Author Topic: Apache UserDir Protection  (Read 7974 times)

Offline llegrand

Apache UserDir Protection
« on: September 16, 2016, 01:08:11 PM »
One of my servers' cPanel is now "recommending" a new feature, UserDir Protection, to be enabled. This will configure Apache's mod_userdir functionality to only be active on the default hostname. User site data will no longer be accessible under other usernames.

Here is the link to more information:

https://documentation.cpanel.net/display/ALD/Apache+mod_userdir+Tweak

Under warnings it has this:
Websites that use the mod_rewrite or other directives in their .htaccess files will not function correctly when visitors view them through mod_userdir URLs.

So my question to the developers is: what is the correct setting for mod_userdir for AbanteCart installations?

Thanks
Lee


Offline abantecart

Re: Apache UserDir Protection
« Reply #1 on: September 17, 2016, 11:54:49 AM »
I do not think this changes anything. It is just another way to access a user's web directory.

Offline llegrand

Re: Apache UserDir Protection
« Reply #2 on: September 17, 2016, 12:12:47 PM »
The "mod_userdir" functionality has some security risks associated with it. As you can see by the documentation, it is only used when a visitor accesses their website via a username.

For example: http://example.net/~username

Where username would be the username of the website user. This is a very niche option, so I don't believe that you need it unless that is how customers get to your sites.

AbanteCart admins access their admin panel with the user name in the URL. In discussing this with my server manager he "highly suggest discussing this with your developers as they are likely more familiar with the way Apache is set to handle logins to the site. You will likely find the directives to do this within your .htaccess file."

So my question remains unanswered - to enable UserDir or not?
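
One way to put data behind the enable-or-not decision is to check whether any site is actually being reached through `/~username` URLs on a hostname other than the server's default one, since those are the requests UserDir Protection stops serving. This is an added example, not part of the original posts or of cPanel's code; it assumes Apache's `vhost_combined` log layout, and the hostnames and log lines are constructed.

```python
import re
from collections import Counter

# Assumed log layout: Apache "vhost_combined" (%v:%p %h %l %u %t "%r" %>s ...).
LINE_RE = re.compile(
    r'^(?P<vhost>[^:\s]+):\d+ \S+ \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)
# mod_userdir URLs start with /~username
USERDIR_RE = re.compile(r'^/~(?P<user>[A-Za-z0-9._-]+)(?:/|$|\?)')

def userdir_hits(lines, default_host):
    """Count successful /~user requests, split into those on the default
    hostname (still served with protection on) and those on any other
    vhost (no longer served with protection on)."""
    kept, lost = Counter(), Counter()
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # not in the assumed format
        u = USERDIR_RE.match(m["path"])
        if not u or not m["status"].startswith(("2", "3")):
            continue  # not a userdir URL, or the request already failed
        key = (m["vhost"].lower(), u["user"])
        (kept if key[0] == default_host.lower() else lost)[key] += 1
    return kept, lost

# Constructed sample lines (documentation addresses and example domains).
SAMPLE_LOG = """\
server.example.net:80 203.0.113.5 - - [16/Sep/2016:13:01:00 +0000] "GET /~alice/ HTTP/1.1" 200 512 "-" "curl"
shop.example.com:80 203.0.113.9 - - [16/Sep/2016:13:02:10 +0000] "GET /~bob/index.php HTTP/1.1" 200 2048 "-" "Mozilla"
shop.example.com:80 203.0.113.9 - - [16/Sep/2016:13:02:11 +0000] "GET /~bob/admin HTTP/1.1" 404 300 "-" "Mozilla"
shop.example.com:443 198.51.100.7 - - [16/Sep/2016:13:03:00 +0000] "GET /index.php?rt=product HTTP/1.1" 200 4096 "-" "Mozilla"
""".splitlines()

if __name__ == "__main__":
    kept, lost = userdir_hits(SAMPLE_LOG, "server.example.net")
    for (host, user), n in lost.items():
        print(f"stops working with protection on: {host}/~{user} ({n} hits)")
    for (host, user), n in kept.items():
        print(f"unaffected (default hostname):    {host}/~{user} ({n} hits)")
```

An empty `lost` counter over a representative log window means no visitor depends on cross-hostname userdir URLs.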


Offline John-PH

Re: Apache UserDir Protection
« Reply #3 on: January 28, 2017, 07:53:06 AM »
Long story short ... I suggest to not enable mod_userdir.

Also, for a more secure environment you can use mod_ruid2: https://documentation.cpanel.net/display/EA/Apache+Module%3A+ModRuid2