Why must AutoSSL modify htaccess?

Discussion in 'Security' started by gwc_wd, Dec 5, 2017.

  1. gwc_wd

    gwc_wd Member

    AutoSSL is a great service, to the whole internet. But I do not understand why it must be implemented to find every single htaccess rule and prepend exceptions. Why can it not simply check the path(s) it needs rather than creating such a bleeding mess?

    It rewrites htaccess to give itself unrestricted access to *everything* including the vast majority of cases it has no business ever touching.

    Back when it was being introduced there were commitments this would be looked at, but the solution delivered is an all-or-nothing one: either enable autossl and live with the absurdity of weakened security to accommodate a security service, or disable it and forego the benefits.

    I restrict access to plugins and custom code directories, admin directories, penalize access to file types that do not exist and therefore would never be accessed by a legitimate visit, block a variety of fake referrers and bad bots, and many other custom ht rules that have prevented a lot of attacks -- attacks that have compromised many thousands of sites. Every single ht rule has three lines prepended by cPanel just in case the rewrite somehow prevents it from getting to its needed directory.

    It not only is unneeded and makes working with the file far more complicated due to all the goo, but it also opens new vectors of potential attack. Why? Why the universal, everything, everywhere, all the time, exceptions? It is just counterintuitive that people trying to improve security would make such a sweeping choice.

    I've had to disable it on more than twenty sites, leaving it active on one because I don't really care what happens to that one. I do know my sites are all more secure without it than they are with it.
     
  2. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Hello @gwc_wd,

    The following option is available under the "Domains" tab in "WHM >> Tweak Settings":

    Use a Global DCV Passthrough instead of .htaccess modification (requires EA4)

    Per its description:

    When you enable this option, Apache adds global rewrite rules to the webserver configuration so that the system does not process additional rewrite rules for DCV filenames. These global rules make it unnecessary for cPanel & WHM to modify each virtual host’s .htaccess file. Note: When you enable this option, the system receives a trivial performance penalty because all of the HTTP requests must be matched against the DCV filename regular expressions.

    I believe this option addresses your concerns, as using it ensures individual .htaccess files are no longer written to. Let me know if this information helps.

    Thank you.
     
  3. liebn0r

    liebn0r Member

    Is there more information on this somewhere? I have AutoSSL enabled but I don't see any .htaccess files getting modified, and I hope to keep it that way. When does that happen?
     
  4. cPanelMichael

    Hi @liebn0r,

    The Use a Global DCV Passthrough instead of .htaccess modification (requires EA4) option referenced in my last response is enabled by default, so you should not see direct modifications to individual .htaccess files unless you've disabled that option.

    Thank you.
     
  5. liebn0r

    That setting is disabled for me because I'm using EA3.
     
  6. cPanelMichael

  7. liebn0r

    Is there anything in particular that's keeping you from migrating to EasyApache 4?
    No, just general fear of change and breaking things. But that's beside the point. My question is, since the setting is disabled, why am I not seeing modifications to my htaccess files like the original poster was? I wouldn't want that to start happening, either.
     
  8. cPanelMichael

    The rules are only implemented temporarily during the AutoSSL validation process, and then removed.

    Thank you.
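
Added example, not part of the thread and not cPanel's code: a check an administrator could run after an AutoSSL pass to see whether any DCV exclusion lines remain in `.htaccess` files and how many rewrite rules carry them. The line shapes it matches (a negated `RewriteCond` on `%{REQUEST_URI}` naming `cpaneldcv`, `.well-known/pki-validation` or `.well-known/acme-challenge`) are assumptions, since the thread does not show the inserted lines; the sample input is constructed.

```python
import re
from pathlib import Path

# Assumed shape of the exclusion lines (not shown in the thread): a negated
# RewriteCond on the request URI naming a DCV path or filename.
DCV_COND = re.compile(
    r"^\s*RewriteCond\s+%\{REQUEST_URI\}\s+!\S*"
    r"(?:cpaneldcv|\.well-known/(?:pki-validation|acme-challenge))",
    re.IGNORECASE,
)
REWRITE_RULE = re.compile(r"^\s*RewriteRule\s", re.IGNORECASE)


def audit_htaccess(text):
    """Return (dcv_cond_line_numbers, rules_total, rules_with_dcv_exclusion)."""
    dcv_lines, rules, guarded = [], 0, 0
    pending = False  # a DCV exclusion was seen since the last RewriteRule
    for lineno, line in enumerate(text.splitlines(), 1):
        if DCV_COND.match(line):
            dcv_lines.append(lineno)
            pending = True
        elif REWRITE_RULE.match(line):
            rules += 1
            guarded += pending
            pending = False
    return dcv_lines, rules, guarded


def audit_tree(root):
    """Map each .htaccess under root that contains DCV exclusions to its audit."""
    report = {}
    for path in Path(root).rglob(".htaccess"):
        result = audit_htaccess(path.read_text(errors="replace"))
        if result[0]:
            report[str(path)] = result
    return report


# Constructed sample: one rule carrying exclusions, one without.
SAMPLE = r"""RewriteEngine On
RewriteCond %{HTTP_REFERER} badsite\.example [NC]
RewriteCond %{REQUEST_URI} !^/[0-9]+\..+\.cpaneldcv$
RewriteCond %{REQUEST_URI} !^/\.well-known/pki-validation/[A-F0-9]{32}\.txt$
RewriteRule .* - [F]
RewriteRule ^admin/ - [F]
"""

if __name__ == "__main__":
    print(audit_htaccess(SAMPLE))
```

An empty result from `audit_tree` on a docroot means no file under it currently contains lines of the assumed shape.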
     