Why must AutoSSL modify htaccess?
AutoSSL is a great service, to the whole internet. But I do not understand why it must be implemented to find every single htaccess rule and prepend exceptions. Why can it not simply check the path(s) it needs rather than creating such a bleeding mess?
It rewrites htaccess to give itself unrestricted access to *everything* including the vast majority of cases it has no business ever touching.
Back when it was being introduced there were commitments this would be looked at, but the solution delivered is an all-or-nothing one: either enable autossl and live with the absurdity of weakened security to accommodate a security service, or disable it and forego the benefits.
I restrict access to plugins and custom code directories, admin directories, penalize access to file types that do not exist and therefore would never be accessed by a legitimate visit, block a variety of fake referrers and bad bots, and many other custom ht rules that have prevented a lot of attacks -- attacks that have compromised many thousands of sites. Every single ht rule has three lines prepended by cPanel just in case the rewrite somehow prevents it from getting to its needed directory.
It not only is unneeded and makes working with the file far more complicated due to all the goo, but it also opens new vectors of potential attack. Why? Why the universal, everything, everywhere, all the time, exceptions? It is just counterintuitive that people trying to improve security would make such a sweeping choice.
I've had to disable it on more than twenty sites, leaving it active on one because I don't really care what happens to that one. I do know my sites are all more secure without it than they are with it.
-
Hello @gwc_wd, The following option is available under the "Domains" tab in "WHM >> Tweak Settings": Use a Global DCV Passthrough instead of .htaccess modification (requires EA4) Per it's description: When you enable this option, Apache adds global rewrite rules to the webserver configuration so that the system does not process additional rewrite rules for DCV filenames. These global rules make it unnecessary for cPanel & WHM to modify each virtual host"s .htaccess file. Note: When you enable this option, the system receives a trivial performance penalty because all of the HTTP requests must be matched against the DCV filename regular expressions. I believe this option addresses your concerns, as using it ensures individual .htaccess files are no longer written to. Let me know if this information helps. Thank you. 0 -
Is there more information on this somewhere? I have AutoSSL enabled but I don't see any .htaccess files getting modified, and I hope to keep it that way. When does that happen? 0 -
Hi @liebn0r, The Use a Global DCV Passthrough instead of .htaccess modification (requires EA4) option referenced in my last response is enabled by default, so you should not see direct modifications to individual .htaccess files unless you've disabled that option. Thank you. 0 -
That setting is disabled for me because I'm using EA3. 0 -
That setting is disabled for me because I'm using EA3.
There are no alternatives for systems using EasyApache 3. Is there anything in-particular that's keeping you from migrating to EasyApache 4? EasyApache 3 is near the end of it's lifespan: EasyApache 3: It's been a long road, but it will be time to say goodbye soon. Thank you.0 -
Is there anything in-particular that's keeping you from migrating to EasyApache 4? No, just general fear of change and breaking things. But that's beside the point. My question is, since the setting is disabled, why am I not seeing modifications to my htaccess files like the original poster was? I wouldn't want that to start happening, either. 0 -
My question is, since the setting is disabled, why am I not seeing modifications to my htaccess files like the original poster was? I wouldn't want that to start happening, either.
The rules are only implemented temporarily during the AutoSSL validation process, and then removed. Thank you.0
Please sign in to leave a comment.
Comments
7 comments