LiteSpeed Web Server Users' Manual
Version 4.2 Rev. 5
Virtual Host Security
Table of Contents
Static Requests/Second | Dynamic Requests/Second | Outbound Bandwidth | Inbound Bandwidth |
ExtApp Set UID Mode | ExtApp Chroot Mode | ExtApp Chroot Path |
Enable Hotlink Protection | Suffix | Redirect URL | Allow Direct Access | Only Self Reference | Allowed Domains | REGEX Matched Domains |
Realm Name | DB Type | User DB Location | Password Attribute | Member-of Attribute | User DB Max Cache Size | User DB Cache Timeout | Group DB Location | Group Member Attribute | Group DB Max Cache Size | Group DB Cache Timeout | LDAP Bind DN | LDAP Bind Password |
Enable Request Filtering | Log Level | Default Action | Scan Request Body | Disable .htaccess Override | Enable Security Audit Log | Security Audit Log |
Name | Rule Set Action | Enabled | Rules Definition |
Follow Symbolic Link  |
| Description: Specifies whether to follow symbolic links in this virtual host. IF OWNER MATCH option will follow a symbolic link only if it has the same ownership. This setting overrides the default server-level setting. |
| Syntax: Select from drop down list |
| Tips: [Performance & security] For better security, disable this feature. For better performance, enable it. |
Enable Script |
| Description: Specifies whether scripting (non-static pages) is allowed in this virtual host. If disabled, CGI, FastCGI, LSAPI, Servlet engines and other scripting languages will not be allowed in this virtual host. Therefore, if you want to use a script handler, you need to enable it here as well. |
| Syntax: Select from radio box |
Restrained |
| Description: Specifies whether files beyond this virtual host root($VH_ROOT) can be accessed though this web site. If set to Yes, only files under $VH_ROOT can be accessed and access to symbolic links or context pointing to files or directories beyond $VH_ROOT will be denied. This, however, does not limit the accessibility of CGI scripts. This is useful in the shared hosting environment. Follow Symbolic Link can be set to Yes to allow users to use symbolic links under $VH_ROOT, but not anything beyond $VH_ROOT. |
| Syntax: Select from radio box |
| Tips: [Security] Turn it on in the shared hosting environment. |
Static Requests/Second |
| Description: Specifies the maximum number of requests to static content coming from a single IP address that can be processed in a single second regardless of the number of connections established. When this limit is reached, all future requests are tar-pitted until the next second. Request limits for dynamically generated content are independent of this limit. Per-client request limits can be set at server- or virtual host-level. Virtual host-level settings override server-level settings. |
| Syntax: Integer number |
| Tips: [Security] Trusted IPs or sub-networks are not affected. |
| See Also: Dynamic Requests/Second |
Dynamic Requests/Second |
| Description: Specifies the maximum number of requests to dynamically generated content coming from a single IP address that can be processed in each second regardless of the number of connections established. When this limit is reached, all future requests to dynamic content are tar-pitted until the next second. The request limit for static content is independent of this limit. This per client request limit can be set at server or virtual host level. Virtual host-level settings override server-level settings. |
| Syntax: Integer number |
| Tips: [Security] Trusted IPs or sub-networks are not restrained by this limit. |
| See Also: Static Requests/Second |
Outbound Bandwidth |
| Description: Specifies the maximum allowed outgoing throughput to a single IP address regardless of number of connections established. The real bandwidth may end up being slightly higher than this setting for efficiency reasons. Bandwidth is allocated in 4KB units. Set to 0 to disable throttling. Per-client bandwidth limits (bytes/sec) can be set at server- or virtual-host levels. Virtual host-level settings override server-level settings. |
| Syntax: Integer number |
| Tips: [Performance] Set the bandwidth in 8KB units for better performance. [Security] Trusted IPs or sub-networks are not affected. |
| See Also: Inbound Bandwidth |
Inbound Bandwidth |
| Description: Specifies the maximum allowed incoming throughput from a single IP address regardless of number of connections established. The real bandwidth may end up being slightly higher than this setting for efficiency reasons. Bandwidth is allocated in 1KB units. Set to 0 to disable throttling. Per-client bandwidth limits (bytes/sec) can be set at server- or virtual-host levels. Virtual host-level settings override server-level settings. |
| Syntax: Integer number |
| Tips: [Security] Trusted IPs or sub-networks are not affected. |
| See Also: Outbound Bandwidth |
ExtApp Set UID Mode |
Description: Specifies how user ID is set for an external application process. Three choices are available:
|
| Syntax: Select from drop down list |
| Tips: [Security] In the shared hosting environment, it is recommended to use the CGI File UID or Doc Root UID modes to prevent files owned by one virtual host from being accessed by the external application scripts of another virtual host. |
ExtApp Chroot Mode |
| Description: Enterprise Edition Only Specifies how the root directory is set for an external application process. In order to protect confidential system data files from being accessed by a vulnerable external application script, an alternative root path can be set for the external application process so that files beyond the new root directory become inaccessible. This is referred to as a "chroot jail". Three choices are available:
|
| Syntax: Select from drop down list |
| Tips: If used properly, chroot will greatly enhance the security of external application scripts, but you must make sure the external application script is functional in the limited chroot jail environment. |
ExtApp Chroot Path |
| Description: Enterprise Edition Only Specifies a new root directory for the current host's external application scripts when ExtApp Chroot Mode is set to Customized Chroot Path. |
| Syntax: Absolute path. |
Hotlink Control |
| Description: Hotlinks are requests made from an external website to files on your own website often referred to as "leeching". This practice introduces additional bandwidth usage that you should not be responsible for. LiteSpeed web server can prevent others from hotlinking to content on your web site by checking the Referer header within a HTTP request. If the Referer header does not match your website, the request will be denied. |
Enable Hotlink Protection |
| Description: Specifies whether to activate hotlink protection. |
| Syntax: Select from radio box |
Suffix |
| Description: Specifies what kinds of files will be protected from hotlinking by listing file suffixes. |
| Syntax: Comma delimited list. "." is prohibited |
Redirect URL |
| Description: Specifies a URL that a user will be redirected to when a hotlinking action is detected. You can redirect users to an image or page saying hotlinking is not allowed. If it is not specified, 403 Forbidden will be returned. |
| Syntax: Absolute URL |
Allow Direct Access |
| Description: Specifies whether to allow direct access without a referer. A referer header identifies the webpage that linked to the current page. There is no "referer" header in HTTP requests when a user types in an address directly in the address box or uses a feature like "save target link as". |
| Syntax: Select from radio box |
Only Self Reference |
| Description: Specifies whether to only allow references from the current web site itself. When set to Yes, Allowed Domains has no effect and no other web site can link to protected files. This can be convenient if you wish to park multiple domain names on the current web site. |
| Syntax: Select from radio box |
Allowed Domains |
| Description: Specifies which web sites can link to protected content. |
| Syntax: Comma delimited list of domain names. |
REGEX Matched Domains |
| Description: Specifies web sites that can link to protected content in regular expressions. The regular expression will match the domain name only and not the full URL. |
| Syntax: Regular expressions |
| Example: ^.*\.mydomain\.com$ |
Access Control |
| Description: Specifies what sub-networks and/or IP addresses can access this virtual host in addition to server-level access control. This virtual host setting does NOT override the server setting. Whether to block/allow an IP is determined by the combination of the allowed list and denied list. If you want to block only certain IPs or sub-networks, put * or ALL in the allowed list and list the blocked IPs or sub-networks in the denied list. If you want to only allow certain IPs or sub-networks, put * or ALL in the denied list and list the allowed IPs or sub-networks in the allowed list. The setting of the smallest scope that fits for an IP will be used to determine whether to block or allow access. |
Allowed List |
| Description: Specifies the list of IPs or sub-networks allowed. |
| Syntax: Comma-delimited list of IP addresses or sub-networks. * or ALL are allowed. Sub-networks can be written as 192.168.1.0/255.255.255.0, 192.168.1 or 192.168.1.*. |
Denied List |
| Description: Specifies the list of IPs or sub-networks disallowed. |
| Syntax: Comma delimited list of IP addresses or sub-networks. * or ALL are accepted. |
| Example: Sub-networks: 192.168.1.0/255.255.255.0, 192.168.1.0/24, 192.168.1 or 192.168.1.*. IPv6 addresses: ::1 or [::1] IPv6 subnets: 3ffe:302:11:2:20f:1fff:fe29:717c/64 or [3ffe:302:11:2:20f:1fff:fe29:717c]/64. |
Authorization Realms |
| Description: Lists all authorization realms for this virtual host. Authorization realms are used to block unauthorized users from accessing protected web pages. A realm is a user directory containing user names and passwords with optional group classifications. Authorization is performed at context level. Since different contexts can share the same realm (user database), so realms are defined separately from the contexts that use them. You can refer to a realm by these names in context configuration. |
DB Type |
| Description: Specifies how user/group data is stored for an authorization realm. Currently, user/group data can be stored in flat files or on a LDAP server. |
| Syntax: Select from drop down list |
User DB Location |
| Description: Specifies the location of the user database. For DB type Password File, it is the path to the flat file containing user/password definitions. You can edit this file through the WebAdmin console by clicking on the file name. Each line of the user file contains a username followed by a colon, followed by a crypt() encrypted password, optionally followed by a colon and group names that user belongs to. Group names are delimitated by commas. If group information is specified in the user database, then the group database will not be checked. Example: For DB type LDAP, it is the LDAP URL to query for the user information. For each valid user, the authentication data stored in the LDAP server should contain at least the user id and user password. One and only one record should be returned in the LDAP search request based on the this URL and username received in the HTTP Authentication header. "$k" must be specified in the filter part of the URL and it will be replaced with the username. The user password attribute must be returned in the query result. The attribute name of the user password is specified by Password Attribute. Group information can be optionally specified by Member-of Attribute. Example: At minimum, a user can be defined in LDAP with object classes: uidObject, simpleSecurityObject and organizationalRole. The following URL could be used: |
| Syntax: Path to the user DB file or LDAP URL (RFC 2255). |
| Tips: [Security] It is recommended to store user password files outside of the document tree. If a user password file has to be placed inside document tree, simply name it with a leading ".ht" like .htuser to prevent it being served as a static file. LiteSpeed Web Server does not serve files prefixed with ".ht". |
| See Also: Group DB Location, Password Attribute, Member-of Attribute |
Password Attribute |
| Description: Specifies the name of the password attribute for a user record stored in an LDAP server. The default value is userPassword. |
| Syntax: string |
Member-of Attribute |
| Description: Specifies the name of the "Member-of" attribute for a user record stored in an LDAP server. The default value is memberOf. The "Member-of" attribute can be used to specify the group name that the user belongs to. |
| Syntax: string |
User DB Max Cache Size |
| Description: Specifies the maximum cache size of the user database. Recently accessed user authentication data will be cached in memory to provide maximum performance. |
| Syntax: Integer number |
| Tips: [Performance] As a larger cache will consume more memory, a higher value may or may not provide better performance. Set it to an appropriate size according to your user database size and site usage. |
User DB Cache Timeout |
| Description: Specifies how often the backend user database will be checked for changes. Every entry in the cache has a timestamp. When cached data is older than the specified timeout, the backend database will be checked for changes. If there is no change, the timestamp will be reset to the current time, otherwise the new data will be loaded. Sevrer reload and graceful restart will clear the cache immediately. |
| Syntax: Integer number |
| Tips: [Performance] If the backend database does not change very often, set a longer timeout for better performance. |
Group DB Location |
| Description: Specifies the location of the group database. Group information can be set either in the user database or in this standalone group DB. For user authentication, the user DB will be checked first. If the user DB also contains group information, then the group DB will not be checked. For the DB type Password File, the group DB location should be the path to the flat file containing group definitions. You can edit this file through the WebAdmin console by clicking on the file name. Each line of a group file should contain a groupname followed by a colon, followed by space delimited group of user names. Example: For the DB type LDAP, the group DB location should be the LDAP URL to query for group information. For each valid group, one and only one record should be returned in the LDAP search request based on this URL and the group name specified in Require (Authorized Users/Groups). "$k" must be specified in the filter part of the URL and it will be replaced with the group name. The name of the attribute that specifies members in this group is specified by Group Member Attribute. Example: If objectClass posixGroup is being used to store group information. The following URL could be used: |
| Syntax: File name which can be absolute, or relative to $SERVER_ROOT, or relative to $VH_ROOT. |
| Tips: [Security] It is recommended to store a group file outside the document tree. If it has to be placed inside document tree, simply name it with a leading ".ht" like .htgroup, to prevent the file being served as a static file. LiteSpeed Web Server does not serve files prefixed with ".ht". |
| See Also: User DB Location, Context Require (Authorized Users/Groups), Group Member Attribute |
Group Member Attribute |
| Description: Specifies the name of the "Member" attribute for a group record stored in an LDAP server. The default value is memberUid. |
| Syntax: string |
Group DB Max Cache Size |
| Description: Specifies the maximum cache size of the group database. |
| Syntax: Integer number |
| Tips: [Performance] As a larger cache will consume more memory, a higher value may or may not provide better performance. Set it to an appropriate size according to your user database size and site usage. |
| See Also: User DB Max Cache Size |
Group DB Cache Timeout |
| Description: Specifies how often the backend group database will be checked for changes. For more detail please refer to User DB Cache Timeout. |
| Syntax: Integer number |
| See Also: User DB Cache Timeout |
LDAP Bind DN |
| Description: Specifies a DN used to bind to the server. If the LDAP server requires authentication, a bind DN and password must be specified. If not specified, anonymous bind will be used. |
| Syntax: string |
| See Also: LDAP Bind Password |
LDAP Bind Password |
| Description: Specifies a password used to bind to the server. If the LDAP Server requires authentication, a bind DN and password must be specified. |
| Syntax: string |
| See Also: LDAP Bind DN |
Enable Request Filtering |
| Description: Specifies whether to enable request content deep inspection. This feature is equivalent to Apache's mod_security, which can be used to detect and block requests with ill intention by matching them to known signatures. |
| Syntax: Select from radio box |
Log Level |
| Description: Specifies the level of detail of the request filtering engine's debug output. This value ranges from 0 - 9. 0 disables logging. 9 produces the most detailed log. The the server and virtual host's error log Log Level must be set to at least INFO for this option to take effect. This is useful when testing your request filtering rules. |
| Syntax: Integer number |
| See Also: Server Log Level, Virtual Host Log Level |
Default Action |
| Description: Specifies the default actions that should be taken when a censoring rule is met. Default value is deny,log,status:403, which means to deny access with status code 403 and log the incident in the error log. |
| Syntax: String. This action string is compatible with the syntax of Apache mod_security. Please refer to the mod_security manual for more detail. EXAMPLE: END_EXAMPLE TIPS: END_TIPS |
| See Also: Rule Set Action |
Scan Request Body |
| Description: Specifies whether to check the body of a HTTP POST request. Default is "No". |
| Syntax: Select from radio box |
Disable .htaccess Override |
| Description: Specifies whether to disable .htaccess override. This is a global setting, only available at the server level. Default is "No". |
| Syntax: Select from radio box |
Enable Security Audit Log |
| Description: Specifies whether to enable audit logging. This feature is equivalent to Apache's mod_security audit engine. If it is enabled and Security Audit Log is set, detailed request information will be saved. |
| Syntax: Select from radio box |
| See Also: Security Audit Log |
Security Audit Log |
| Description: Specifies the path of the security audit log, which gives more detailed information. This extra information can be useful if, for example, you wish to track the actions of a particular user. Use Enable Security Audit Log to turn on the logging. |
| Syntax: File name which can be an absolute path or relative to $SERVER_ROOT. |
| See Also: Enable Security Audit Log |
Request Filtering Rule Set |
| Description: Rules configured here only work for virtual hosts configured with a native LSWS configuration, not for virtual hosts using Apache httpd.conf. |
Rule Set Action |
| Description: Specifies the actions that should be taken when a censoring rule in current ruleset is met. If not set, Default Action will be used. |
| Syntax: String. This action string uses the same syntax as directive SecDefaultAction in Apache mod_security, please refer to the mod_security manual for more details. |
Enabled |
| Description: Specifies whether to enable this rule set. With this option, a rule set can be quickly turned on and off without adding or removing the rule set. Default is "Yes". |
| Syntax: Select from radio box |
Rules Definition |
| Description: Specifies a list of censorship rules. If you are using an Apache config file, you have to set up rules in httpd.conf. Rules defined here will have no effect. |
| Syntax: String. Syntax of censoring rules follows that of Apache's mod_security directives. "SecFilter", "SecFilterSelective", and "SecRule" can be used here. You can copy and paste security rules from an Apache configuration file. For more details about rule syntax, please refer to the Mod Security documentation. |
| Tips: Rules configured here only work for vhosts configured in native LSWS configuration, not for vhosts from Apache httpd.conf. |