I'm attempting to secure the mod_userdir module in Apache.
Currently the directory structure for my users' sites is
/home/{user}/domains/{domain}/public_html/site
The issue is, a number of my users store files that shouldn't be stored in the /domains/ directory (private files), but they do, and I'd rather work round it than make them move them.
Basically I have denied access to all directories in /{domain}/, except public_html, HOWEVER, files can still be viewed.
Here is my usermod.conf config.
<IfModule mod_userdir.c>
    UserDir /home/*/domains
    UserDir disabled root
    <Directory /home/*/domains/*/*>
        Order allow,deny
        Deny from all
    </Directory>
    <FilesMatch /home/*/domains/*/*>
        Order deny,allow
        Deny from all
    </FilesMatch>
    <Directory /home/*/domains/*/public_html>
        Order allow,deny
        Allow from all
    </Directory>
    <Directory /home/*/domains>
        AllowOverride FileInfo AuthConfig Limit Indexes
        Options MultiViews Indexes SymLinksIfOwnerMatch IncludesNoExec
        <Limit GET POST OPTIONS>
            Order allow,deny
            Allow from all
        </Limit>
        <LimitExcept GET POST OPTIONS>
            Order deny,allow
            Deny from all
        </LimitExcept>
    </Directory>
</IfModule>
You can see how I have tried to remove access to the files in /{domain}/ with <FilesMatch>, however this just isn't working.
Any help would be appreciated.
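
A deny-by-default layout for the same tree, as an added example that is not part of the original post. It keeps the post's Order/Allow/Deny directives and paths, and assumes .htaccess overrides are only wanted inside public_html.

```apache
<IfModule mod_userdir.c>
    UserDir /home/*/domains
    UserDir disabled root

    # Deny by default for the whole tree. A <Directory> section covers the
    # named directory, the files in it and everything below it, so this
    # also covers files stored directly in /home/{user}/domains/{domain}/,
    # which a pattern ending in /*/* (one level deeper) does not reach.
    <Directory /home/*/domains>
        # Assumption: no .htaccess processing outside public_html, so an
        # override file in a private directory cannot reopen access.
        AllowOverride None
        Options None
        Order deny,allow
        Deny from all
    </Directory>

    # Re-open only public_html. <Directory> sections are applied from the
    # shortest path to the longest, so this one is processed after the
    # deny above. "*" does not match "/", so each "*" stands for exactly
    # one path component ({user} and {domain}).
    <Directory /home/*/domains/*/public_html>
        AllowOverride FileInfo AuthConfig Limit Indexes
        Options MultiViews Indexes SymLinksIfOwnerMatch IncludesNoExec
        <Limit GET POST OPTIONS>
            Order allow,deny
            Allow from all
        </Limit>
        <LimitExcept GET POST OPTIONS>
            Order deny,allow
            Deny from all
        </LimitExcept>
    </Directory>

    # No <FilesMatch> section: its regular expression is tested against
    # the base name of the requested file only, so a path-style pattern
    # such as /home/*/domains/*/* never matches anything.
</IfModule>
```

Requesting one file directly under {domain}/, one in a private subdirectory and one under public_html should return 403, 403 and 200 respectively.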