mod_userdir protection issues
Hello,
I've read, re-read, googled, and read some more but I'm still butting up against this issue.
Under WHM -> Apache mod_userdir Tweak
I have Enable mod_userdir Protection check marked.
No hosts are excluded from protection.
The following occurs:
accessing -> 404 Not Found
Desired functionality:
any attempt to access a user account returns a 404.
PCI Compliance is fine with setting ErrorDocuments for both error codes (403 and 404) to the same content/response code but I'm not sure how to accomplish that with the standard cPanel error pages that are served by the server IP address or hostname pages.
Thanks!
-
Hi @webworker You'll want to exclude hosts from protection that you want to access this way. Any host protected will get a 404 error. 0 -
Hello @cPanelLauren ! I don't want any hosts to be accessed by mod_userdir, all hosts are protected. The issue is that on the base IP or hostname for the server will return a 403 for some system accounts with 404s for all other accounts. I've attached example screenshots of the responses. I'm not sure where to configure the responses for the cpanel software itself. Thanks! 0 -
I apologize, I missed this initially: [QUOTE]Desired functionality: any attempt to access a user account returns a 404.
Interestingly I'm not able to replicate that behavior: Can you show me a screenshot of the Apache mod_userdir Tweak UI that resembles the following: 595030 -
Here's a screenshot of the mod_userdir Tweak UI. It's a little strange since it all works normally otherwise but root/nobody/admin all seem to return 403. 0 -
I don't know offhand/without being able to see the server configuration what the difference between our servers would be - you may want to open a ticket if you need it to respond with a 404 instead of a 403. What specifically is the end goal/reasoning behind needing it to be a 404 - maybe there's another method to get your desired result. 0 -
PCI compliance. Our scanning vendor flags it as an issue but despite it seemingly being a non-issue. Client sites are a simple fix with htaccess but the base cpanel software I wouldn't know where to begin looking :) I'll see about putting in a ticket! Thanks for the help 0 -
Ah ok, I read this and assumed that PCI compliance was passing it but you had wanted to make a different change. PCI Compliance is fine with setting ErrorDocuments for both error codes (403 and 404) to the same content/response code
0 -
Hi, I currently have same issues. Already following all the step, enable the Apache mod_userdir Tweak & exclude the host that we want to see the temporary url but just showing 403 when I check it. 0 -
What is the output in the apache error log? 0
Please sign in to leave a comment.
Comments
9 comments