I've developed a workaround for the now infamous "511 access not allowed from this domain" error. This isn’t going to leave you open for leeching, or deny you the ability to do a shared secure certificate or provide access before propagation occurs.
As we know, the culprit for this problem is the bwprotect module. So let’s get rid of that.
Find these two lines in your httpd.conf (most likely found in /etc/httpd/conf):
LoadModule bwprotect_module libexec/mod_bwprotect.so
And
AddModule mod_bwprotect.c
Comment them out by placing a # in front of them. (I know, it’s rudimentary.)
Okay, now that we have bwprotect turned off, we have a problem: people can leech bandwidth again from other accounts.
So now we need to turn off the ability to /~user completely.
Find the following section in the server config part of httpd.conf:
<IfModule mod_userdir.c>
UserDir public_html
</IfModule>
and change it to
<IfModule mod_userdir.c>
UserDir disabled
</IfModule>
Oh dear. Now we are back where we have always been, and now /~user doesn’t work at all. No more shared secure certificate, no more access before propagation. What are we to do?
Read the Apache documentation and notice that the UserDir directive can fit within the scope of a VirtualHost!
So let's find a suitable VirtualHost section, say the one you use for your shared certificate.
Add the following:
<IfModule mod_userdir.c>
UserDir public_html
</IfModule>
Well that solves the problem, now shared certificates work, and I’m sure you can figure out how to apply this to an IP based VirtualHost (or any VirtualHost for that matter!) to allow users access before propagation, or for a customer to leech between his own accounts.
But I have ANOTHER treat for you all! We can control what usernames are allowed to be accessed!
Instead of the above in a VirtualHost section do the following:
<IfModule mod_userdir.c>
UserDir public_html
UserDir disabled
UserDir enabled username1 username2 username3…
</IfModule>
This expressly allows only certain users. Optionally:
<IfModule mod_userdir.c>
UserDir public_html
UserDir enabled
UserDir disabled username1 username2 username3…
</IfModule>
And this would expressly deny certain users to be accessed.
Obviously, restart Apache for the changes to take effect!
With all of the above, everybody ought to be able to protect their users' bandwidth, while maintaining the ability to have a shared certificate or provide access prior to propagation.
Additionally, you now have control over specifically WHICH users may be accessed this way! This means you can prevent that 5GB a day site from leeching bandwidth through the shared secure certificate (and increasing CPU load because of encryption), or prevent people from abusing the courtesy of providing access before propagation.
I hope everybody has found this fun and informative, as well as very useful. I would like to point out I have already submitted a feature request built around this system. I am sure that we will see a nice way of doing this through WHM in the future as this is obviously a cure for something that has caused a lot of headaches for people.
http://httpd.apache.org/docs/mod/mod_userdir.html is the official documentation for Apache that covers this specific topic for your reference.
Sincerely,
Cody Frisch, InterSurge LLC.
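A quick way to check an httpd.conf against the layout described in the post above, as an added example that is not part of the original post: it flags active bwprotect lines, a server scope without a bare "UserDir disabled", and VirtualHosts that turn /~user on with or without an allow-list. The sample config, addresses and user names are constructed; the script only reports directives as written in each scope and does not model how Apache merges server and VirtualHost settings.

```python
import re

# Constructed sample httpd.conf (addresses and user names are placeholders).
SAMPLE_CONF = """\
LoadModule bwprotect_module libexec/mod_bwprotect.so
#AddModule mod_bwprotect.c
<IfModule mod_userdir.c>
UserDir disabled
</IfModule>
<VirtualHost 192.0.2.10:443>
<IfModule mod_userdir.c>
UserDir public_html
UserDir disabled
UserDir enabled alice bob
</IfModule>
</VirtualHost>
<VirtualHost 192.0.2.11:80>
UserDir public_html
</VirtualHost>
"""

def audit_userdir(conf_text):
    """Collect the UserDir directives written in each scope and flag gaps."""
    scopes = {"server": []}           # scope name -> list of UserDir argument lists
    scope, findings = "server", []
    for line in (l.strip() for l in conf_text.splitlines()):
        if not line or line.startswith("#"):
            continue                  # commented-out lines are inactive
        opened = re.match(r"<VirtualHost\s+([^>]+)>", line, re.I)
        if opened:
            scope = "vhost " + opened.group(1).strip()
            scopes[scope] = []
        elif line.lower() == "</virtualhost>":
            scope = "server"
        elif re.match(r"(LoadModule|AddModule)\s+.*bwprotect", line, re.I):
            findings.append("bwprotect still active: " + line)
        elif re.match(r"UserDir\s", line, re.I):
            args = line.split()[1:]
            args[0] = args[0].lower()  # normalise the keyword; the path is not reported
            scopes[scope].append(args)
    if ["disabled"] not in scopes["server"]:
        findings.append("server scope lacks a bare 'UserDir disabled'")
    for name, directives in scopes.items():
        paths = [d for d in directives if d[0] not in ("enabled", "disabled")]
        allowed = [u for d in directives if d[0] == "enabled" for u in d[1:]]
        if name != "server" and paths and ["disabled"] not in directives:
            findings.append(name + ": /~user enabled without an allow-list")
        elif name != "server" and paths:
            findings.append(name + ": /~user limited to " + ", ".join(allowed))
    return findings

if __name__ == "__main__":
    for finding in audit_userdir(SAMPLE_CONF):
        print(finding)
```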