SOLVED Should Server Side Includes be disabled?

[ItsMattSon]

Hi,

Should Server Side Includes (SSI) be disabled? (from a security point of view)

And *could* SSI be disabled? Does anything rely on it from a cPanel/WHM point of view?

 

[cPanelMichael]

Hello,

Server-side includes are enabled or disabled via the following Apache options:

Includes - Server-side includes provided by mod_include are permitted.
IncludesNOEXEC - Server-side includes are permitted, but the #exec cmd and #exec cgi are disabled. It is still possible to #include virtual CGI scripts from ScriptAliased directories

"Includes" is disabled by default, but you enable or disable both options via:

"WHM Home » Service Configuration » Apache Configuration » Global Configuration"

Thank you.

 

[ItsMattSon]

Hi @cPanelMichael

That's cool, good to know. I've noticed something 'off' though, whereby even though unticking Includes 'removes' Includes from the Directory / Options in /usr/local/apache/conf/httpd.conf, I can still use SSI on my domain.

Would you know why that might be?

 

[cPanelMichael]

That's cool, good to know. I've noticed something 'off' though, whereby even though unticking Includes 'removes' Includes from the Directory / Options in /usr/local/apache/conf/httpd.conf, I can still use SSI on my domain.

Could you provide step-by-step instructions on how you are using SSI for the account? Also, do any entries exist within the .htaccess file under the document root?

Thank you.

 

[ItsMattSon]

Hi,

I checked but I've got no .htaccess files in my public_html folder unfortunately.

I read that to test if SSI is enabled, I'd simply need to upload an index.shtml file to web root and add

<!--#echo var="DATE_LOCAL"-->

into the source, and if it displays the date in the browser then SSI is enabled (and it does show the date on the page, with or without Includes checked in "WHM Home » Service Configuration » Apache Configuration » Global Configuration")

 

[cPanelMichael]

Hello,

Could you open a support ticket using the link in my signature so we can take a closer look? You can post the ticket number here and we will update this thread with the outcome.

Thank you.

 

[ItsMattSon]

Hi @cPanelMichael,

I can save you the trouble, I was really dumb this whole time...

In [Home »Service Configuration »Apache Configuration »Global Configuration], I was unchecking the Includes box but leaving the IncludesNOEXEC box ticked (which I guess kept Includes fully functional).

Unchecking both, Includes is no longer working (unless I override from web root with .htaccess Options).

To prevent that, I suspect I'll just have to rebuild EasyApache 4 without mod_include? I'm afraid I don't quite see mod_include in the list though?

 

[cPanelMichael]

Hello,

The "AllowOverride" Apache configuration value controls what users can override through their .htaccess file. You can find more information on AllowOverride at:

core - Apache HTTP Server Version 2.4

Thank you.

 

[ItsMattSon]

Hi @cPanelMichael,

Thanks - What if I just wanted to remove mod_include altogether? I can't seem to find it in EasyApache to un-include it?

 

[cPanelMichael]

It's compiled by default:

[[email protected] modules]# httpd -M|grep include
include_module (shared)

The following URL provides information about customizing EasyApache 4:

ea4.ninja

However, I don't recommend removing modules installed by default, as it's possible their inclusion is required for future or existing functionality.

Thank you.

 

[ItsMattSon]

Hi @cPanelMichael,

I noticed that some documents actually use SSI, such as /usr/local/cpanel/htdocs/404.shtml

I'll leave mod_include enabled as I'm not sure what I'll be breaking. I'll need to look at your AllowOverrides solution. Thanks!