Why must AutoSSL modify htaccess?

gwc_wd

Member
AutoSSL is a great service, to the whole internet. But I do not understand why it must be implemented to find every single htaccess rule and prepend exceptions. Why can it not simply check the path(s) it needs rather than creating such a bleeding mess?

It rewrites htaccess to give itself unrestricted access to *everything* including the vast majority of cases it has no business ever touching.

Back when it was being introduced there were commitments this would be looked at, but the solution delivered is an all-or-nothing one: either enable autossl and live with the absurdity of weakened security to accommodate a security service, or disable it and forego the benefits.

I restrict access to plugins and custom code directories, admin directories, penalize access to file types that do not exist and therefore would never be accessed by a legitimate visit, block a variety of fake referrers and bad bots, and many other custom ht rules that have prevented a lot of attacks -- attacks that have compromised many thousands of sites. Every single ht rule has three lines prepended by cPanel just in case the rewrite somehow prevents it from getting to its needed directory.

It not only is unneeded and makes working with the file far more complicated due to all the goo, but it also opens new vectors of potential attack. Why? Why the universal, everything, everywhere, all the time, exceptions? It is just counterintuitive that people trying to improve security would make such a sweeping choice.

I've had to disable it on more than twenty sites, leaving it active on one because I don't really care what happens to that one. I do know my sites are all more secure without it than they are with it.
 

cPanelMichael

Administrator
Staff member
Hello @gwc_wd,

The following option is available under the "Domains" tab in "WHM >> Tweak Settings":

Use a Global DCV Passthrough instead of .htaccess modification (requires EA4)

Per its description:

When you enable this option, Apache adds global rewrite rules to the webserver configuration so that the system does not process additional rewrite rules for DCV filenames. These global rules make it unnecessary for cPanel & WHM to modify each virtual host’s .htaccess file. Note: When you enable this option, the system receives a trivial performance penalty because all of the HTTP requests must be matched against the DCV filename regular expressions.

I believe this option addresses your concerns, as using it ensures individual .htaccess files are no longer written to. Let me know if this information helps.

Thank you.
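
To illustrate the two approaches Michael's reply describes, here is an added example (not cPanel's own configuration; the URI patterns, the hardening rule and the placement of the global include are assumptions) showing per-rule exceptions inside a site's .htaccess beside a single server-level passthrough.

```apache
# --- Approach 1: exceptions prepended to every rule in each .htaccess ---
# Each blocking rule gets RewriteCond exclusions in front of it so the
# validator can still fetch the DCV file. Patterns are illustrative
# assumptions, not the exact lines cPanel writes.
RewriteEngine On

# A site owner's own hardening rule (assumed): forbid direct requests to
# a plugins directory. The two RewriteCond lines are the DCV exception;
# the same pair has to be repeated before every other rule in the file.
RewriteCond %{REQUEST_URI} !^/\.well-known/pki-validation/[A-Za-z0-9_-]+\.txt$
RewriteCond %{REQUEST_URI} !^/\.well-known/acme-challenge/[A-Za-z0-9_-]+$
RewriteRule ^wp-content/plugins/ - [F]

# --- Approach 2: one global passthrough in the server configuration ---
# Lives in a server- or vhost-level include (location assumed), never in
# .htaccess. Server-context rewrites run before per-directory ones, and
# the END flag (Apache 2.4) stops all further rewrite processing for the
# matched request, including .htaccess rules, so no site file is edited.
# Cost: every request is tested against these regexes (the "trivial
# performance penalty" the option's description mentions).
<IfModule mod_rewrite.c>
    RewriteEngine On
    # Keep the character class and single-level paths narrow: anything
    # that matches here bypasses every per-directory rule on the server.
    RewriteRule ^/\.well-known/pki-validation/[A-Za-z0-9_-]+\.txt$ - [END]
    RewriteRule ^/\.well-known/acme-challenge/[A-Za-z0-9_-]+$      - [END]
</IfModule>
```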
 

liebn0r

Well-Known Member
cPanel Access Level
Website Owner
Is there more information on this somewhere? I have AutoSSL enabled but I don't see any .htaccess files getting modified, and I hope to keep it that way. When does that happen?
 

cPanelMichael

Administrator
Staff member
Hi @liebn0r,

The Use a Global DCV Passthrough instead of .htaccess modification (requires EA4) option referenced in my last response is enabled by default, so you should not see direct modifications to individual .htaccess files unless you've disabled that option.

Thank you.
 

cPanelMichael

Administrator
Staff member
Is there anything in particular that's keeping you from migrating to EasyApache 4?
 

liebn0r

Well-Known Member
cPanel Access Level
Website Owner
Is there anything in particular that's keeping you from migrating to EasyApache 4?
No, just general fear of change and breaking things. But that's beside the point. My question is, since the setting is disabled, why am I not seeing modifications to my htaccess files like the original poster was? I wouldn't want that to start happening, either.
 

cPanelMichael

Administrator
Staff member
My question is, since the setting is disabled, why am I not seeing modifications to my htaccess files like the original poster was? I wouldn't want that to start happening, either.
The rules are only implemented temporarily during the AutoSSL validation process, and then removed.

Thank you.