Page tree
Skip to end of metadata
Go to start of metadata

This document is for a previous release of cPanel & WHM. To view our latest documentation, visit our Home page.

For cPanel & WHM 11.44

(Home >> Security Center >> Apache mod_userdir Tweak)

Overview

The mod_userdir  module allows visitors to access a user's website through a URL that uses the http://hostname/~username format. For example:

http://host.example.com/~username
http://example.net/~username   
http://192.168.0.20/~username

The most common use of the mod_userdir Apache module is as a temporary URL system that allows users to view their websites. This temporary URL system will work even when the system has not configured DNS or the domain does not yet point to the server

Important:

We strongly recommend that you restrict this access for most of your users. When a user accesses a site through the mod_userdir module, the bandwidth does not count against the user who owns the site. Instead, it counts against the user who owns the host through which visitors access the site. In effect, a user could allow visitors to access their site through the mod_userdir module while the traffic counts against another user's bandwidth.

For example, if you access http://example.net/~username, the bandwidth counts against the host example.net, rather than the user username.

Note:

The mod_userdir module does not only work with the hostname. If you enable the mod_userdir module, any virtual host can access any website that uses the same IP address.

How to prevent mod_userdir access

The Apache mod_userdir Tweak interface allows you to prevent mod_userdir access to your users. 

To prevent mod_userdir access, perform the following steps:

  1. Select the Enable mod_userdir Protection checkbox.
  2. Select the Exclude Protection checkboxes that correspond to the domains for which you wish to permit mod_userdir access.

  3. Click Save.

How to allow access to specific users

You can allow specified users to access their websites through mod_userdir. For example, resellers can use this feature to allow their customers to access their own websites before DNS information has propagated.

To enable mod_userdir access for a specific user, perform the following steps: 

  1. Select Enable mod_userdir Protection.
  2. Determine the virtual host(s) through which the user can access the site through the mod_userdir module, Most likely, this will be the default virtual host or their reseller's virtual host.
    • If you select the virtual host for the user's primary domain, mod_userdir will not function until the DNS points the domain to the server.
  3. Enter the user who should have access through mod_userdir in the appropriate Additional Users text box.
    • If you need to enter multiple users, separate each account name with a space.
  4. Click Save.

Notes:

  • If you wish to allow all of your users to access their own accounts through mod_userdir, but not steal any bandwidth, select the Exclude Protection option for DefaultHost (nobody).
  • Do not select the Exclude Protection box if you wish to allow an individual user to access their site with a mod_userdir URL. 

Example of the Enable mod_userdir Protection feature

You have the following three users: 

  • Arthur owns arthurexample.com/
  • Betty owns bettyexample.com/
  • Charles owns charlesexample.com/

Arthur’s domain resolves, but Betty’s and Charles’ domains do not yet resolve.

If you wish to enable mod_userdir protection for the server to deny one user the ability to use another user's bandwidth, select the Enable mod_userdir Protection box.

However, if you still want to allow Betty and Charles to use Arthur’s bandwidth to see their sites, perform the following steps:

  1. Do not select the box next to arthurexample.com (Arthur)
  2. Enter betty charles in the Additional Users text box.
  3. Click Save.

Betty and Charles can browse their sites with the following URLs:

  • arthurexample.com/~betty/
  • arthurexample.com/~charles/

How to share SSL Certificates

If you have a shared SSL certificate installed for a virtual host on a shared IP address, you can share that SSL certificate with users on the same IP address to allow them to access their sites securely without a browser warning.

For example, if you have an SSL certificate installed on host.example.com and DefaultHost (nobody) is excluded from mod_userdir protection, the user username can access host.example.com/~username

Warnings

Enabled mod_userdir protection

When you enable the use of mod_userdir, you should know the following information:

  • When you use FCGI as your PHP handler, you will need to disable suEXEC in order to run PHP scripts via mod_userdir

    Warning:

    We strongly recommend that you do not disable suEXEC. It is extremely insecure to disable suEXEC.

  • Java servlets do not work with mod_userdir based URLs. This is because Tomcat requires that you add additional directives to the virtual host.

  • PHP site with open_basedir protection restricts PHP's access to the home directory that belongs to the user who owns the base domain, not the home directory of the user account that a visitor accesses. This means that a visitor cannot access some sites via mod_userdir

  • Under certain conditions, a user may be able to attack another user's account if they access a malicious script through a mod_userdir URL.

  • Sites that use mod_rewrite and other directives in their .htaccess files will not work as expected when viewed through mod_userdir URLs.

The Symlink Race Condition Protection option

The following table describes whether the Symlink Race Condition Protection option blocks mod_userdir access.

Conditionmod_userdir accessExample URL
The requested URL includes a file and does not belong to the owner of the file.Blocked
example.com/~username/file
The requested URL includes a file and an IP address that belongs to another account.Blocked
192.168.0.20/~username/file
The requested URL contains a directory.
Not blocked
example.com/~username/dir
You wish to access the server's hostname.Not blocked
host.example.com/~username

Disabled mod_userdir protection

When you disable mod_userdir protection, you should know the following information:

  • While this WHM feature allows you to restrict the mod_userdir functionality, it does not remove the module itself. Some PCI scans may still detect it.
  • This feature does not list IP addresses because mod_userdir uses virtual hosts. You cannot configure this feature based on IP addresses. This is a common misconception. If you do not protect the default host, you can access the server's main IP address through mod_userdir in most cases.