mod_userdir

[HH-Mike]

Maybe I am just not totally understanding this, but I am having some issues with mod_userdir.
I am trying to enable just 1 domain to be accessible thru http://xxx.xxx.xxx.xxx/~username/

If the mod_userdir protection tweak is disabled then http://xxx.xxx.xxx.xxx/~username/ works.
And if I enable mod_userdir protection, then that doesn't work. I get a 404 message.

The problem I am running into is if mod_userdir protection is enabled (checked) and I enable an Exclude Protection for a domain, then http://xxx.xxx.xxx.xxx/~username/ doesn't work for that domain.

If I enable the Exclude Protection for DefaultHost, then all the domains are accessible thru http://xxx.xxx.xxx.xxx/~username/ .
Am I missing a step somewhere?


WHM 11.11.0 cPanel 11.16.0-R18546
CENTOS Enterprise 4.6 i686 on standard - WHM X v3.1.0
Apache/2.2.6 (Unix) mod_ssl/2.2.6 OpenSSL/0.9.7a DAV/2 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635

Mike

[Stefaans]

I am getting exactly the same -- the setting for DefaultHost governs the behaviour. That means that either all sites are protected or all are unprotected. This may be an old problem for all I know; I have not tried to restrict the mod_userdir settings before.

Mike, it has been 2 weeks since your post. Did you find a solution to this? We are still running Apache 1.3 and will be upgrading to 2.x soon.

[HH-Mike]

Nope still the same, even on a different server running Stable.

[rvskin]

I found the bug information on my ticket should fix your issue. http://bugzilla.cpanel.net/show_bug.cgi?id=6408

[MonsterWeb]

Wow, it is amazing that there have been posts on this issue since 2006 and still no solutions. The posts I found are listed below, but still no solutions. I hate to leave mod_userdir disabled on 189 accounts, but it is the only way one client can access the shared ssl. I hope there is a solution for this soon.

[nyjimbo]

Wow, it is amazing that there have been posts on this issue since 2006 and still no solutions. The posts I found are listed below, but still no solutions. I hate to leave mod_userdir disabled on 189 accounts, but it is the only way one client can access the shared ssl. I hope there is a solution for this soon.

The OP seems to be showing a dotted-quad, not a domain name, could just be a typo but is he trying to do it via the ip or the domain?. Makes a big difference.

[MonsterWeb]

The OP seems to be showing a dotted-quad, not a domain name, could just be a typo but is he trying to do it via the ip or the domain?. Makes a big difference.

mod_userdir is by domain. When enabled it prevents users from accessing their account by http://servername.com/~account. Unfortunately, in WHM, it is an all or nothing thing. If enabled, you should be able to exclude specific accounts, but it doesn't work.

In a nut shell, you can either access all accounts by http://servername.com/~account, or none of them. It seems the exclude option does not work.

[cPanelDavidG]

mod_userdir is by domain. When enabled it prevents users from accessing their account by http://servername.com/~account. Unfortunately, in WHM, it is an all or nothing thing. If enabled, you should be able to exclude specific accounts, but it doesn't work.

In a nut shell, you can either access all accounts by http://servername.com/~account, or none of them. It seems the exclude option does not work.

If the exclusions are not working for you, I recommend submitting a support ticket: http://tickets.cpanel.net/submit

[jdlightsey]

In a nut shell, you can either access all accounts by http://servername.com/~account, or none of them. It seems the exclude option does not work.

Lets say the hostname is server1.myhost.com and the IP is 1.2.3.4

Now I have a new account at www.newdomain.com and the account name is "newguy"

Now if you want to prevent all userdir requests except for the new account, you would:

1) Turn on mod_userdir protection
2) Uncheck "exclude protection" on the DefaultHost
3) Add newguy to the "Additional Users" list for DefaultHost

With those settings these should work:
http://1.2.3.4/~newguy/
http://server1.myhost.com/~newguy/

This should be prevented:
http://1.2.3.4/~diffacct/
http://www.newdomain.com/~diffacct/

To allow a userdir request to go through you're either (a) excluding all protection on the source domain, or (b) adding the destination account name to the Additional Users list on the source domain. You don't change the settings of the destination domain at all, only the domain that the ~userdir request will originate from.

[velda]

Lets say the hostname is server1.myhost.com and the IP is 1.2.3.4

Now I have a new account at www.newdomain.com and the account name is "newguy"

Now if you want to prevent all userdir requests except for the new account, you would:

1) Turn on mod_userdir protection
2) Uncheck "exclude protection" on the DefaultHost
3) Add newguy to the "Additional Users" list for DefaultHost

With those settings these should work:
http://1.2.3.4/~newguy/
http://server1.myhost.com/~newguy/

This should be prevented:
http://1.2.3.4/~diffacct/
http://www.newdomain.com/~diffacct/

Sorry to crash this thread, but is it safe to assume then that with mod_userdir protection enabled, and NOBODY checked, that nobody should be able to access their site with a url like this?

http://1.2.3.4/~anyacount

Because that's what I'd assumed, but I'm still seeing IP/~username access for everyone. I'm not sure if I've misunderstood or what, so any clarification you can give would be wonderful. Thank you!

[aegis]

I had a play with all the settings. It alters the UserDir variable in httpd.conf

The default global setting is 'UserDir public_html' (ie. ~username works).

If you 'Enable mod_userdir protection' but all other checkboxes are disabled it adds 'UserDir disabled' to each virtualhost. That is good.

However, it also adds 'UserDir enabled username' where username is the default user for the virtualhost. This might possibly screw up PCI compliance. I don't think it should be adding in that last line enabling the username at all.

If you check 'Exclude Protection' then it removes the UserDir settings for that virtualhost, as it should. It then would fall back to public_html.

If you 'Exclude Protection' on DefaultHost it removes the UserDir settings from *


The interface is just terrible. I would like to see it changed so that no users are enabled at all if you've enabled protection globally. Then against each domain you can add users you want to exclude protection for and these are added as 'userdir enabled username' lines OR a 'UserDir public_html' line is added if you want anybody.