A **REAL** solution to the 511 "access not allowed from this domain".

I've developed a work around for the now infamous "511 access not allowed from this domain" error. This isn’t going to leave you open for leeching, or deny you the ability to do a shared secure certificate or provide access before propagation occurs.

As we know, the culprit for this problem is the bwprotect module. So let’s get rid of that.

Find these two lines in your httpd.conf (most likely found in /etc/httpd/conf)

LoadModule bwprotect_module libexec/mod_bwprotect.so
And
AddModule mod_bwprotect.c

Comment them out by placing a # in front of them. (I know, it’s rudimentary.)

Okay now that we have bwprotect turned off, we have a problem, people can leech bandwidth again from other accounts.

So now we need to turn off the ability to /~user completely.

Find the following section in the server config part of httpd.conf:

<IfModule mod_userdir.c>
UserDir public_html
</IfModule>

and change it to

<IfModule mod_userdir.c>
UserDir disabled
</IfModule>

Oh dear. Now we are back where we have always been, and now /~user doesn’t work at all. No more shared secure certificate, no more access before propagation. What are we to do?

Read the apache documentation, notice that the UserDir directive can fit within the scope of a VirtualHost!

So lets find a suitable virtualhost section, say the one you use for your shared certificate.

Add the following:

<IfModule mod_userdir.c>
UserDir public_html
</IfModule>

Well that solves the problem, now shared certificates work, and I’m sure you can figure out how to apply this to an IP based VirtualHost (or any VirtualHost for that matter!) to allow users access before propagation, or for a customer to leech between his own accounts.

But I have ANOTHER treat for you all! We can control what usernames are allowed to be accessed!

Instead of the above in a VirtualHost section do the following:

<IfModule mod_userdir.c>
UserDir public_html
UserDir disabled
UserDir enabled username1 username2 username3…
</IfModule>

This expressly allows only certain users. Optionally:

<IfModule mod_userdir.c>
UserDir public_html
UserDir enabled
UserDir disabled username1 username2 username3…
</IfModule>

And this would expressly deny certain users to be accessed.

Obviously restart apache for the changes to take effect!

With all of the above everybody ought to be able to protect their users bandwidth, while maintaining the ability to have a shared certificate or provide access prior to propagation.

Additionally, you now have control over specifically WHICH users may be accessed this way! This means you can prevent that 5GB a day site from leeching bandwidth through the shared secure certificate (and increasing CPU load because of encryption), or prevent people from abusing the courtesy of providing access before propagation.

I hope everybody has found this fun and informative, as well as very useful. I would like to point out I have already submitted a feature request built around this system. I am sure that we will see a nice way of doing this through WHM in the future as this is obviously a cure for something that has caused a lot of headaches for people.

http://httpd.apache.org/docs/mod/mod_userdir.html is the official documentation for apache that covers this specific topic for your refrence.

Sincerely,
Cody Frisch, InterSurge LLC.

 

No, because you're expressly enabling /~user on certain domains only. So only those domains you've enabled it on can be leeched from (say the one you use for your shared secure certificate or allow your customers to access before the DNS propagates).

This way the only domains that can get leeched from are the ones you allow to get leeched from. Not every domain on your system will respond to ~user request.

So if you setup one virtual host, say to allow access before propagation, and you do it with only a UserDir public_html in the virtualhost. On this domain or whatever, any user on the system can be accessed by a ~user. If you add the UserDir disabled, UserDir enabled usernames stuff then you can specify WHICH usernames may be accessed (so this way, you can limit which domains can be accessed before propagation with a ~user request, and remove those that you know are fully working and there is no need for them to be able to use ~user anymore).

If you fully read what I said, we disable bwprotect, which lets ~user work for any domain. Then you disable ~user on a serverwide basis. Now ~user doesn't work.

Then you find a VirtualHost, any one you've setup for this purpose we'll say. You put a "UserDir public_html" in this, and ~user works if its on this VirtualHost (some particular domain or IP).

//////

I'm guessing you are confused about the purpose of bwprotect. Its not to limit wasteful bandwidth usage or such. The problem is, normally one can do www.johndoe.com/~sallysmith

This way sallysmith can link to a large file through www.johndoe.com. This means johndoe gets hit with the bandwidth usage, not sallysmith. This is what bwprotect stops from happening (and my solution as well.) Obviously this is a big problem.

bwprotect limits it so that only ~johndoe can be accessed from www.johndoe.com.

My solution would allow you to continue to allow ~johndoe on his domain (if you add the right UserDir to his virtualhost), but also if you setup your own VirtualHost you can allow all users to be accessed with a ~user through that one domain only (that you're responsible for.)

And because you can use UserDir disabled, UserDir enabled usernames (or the reverse), you can control how much bandwidth gets used this way. You can set new accounts to be able to be accessed by ~user only until thier domain is accessible directly, then you can turn it off.

You could also limit which accounts can use a Shared Secure Certificate as well. This way one could possibly offer it as a $2 a month add on or something, and control who can use it.

////

Obviously the only way to log the bandwidth used through ~user is to look at the requests for the particular domain you are allowing ~user on. At least with what I have shown this could be a possible thing to do, as you'd only have to look at the logs of ONE domain, not ALL of your domains.
Until this happens all bandwidth used through /~user will be charged to whatever domain is was done through. You'll have to eat this cost for now, but at least you can limit it to the particular users you want to be able to access it.
////

This is the solution I think, its just up to cpanel to program all of these things in.

 

If one wishes to write the script to do all of this, I'm sure they surely can!

Sure you can specify the /~user, on an user by user basis, on ANY individual VirtualHost you want to, as many times as you want to.

I'd write the script, but admittedly, PERL isn't a second language to me yet. I'm sure I could get there in due time, but I think if we want to get our own script done up, we're gonna need to find someone other than myself to do it

Cody

 

Re: Re: Re: A **REAL** solution to the 511 "access not allowed from this domain".

Yes this is actually correct, I believe it was my error!

UserDir is enabled by default, so if you just list disabled with names you disable it for those names only.

If you do a disable without names first, then enable for those you want to allow access to, its better anyway.


There is really very little legitimate use for UserDir on a serverwide scale.

I recommend doing it on a virtualhost by virtualhost basis as I described above. This allows you to control access at a more granular level.

I really hope we see something with this in whm soon, it would be very helpful to make it easily managed.

cPanel.net Support Ticket Number:

 

mod_bwprotect is kind of obscure.

I don't even have it enabled (have to edit httpd.conf and comment it out of course).


I just set my global "UserDir disabled".

Then in a virtualhost i do:

UserDir public_html
UserDir disabled
UserDir enabled username

Basically that means when accessing that virtual host, that username is able to be accessed with ~user. Typically I only add this for those people who can present a legitimate need to have it turned on - usually this is for people who have more than one domain on the server.

I also do the above with the shared secure site, and the main server address - for access before DNS propigation occurs.

cody@intersurge.com if you want some assistance from me with anything and discuss what you want to do.

cPanel.net Support Ticket Number: