
Apache UserDir Protection


llegrand:
One of my servers' cPanel is now "recommending" that a new feature, UserDir Protection, be enabled. This will configure Apache's mod_userdir functionality to only be active on the default hostname. User site data will no longer be accessible under other usernames.

Here is the link to more information:

https://documentation.cpanel.net/display/ALD/Apache+mod_userdir+Tweak

Under warnings it has this:
Websites that use the mod_rewrite or other directives in their .htaccess files will not function correctly when visitors view them through mod_userdir URLs.

So my question to the developers is: what is the correct setting for mod_userdir for AbanteCart installations?

Thanks
Lee

abantecart:
I do not think this changes anything. It is just another way to access a user's web directory.

llegrand:
The "mod_userdir" functionality has some security risks associated with it. As you can see by the documentation, it is only used when a visitor accesses their website via a username.

For example: http://example.net/~username

Where username would be the username of the website user. This is a very niche option, so I don't believe that you need it unless that is how customers get to your sites.

AbanteCart admins access their admin panel with the user name in the URL. In discussing this with my server manager, he "highly suggest discussing this with your developers as they are likely more familiar with the way Apache is set to handle logins to the site. You will likely find the directives to do this within your .htaccess file."

So my question remains unanswered: to enable UserDir or not?

John-PH:
Long story short ... I suggest to not enable mod_userdir.

Also, for a more secure environment you can use mod_ruid2: https://documentation.cpanel.net/display/EA/Apache+Module%3A+ModRuid2
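
Added example (not part of the original thread and not cPanel's generated configuration): the mod_userdir settings discussed above, shown as the open setting beside two restricted alternatives. The hostnames, account name and paths are hypothetical placeholders, and the three parts are alternatives, not one file.

```apache
# --- Before: mod_userdir active for every hostname ---
# Set at server level, this lets http://<any hosted domain>/~username
# reach that user's public_html, regardless of who owns the domain.
<IfModule mod_userdir.c>
    UserDir public_html
</IfModule>

# --- After, alternative 1: no ~username URLs at all ---
# Matches the "do not enable mod_userdir" advice in the thread.
<IfModule mod_userdir.c>
    UserDir disabled
</IfModule>

# --- After, alternative 2: ~username only on the server's own hostname ---
# Customer site (hypothetical AbanteCart store): no ~username translation,
# so the store is only reachable through its own domain and .htaccess rules.
<VirtualHost *:80>
    ServerName shop.example.net
    DocumentRoot /home/shopuser/public_html
    <IfModule mod_userdir.c>
        UserDir disabled
    </IfModule>
</VirtualHost>

# Server's default hostname (hypothetical): ~username still works here.
<VirtualHost *:80>
    ServerName server.example.net
    DocumentRoot /var/www/html
    <IfModule mod_userdir.c>
        UserDir public_html
        # Never translate ~root, even where UserDir is active.
        UserDir disabled root
    </IfModule>
</VirtualHost>
```

After a change, requesting a `~username` URL on a customer domain and on the default hostname shows which alternative is in effect.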
