Limiting access to the shared SSL certificate and UserDir

lapo (Verified User; joined Aug 25, 2005; 14 messages)
I'm trying to set up a DA server so that we can enable use of the server's SSL certificate for customers on a specific plan only. The server is running FreeBSD 5.4. I have full access to it.

I've noticed that by default, the following work for all users:

http://server.example.com/~username
https://server.example.com/~username

This is a problem in two ways:
1. If a customer is smart, they can reference images and files in their web in this way and thus use our bandwidth rather than his.
2. Every customer is able to access our SSL certificate, irrespective of whether they have SSL enabled for their account.

Ideally, I would like to disable this feature (with the "UserDir disabled" directive in Apache), but at the same time have the system create an Alias for each SSL enabled user so that they may use:

"https://server.example.com/userdomain.com/"

which would point to the user's public_html directory.

I'm pretty new to DirectAdmin so I have 2 questions:

1. I looked in "/etc/httpd/conf/httpd.conf" to disable the UserDir directive but the only entry for it is:

<IfModule mod_userdir.c>
#UserDir public_html
UserDir disabled
</IfModule>

This indicates that it is already disabled in the server configuration.
Looking at the apache processes on the server, I see that DA starts apache with "-DHAVE_USERDIR" on the command line, overriding any "UserDir disable" directive in httpd.conf.

What is the correct way to prevent Apache starting with this parameter enabled?

2. Ideally, I'd like all SSL enabled customers to have an "Alias" entry in the reseller's domain, so as to be able to use the SSL certificate for that host.
Is there a mechanism with which I can achieve this automatically for a specific package?

Thanks for any help.
 
lapo said:
> This is a problem in two ways:
> 1. If a customer is smart, they can reference images and files in their web in this way and thus use our bandwidth rather than his.
This has been discussed several times in the forums; it appears that DA cannot please everyone.
> 2. Every customer is able to access our SSL certificate, irrespective of whether they have SSL enabled for their account.
and
> Looking at the apache processes on the server, I see that DA starts apache with "-DHAVE_USERDIR" on the command line, overriding any "UserDir disable" directive in httpd.conf.
>
> What is the correct way to prevent Apache starting with this parameter enabled?
I'm not sure if DA starts apache itself or if it uses the server's startup script (though I believe the latter is true). If the latter, then you can simply change the startup script on the server.

Study the startup script and experiment. Or ask DA support.
> 2. Ideally, I'd like all SSL enabled customers to have an "Alias" entry in the reseller's domain, so as to be able to use the SSL certificate for that host.
> Is there a mechanism with which I can achieve this automatically for a specific package?
I believe you can create your own "post create" script (if it's not already there) and perhaps you might be able to write code that would figure out which package has been ordered and do some editing accordingly.

Search these forums for something like "post create" (without the quotes) and see what you find.

Jeff
 
Jeff,
Thanks for the feedback.

I found out that to prevent the httpd startup script from adding an extension to apache on the command line, all that one needs to do is to chmod the library file to 000 in /usr/lib/apache/

In this case, I just:

chmod 000 /usr/lib/apache/mod_userdir.so

After doing this, I realized that although UserDirs are disabled, the behavior does not change as the standard DA configuration adds the following directive to httpd.conf:

AliasMatch ^/~([^/]+)(/.*)* /home/$1/public_html$2

This has practically the same effect as the UserDir directive.
I'm not sure why this was done by the DA developers, so maybe there is a reason to keep it which I have missed?

So, all the steps taken to disable UserDir are unnecessary (and ineffective). All that one needs to do is to comment out the above line in httpd.conf and restart Apache.

If one needs to disable userdirs on a shared reseller IP, this change needs to be made in the ips.conf file as well. However, as this file is generated dynamically, does anyone know where the changes need to be made? i.e. Is there a custom template for ips.conf?
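The step described in the post above (commenting out the DA-generated AliasMatch so that /~user URLs stop resolving) can be scripted and verified rather than done by hand. The following is an added example written for this thread, not DirectAdmin's own tooling; it takes the path of the config file as its argument (the httpd.conf path and the sample lines in the test are constructed), keeps a backup, and can confirm afterwards that no active ~user mapping remains:

```sh
#!/bin/sh
# Added example for this thread (not DirectAdmin's own tooling).
# Comments out the DirectAdmin-generated AliasMatch that maps /~user
# to /home/user/public_html, which keeps ~user URLs working even when
# mod_userdir is disabled. The config file path is passed as $1.

# Return 0 if the file still contains an active /~user mapping.
userdir_alias_active() {
    grep -Eq '^[[:space:]]*AliasMatch[[:space:]]+\^/~' "$1"
}

# Comment out every active "AliasMatch ^/~..." line, keeping a backup first.
disable_userdir_alias() {
    conf="$1"
    [ -f "$conf" ] || { echo "no such file: $conf" >&2; return 1; }
    cp "$conf" "$conf.bak" || return 1
    # awk rather than sed: an escaped caret inside an ERE behaves the same
    # on GNU and BSD tools, so this works on FreeBSD and Linux alike.
    awk '/^[[:space:]]*AliasMatch[[:space:]]+\^\/~/ { print "# " $0; next }
         { print }' "$conf" > "$conf.tmp" && mv "$conf.tmp" "$conf"
}

# Usage: ./disable_userdir.sh /etc/httpd/conf/httpd.conf
# Afterwards run "apachectl configtest" and restart Apache to apply it.
if [ -n "${1:-}" ]; then
    disable_userdir_alias "$1" && ! userdir_alias_active "$1" \
        && echo "~user AliasMatch disabled in $1 (backup at $1.bak)"
fi
```

Because DA regenerates parts of its Apache configuration, rerunning the check function after any DA upgrade or IP change is a cheap way to notice if the mapping has come back.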
 
Selective SSL access for users can be enabled or disabled by placing custom scripts into /usr/local/directadmin/scripts/custom.

The script can match on reseller name, user name, and package name. Then it can selectively disable SSL by inserting or removing the following Apache server config code:

# USER is a placeholder for the account name; anchoring the regex keeps it
# from matching the same string deeper inside some other user's tree.
<DirectoryMatch "^/home/USER/">
SSLRequire false
</DirectoryMatch>

Of course, this will enable or disable SSL access completely for the user. I am almost sure that you could use <Location> to selectively disable SSL access for ~user only, but I haven't tried it.

Rahul
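Putting Jeff's "post create" idea and Rahul's DirectoryMatch block together, here is an added example of such a custom script; it is not DirectAdmin's own code and not from anyone in this thread. It assumes DirectAdmin invokes it as user_create_post.sh from the custom scripts directory Rahul named and exports the new account's details as the environment variables username, domain and package (variable names assumed; check your DA version). The package names in SSL_PACKAGES, the policy directory and the example accounts in the test are all constructed. The generated fragment is meant to be Included from the server's HTTPS virtual host: users on an SSL package get the Alias lapo asked for, everyone else gets the SSLRequire block, and any username or domain containing characters that have no business in an Apache path or regex is refused rather than written into the config.

```sh
#!/bin/sh
# Added example for this thread, not DirectAdmin's own script.
# Intended as /usr/local/directadmin/scripts/custom/user_create_post.sh.
# ASSUMED: DA exports username, domain and package to this script.

SSL_PACKAGES="${SSL_PACKAGES:-business premium}"        # constructed package names
POLICY_DIR="${POLICY_DIR:-/etc/httpd/conf/ssl-policy}"  # assumed path, Included by the HTTPS vhost

package_has_ssl() {
    for p in $SSL_PACKAGES; do
        [ "$1" = "$p" ] && return 0
    done
    return 1
}

# The username and domain originate from the signup form, so only accept
# lowercase labels: no spaces, quotes, slashes, leading dots or "..".
valid_name() {
    case "$1" in
        ""|*[!a-z0-9._-]*|.*|*..*) return 1 ;;
    esac
    return 0
}

# Print the Apache fragment for one account to stdout.
#   SSL package: Alias so https://server.example.com/DOMAIN/ serves the
#                user's public_html under the server's certificate.
#   other:       the DirectoryMatch/SSLRequire block from this thread, which
#                refuses HTTPS access to the user's tree (including ~user).
render_ssl_policy() {
    user="$1" dom="$2" pkg="$3"
    valid_name "$user" && valid_name "$dom" || {
        echo "refusing unsafe username or domain: '$user' '$dom'" >&2
        return 1
    }
    if package_has_ssl "$pkg"; then
        printf 'Alias /%s/ /home/%s/public_html/\n' "$dom" "$user"
    else
        printf '<DirectoryMatch "^/home/%s/">\n    SSLRequire false\n</DirectoryMatch>\n' "$user"
    fi
}

# Write the fragment atomically to DIR/USER.conf and print its path.
write_ssl_policy() {
    user="$1" dom="$2" pkg="$3" dir="$4"
    mkdir -p "$dir" || return 1
    render_ssl_policy "$user" "$dom" "$pkg" > "$dir/$user.conf.tmp" \
        || { rm -f "$dir/$user.conf.tmp"; return 1; }
    mv "$dir/$user.conf.tmp" "$dir/$user.conf" && echo "$dir/$user.conf"
}

# When invoked by DirectAdmin, apply the policy for the new account and
# reload Apache so the HTTPS vhost picks up the new Include file.
if [ -n "${username:-}" ]; then
    write_ssl_policy "$username" "${domain:-}" "${package:-}" "$POLICY_DIR" \
        && apachectl graceful
fi
```

SSLRequire is the mod_ssl directive Rahul's snippet uses and it still works on current Apache, though on 2.4 the equivalent is normally written with Require expr. A matching user_destroy_post.sh that removes the account's .conf file keeps the policy directory from accumulating entries for deleted users.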
 