
Overview

This interface allows you to disable the Apache mod_userdir module's functionality for your users.  

  • We strongly recommend that you restrict this access for most of your users. Before you use this interface, make certain that you read the Security Implications and Warnings sections below. 
  • If you enable Apache's ruby24-mod_passenger module in WHM's EasyApache 4 interface (Home >> Software >> EasyApache 4), the system disables Apache's mod_userdir module by default.

The Apache mod_userdir module

The Apache mod_userdir module allows for visitors to access a user's website via a URL that contains that user's username. For example:

https://host.example.com/~username
https://example.net/~username   
https://192.168.0.20/~username

Most servers use the Apache mod_userdir module as a temporary URL system that allows users to view their websites. This temporary URL system functions even if the system does not possess configured DNS or the domain does not yet point to the server.

When you enable the Apache mod_userdir module, a ~username URL is served on any virtual host that shares the website's IP address, not only on the server's hostname.

Enable mod_userdir access

To enable mod_userdir access, perform the following steps:

  1. Select the Enable mod_userdir Protection checkbox.
  2. To enable mod_userdir functionality for specific hosts, select the appropriate Exclude Protection checkboxes.

     This action allows all users to access content on the host via the Apache mod_userdir module. We recommend that you only enable mod_userdir functionality on the DefaultHost.

  3. To allow only specific additional users to use mod_userdir functionality on these hosts, enter their usernames in the Additional Users text box.
  4. Click Save.

To allow your users to access their own accounts through the mod_userdir module, but not circumvent any bandwidth limits, select the Exclude Protection checkbox for the DefaultHost (nobody) host.

Do not select the Exclude Protection checkbox on a user's domain if you only wish to allow an individual user to access their site with a mod_userdir URL.

Example

You own the following three cPanel accounts: 

Arthur’s domain resolves, but Betty’s and Charles’ domains do not yet resolve.

To enable mod_userdir protection for the server to deny one user the ability to use another user's bandwidth, select the Enable mod_userdir Protection checkbox.

However, if you still want to allow Betty and Charles to use Arthur’s domain to see their sites, perform the following steps:

  1. Do not select the checkbox next to arthurexample.com (Arthur).
  2. Enter betty charles in the Additional Users text box.
  3. Click Save.

Betty and Charles can browse their sites with the following URLs:

Shared SSL Certificates

If a shared SSL certificate exists for a virtual host on a shared IP address, you can share that SSL certificate with users on the same IP address. This allows users to access their sites securely without a browser warning.

For example, if an SSL certificate exists on host.example.com, select the Exclude Protection checkbox for the DefaultHost (nobody) host. This allows the cPanel user username to access the https://host.example.com/~username URL without a browser warning.
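The following Python model of the protection policy is an added example, not cPanel's code or configuration. It assumes the behaviour this page describes: with protection enabled, a ~username URL on a virtual host is served only for that host's owner, on hosts whose Exclude Protection box is checked, or for usernames listed under Additional Users; with protection disabled, any ~username works on any host that shares the IP address. It walks through the Arthur/Betty/Charles example above (assuming the usernames arthur, betty and charles, and the constructed user dave) and the shared-SSL case where only the DefaultHost (nobody) is excluded.

```python
"""Model of the mod_userdir protection policy this interface configures.

Added example, not cPanel's code. Account names, hostnames and the
semantics of the three controls are assumptions drawn from the page text.
"""
from dataclasses import dataclass, field
from urllib.parse import urlsplit


@dataclass
class VirtualHost:
    hostname: str
    owner: str              # cPanel user that owns the host; "nobody" for the DefaultHost
    excluded: bool = False  # the host's "Exclude Protection" checkbox


@dataclass
class UserdirPolicy:
    protection_enabled: bool        # "Enable mod_userdir Protection" checkbox
    hosts: dict                     # hostname -> VirtualHost
    additional_users: set = field(default_factory=set)   # "Additional Users" text box
    default_host: VirtualHost = field(
        default_factory=lambda: VirtualHost("host.example.com", "nobody"))

    def vhost_for(self, hostname: str) -> VirtualHost:
        # A hostname or IP with no dedicated vhost lands on the DefaultHost (nobody).
        return self.hosts.get(hostname, self.default_host)

    def allows(self, url: str) -> bool:
        """True if the policy lets this ~username URL be served."""
        parts = urlsplit(url)
        if not parts.path.startswith("/~"):
            return True                    # not a mod_userdir request; nothing to decide
        requested_user = parts.path[2:].split("/", 1)[0]
        if not self.protection_enabled:
            return True                    # any ~user on any host sharing the IP
        vhost = self.vhost_for(parts.hostname)
        if vhost.excluded:
            return True                    # whole host opened to every user's content
        # Protected host: only the owner and explicitly listed additional users
        return requested_user == vhost.owner or requested_user in self.additional_users


def example_scenario() -> dict:
    """Arthur/Betty/Charles: protection on, Arthur's host not excluded,
    'betty charles' entered in Additional Users (usernames assumed)."""
    hosts = {"arthurexample.com": VirtualHost("arthurexample.com", "arthur")}
    policy = UserdirPolicy(True, hosts, additional_users={"betty", "charles"})
    urls = [
        "https://arthurexample.com/~arthur",
        "https://arthurexample.com/~betty",
        "https://arthurexample.com/~charles",
        "https://arthurexample.com/~dave",   # neither owner nor listed: would spend Arthur's bandwidth
    ]
    return {u: policy.allows(u) for u in urls}


def shared_ssl_scenario() -> dict:
    """Only the DefaultHost (nobody) excluded: every user can reach their site
    under the hostname's certificate, while Arthur's own host stays protected."""
    hosts = {"arthurexample.com": VirtualHost("arthurexample.com", "arthur")}
    policy = UserdirPolicy(True, hosts)
    policy.default_host.excluded = True
    return {
        "https://host.example.com/~dave": policy.allows("https://host.example.com/~dave"),
        "https://arthurexample.com/~dave": policy.allows("https://arthurexample.com/~dave"),
    }


if __name__ == "__main__":
    for url, ok in {**example_scenario(), **shared_ssl_scenario()}.items():
        print(f"{url:40s} {'served' if ok else 'denied'}")
```

The `~dave` entries show the difference between excluding a whole host and listing individual users: excluding Arthur's host would let any account on the IP serve content through it, whereas the Additional Users list admits exactly the names entered.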

Security Implications

We strongly recommend that you restrict mod_userdir functionality for most of your users. mod_userdir can expose potential security issues.

When you disable mod_userdir protection for a host, we recommend that you do not exclude the entire host, but rather exclude only specific users via the "Additional Users" field.

Warnings

Enabled mod_userdir protection

Before you enable the Apache mod_userdir module, be aware of the following information:

The Symlink Race Condition Protection option

The following table describes when the Symlink Race Condition Protection option blocks mod_userdir access:

Condition                                                                           mod_userdir access   Example URL
----------------------------------------------------------------------------------  -------------------  ----------------------------
The requested URL includes a file and does not belong to the owner of the file.     Blocked              example.com/~username/file
The requested URL includes a file and an IP address that belongs to another account. Blocked              192.168.0.20/~username/file
The requested URL contains a directory.                                             Not blocked          example.com/~username/dir
You wish to access the server's hostname.                                           Not blocked          host.example.com/~username
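As an added example (not cPanel's code), the decision in the table above can be exercised end to end: a ~username URL is resolved to the file it would serve, the account that owns the virtual host (or the IP's default host) is compared with the owner of that file, and a result of Blocked or Not blocked is produced. The server hostname, the account names alice and bob, the IP 192.168.0.20's owner and the file listing are constructed, and the ownership rule itself is an assumption drawn from the four rows. It also covers a case the table leaves implicit: a file served through its own owner's virtual host is not blocked.

```python
"""Model of when Symlink Race Condition Protection blocks a mod_userdir request.

Added example, not cPanel's code. Hostnames, the IP, the account names and
the file listing are constructed; the rule is inferred from the table.
"""
from urllib.parse import urlsplit

SERVER_HOSTNAME = "host.example.com"

# Constructed: account that owns each virtual host, or the default host on an IP.
VHOST_OWNER = {
    "example.com": "alice",      # assumption: example.com belongs to account "alice"
    "192.168.0.20": "bob",       # assumption: the IP's default vhost belongs to "bob"
    SERVER_HOSTNAME: "nobody",   # DefaultHost (nobody)
}

# Constructed filesystem: path -> (owner, is_file). A ~user URL maps under that user's public_html.
FILESYSTEM = {
    "/home/username/public_html": ("username", False),
    "/home/username/public_html/file": ("username", True),
    "/home/username/public_html/dir": ("username", False),
    "/home/alice/public_html/file": ("alice", True),
}


def resolve(url: str):
    """Map a ~username URL to (host, vhost_owner, target_owner, is_file); None if nothing is there."""
    if "://" not in url:
        url = "http://" + url
    parts = urlsplit(url)
    host, path = parts.hostname, parts.path
    if not path.startswith("/~"):
        return None
    user, _, rest = path[2:].partition("/")
    if ".." in rest.split("/"):
        return None                      # refuse path traversal out of public_html
    fs_path = f"/home/{user}/public_html" + (f"/{rest.rstrip('/')}" if rest.strip("/") else "")
    if fs_path not in FILESYSTEM:
        return None
    owner, is_file = FILESYSTEM[fs_path]
    return host, VHOST_OWNER.get(host, "nobody"), owner, is_file


def symlink_protection_blocks(url: str) -> bool:
    """True when the protection blocks the request, following the table rows."""
    resolved = resolve(url)
    if resolved is None:
        return False                     # nothing to serve; the protection does not decide
    host, vhost_owner, target_owner, is_file = resolved
    if host == SERVER_HOSTNAME:
        return False                     # row 4: served via the server's hostname
    if not is_file:
        return False                     # row 3: directories are not blocked
    return vhost_owner != target_owner   # rows 1-2: file served through another account's host or IP


def evaluate_table() -> dict:
    """Run the table's four example URLs through the decision."""
    urls = [
        "example.com/~username/file",
        "192.168.0.20/~username/file",
        "example.com/~username/dir",
        "host.example.com/~username",
    ]
    return {u: ("Blocked" if symlink_protection_blocks(u) else "Not blocked") for u in urls}


if __name__ == "__main__":
    for url, verdict in evaluate_table().items():
        print(f"{url:32s} {verdict}")
```

The owner comparison is what makes the check symlink-aware: it is the owner of the resolved target that is compared with the virtual host's owner, so a link planted in one account's public_html that points at another account's file is treated the same way as a direct request for that file.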

Disabled mod_userdir protection

Before you disable mod_userdir protection, be aware of the following information:

Additional documentation