not work with mod_userdir-based URLs. This is because Tomcat requires that you add additional directives to the virtual host.

  • open_basedir protection restricts PHP's access to the home directory of the user who owns the base domain, not the home directory of the user account that a visitor accesses. If you enable open_basedir protection in WHM's PHP open_basedir Tweak interface (Home >> Security Center >> PHP open_basedir Tweak), visitors cannot access some sites via the mod_userdir module.

  • Under certain conditions, a user can attack another user's account if they access a malicious script through a mod_userdir URL.

  • Websites that use the mod_rewrite or other directives in their .htaccess files will not function correctly when visitors view them through mod_userdir URLs.

The Symlink Race Condition Protection option

The following table describes when the Symlink Race Condition Protection option blocks mod_userdir access:

Conditionmod_userdir accessExample URL
The requested URL includes a file and does not belong to the owner of the file.Blocked.
example.com/~username/file
The requested URL includes a file and an IP address that belongs to another account.Blocked.
192.168.0.20/~username/file
The requested URL contains a directory.Not blocked.
example.com/~username/dir
You wish to access the server's hostname.Not blocked.
host.example.com/~username

Disabled mod_userdir protection

Before you disable mod_userdir protection, be aware of the following information:

  • While this WHM feature allows you to restrict mod_userdir functionality, it does not remove the module itself. Some PCI compliance scans may still detect it.
  • This feature does not list IP addresses because the mod_userdir module uses virtual hosts. 
    • You cannot use IP addresses to configure this feature. 
    • If you do not protect the default host, you can access the server's main IP address through the mod_userdir module in most cases.