<!DOCTYPE html> <head> <meta charset="utf-8" /> <meta http-equiv="X-UA-Compatible" content="IE=edge,chrome=1" /> <title>LiteSpeed Web Server Users' Manual - Server Security</title> <meta name="description" content="LiteSpeed Web Server Users' Manual - Server Security." /> <meta name="viewport" content="width=device-width, initial-scale=1.0" /> <meta name="robots" content="noindex"> <link rel="shortcut icon" href="img/favicon.ico" /> <link rel="stylesheet" type="text/css" href="css/hdoc.css"> </head> <body> <div class="pagewrapper clearfix"><aside class="sidetree ls-col-1-5"> <figure> <img src="img/lsws_logo.svg" alt="lightspeed web server logo" width="100px"/> </figure> <h2 class="ls-text-thin"> LiteSpeed Web Server <br /> <span class="current"><a href="index.html">Users' Manual</a></span> </h2> <h3 class="ls-text-muted">Version 6.3 — Rev. 0</h3> <hr/> <div> <ul> <li><a href="license.html">License Enterprise</a></li> <li><a href="intro.html">Introduction</a></li> <li><a href="install.html">Installation</a></li> <li> <a href="admin.html">Administration</a> <ul class="menu level2"> <li><a href="ServerStat_Help.html">Service Manager</a></li> <li><a href="Real_Time_Stats_Help.html">Real-Time Stats</a></li> </ul> </li> <li><a href="security.html">Security</a></li> <li> <a href="config.html">Configuration</a> <ul class="level2"> <li><a href="ServGeneral_Help.html">Server General</a></li> <li><a href="ServLog_Help.html">Server Log</a></li> <li><a href="ServTuning_Help.html">Server Tuning</a></li> <li><span class="current"><a href="ServSecurity_Help.html">Server Security</a></span></li> <li><a href="Cache_Help.html">Page Cache</a></li> <li><a href="PageSpeed_Config.html">PageSpeed Config</a></li> <li><a href="ExtApp_Help.html">External Apps</a></li> <ul class="level3"> <li><a href="External_FCGI.html">Fast CGI App</a></li> <li><a href="External_FCGI_Auth.html">Fast CGI Authorizer</a></li> <li><a href="External_LSAPI.html">LSAPI App</a></li> <li><a 
href="External_Servlet.html">Servlet Engine</a></li> <li><a href="External_WS.html">Web Server</a></li> <li><a href="External_PL.html">Piped logger</a></li> <li><a href="External_LB.html">Load Balancer</a></li> </ul> <li><a href="ScriptHandler_Help.html">Script Handler</a></li> <li><a href="PHP_Help.html">PHP</a></li> <li><a href="App_Server_Help.html">App Server Settings</a></li> <li><a href="Listeners_General_Help.html">Listener General</a></li> <li><a href="Listeners_SSL_Help.html">Listener SSL</a></li> <li><a href="Templates_Help.html">Virtual Host Templates</a></li> <li><a href="VirtualHosts_Help.html">Virtual Host Basic</a></li> <li><a href="VHGeneral_Help.html">Virtual Host General</a></li> <li><a href="VHSecurity_Help.html">Virtual Host Security</a></li> <li><a href="VHSSL_Help.html">Virtual Host SSL</a></li> <li> <a href="VHPageSpeed_Config.html">Virtual Host PageSpeed Config</a> </li> <li><a href="Rewrite_Help.html">Rewrite</a></li> <li><a href="Context_Help.html">Context</a></li> <ul class="level3"> <li><a href="Static_Context.html">Static Context</a></li> <li> <a href="Java_Web_App_Context.html">Java Web App Context</a> </li> <li><a href="Servlet_Context.html">Servlet Context</a></li> <li><a href="FCGI_Context.html">Fast CGI Context</a></li> <li><a href="LSAPI_Context.html">LSAPI Context</a></li> <li><a href="Proxy_Context.html">Proxy Context</a></li> <li><a href="CGI_Context.html">CGI Context</a></li> <li><a href="LB_Context.html">Load Balancer Context</a></li> <li><a href="Redirect_Context.html">Redirect Context</a></li> <li><a href="App_Server_Context.html">App Server Context</a></li> <li><a href="Rails_Context.html">Rack/Rails Context</a></li> </ul> <li><a href="VHAddOns_Help.html">Add-ons</a></li> </ul> </li> <li> <a href="webconsole.html">Web Console</a> <ul class="level2"> <li><a href="AdminGeneral_Help.html">Admin Console General</a></li> <li><a href="AdminSecurity_Help.html">Admin Console Security</a></li> <li> <a 
href="AdminListeners_General_Help.html"> Admin Listener General </a> </li> <li> <a href="AdminListeners_SSL_Help.html">Admin Listener SSL</a> </li> </ul> </li> </ul> </div> </aside> <article class="contentwrapper ls-col-3-5 clearfix"><div class="nav-bar ls-spacer-micro-top"><div class="prev">« <a href="ServTuning_Help.html">Server Tuning</a></div><div class="center"><a href="config.html">Configuration</a></div><div class="next"><a href="Cache_Help.html">Page Cache Settings</a> »</div></div> <h1>Server Security</h1><h2 id="top">Table of Contents</h2><section class="toc"><section class="toc-row"><header>Anti-DDoS Protection</header><p> <a href="#enableAntiddos">Enable Anti-DDoS Protection</a> | <a href="#firewallEnable">Enable Firewall Modifications</a></p></section> <section class="toc-row"><header>WordPress Brute Force Attack Protection</header><p> <a href="#wpProtectAction">Protection Mode</a> | <a href="#wpProtectLimit">Allowed Login Attempts</a></p></section> <section class="toc-row"><header>Web Application Firewall (WAF)</header><p> <a href="#enableCensorship">Enable WAF</a> | <a href="#censorLogLevel">Log Level</a> | <a href="#defaultAction">Default Action</a> | <a href="#scanPOST">Scan Request Body</a> | <a href="#uploadTmpDir">Temporary File Path</a> | <a href="#uploadTmpFilePermission">Temporary File Permissions</a> | <a href="#disableSecHtaccess">Disable .htaccess Override</a> | <a href="#secAuditLogEngine">Enable Security Audit Log</a> | <a href="#secAuditLog">Security Audit Log</a> | <a href="#useRe2">Use RE2 regex engine</a></p></section> <section class="toc-row"><header><a href="#reqCensorshipRule">Web Application Firewall (WAF) Rule Set</a></header><p> <a href="#censorRuleSetName">Name</a> | <a href="#ruleSetAction">Rule Set Action</a> | <a href="#censorRuleSetEnabled">Enabled</a> | <a href="#censorRuleSet">Rules Definition</a></p></section> <section class="toc-row"><header><a href="#perClientConnLimit">Per Client Throttling</a></header><p> <a 
href="#staticReqPerSec">Static Requests/Second</a> | <a href="#dynReqPerSec">Dynamic Requests/Second</a> | <a href="#outBandwidth">Outbound Bandwidth (bytes/sec)</a> | <a href="#inBandwidth">Inbound Bandwidth (bytes/sec)</a> | <a href="#softLimit">Connection Soft Limit</a> | <a href="#hardLimit">Connection Hard Limit</a> | <a href="#blockBadReq">Block Bad Request</a> | <a href="#gracePeriod">Grace Period (sec)</a> | <a href="#banPeriod">Banned Period (sec)</a></p></section> <section class="toc-row"><header>File Access</header><p> <a href="#followSymbolLink">Follow Symbolic Link</a> | <a href="#checkSymbolLink">Check Symbolic Link</a> | <a href="#forceStrictOwnership">Force Strict Ownership Checking</a> | <a href="#requiredPermissionMask">Required Permission Mask</a> | <a href="#restrictedPermissionMask">Restricted Permission Mask</a> | <a href="#restrictedScriptPermissionMask">Script Restricted Permission Mask</a> | <a href="#restrictedDirPermissionMask">Script Directory Restricted Permission Mask</a></p></section> <section class="toc-row"><header><a href="#cgiResource">CGI Settings</a></header><p> <a href="#cgidSock">CGI Daemon Socket</a> | <a href="#maxCGIInstances">Max CGI Instances</a> | <a href="#minUID">Minimum UID</a> | <a href="#minGID">Minimum GID</a> | <a href="#forceGID">Force GID</a> | <a href="#umask">umask</a> | <a href="#CGIPriority">CGI Priority</a> | <a href="#CPUSoftLimit">CPU Soft Limit (sec)</a> | <a href="#CPUHardLimit">CPU Hard Limit</a> | <a href="#memSoftLimit">Memory Soft Limit (bytes)</a> | <a href="#memHardLimit">Memory Hard Limit (bytes)</a> | <a href="#procSoftLimit">Process Soft Limit</a> | <a href="#procHardLimit">Process Hard Limit</a> | <a href="#cgroups">cgroups</a></p></section> <section class="toc-row"><header><a href="#lsrecaptcha">reCAPTCHA Protection</a></header><p> <a href="#enableRecaptcha">Enable reCAPTCHA</a> | <a href="#recaptchaSiteKey">Site Key</a> | <a href="#recaptchaSecretKey">Secret Key</a> | <a 
href="#recaptchaType">reCAPTCHA Type</a> | <a href="#recaptchaSensitivity">Trigger Sensitivity</a> | <a href="#recaptchaMaxTries">Max Tries</a> | <a href="#verifyExpires">Verification Expires (secs)</a> | <a href="#recaptchaAllowedRobotHits">Allowed Robot Hits</a> | <a href="#recaptchaBotWhiteList">Bot White List</a></p></section> <section class="toc-row"><header>Containers</header><p> <a href="#bubbleWrap">Bubblewrap Container</a> | <a href="#bubbleWrapCmd">Bubblewrap Command</a> | <a href="#namespace">Namespace Container</a> | <a href="#namespaceConf">Namespace Template File</a></p></section> <section class="toc-row"><header>Access Denied Directories</header><p> <a href="#accessDenyDir">Access Denied Directories</a></p></section> <section class="toc-row"><header><a href="#accessControl">Access Control</a></header><p> <a href="#accessControl_allow">Allowed List</a> | <a href="#accessControl_deny">Denied List</a></p></section> </section> <section><div class="helpitem"><article class="ls-helpitem"><div><header id="enableAntiddos"><h3>Enable Anti-DDoS Protection<span class="ls-permlink"><a href="#enableAntiddos"></a></span><span class="top"><a href="#top">⇑</a></span></h3></header></div><h4>Description</h4><p>This will enable bot detection and address them by denying or redirecting the client to reCAPTCHA. If firewall is enabled, the client IP will be denied at the firewall level.<br/><br/> Default value is <span class="val">Yes</span>.</p> <h4>Syntax</h4><p>Select from radio box</p> </article> </div> <div class="helpitem"><article class="ls-helpitem"><div><header id="firewallEnable"><h3>Enable Firewall Modifications<span class="ls-permlink"><a href="#firewallEnable"></a></span><span class="top"><a href="#top">⇑</a></span></h3></header></div><h4>Description</h4><p>Enable firewall modifications via iptables. 
iptables must be enabled on this system for this setting to take effect.<br/><br/> If ipset is also installed and enabled on this system, it will be used to more efficiently manage firewall rulesets for iptables.<br/><br/> Default value is <span class="val">Yes</span>.</p> <h4>Syntax</h4><p>Select from radio box</p> <h4>Tips</h4><p><span title="Performance" class="ls-icon-performance"></span> ipset should be installed and enabled on the system to more efficiently manage firewall rulesets for iptables.</p> </article> </div> <div class="helpitem"><article class="ls-helpitem"><div><header id="wpProtectAction"><h3>Protection Mode<span class="ls-permlink"><a href="#wpProtectAction"></a></span><span class="top"><a href="#top">⇑</a></span></h3></header></div><h4>Description</h4><p>Specifies the action to be taken when the specified Allowed Login Attempts limit is reached within 5 minutes.<br/><br/> <span class="val">Throttle</span> gradually slows down the speed of the server response, <span class="val">Drop</span> severs the connection without any reply, <span class="val">Deny</span> returns a 403 response, and <span class="val">CAPTCHA or Drop</span> redirects to a CAPTCHA if reCAPTCHA Protection is enabled and drops otherwise.<br/><br/> <span class="val">WP Login CAPTCHA Full Protection</span> can also be selected. This setting will redirect to a CAPTCHA if ReCAPTCHA Protection is enabled regardless of Allowed Login Attempts limit and falls back to use <span class="val">Throttle</span> otherwise.<br/><br/> Default values:<br/> <b>Server level:</b> <span class="val">Throttle</span><br/> <b>VH level:</b> Inherit Server level setting. 
If Server level is set to <span class="val">Disable</span>, <span class="val">Throttle</span> will be used.</p> <h4>Syntax</h4><p>Select from drop down list</p> <h4>Tips</h4><p><span title="Security" class="ls-icon-security"></span> Trusted IPs or sub-networks are not affected.<br/> <span title="Information" class="ls-icon-info"></span> This feature is enabled by default (Throttle) and does not need any further configuration in the WebAdmin GUI or in Apache configurations.<br/> <span title="Information" class="ls-icon-info"></span> This setting will override Apache conf <span class="val">WordPressProtect</span> setting for LSWS only. Apache will be unaffected.<br/><br/> <span title="Information" class="ls-icon-info"></span> This can be set at the Server level and overwritten at the Virtual Host level. If not overridden at the Virtual Host level, this setting can also be overridden in a user's docroot .htaccess file using Apache configuration directive <span class="val">WordPressProtect</span> with value <span class="val">0</span> (disabled), <span class="val">1</span> (use server level setting), <span class="val">throttle</span>, <span class="val">deny</span>, or <span class="val">drop</span>.</p> </article> </div> <div class="helpitem"><article class="ls-helpitem"><div><header id="wpProtectLimit"><h3>Allowed Login Attempts<span class="ls-permlink"><a href="#wpProtectLimit"></a></span><span class="top"><a href="#top">⇑</a></span></h3></header></div><h4>Description</h4><p>Specifies the maximum number of wp-login.php and xmlrpc.php POST attempts allowed by an IP within 5 minutes before the action specified in <span class="tagl"><a href="#wpProtectAction">Protection Mode</a></span> is taken.<br/><br/> This limit is handled using a quota system where remaining attempts = limit. Each POST attempt will decrease the number of remaining attempts by 1, with the number of remaining attempts increasing back to the set limit over time. 
An IP will be throttled once the number of remaining attempts for that IP falls to 1/2 the set limit, throttling more as the remaining attempts drops further below the 1/2 mark. When remaining attempts reaches 0, the specified action is taken toward the IP.<br/><br/> In addition to this, if <span class="tagl"><a href="#enableRecaptcha">Enable reCAPTCHA</a></span> is also enabled, an additional per worker protection will be added. If wp-login.php and xmlrpc.php are visited by the same worker at a rate of 4x the set limit in a 30 second time frame, those URLs will be put into reCAPTCHA mode until the number of visits to these files decreases.<br/><br/> Resetting the server will clear blocked IPs.<br/><br/> Default values:<br/> <b>Server-level:</b> <span class="val">10</span><br/> <b>VH-Level:</b> Inherit Server level setting</p> <h4>Syntax</h4><p>Valid Range: 3 - 1000.</p> <h4>Example</h4><div class="ls-example">With an Attempt limit of 10, and a Mode of drop:<br/><br/> After the first POST attempt, the quota is decreased to 9.<br/><br/> Quota decreases by 1 for each POST attempt.<br/><br/> After Quota reaches half of the limit (5), the IP will be throttled.<br/><br/> Throttling will get worse with each POST attempt.<br/><br/> Once the quota reaches 0, the connection will be dropped.</div><h4>Tips</h4><p><span title="Security" class="ls-icon-security"></span> Trusted IPs or sub-networks are not affected.<br/><br/> <span title="Information" class="ls-icon-info"></span> This setting will override Apache conf <span class="val">WordPressProtect</span> setting for LSWS only. Apache will be unaffected.<br/><br/> <span title="Information" class="ls-icon-info"></span> This can be set at the Server level and overwritten at the Virtual Host level. 
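</p><p>The quota mechanism described above, replayed in code. This is an added example written for this page, not LiteSpeed's own implementation: the page gives the 5-minute window, the cost of one attempt per POST, the half-way throttle point and the action at zero, but not the refill rate or the size of the throttle delay, so those two are assumptions marked in the code; the client addresses are constructed documentation-range IPs.</p>

```python
"""Simulation of the per-IP login-attempt quota described for Allowed Login
Attempts and Protection Mode. Added example for this page, not LiteSpeed code;
the refill rate and throttle delays are assumptions, marked below."""
import time
from dataclasses import dataclass
from typing import Optional

WINDOW_SECONDS = 300                       # the 5-minute window from the page
PROTECTED = ("/wp-login.php", "/xmlrpc.php")
MODES = ("throttle", "drop", "deny")       # deny answers 403, drop severs


@dataclass
class _Bucket:
    remaining: float       # attempts left; starts at the configured limit
    last_seen: float       # time of the previous POST, used for refilling


class LoginQuota:
    def __init__(self, limit: int = 10, mode: str = "drop",
                 trusted: Optional[set] = None) -> None:
        if not 3 <= limit <= 1000:
            raise ValueError("Allowed Login Attempts valid range is 3 - 1000")
        if mode not in MODES:
            raise ValueError(f"unsupported mode {mode!r}")
        self.limit, self.mode = limit, mode
        self.trusted = trusted or set()    # trusted IPs are never affected
        self._buckets: dict = {}

    def _refill(self, b: _Bucket, now: float) -> None:
        # ASSUMPTION: the page only says remaining attempts climb back to the
        # limit "over time"; here the full limit refills linearly across the
        # 5-minute window (limit / 300 attempts per second).
        elapsed = max(0.0, now - b.last_seen)
        b.remaining = min(float(self.limit),
                          b.remaining + elapsed * self.limit / WINDOW_SECONDS)
        b.last_seen = now

    def post(self, ip: str, path: str, now: Optional[float] = None) -> dict:
        """Decide what happens to one POST from `ip` to `path`."""
        now = time.time() if now is None else now
        if path not in PROTECTED or ip in self.trusted:
            return {"action": "allow", "remaining": None}
        b = self._buckets.setdefault(ip, _Bucket(float(self.limit), now))
        self._refill(b, now)
        b.remaining = max(0.0, b.remaining - 1)   # each POST costs one attempt
        remaining = int(b.remaining)
        if remaining == 0:                         # quota exhausted: take the action
            return {"action": self.mode, "remaining": 0,
                    "status": 403 if self.mode == "deny" else None}
        half = self.limit / 2
        if remaining <= half:
            # ASSUMPTION: throttle delay grows by half a second for every
            # attempt the quota sits below the half-way mark.
            delay = (half - remaining + 1) * 0.5
            return {"action": "throttle", "remaining": remaining, "delay": delay}
        return {"action": "allow", "remaining": remaining}

    def reset(self) -> None:
        """A server restart clears all tracked IPs, as the page notes."""
        self._buckets.clear()


def page_example(limit: int = 10, mode: str = "drop") -> list:
    """Replays the page's worked example: `limit` POSTs from one IP in one instant."""
    quota = LoginQuota(limit=limit, mode=mode)
    # constructed sample client and a fixed clock, so no refill happens mid-run
    return [quota.post("203.0.113.7", "/wp-login.php", now=1000.0)
            for _ in range(limit)]


if __name__ == "__main__":
    for n, decision in enumerate(page_example(), start=1):
        print(f"POST {n:2d}: {decision}")
```

<p>Running the module prints the ten decisions of the page's example. <code>LoginQuota.post()</code> is the decision point a request handler would call, and the returned dictionary is what you would log when an IP crosses from throttling into the configured action.</p><p>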
If not overridden at the Virtual Host level, this setting can also be overridden in a user's docroot .htaccess file using Apache configuration directive <span class="val">WordPressProtect</span> with an integer value between 3 and 1000.</p> </article> </div> <div class="helpitem"><article class="ls-helpitem"><div><header id="enableCensorship"><h3>Enable WAF<span class="ls-permlink"><a href="#enableCensorship"></a></span><span class="top"><a href="#top">⇑</a></span></h3></header></div><h4>Description</h4><p>Specifies whether to enable request content deep inspection. This feature is equivalent to Apache's mod_security, which can be used to detect and block requests with ill intent by matching them to known signatures.</p> <h4>Syntax</h4><p>Select from radio box</p> </article> </div> <div class="helpitem"><article class="ls-helpitem"><div><header id="censorLogLevel"><h3>Log Level<span class="ls-permlink"><a href="#censorLogLevel"></a></span><span class="top"><a href="#top">⇑</a></span></h3></header></div><h4>Description</h4><p>Specifies the level of detail of the Web Application Firewall engine's debug output. This value ranges from <span class="val">0</span> - <span class="val">9</span>. <span class="val">0</span> disables logging. <span class="val">9</span> produces the most detailed log. The server and virtual host's error log <span class="tagl"><a href="ServGeneral_Help.html#log_logLevel">Log Level</a></span> must be set to at least <span class="val">INFO</span> for this option to take effect. 
This is useful when testing request filtering rules.</p> <h4>Syntax</h4><p>Integer number</p> <h4>See Also</h4><p class="ls-text-small">Server <span class="tagl"><a href="ServGeneral_Help.html#log_logLevel">Log Level</a></span>, Virtual Host <span class="tagl"><a href="VHGeneral_Help.html#vhlog_logLevel">Log Level</a></span></p> </article> </div> <div class="helpitem"><article class="ls-helpitem"><div><header id="defaultAction"><h3>Default Action<span class="ls-permlink"><a href="#defaultAction"></a></span><span class="top"><a href="#top">⇑</a></span></h3></header></div><h4>Description</h4><p>Specifies the default actions that should be taken when a censoring rule is met. Default value is <span class="val">deny,log,status:403</span>, which means to deny access with status code 403 and log the incident in the error log.</p> <h4>See Also</h4><p class="ls-text-small"><span class="tagl"><a href="#ruleSetAction">Rule Set Action</a></span></p> </article> </div> <div class="helpitem"><article class="ls-helpitem"><div><header id="scanPOST"><h3>Scan Request Body<span class="ls-permlink"><a href="#scanPOST"></a></span><span class="top"><a href="#top">⇑</a></span></h3></header></div><h4>Description</h4><p>Specifies whether to check the body of an HTTP POST request. Default is "No".</p> <h4>Syntax</h4><p>Select from radio box</p> </article> </div> <div class="helpitem"><article class="ls-helpitem"><div><header id="uploadTmpDir"><h3>Temporary File Path<span class="ls-permlink"><a href="#uploadTmpDir"></a></span><span class="top"><a href="#top">⇑</a></span></h3></header></div><h4>Description</h4><p>Temporary directory where files being uploaded to server will be stored while request body parser is working. 
Default value is <span class="val">/tmp</span>.</p> <h4>Syntax</h4><p>Absolute path or path starting with $SERVER_ROOT (for Server and VHost levels).</p> </article> </div> <div class="helpitem"><article class="ls-helpitem"><div><header id="uploadTmpFilePermission"><h3>Temporary File Permissions<span class="ls-permlink"><a href="#uploadTmpFilePermission"></a></span><span class="top"><a href="#top">⇑</a></span></h3></header></div><h4>Description</h4><p>Global setting determining file permissions used for files stored in the <b>Temporary File Path</b> directory.</p> <h4>Syntax</h4><p>3-digit octal number. Default value is 666.</p> </article> </div> <div class="helpitem"><article class="ls-helpitem"><div><header id="disableSecHtaccess"><h3>Disable .htaccess Override<span class="ls-permlink"><a href="#disableSecHtaccess"></a></span><span class="top"><a href="#top">⇑</a></span></h3></header></div><h4>Description</h4><p>Prevent .htaccess files from turning off the mod_security engine. This is a global setting only available at the server level. Default is "No".</p> <h4>Syntax</h4><p>Select from radio box</p> </article> </div> <div class="helpitem"><article class="ls-helpitem"><div><header id="secAuditLogEngine"><h3>Enable Security Audit Log<span class="ls-permlink"><a href="#secAuditLogEngine"></a></span><span class="top"><a href="#top">⇑</a></span></h3></header></div><h4>Description</h4><p>Specifies whether to enable audit logging and in what format (Native, JSON, or Pretty JSON). 
This feature is equivalent to Apache's mod_security audit engine.<br/><br/> If this setting is enabled and the <span class="tagl"><a href="#secAuditLog">Security Audit Log</a></span> setting is set, detailed request information will be saved.</p> <h4>Syntax</h4><p>Select from drop down list</p> <h4>See Also</h4><p class="ls-text-small"><span class="tagl"><a href="#secAuditLog">Security Audit Log</a></span></p> </article> </div> <div class="helpitem"><article class="ls-helpitem"><div><header id="secAuditLog"><h3>Security Audit Log<span class="ls-permlink"><a href="#secAuditLog"></a></span><span class="top"><a href="#top">⇑</a></span></h3></header></div><h4>Description</h4><p>Specifies the path of the security audit log, which gives more detailed information. This extra information can be useful if, for example, you wish to track the actions of a particular user. Use <span class="tagl"><a href="#secAuditLogEngine">Enable Security Audit Log</a></span> to turn on the logging.</p> <h4>Syntax</h4><p>Filename which can be an absolute path or a relative path to $SERVER_ROOT.</p> <h4>See Also</h4><p class="ls-text-small"><span class="tagl"><a href="#secAuditLogEngine">Enable Security Audit Log</a></span></p> </article> </div> <div class="helpitem"><article class="ls-helpitem"><div><header id="useRe2"><h3>Use RE2 regex engine<span class="ls-permlink"><a href="#useRe2"></a></span><span class="top"><a href="#top">⇑</a></span></h3></header></div><h4>Description</h4><p>Use RE2 when evaluating regular expressions instead of PCRE.<br/><br/> Default value: <span class="val">No</span></p> <h4>Syntax</h4><p>Select from radio box</p> <h4>Tips</h4><p><span title="Information" class="ls-icon-info"></span> While PCRE provides more features than RE2, RE2 allows for a defined maximum memory usage and has a more predictable runtime than PCRE making it more suited for use in server applications.<br/> <span title="Performance" class="ls-icon-performance"></span> Unlike PCRE, RE2 uses a fixed 
stack and guarantees that run-time increases linearly (not exponentially) with the size of the input.</p> </article> </div> <div class="helpitem"><article class="ls-helpitem"><div><header id="reqCensorshipRule"><h3>Web Application Firewall (WAF) Rule Set<span class="ls-permlink"><a href="#reqCensorshipRule"></a></span><span class="top"><a href="#top">⇑</a></span></h3></header></div><h4>Description</h4><p>Rules configured here only work for virtual hosts configured with a native LSWS configuration, not for virtual hosts using Apache httpd.conf.</p> </article> </div> <div class="helpitem"><article class="ls-helpitem"><div><header id="censorRuleSetName"><h3>Name<span class="ls-permlink"><a href="#censorRuleSetName"></a></span><span class="top"><a href="#top">⇑</a></span></h3></header></div><h4>Description</h4><p>Give a group of censorship rules a name. For display only.</p> <h4>Syntax</h4><p>String</p> </article> </div> <div class="helpitem"><article class="ls-helpitem"><div><header id="ruleSetAction"><h3>Rule Set Action<span class="ls-permlink"><a href="#ruleSetAction"></a></span><span class="top"><a href="#top">⇑</a></span></h3></header></div><h4>Description</h4><p>Specifies the actions that should be taken when a censoring rule in current ruleset is met. If not set, <span class="tagl"><a href="#defaultAction">Default Action</a></span> will be used.</p> <h4>Syntax</h4><p>String. This action string uses the same syntax as Apache's <a href=" https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#SecDefaultAction " target="_blank" rel="noopener noreferrer"> mod_security SecDefaultAction directive </a> .</p> </article> </div> <div class="helpitem"><article class="ls-helpitem"><div><header id="censorRuleSetEnabled"><h3>Enabled<span class="ls-permlink"><a href="#censorRuleSetEnabled"></a></span><span class="top"><a href="#top">⇑</a></span></h3></header></div><h4>Description</h4><p>Specifies whether to enable this rule set. 
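</p><p>The three settings just described fit together as one decision: when a rule in a rule set matches, the set's own Rule Set Action applies if set, otherwise Default Action, and a disabled set never fires. The parser and resolver below are an added example written for this page, not LiteSpeed or ModSecurity code. It reads the comma-separated action syntax of mod_security's SecDefaultAction (deny, drop, pass, allow, block, redirect, status, log, nolog, auditlog, noauditlog); the <code>RuleSet</code> records and the metadata names it skips are constructed for the example, and the 403 used when no status is given follows ModSecurity's documented default.</p>

```python
"""Parser for the action strings used by Default Action and Rule Set Action
(the mod_security SecDefaultAction syntax the page points to), plus the
fallback rule: a rule set without its own action uses Default Action, and a
disabled rule set never fires. Added example for this page, not LiteSpeed or
ModSecurity code; the RuleSet records below are constructed."""
from dataclasses import dataclass
from typing import Optional

DISRUPTIVE = ("deny", "drop", "pass", "allow", "block", "redirect")
METADATA = ("phase", "t", "id", "msg", "severity", "tag", "rev", "ver")


@dataclass(frozen=True)
class Action:
    disruptive: str              # deny, drop, pass, allow, block or redirect
    status: int                  # HTTP status sent with deny (403 if unspecified)
    log: bool                    # record the match in the error log
    auditlog: bool               # record the transaction in the audit log
    redirect: Optional[str] = None


def parse_action(spec: str) -> Action:
    """Parse e.g. "deny,log,status:403" into an Action; unknown names raise."""
    disruptive, status, log, audit, redirect = "pass", 403, True, True, None
    for raw in spec.split(","):
        item = raw.strip()
        if not item:
            continue
        name, _, value = item.partition(":")
        name, value = name.strip().lower(), value.strip().strip("'\"")
        if name in DISRUPTIVE:
            disruptive = name
            if name == "redirect":
                if not value:
                    raise ValueError("redirect needs a target URL")
                redirect = value
        elif name == "status":
            status = int(value)
            if not 100 <= status <= 599:
                raise ValueError(f"bad status {status}")
        elif name == "log":              # log implies auditlog in mod_security
            log = audit = True
        elif name == "nolog":            # nolog implies noauditlog
            log = audit = False
        elif name == "auditlog":
            audit = True
        elif name == "noauditlog":
            audit = False
        elif name in METADATA:           # carried by rules, irrelevant to the verdict
            continue
        else:
            raise ValueError(f"unknown action {name!r}")
    return Action(disruptive, status, log, audit, redirect)


@dataclass
class RuleSet:
    name: str                     # display only, as the Name setting says
    enabled: bool = True          # the Enabled toggle
    action: Optional[str] = None  # Rule Set Action; None means use Default Action


def on_match(rule_set: RuleSet,
             default_action: str = "deny,log,status:403") -> Optional[Action]:
    """Action taken when a rule in `rule_set` matches; None if the set is disabled."""
    if not rule_set.enabled:
        return None
    return parse_action(rule_set.action or default_action)


def describe(action: Action) -> str:
    """Human-readable verdict, e.g. for a detection dashboard."""
    if action.disruptive == "deny":
        verdict = f"deny with HTTP {action.status}"
    elif action.disruptive == "redirect":
        verdict = f"redirect to {action.redirect}"
    elif action.disruptive == "drop":
        verdict = "drop the connection"
    else:
        verdict = f"{action.disruptive} the request"
    logs = f"error log {'on' if action.log else 'off'}, audit log {'on' if action.auditlog else 'off'}"
    return f"{verdict}; {logs}"


if __name__ == "__main__":
    # constructed rule sets standing in for WebAdmin entries
    for rs in (RuleSet("core"),
               RuleSet("audit-only", action="pass,nolog,auditlog"),
               RuleSet("legacy", enabled=False)):
        act = on_match(rs)
        print(rs.name, "->", "disabled" if act is None else describe(act))
```

<p>The "audit-only" set shows the practical use of a per-set action: a new rule set can be run in observation mode (pass, audit log only) while the default for established sets stays at deny with 403, so detections are collected before blocking is switched on.</p><p>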
With this option, a rule set can be quickly turned on and off without adding or removing the rule set. Default is "Yes".</p> <h4>Syntax</h4><p>Select from radio box</p> </article> </div> <div class="helpitem"><article class="ls-helpitem"><div><header id="censorRuleSet"><h3>Rules Definition<span class="ls-permlink"><a href="#censorRuleSet"></a></span><span class="top"><a href="#top">⇑</a></span></h3></header></div><h4>Description</h4><p>Specifies a list of censorship rules.<br/><br/> If you are using an Apache config file, you have to set up rules in httpd.conf. Rules defined here will have no effect.</p> <h4>Syntax</h4><p>String. Syntax of censoring rules follows that of Apache's mod_security directives. "SecFilter", "SecFilterSelective", and "SecRule" can be used here. You can copy and paste security rules from an Apache configuration file.<br/><br/> For more details about rule syntax, please refer to the <a href="http://www.modsecurity.org/documentation/index.html" target="_blank" rel="noopener noreferrer">Mod Security documentation</a>.</p> <h4>Tips</h4><p><span title="Information" class="ls-icon-info"></span> Rules configured here only work for vhosts configured in native LSWS configuration, not for vhosts from Apache httpd.conf.</p> </article> </div> <div class="helpitem"><article class="ls-helpitem"><div><header id="perClientConnLimit"><h3>Per Client Throttling<span class="ls-permlink"><a href="#perClientConnLimit"></a></span><span class="top"><a href="#top">⇑</a></span></h3></header></div><h4>Description</h4><p>These connection control settings are based on client IP. 
These settings help to mitigate DoS (Denial of Service) and DDoS (Distributed Denial of Service) attacks.</p> </article> </div> <div class="helpitem"><article class="ls-helpitem"><div><header id="staticReqPerSec"><h3>Static Requests/Second<span class="ls-permlink"><a href="#staticReqPerSec"></a></span><span class="top"><a href="#top">⇑</a></span></h3></header></div><h4>Description</h4><p>Specifies the maximum number of requests to static content coming from a single IP address that can be processed in a single second regardless of the number of connections established.<br/><br/> When this limit is reached, all future requests are tar-pitted until the next second. Request limits for dynamically generated content are independent of this limit. Per-client request limits can be set at server- or virtual host-level. Virtual host-level settings override server-level settings.</p> <h4>Syntax</h4><p>Integer number</p> <h4>Tips</h4><p><span title="Security" class="ls-icon-security"></span> Trusted IPs or sub-networks are not affected.</p> <h4>See Also</h4><p class="ls-text-small"><span class="tagl"><a href="#dynReqPerSec">Dynamic Requests/Second</a></span></p> </article> </div> <div class="helpitem"><article class="ls-helpitem"><div><header id="dynReqPerSec"><h3>Dynamic Requests/Second<span class="ls-permlink"><a href="#dynReqPerSec"></a></span><span class="top"><a href="#top">⇑</a></span></h3></header></div><h4>Description</h4><p>Specifies the maximum number of requests to dynamically generated content coming from a single IP address that can be processed in each second regardless of the number of connections established. When this limit is reached, all future requests to dynamic content are tar-pitted until the next second.<br/><br/> The request limit for static content is independent of this limit. This per client request limit can be set at server or virtual host level. 
Virtual host-level settings override server-level settings.</p> <h4>Syntax</h4><p>Integer number</p> <h4>Tips</h4><p><span title="Security" class="ls-icon-security"></span> Trusted IPs or sub-networks are not restrained by this limit.</p> <h4>See Also</h4><p class="ls-text-small"><span class="tagl"><a href="#staticReqPerSec">Static Requests/Second</a></span></p> </article> </div> <div class="helpitem"><article class="ls-helpitem"><div><header id="outBandwidth"><h3>Outbound Bandwidth (bytes/sec)<span class="ls-permlink"><a href="#outBandwidth"></a></span><span class="top"><a href="#top">⇑</a></span></h3></header></div><h4>Description</h4><p>The maximum allowed outgoing throughput to a single IP address, regardless of the number of connections established. The real bandwidth may end up being slightly higher than this setting for efficiency reasons. Bandwidth is allocated in 4KB units. Set to <span class="val">0</span> to disable throttling. Per-client bandwidth limits (bytes/sec) can be set at the server or virtual host level where virtual host level settings override server level settings.</p> <h4>Syntax</h4><p>Integer number</p> <h4>Tips</h4><p><span title="Performance" class="ls-icon-performance"></span> Set the bandwidth in 8KB units for better performance.<br/><br/> <span title="Security" class="ls-icon-security"></span> Trusted IPs or sub-networks are not affected.</p> <h4>See Also</h4><p class="ls-text-small"><span class="tagl"><a href="#inBandwidth">Inbound Bandwidth (bytes/sec)</a></span></p> </article> </div> <div class="helpitem"><article class="ls-helpitem"><div><header id="inBandwidth"><h3>Inbound Bandwidth (bytes/sec)<span class="ls-permlink"><a href="#inBandwidth"></a></span><span class="top"><a href="#top">⇑</a></span></h3></header></div><h4>Description</h4><p>The maximum allowed incoming throughput from a single IP address, regardless of the number of connections established. 
The real bandwidth may end up being slightly higher than this setting for efficiency reasons. Bandwidth is allocated in 1KB units. Set to <span class="val">0</span> to disable throttling. Per-client bandwidth limits (bytes/sec) can be set at the server or virtual host level where virtual host level settings override server level settings.</p> <h4>Syntax</h4><p>Integer number</p> <h4>Tips</h4><p><span title="Security" class="ls-icon-security"></span> Trusted IPs or sub-networks are not affected.</p> <h4>See Also</h4><p class="ls-text-small"><span class="tagl"><a href="#outBandwidth">Outbound Bandwidth (bytes/sec)</a></span></p> </article> </div> <div class="helpitem"><article class="ls-helpitem"><div><header id="softLimit"><h3>Connection Soft Limit<span class="ls-permlink"><a href="#softLimit"></a></span><span class="top"><a href="#top">⇑</a></span></h3></header></div><h4>Description</h4><p>Specifies the soft limit of concurrent connections allowed from one IP. This soft limit can be exceeded temporarily during <span class="tagl"><a href="#gracePeriod">Grace Period (sec)</a></span> as long as the number is below the <span class="tagl"><a href="#hardLimit">Connection Hard Limit</a></span>, but Keep-Alive connections will be closed as soon as possible until the number of connections is lower than the limit. If the number of connections is still over the limit after the <span class="tagl"><a href="#gracePeriod">Grace Period (sec)</a></span>, that IP will be blocked for the <span class="tagl"><a href="#banPeriod">Banned Period (sec)</a></span>.<br/><br/> For example, if a page contains many small images, the browser may try to set up many connections at the same time, especially for HTTP/1.0 clients. You would want to allow those connections for a short period.<br/><br/> HTTP/1.1 clients may also set up multiple connections to speed up downloading and SSL requires separate connections from non-SSL connections. 
Make sure the limit is set properly, so as not to adversely affect normal service. The recommended limit is between <span class="val">5</span> and <span class="val">10</span>.</p> <h4>Syntax</h4><p>Integer number</p> <h4>Tips</h4><p><span title="Security" class="ls-icon-security"></span> A lower number will enable serving more distinct clients.<br/> <span title="Security" class="ls-icon-security"></span> Trusted IPs or sub-networks are not affected.<br/> <span title="Performance" class="ls-icon-performance"></span> Set to a high value when you are performing benchmark tests with a large number of concurrent client machines.</p> </article> </div> <div class="helpitem"><article class="ls-helpitem"><div><header id="hardLimit"><h3>Connection Hard Limit<span class="ls-permlink"><a href="#hardLimit"></a></span><span class="top"><a href="#top">⇑</a></span></h3></header></div><h4>Description</h4><p>Specifies the maximum number of allowed concurrent connections from a single IP address. This limit is always enforced and a client will never be able to exceed this limit. HTTP/1.0 clients usually try to set up as many connections as they need to download embedded content at the same time. This limit should be set high enough so that HTTP/1.0 clients can still access the site. 
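</p><p>The interplay of Connection Soft Limit, Grace Period, Connection Hard Limit and Banned Period, together with the per-second tar-pit of Static Requests/Second, is easier to reason about as a small per-IP state machine. The simulation below is an added example written for this page, not LiteSpeed's own code. It follows the rules the page states (soft limit exceedable only within the grace period and only below the hard limit, idle keep-alive connections closed first, a ban when still over the soft limit after the grace period, trusted IPs exempt); what happens to a banned client's already-open connections and the order in which idle connections are shed are assumptions marked in the code, and the client addresses are constructed documentation-range IPs.</p>

```python
"""Simulation of the Per Client Throttling controls: Connection Soft Limit,
Grace Period, Connection Hard Limit, Banned Period and Static Requests/Second.
Added example for this page, not LiteSpeed code; the treatment of existing
connections at ban time and the keep-alive shedding order are assumptions."""
from dataclasses import dataclass
from typing import Optional


@dataclass
class _Client:
    open: int = 0                            # established connections
    idle: int = 0                            # of those, idle keep-alive ones
    over_soft_since: Optional[float] = None  # start of the grace period
    banned_until: float = 0.0
    req_second: int = -1                     # wall-clock second being counted
    req_count: int = 0                       # static requests in that second


class PerClientThrottle:
    def __init__(self, soft_limit: int = 10, hard_limit: int = 50,
                 grace_period: float = 15, ban_period: float = 300,
                 static_rps: int = 0, trusted=()) -> None:
        self.soft, self.hard = soft_limit, hard_limit
        self.grace, self.ban = grace_period, ban_period
        self.static_rps = static_rps           # 0 disables the request limit
        self.trusted = set(trusted)            # never throttled or banned
        self._clients: dict = {}

    def _client(self, ip: str) -> _Client:
        return self._clients.setdefault(ip, _Client())

    def _grace_expired(self, c: _Client, now: float) -> bool:
        """Ban the client if it is still over the soft limit after the grace period."""
        if c.over_soft_since is None or now - c.over_soft_since <= self.grace:
            return False
        c.over_soft_since = None
        if c.open <= self.soft:
            return False
        c.banned_until = now + self.ban
        # ASSUMPTION: a banned client's existing connections are closed too.
        c.open = c.idle = 0
        return True

    def is_banned(self, ip: str, now: float) -> bool:
        c = self._client(ip)
        self._grace_expired(c, now)
        return now < c.banned_until

    def connect(self, ip: str, now: float) -> str:
        """Verdict for a new connection: 'accept', 'reject' (hard limit) or 'banned'."""
        c = self._client(ip)
        if ip in self.trusted:
            c.open += 1
            return "accept"
        if now < c.banned_until or self._grace_expired(c, now):
            return "banned"
        if c.open >= self.hard:
            return "reject"                    # the hard limit is always enforced
        if c.open + 1 > self.soft:
            # over the soft limit: close idle keep-alive connections first
            # (ASSUMPTION: idle ones are shed before the new one is counted)
            shed = min(c.idle, c.open + 1 - self.soft)
            c.idle -= shed
            c.open -= shed
            if c.open + 1 > self.soft and c.over_soft_since is None:
                c.over_soft_since = now        # grace period starts now
        c.open += 1
        return "accept"

    def mark_idle(self, ip: str) -> None:
        c = self._client(ip)
        c.idle = min(c.open, c.idle + 1)

    def disconnect(self, ip: str) -> None:
        c = self._client(ip)
        c.open = max(0, c.open - 1)
        c.idle = min(c.idle, c.open)
        if c.open <= self.soft:
            c.over_soft_since = None           # back under the limit: no ban

    def open_connections(self, ip: str) -> int:
        return self._client(ip).open

    def static_request(self, ip: str, now: float) -> str:
        """'serve', or 'tarpit' once the per-second static request limit is hit."""
        if self.static_rps <= 0 or ip in self.trusted:
            return "serve"
        c = self._client(ip)
        if c.req_second != int(now):
            c.req_second, c.req_count = int(now), 0  # new second, fresh count
        c.req_count += 1
        return "serve" if c.req_count <= self.static_rps else "tarpit"
```

<p>With a soft limit of 5, a hard limit of 8 and a 10-second grace period, a client that opens eight connections at once is accepted, has its ninth rejected, and is banned once the grace period passes with the count still above 5; a client whose extra connections are idle keep-alives never enters the grace period, because shedding them brings it back under the soft limit. That is the behaviour the recommended ranges (5 to 10 soft, 20 to 50 hard) are meant to leave room for.</p><p>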
Use <span class="tagl"><a href="#softLimit">Connection Soft Limit</a></span> to set the desired connection limit.<br/><br/> The recommended limit is between <span class="val">20</span> and <span class="val">50</span> depending on the content of your web page and your traffic load.</p> <h4>Syntax</h4><p>Integer number</p> <h4>Tips</h4><p><span title="Security" class="ls-icon-security"></span> A lower number will enable serving more distinct clients.<br/> <span title="Security" class="ls-icon-security"></span> Trusted IPs or sub-networks are not affected.<br/> <span title="Performance" class="ls-icon-performance"></span> Set to a high value when you are performing benchmark tests with a large number of concurrent client machines.</p> </article> </div> <div class="helpitem"><article class="ls-helpitem"><div><header id="blockBadReq"><h3>Block Bad Request<span class="ls-permlink"><a href="#blockBadReq"></a></span><span class="top"><a href="#top">⇑</a></span></h3></header></div><h4>Description</h4><p>Block, for the <span class="tagl"><a href="#banPeriod">Banned Period (sec)</a></span>, IPs that keep sending badly-formatted HTTP requests. Default is <span class="val">Yes</span>. This helps to block botnet attacks that repeatedly send junk requests.</p> <h4>Syntax</h4><p>Select from radio box</p> </article> </div> <div class="helpitem"><article class="ls-helpitem"><div><header id="gracePeriod"><h3>Grace Period (sec)<span class="ls-permlink"><a href="#gracePeriod"></a></span><span class="top"><a href="#top">⇑</a></span></h3></header></div><h4>Description</h4><p>Specifies how long new connections can be accepted after the number of connections established from one IP is over the <span class="tagl"><a href="#softLimit">Connection Soft Limit</a></span>. Within this period, new connections will be accepted if the total number of connections is still below the <span class="tagl"><a href="#hardLimit">Connection Hard Limit</a></span>. 
After this period has elapsed, if the number of connections is still higher than the <span class="tagl"><a href="#softLimit">Connection Soft Limit</a></span>, then the offending IP will be blocked for the <span class="tagl"><a href="#banPeriod">Banned Period (sec)</a></span>.</p> <h4>Syntax</h4><p>Integer number</p> <h4>Tips</h4><p><span title="Performance" class="ls-icon-performance"></span><span title="Security" class="ls-icon-security"></span> Set to a value long enough for a complete page to be downloaded but short enough to limit deliberate attacks.</p> </article> </div> <div class="helpitem"><article class="ls-helpitem"><div><header id="banPeriod"><h3>Banned Period (sec)<span class="ls-permlink"><a href="#banPeriod"></a></span><span class="top"><a href="#top">⇑</a></span></h3></header></div><h4>Description</h4><p>Specifies how long new connections will be rejected from an IP if, after the <span class="tagl"><a href="#gracePeriod">Grace Period (sec)</a></span> has elapsed, the number of connections is still more than the <span class="tagl"><a href="#softLimit">Connection Soft Limit</a></span>. If IPs are getting banned repeatedly, we suggest that you increase your banned period to stiffen the penalty for abuse.</p> <h4>Syntax</h4><p>Integer number</p> </article> </div> <div class="helpitem"><article class="ls-helpitem"><div><header id="followSymbolLink"><h3>Follow Symbolic Link<span class="ls-permlink"><a href="#followSymbolLink"></a></span><span class="top"><a href="#top">⇑</a></span></h3></header></div><h4>Description</h4><p>Specifies the server-level default setting of following symbolic links when serving static files.<br/><br/> Choices are <span class="val">Yes</span>, <span class="val">If Owner Match</span> and <span class="val">No</span>.<br/><br/> <span class="val">Yes</span> sets the server to always follow symbolic links. 
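</p> <p>The connection soft limit, hard limit, grace period and banned period described above act together on every new connection from one IP. The following is an added example, not LiteSpeed code: a small Python model of that policy as the manual states it, run against a constructed timeline for one client address (203.0.113.7 is a documentation address) and one trusted address. The periodic re-check is modelled by <span class="cmd">tick()</span>, an assumption about how the grace period is evaluated; the manual does not say whether existing connections are closed when a ban starts, so the model leaves them open.</p>

```python
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Limits:
    soft: int = 10                       # Connection Soft Limit
    hard: int = 50                       # Connection Hard Limit
    grace: float = 15.0                  # Grace Period (sec)
    ban: float = 300.0                   # Banned Period (sec)
    trusted: frozenset = frozenset()     # trusted IPs are never limited


@dataclass
class ClientState:
    conns: int = 0
    over_soft_since: Optional[float] = None   # when the soft limit was first exceeded
    banned_until: float = 0.0


class PerIpLimiter:
    """Model of the per-IP policy: the soft limit may be exceeded for one grace
    period, the hard limit never; still over the soft limit after grace means a ban."""

    def __init__(self, limits: Limits):
        self.limits = limits
        self.clients: Dict[str, ClientState] = {}

    def _ban_if_grace_expired(self, st: ClientState, now: float) -> bool:
        if st.over_soft_since is None or now - st.over_soft_since < self.limits.grace:
            return False
        st.over_soft_since = None
        if st.conns > self.limits.soft:
            st.banned_until = now + self.limits.ban
            return True
        return False

    def connect(self, ip: str, now: float) -> str:
        """Outcome of a new connection attempt: accept, reject-hard or reject-banned."""
        if ip in self.limits.trusted:
            return "accept"
        st = self.clients.setdefault(ip, ClientState())
        if now < st.banned_until or self._ban_if_grace_expired(st, now):
            return "reject-banned"
        if st.conns >= self.limits.hard:          # hard limit is never exceeded
            return "reject-hard"
        st.conns += 1
        if st.conns > self.limits.soft and st.over_soft_since is None:
            st.over_soft_since = now              # grace period starts
        return "accept"

    def disconnect(self, ip: str) -> None:
        st = self.clients[ip]
        st.conns = max(0, st.conns - 1)
        if st.conns <= self.limits.soft:
            st.over_soft_since = None             # back under soft limit: timer cleared

    def keepalive_should_close(self, ip: str) -> bool:
        """While over the soft limit the server closes keep-alive connections early."""
        st = self.clients.get(ip)
        return st is not None and st.conns > self.limits.soft

    def tick(self, now: float) -> List[str]:
        """Periodic check standing in for the server's timer; returns IPs banned now."""
        return [ip for ip, st in self.clients.items() if self._ban_if_grace_expired(st, now)]


def run_demo():
    """Constructed timeline (seconds) for one abusive client and one trusted address."""
    lim = PerIpLimiter(Limits(soft=5, hard=20, grace=10, ban=60, trusted=frozenset({"10.0.0.9"})))
    a = "203.0.113.7"                                   # constructed client address
    out = {}
    out["burst_8"] = [lim.connect(a, now=0) for _ in range(8)]         # 3 over soft, under hard
    out["keepalive_close_after_burst"] = lim.keepalive_should_close(a)
    out["burst_15_more"] = [lim.connect(a, now=5) for _ in range(15)]  # hard limit bites at 20
    for _ in range(16):
        lim.disconnect(a)                               # down to 4 before grace runs out
    out["ban_after_closing"] = lim.tick(now=12)
    for _ in range(8):
        lim.connect(a, now=20)                          # 12 open again, held this time
    out["ban_after_grace"] = lim.tick(now=31)
    out["while_banned"] = lim.connect(a, now=40)
    for _ in range(12):
        lim.disconnect(a)
    out["after_ban"] = lim.connect(a, now=100)
    out["trusted"] = {lim.connect("10.0.0.9", now=0) for _ in range(100)}
    return out
```

<p>Calling <span class="cmd">run_demo()</span> shows the decisions: the burst of 8 at t=0 is accepted (soft limit 5, hard limit 20), attempts beyond 20 concurrent connections are rejected outright, closing connections before the grace period ends avoids the ban, while holding 12 open past the 10-second grace bans the address for 60 seconds, and the trusted address is never limited.</p> <p>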
<span class="val">If Owner Match</span> sets the server to follow a symbolic link only if the owner of the link and the owner of the target are the same. <span class="val">No</span> means the server will never follow a symbolic link. This setting can be overridden in the virtual host configurations but cannot be overridden from an .htaccess file.</p> <h4>Syntax</h4><p>Select from drop down list</p> <h4>Tips</h4><p><span title="Performance" class="ls-icon-performance"></span><span title="Security" class="ls-icon-security"></span> For best security select <span class="val">No</span> or <span class="val">If Owner Match</span>. For best performance, select <span class="val">Yes</span>.</p> <h4>See Also</h4><p class="ls-text-small"><span class="tagl"><a href="#checkSymbolLink">Check Symbolic Link</a></span>.</p> </article> </div> <div class="helpitem"><article class="ls-helpitem"><div><header id="checkSymbolLink"><h3>Check Symbolic Link<span class="ls-permlink"><a href="#checkSymbolLink"></a></span><span class="top"><a href="#top">⇑</a></span></h3></header></div><h4>Description</h4><p>Specifies whether to check symbolic links against <span class="tagl"><a href="#accessDenyDir">Access Denied Directories</a></span> when <span class="tagl"><a href="#followSymbolLink">Follow Symbolic Link</a></span> is turned on. If enabled, the canonical real path of the resource referred to by a URL will be checked against the configured access denied directories. Access will be denied if it falls inside an access denied directory.</p> <h4>Syntax</h4><p>Select from radio box</p> <h4>Tips</h4><p><span title="Performance" class="ls-icon-performance"></span><span title="Security" class="ls-icon-security"></span> For best security, enable this option. 
For best performance, disable it.</p> <h4>See Also</h4><p class="ls-text-small"><span class="tagl"><a href="#followSymbolLink">Follow Symbolic Link</a></span>, <span class="tagl"><a href="#accessDenyDir">Access Denied Directories</a></span></p> </article> </div> <div class="helpitem"><article class="ls-helpitem"><div><header id="forceStrictOwnership"><h3>Force Strict Ownership Checking<span class="ls-permlink"><a href="#forceStrictOwnership"></a></span><span class="top"><a href="#top">⇑</a></span></h3></header></div><h4>Description</h4><p>Specifies whether to enforce strict file ownership checking. If it is enabled, the web server will check if the owner of the file being served is the same as the owner of the virtual host. If it is different, a 403 Access Denied Error will be returned. This is turned off by default.</p> <h4>Syntax</h4><p>Select from radio box</p> <h4>Tips</h4><p><span title="Security" class="ls-icon-security"></span> For shared hosting, enable this check for better security.</p> </article> </div> <div class="helpitem"><article class="ls-helpitem"><div><header id="requiredPermissionMask"><h3>Required Permission Mask<span class="ls-permlink"><a href="#requiredPermissionMask"></a></span><span class="top"><a href="#top">⇑</a></span></h3></header></div><h4>Description</h4><p>Specifies the required permission mask for static files that the server will serve. For example, if only files that are readable by everyone can be served, set the value to <span class="val">0004</span>. 
See <span class="cmd">man 2 stat</span> for all values.</p> <h4>Syntax</h4><p>octal numbers</p> <h4>See Also</h4><p class="ls-text-small"><span class="tagl"><a href="#restrictedPermissionMask">Restricted Permission Mask</a></span>.</p> </article> </div> <div class="helpitem"><article class="ls-helpitem"><div><header id="restrictedPermissionMask"><h3>Restricted Permission Mask<span class="ls-permlink"><a href="#restrictedPermissionMask"></a></span><span class="top"><a href="#top">⇑</a></span></h3></header></div><h4>Description</h4><p>Specifies the restricted permission mask for static files that the server will not serve. For example, to prohibit serving files that are executable, set the mask to <span class="val">0111</span>.<br/><br/> See <span class="cmd">man 2 stat</span> for all values.</p> <h4>Syntax</h4><p>octal numbers</p> <h4>See Also</h4><p class="ls-text-small"><span class="tagl"><a href="#requiredPermissionMask">Required Permission Mask</a></span>.</p> </article> </div> <div class="helpitem"><article class="ls-helpitem"><div><header id="restrictedScriptPermissionMask"><h3>Script Restricted Permission Mask<span class="ls-permlink"><a href="#restrictedScriptPermissionMask"></a></span><span class="top"><a href="#top">⇑</a></span></h3></header></div><h4>Description</h4><p>Specifies the restricted permission mask for script files that the server will not serve. For example, to prohibit serving PHP scripts that are group and world writable, set the mask to <span class="val">022</span>. 
Default value is <span class="val">000</span>.<br/><br/> See <span class="cmd">man 2 stat</span> for all values.</p> <h4>Syntax</h4><p>octal numbers</p> <h4>See Also</h4><p class="ls-text-small"><span class="tagl"><a href="#restrictedDirPermissionMask">Script Directory Restricted Permission Mask</a></span>.</p> </article> </div> <div class="helpitem"><article class="ls-helpitem"><div><header id="restrictedDirPermissionMask"><h3>Script Directory Restricted Permission Mask<span class="ls-permlink"><a href="#restrictedDirPermissionMask"></a></span><span class="top"><a href="#top">⇑</a></span></h3></header></div><h4>Description</h4><p>Specifies the restricted permission mask of parent directories of script files that the server will not serve. For example, to prohibit serving PHP scripts in a directory that is group and world writable, set the mask to <span class="val">022</span>. Default value is <span class="val">000</span>. This option can be used to prevent serving scripts under a directory of uploaded files.<br/><br/> See <span class="cmd">man 2 stat</span> for all values.</p> <h4>Syntax</h4><p>octal numbers</p> <h4>See Also</h4><p class="ls-text-small"><span class="tagl"><a href="#restrictedScriptPermissionMask">Script Restricted Permission Mask</a></span>.</p> </article> </div> <div class="helpitem"><article class="ls-helpitem"><div><header id="cgiResource"><h3>CGI Settings<span class="ls-permlink"><a href="#cgiResource"></a></span><span class="top"><a href="#top">⇑</a></span></h3></header></div><h4>Description</h4><p>The following settings control CGI processes. 
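</p> <p>How Follow Symbolic Link, Check Symbolic Link, Force Strict Ownership Checking, the four permission masks and Access Denied Directories combine for one request is easier to see in code. The following added example, written for this page and not LiteSpeed's implementation, models those rules in Python over a throw-away directory tree that it builds itself. The tree, the policy values and the <span class="cmd">deny: ...</span> reason strings are constructed for the demonstration, and the order in which the checks run is this example's assumption.</p>

```python
import os
import stat
import tempfile
from dataclasses import dataclass


@dataclass
class StaticPolicy:
    follow_symlink: str = "If Owner Match"   # Follow Symbolic Link: "Yes" | "If Owner Match" | "No"
    check_symlink: bool = True               # Check Symbolic Link
    force_strict_ownership: bool = False     # Force Strict Ownership Checking
    required_mask: int = 0o004               # Required Permission Mask (bits a file must have)
    restricted_mask: int = 0o111             # Restricted Permission Mask (bits a file must not have)
    access_deny_dirs: tuple = ()             # Access Denied Directories; trailing "*" = subtree


def in_denied_dir(path, deny_dirs, resolve=os.path.normpath):
    """True if `path` falls in a denied directory. An entry ending in "*" covers the
    whole subtree; otherwise only files directly inside the directory are covered.
    `resolve` is normpath for the literal path and realpath for a symlink target."""
    path = resolve(path)
    for entry in deny_dirs:
        recursive = entry.endswith("*")
        base = resolve(entry.rstrip("*").rstrip(os.sep) or os.sep)
        if recursive and (path == base or path.startswith(base.rstrip(os.sep) + os.sep)):
            return True
        if not recursive and os.path.dirname(path) == base:
            return True
    return False


def static_file_decision(path, policy, vhost_uid):
    """'allow', or 'deny: reason', for a static file request. The check order is
    this example's assumption, not documented server behaviour."""
    st = os.lstat(path)
    if in_denied_dir(path, policy.access_deny_dirs):
        return "deny: inside an access denied directory"
    if stat.S_ISLNK(st.st_mode):
        if policy.follow_symlink == "No":
            return "deny: symbolic links are not followed"
        target = os.stat(path)                      # stat() follows the link, lstat() did not
        if policy.follow_symlink == "If Owner Match" and target.st_uid != st.st_uid:
            return "deny: link owner differs from target owner"
        if policy.check_symlink and in_denied_dir(path, policy.access_deny_dirs, os.path.realpath):
            return "deny: link target inside an access denied directory"
        st = target
    if policy.force_strict_ownership and st.st_uid != vhost_uid:
        return "deny: 403, file owner is not the virtual host owner"
    mode = stat.S_IMODE(st.st_mode)
    if (mode & policy.required_mask) != policy.required_mask:
        return "deny: required permission bits missing"
    if mode & policy.restricted_mask:
        return "deny: restricted permission bits set"
    return "allow"


def script_decision(path, script_mask=0o022, script_dir_mask=0o022):
    """Script Restricted Permission Mask and Script Directory Restricted Permission
    Mask: refuse a script if it, or its parent directory, has any bit of the mask."""
    fmode = stat.S_IMODE(os.stat(path).st_mode)
    dmode = stat.S_IMODE(os.stat(os.path.dirname(path)).st_mode)
    if fmode & script_mask:
        return "deny: script is group/world writable"
    if dmode & script_dir_mask:
        return "deny: script directory is group/world writable"
    return "allow"


def run_demo():
    """Build a constructed tree under a temporary directory and return the decisions."""
    root = tempfile.mkdtemp()
    docroot, secret = os.path.join(root, "docroot"), os.path.join(root, "secret")
    uploads = os.path.join(docroot, "uploads")
    for d, mode in ((docroot, 0o755), (secret, 0o755), (uploads, 0o777)):
        os.mkdir(d)
        os.chmod(d, mode)                           # explicit, so the umask cannot interfere

    def mk(rel, mode):
        p = os.path.join(root, rel)
        with open(p, "wb") as f:
            f.write(b"constructed content\n")
        os.chmod(p, mode)
        return p

    index = mk("docroot/index.html", 0o644)
    private = mk("docroot/private.txt", 0o640)
    tool = mk("docroot/tool", 0o755)
    conf = mk("secret/db.conf", 0o644)             # sensitive file outside the docroot
    app = mk("docroot/app.php", 0o644)
    shell = mk("docroot/uploads/shell.php", 0o644)
    leak = os.path.join(docroot, "leak.txt")
    os.symlink(conf, leak)                          # link from the docroot into the secret dir

    policy = StaticPolicy(access_deny_dirs=(secret + "*",))
    lax = StaticPolicy(check_symlink=False, access_deny_dirs=(secret + "*",))
    strict = StaticPolicy(force_strict_ownership=True)
    me = os.getuid()
    return {
        "index.html": static_file_decision(index, policy, me),
        "private.txt 0640": static_file_decision(private, policy, me),
        "tool 0755": static_file_decision(tool, policy, me),
        "leak.txt -> secret/db.conf": static_file_decision(leak, policy, me),
        "leak.txt, check symlink off": static_file_decision(leak, lax, me),
        "index.html, strict ownership, other owner": static_file_decision(index, strict, me + 1),
        "app.php": script_decision(app),
        "uploads/shell.php, dir 0777": script_decision(shell),
    }
```

<p>Two results from <span class="cmd">run_demo()</span> are worth noting. The symbolic link from the document root into the denied directory is served as soon as Check Symbolic Link is off, because the literal path looks harmless and only the resolved path reveals the target. And a script that is itself mode 0644 is still refused when it sits in a 0777 uploads directory, which is exactly the uploaded-file case the Script Directory Restricted Permission Mask is meant for.</p> <p>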
Memory and process limits also serve as the default for other external applications if limits have not been set explicitly for those applications.</p> </article> </div> <div class="helpitem"><article class="ls-helpitem"><div><header id="cgidSock"><h3>CGI Daemon Socket<span class="ls-permlink"><a href="#cgidSock"></a></span><span class="top"><a href="#top">⇑</a></span></h3></header></div><h4>Description</h4><p>A unique socket address used to communicate with the CGI daemon. LiteSpeed server uses a standalone CGI daemon to spawn CGI scripts for best performance and security. If you need to change this location, specify a Unix domain socket here.<br/><br/> Default value: <span class="val">uds://$SERVER_ROOT/admin/lscgid/.cgid.sock</span></p> <h4>Syntax</h4><p>UDS://path</p> <h4>Example</h4><div class="ls-example">UDS://tmp/lshttpd/cgid.sock</div></article> </div> <div class="helpitem"><article class="ls-helpitem"><div><header id="maxCGIInstances"><h3>Max CGI Instances<span class="ls-permlink"><a href="#maxCGIInstances"></a></span><span class="top"><a href="#top">⇑</a></span></h3></header></div><h4>Description</h4><p>Specifies the maximum number of concurrent CGI processes the server can start. For each request to a CGI script, the server needs to start a standalone CGI process. On a Unix system, the number of concurrent processes is limited. Excessive concurrent processes will degrade the performance of the whole system and are one way to perform a DoS attack. LiteSpeed server pipelines requests to CGI scripts and limits concurrent CGI processes to ensure the optimal performance and reliability. The hard limit is <span class="val">2000</span>.</p> <h4>Syntax</h4><p>Integer number</p> <h4>Tips</h4><p><span title="Security" class="ls-icon-security"></span><span title="Performance" class="ls-icon-performance"></span> A higher limit does not necessarily translate to faster performance. In most cases, a lower limit gives better performance and security. 
A higher limit will only help when I/O latency is excessive during CGI processing.</p> </article> </div> <div class="helpitem"><article class="ls-helpitem"><div><header id="minUID"><h3>Minimum UID<span class="ls-permlink"><a href="#minUID"></a></span><span class="top"><a href="#top">⇑</a></span></h3></header></div><h4>Description</h4><p>Specifies the minimum user ID allowed to run external applications when running as a specified user. Execution of an external script with a user ID lower than the value specified here will be denied.</p> <h4>Syntax</h4><p>Integer number</p> <h4>Tips</h4><p><span title="Security" class="ls-icon-security"></span> Set it high enough to exclude all system/privileged users.</p> </article> </div> <div class="helpitem"><article class="ls-helpitem"><div><header id="minGID"><h3>Minimum GID<span class="ls-permlink"><a href="#minGID"></a></span><span class="top"><a href="#top">⇑</a></span></h3></header></div><h4>Description</h4><p>Specifies the minimum group ID allowed to run external applications when running as a specified group. Execution of an external script with a group ID lower than the value specified here will be denied.</p> <h4>Syntax</h4><p>Integer number</p> <h4>Tips</h4><p><span title="Security" class="ls-icon-security"></span> Set it high enough to exclude all groups used by system users.</p> </article> </div> <div class="helpitem"><article class="ls-helpitem"><div><header id="forceGID"><h3>Force GID<span class="ls-permlink"><a href="#forceGID"></a></span><span class="top"><a href="#top">⇑</a></span></h3></header></div><h4>Description</h4><p>Specifies a group ID to be used for all external applications started in suEXEC mode. When set to non-zero value, all suEXEC external applications (CGI/FastCGI/LSAPI) will use this group ID. This can be used to prevent an external application from accessing files owned by other users.<br/><br/> For example, in a shared hosting environment, LiteSpeed runs as user "www-data", group "www-data". 
Each docroot is owned by a user account, with a group of "www-data" and permission mode 0750. If Force GID is set to "nogroup" (or any group other than 'www-data'), all suEXEC external applications will run as a particular user but in the group "nogroup". These external application processes will still be able to access files owned by that particular user (because of their user ID), but will not have group permission to access anyone else's files. The server, on the other hand, still can serve files under any user's docroot directory (because of its group ID).</p> <h4>Syntax</h4><p>Integer number</p> <h4>Tips</h4><p><span title="Security" class="ls-icon-security"></span> Set it high enough to exclude all groups used by system users.</p> </article> </div> <div class="helpitem"><article class="ls-helpitem"><div><header id="umask"><h3>umask<span class="ls-permlink"><a href="#umask"></a></span><span class="top"><a href="#top">⇑</a></span></h3></header></div><h4>Description</h4><p>Sets default umask for CGI processes. See <span class="cmd"> man 2 umask </span> for details. This also serves as the default value for external applications <span class="tagl"><a href="ExtApp_Help.html#extUmask">umask</a></span>.</p> <h4>Syntax</h4><p>value valid range [000]-[777].</p> <h4>See Also</h4><p class="ls-text-small">ExtApp <span class="tagl"><a href="ExtApp_Help.html#extUmask">umask</a></span></p> </article> </div> <div class="helpitem"><article class="ls-helpitem"><div><header id="CGIPriority"><h3>CGI Priority<span class="ls-permlink"><a href="#CGIPriority"></a></span><span class="top"><a href="#top">⇑</a></span></h3></header></div><h4>Description</h4><p>Specifies priority of the external application process. Value ranges from <span class="val">-20</span> to <span class="val">20</span>. A lower number means a higher priority.<br/><br/> A CGI process cannot have a higher priority than the web server. 
If this priority is set to a lower number than the server's, the server's priority will be used for this value.</p> <h4>Syntax</h4><p>int</p> <h4>See Also</h4><p class="ls-text-small">Server <span class="tagl"><a href="ServGeneral_Help.html#serverPriority">Priority</a></span></p> </article> </div> <div class="helpitem"><article class="ls-helpitem"><div><header id="CPUSoftLimit"><h3>CPU Soft Limit (sec)<span class="ls-permlink"><a href="#CPUSoftLimit"></a></span><span class="top"><a href="#top">⇑</a></span></h3></header></div><h4>Description</h4><p>Specifies the CPU time limit in seconds for a CGI process. When the process reaches the soft limit, it will be notified by a signal. The operating system's default setting will be used if the value is absent or set to <span class="val">0</span>.</p> <h4>Syntax</h4><p>Integer number</p> </article> </div> <div class="helpitem"><article class="ls-helpitem"><div><header id="CPUHardLimit"><h3>CPU Hard Limit<span class="ls-permlink"><a href="#CPUHardLimit"></a></span><span class="top"><a href="#top">⇑</a></span></h3></header></div><h4>Description</h4><p>Specifies the maximum CPU time, in seconds, that a CGI process may consume. If the process continues to consume CPU time and reaches the hard limit, it will be forcibly killed. 
The operating system's default setting will be used if the value is absent or set to <span class="val">0</span>.</p> <h4>Syntax</h4><p>Integer number</p> </article> </div> <div class="helpitem"><article class="ls-helpitem"><div><header id="memSoftLimit"><h3>Memory Soft Limit (bytes)<span class="ls-permlink"><a href="#memSoftLimit"></a></span><span class="top"><a href="#top">⇑</a></span></h3></header></div><h4>Description</h4><p>Specifies the memory consumption limit in bytes for a CGI process or other external application started by the server.<br/><br/> The main purpose of this limit is to prevent excessive memory usage because of software bugs or intentional attacks, not to impose a limit on normal usage. Make sure to leave enough headroom, otherwise your application may fail and a 503 error may be returned. It can be set at the server level or at an individual external application level. The server-level limit will be used if it is not set at the individual application level.<br/><br/> The operating system's default setting will be used if the value is absent at both levels or set to <span class="val">0</span>.</p> <h4>Syntax</h4><p>Integer number</p> <h4>Tips</h4><p><span title="Attention" class="ls-icon-attention"></span> Do not set this limit too low. This may result in 503 errors if your application needs more memory.</p> </article> </div> <div class="helpitem"><article class="ls-helpitem"><div><header id="memHardLimit"><h3>Memory Hard Limit (bytes)<span class="ls-permlink"><a href="#memHardLimit"></a></span><span class="top"><a href="#top">⇑</a></span></h3></header></div><h4>Description</h4><p>Much the same as <span class="tagl"><a href="#memSoftLimit">Memory Soft Limit (bytes)</a></span>, except the soft limit can be raised up to the hard limit from within a user process. The hard limit can be set at server level or at an individual external application level. 
The server-level limit will be used if it is not set at an individual application level.<br/><br/> The operating system's default will be used if the value is absent at both levels or set to <span class="val">0</span>.</p> <h4>Syntax</h4><p>Integer number</p> <h4>Tips</h4><p><span title="Attention" class="ls-icon-attention"></span> Do not set this limit too low. This may result in 503 errors if your application needs more memory.</p> </article> </div> <div class="helpitem"><article class="ls-helpitem"><div><header id="procSoftLimit"><h3>Process Soft Limit<span class="ls-permlink"><a href="#procSoftLimit"></a></span><span class="top"><a href="#top">⇑</a></span></h3></header></div><h4>Description</h4><p>Limits the total number of processes that can be created on behalf of a user. All existing processes will be counted against this limit, not just new processes to be started.<br/><br/> The limit can be set at the server level or at an individual external application level. The server-level limit will be used if it is not set at an individual application level. The operating system's default setting will be used if this value is 0 or absent at both levels.</p> <h4>Syntax</h4><p>Integer number</p> <h4>Tips</h4><p><span title="Information" class="ls-icon-info"></span> To control how many processes LSWS will make for users in mod_suEXEC mode, use the suEXEC Max Conn setting. PHP scripts can fork processes, and the number of processes needed for normal functioning can be above the suEXEC Max Conn setting. The main purpose of this limit is as a last line of defense to prevent fork bombs and other attacks caused by PHP processes creating other processes.<br/><br/> Setting this value too low can severely hurt functionality. 
The setting will thus be ignored below certain levels.<br/><br/> When <b>Run On Start Up</b> is set to "Yes (Daemon mode)", the actual process limit will be higher than this setting to make sure parent processes are not limited.</p> </article> </div> <div class="helpitem"><article class="ls-helpitem"><div><header id="procHardLimit"><h3>Process Hard Limit<span class="ls-permlink"><a href="#procHardLimit"></a></span><span class="top"><a href="#top">⇑</a></span></h3></header></div><h4>Description</h4><p>Much the same as <span class="tagl"><a href="#procSoftLimit">Process Soft Limit</a></span>, except the soft limit can be raised up to the hard limit from within a user process. The hard limit can be set at the server level or at an individual external application level. The server-level limit will be used if it is not set at an individual application level. The operating system's default value will be used if the value is absent at both levels or set to <span class="val">0</span>.</p> <h4>Syntax</h4><p>Integer number</p> </article> </div> <div class="helpitem"><article class="ls-helpitem"><div><header id="cgroups"><h3>cgroups<span class="ls-permlink"><a href="#cgroups"></a></span><span class="top"><a href="#top">⇑</a></span></h3></header></div><h4>Description</h4><p>A Linux kernel feature that limits, accounts for, and isolates the resource usage (CPU, memory, disk I/O, network, etc.) of a collection of processes. You must be running cgroups v2 which is determined by the existence of the file <span class="val">/sys/fs/cgroup/cgroup.controllers</span>.<br/><br/> Setting this to <span class="val">Disabled</span> at the Server level will disable this setting server-wide. 
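</p> <p>The soft/hard pairs above (CPU, memory, process) behave like POSIX resource limits: a process may raise its own soft limit up to the hard limit and no further, and the hard limit is what actually stops it. That the server applies them through setrlimit is an assumption, as the manual does not name the mechanism. The following added example (not LiteSpeed code) shows the behaviour on Linux with Python's <span class="cmd">resource</span> module; every experiment runs in a forked child so the limits never touch the calling process, and the address-space limit stands in for Memory Soft Limit and Memory Hard Limit. The 512 MB cap and the 16 MB and 4 GB requests are constructed values.</p>

```python
import os
import pickle
import resource

MB = 1 << 20


def run_isolated(fn):
    """Run fn() in a forked child so limit changes never affect the caller. The
    child's return value (or the name of the exception it raised) comes back
    over a pipe, which also keeps a limit-killed child from taking us down."""
    rfd, wfd = os.pipe()
    pid = os.fork()
    if pid == 0:                                   # child
        os.close(rfd)
        try:
            result = fn()
        except BaseException as exc:
            result = type(exc).__name__
        with os.fdopen(wfd, "wb") as w:
            pickle.dump(result, w)
        os._exit(0)
    os.close(wfd)                                  # parent
    with os.fdopen(rfd, "rb") as r:
        payload = r.read()
    os.waitpid(pid, 0)
    return pickle.loads(payload)


def soft_vs_hard(soft=256 * MB, hard=512 * MB):
    """A process may raise its own soft limit up to, but never beyond, the hard limit."""
    def body():
        resource.setrlimit(resource.RLIMIT_AS, (soft, hard))
        resource.setrlimit(resource.RLIMIT_AS, (hard, hard))          # soft up to hard: allowed
        try:
            resource.setrlimit(resource.RLIMIT_AS, (2 * hard, hard))  # soft above hard
            return "raised above hard"
        except ValueError:
            return "raised to hard, refused above hard"
    return run_isolated(body)


def allocate_under_limit(limit, request):
    """Cap the address space at `limit` bytes, then ask for `request` bytes at once.
    This is what a too-tight Memory Soft Limit does to an application: MemoryError."""
    def body():
        resource.setrlimit(resource.RLIMIT_AS, (limit, limit))
        try:
            bytearray(request)
            return "allocated"
        except MemoryError:
            return "MemoryError"
    return run_isolated(body)


def run_demo():
    return {
        "soft limit vs hard limit": soft_vs_hard(),
        "16 MB under a 512 MB cap": allocate_under_lim(512 * MB, 16 * MB) if False else allocate_under_limit(512 * MB, 16 * MB),
        "4 GB under a 512 MB cap": allocate_under_limit(512 * MB, 4096 * MB),
    }
```

<p>The forked-child pattern in <span class="cmd">run_isolated()</span> is also the practical way to test a limit before deploying it: set the intended value in the child, run the application's heaviest request there, and see whether it ends in MemoryError, which is the failure the manual's tips above warn turns into a 503 in production.</p> <p>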
In all other cases, the Server level setting can be overridden at the Virtual Host level.<br/><br/> Default values:<br/> <b>Server level:</b> Off<br/> <b>VH level:</b> Inherit Server level setting</p> <h4>Syntax</h4><p>Select from drop down list</p> </article> </div> <div class="helpitem"><article class="ls-helpitem"><div><header id="lsrecaptcha"><h3>reCAPTCHA Protection<span class="ls-permlink"><a href="#lsrecaptcha"></a></span><span class="top"><a href="#top">⇑</a></span></h3></header></div><h4>Description</h4><p>reCAPTCHA Protection is a feature for mitigating heavy server load. It activates when one of the situations below occurs. Once active, all requests from non-trusted (as configured) clients are redirected to a reCAPTCHA validation page. After validation, the client is redirected to the page it originally requested.<br/><br/> The following situations activate reCAPTCHA Protection:<br/> 1. The server or virtual host concurrent request count exceeds the configured connection limit.<br/> 2. Anti-DDoS is enabled and a client is hitting a URL in a suspicious manner. When triggered, the client is redirected to reCAPTCHA first instead of being denied.<br/> 3. WordPress Brute Force Attack Protection is enabled and the action is set to 'CAPTCHA or Drop'. When a brute force attack is detected, the client is redirected to reCAPTCHA first. After Max Tries is reached, the connection is dropped, as per the 'Drop' option.<br/> 4. WordPress Brute Force Attack Protection is enabled and the action is set to 'WP Login CAPTCHA Full Protection'. The client is always redirected to reCAPTCHA first.<br/> 5. A rewrite rule environment variable, 'verifycaptcha', activates reCAPTCHA from RewriteRules: setting it redirects the client to reCAPTCHA. The special value ': deny' denies the client once it has failed too many times. For example, [E=verifycaptcha] will always redirect to reCAPTCHA until verified. 
[E=verifycaptcha: deny] will redirect to reCAPTCHA until Max Tries is hit, after which the client will be denied.</p> </article> </div> <div class="helpitem"><article class="ls-helpitem"><div><header id="enableRecaptcha"><h3>Enable reCAPTCHA<span class="ls-permlink"><a href="#enableRecaptcha"></a></span><span class="top"><a href="#top">⇑</a></span></h3></header></div><h4>Description</h4><p>Enable the reCAPTCHA Protection feature at the current level. This setting must be set to <span class="val">Yes</span> at the Server level before the reCAPTCHA Protection feature can be used.<br/><br/> Default values:<br/> <b>Server-level:</b> <span class="val">No</span><br/> <b>VH-Level:</b> Inherit Server level setting</p> <h4>Syntax</h4><p>Select from radio box</p> </article> </div> <div class="helpitem"><article class="ls-helpitem"><div><header id="recaptchaSiteKey"><h3>Site Key<span class="ls-permlink"><a href="#recaptchaSiteKey"></a></span><span class="top"><a href="#top">⇑</a></span></h3></header></div><h4>Description</h4><p>The site key is the public key provided by Google via its reCAPTCHA service. A default Site Key will be used if not set.</p> </article> </div> <div class="helpitem"><article class="ls-helpitem"><div><header id="recaptchaSecretKey"><h3>Secret Key<span class="ls-permlink"><a href="#recaptchaSecretKey"></a></span><span class="top"><a href="#top">⇑</a></span></h3></header></div><h4>Description</h4><p>The secret key is the private key provided by Google via its reCAPTCHA service. 
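</p> <p>How the 'verifycaptcha' environment variable from the reCAPTCHA Protection description is wired into rewrite rules, as an added example that is not from the manual: the URL paths are placeholders, the rules are written for the virtual host level (so patterns start with a slash), the flag syntax is assumed to follow Apache's E=VAR:VAL form, and the deny variant is spelled exactly as the manual gives it.</p>

```apache
RewriteEngine On

# Login form: challenge every POST; after Max Tries failed CAPTCHAs the client is denied
RewriteCond %{REQUEST_METHOD} ^POST$
RewriteRule ^/wp-login\.php$ - [E=verifycaptcha: deny]

# Staging area: redirect to reCAPTCHA on every request until the visitor has passed it
RewriteRule ^/staging/ - [E=verifycaptcha]
```

<p>The first rule is the brute-force case: a client that keeps failing the CAPTCHA on the login URL is dropped after Max Tries. The second keeps challenging until the visitor passes, and the pass is then honoured for Verification Expires (secs).</p> <p>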
A default Secret Key will be used if not set.</p> </article> </div> <div class="helpitem"><article class="ls-helpitem"><div><header id="recaptchaType"><h3>reCAPTCHA Type<span class="ls-permlink"><a href="#recaptchaType"></a></span><span class="top"><a href="#top">⇑</a></span></h3></header></div><h4>Description</h4><p>Specify the reCAPTCHA type to use with the key pairs.<br/> If a key pair has not been provided and this setting is set to <span class="val">Not Set</span>, a default key pair of type <span class="val">Invisible</span> will be used.<br/><br/> <span class="val">Checkbox</span> will display a checkbox reCAPTCHA for the visitor to validate.<br/><br/> <span class="val">Invisible</span> will attempt to validate the reCAPTCHA automatically and, if successful, will redirect to the desired page.<br/><br/> <span class="val">hCaptcha</span> uses <a href="https://www.hcaptcha.com" target="_blank" rel="noopener noreferrer">hCaptcha</a> as the CAPTCHA provider instead of Google reCAPTCHA.<br/><br/> Default value is <span class="val">Invisible</span>.</p> <h4>Syntax</h4><p>Select from drop down list</p> </article> </div> <div class="helpitem"><article class="ls-helpitem"><div><header id="recaptchaSensitivity"><h3>Trigger Sensitivity<span class="ls-permlink"><a href="#recaptchaSensitivity"></a></span><span class="top"><a href="#top">⇑</a></span></h3></header></div><h4>Description</h4><p>Automatic reCAPTCHA sensitivity. The higher the value, the more likely reCAPTCHA Protection will be used. 
A value of <span class="val">0</span> is equivalent to "Off" while a value of <span class="val">100</span> is equivalent to "Always On".<br/><br/> Default values:<br/> <b>Server level:</b> 0<br/> <b>Virtual Host level:</b> Inherit Server level setting</p> <h4>Syntax</h4><p>Integer value between 0 and 100.</p> </article> </div> <div class="helpitem"><article class="ls-helpitem"><div><header id="recaptchaMaxTries"><h3>Max Tries<span class="ls-permlink"><a href="#recaptchaMaxTries"></a></span><span class="top"><a href="#top">⇑</a></span></h3></header></div><h4>Description</h4><p>Max Tries specifies the maximum number of reCAPTCHA attempts permitted before denying the visitor.<br/><br/> Default value is <span class="val">3</span>.</p> <h4>Syntax</h4><p>Integer number</p> </article> </div> <div class="helpitem"><article class="ls-helpitem"><div><header id="verifyExpires"><h3>Verification Expires (secs)<span class="ls-permlink"><a href="#verifyExpires"></a></span><span class="top"><a href="#top">⇑</a></span></h3></header></div><h4>Description</h4><p>Sets how long a successful reCAPTCHA verification remains valid; once it expires, reCAPTCHA protection will re-trigger for that visitor.<br/><br/> Default value: <span class="val">86,400</span> (1 day).</p> <h4>Syntax</h4><p>Integer value between 30 and 31,536,000 (1 year).</p> </article> </div> <div class="helpitem"><article class="ls-helpitem"><div><header id="recaptchaAllowedRobotHits"><h3>Allowed Robot Hits<span class="ls-permlink"><a href="#recaptchaAllowedRobotHits"></a></span><span class="top"><a href="#top">⇑</a></span></h3></header></div><h4>Description</h4><p>Number of hits per 10 seconds to allow ‘good bots’ to pass. 
Bots will still be throttled when the server is under load.<br/><br/> Default value is <span class="val">3</span>.</p> <h4>Syntax</h4><p>Integer number</p> </article> </div> <div class="helpitem"><article class="ls-helpitem"><div><header id="recaptchaBotWhiteList"><h3>Bot White List<span class="ls-permlink"><a href="#recaptchaBotWhiteList"></a></span><span class="top"><a href="#top">⇑</a></span></h3></header></div><h4>Description</h4><p>List of custom user agents to allow access. Will be subject to the ‘good bots’ limitations, including <span class="tagl"><a href="#recaptchaAllowedRobotHits">Allowed Robot Hits</a></span>.</p> <h4>Syntax</h4><p>List of user agents, one per line. Regex is supported.</p> <h4>Tips</h4><p><span title="Security" class="ls-icon-security"></span> The User-Agent header is supplied by the client and can be forged, so any client that sends a matching string receives the whitelisted treatment. Keep patterns specific rather than matching a short substring.</p> </article> </div> <div class="helpitem"><article class="ls-helpitem"><div><header id="bubbleWrap"><h3>Bubblewrap Container<span class="ls-permlink"><a href="#bubbleWrap"></a></span><span class="top"><a href="#top">⇑</a></span></h3></header></div><h4>Description</h4><p>Set to <span class="val">Enabled</span> if you wish to start CGI processes (including PHP programs) in a bubblewrap sandbox. See <a href="https://wiki.archlinux.org/title/Bubblewrap" target="_blank" rel="noopener noreferrer">https://wiki.archlinux.org/title/Bubblewrap</a> for details on using bubblewrap. Bubblewrap must be installed on your system prior to using this setting.<br/><br/> This setting cannot be turned on at the Virtual Host level if set to "Disabled" at the Server level.<br/><br/> Default values:<br/> <b>Server level:</b> Disabled<br/> <b>VH level:</b> Inherit Server level setting</p> <h4>Syntax</h4><p>Select from drop down list</p> </article> </div> <div class="helpitem"><article class="ls-helpitem"><div><header id="bubbleWrapCmd"><h3>Bubblewrap Command<span class="ls-permlink"><a href="#bubbleWrapCmd"></a></span><span class="top"><a href="#top">⇑</a></span></h3></header></div><h4>Description</h4><p>The full bubblewrap command line, including the bubblewrap program itself. 
More on configuring this command can be found here: <a href=" https://docs.litespeedtech.com/products/lsws/bubblewrap " target="_blank" rel="noopener noreferrer"> https://docs.litespeedtech.com/products/lsws/bubblewrap </a>. If not specified, the default command listed below will be used.<br/><br/> Default value: <span class="cmd">/bin/bwrap --ro-bind /usr /usr --ro-bind /lib /lib --ro-bind-try /lib64 /lib64 --ro-bind /bin /bin --ro-bind /sbin /sbin --dir /var --dir /tmp --proc /proc --symlink ../tmp var/tmp --dev /dev --ro-bind-try /etc/localtime /etc/localtime --ro-bind-try /etc/ld.so.cache /etc/ld.so.cache --ro-bind-try /etc/resolv.conf /etc/resolv.conf --ro-bind-try /etc/ssl /etc/ssl --ro-bind-try /etc/pki /etc/pki --ro-bind-try /etc/man_db.conf /etc/man_db.conf --ro-bind-try /home/$USER /home/$USER --bind-try /var/lib/mysql/mysql.sock /var/lib/mysql/mysql.sock --bind-try /home/mysql/mysql.sock /home/mysql/mysql.sock --bind-try /tmp/mysql.sock /tmp/mysql.sock --unshare-all --share-net --die-with-parent --dir /run/user/$UID ‘$PASSWD 65534’ ‘$GROUP 65534’</span></p> </article> </div> <div class="helpitem"><article class="ls-helpitem"><div><header id="namespace"><h3>Namespace Container<span class="ls-permlink"><a href="#namespace"></a></span><span class="top"><a href="#top">⇑</a></span></h3></header></div><h4>Description</h4><p>Set to <span class="val">Enabled</span> if you wish to start CGI processes (including PHP programs) in a namespace container sandbox. 
Only used when <span class="tagl"><a href="ServSecurity_Help.html#bubbleWrap">Bubblewrap Container</a></span> is set to <span class="val">Disabled</span>.<br/><br/> When not <span class="val">Disabled</span> at the Server level, this setting's value can be overridden at the Virtual Host level.<br/><br/> Default values:<br/> <b>Server level:</b> <span class="val">Disabled</span><br/> <b>Virtual Host Level:</b> Inherit Server level setting</p> <h4>Syntax</h4><p>Select from drop down list</p> </article> </div> <div class="helpitem"><article class="ls-helpitem"><div><header id="namespaceConf"><h3>Namespace Template File<span class="ls-permlink"><a href="#namespaceConf"></a></span><span class="top"><a href="#top">⇑</a></span></h3></header></div><h4>Description</h4><p>Path to an existing configuration file containing a list of directories to be mounted along with the methods used to mount them, one <span class="val">path,method</span> entry per line (a line of the form <span class="val">source destination,method</span> mounts or copies <span class="val">source</span> at <span class="val">destination</span>). When <span class="tagl"><a href="ServSecurity_Help.html#namespace">Namespace Container</a></span> is set to <span class="val">Enabled</span> and this value is not set, the following secure default configuration settings will be used:<br/><br/> <span class="val"> /tmp,tmp<br/> /usr,ro-bind<br/> /lib,ro-bind<br/> /lib64,ro-bind-try<br/> /bin,ro-bind<br/> /sbin,ro-bind<br/> /var,dir<br/> /var/www,ro-bind-try<br/> /proc,proc<br/> ../tmp var/tmp,symlink<br/> /dev,dev<br/> /etc/localtime,ro-bind-try<br/> /etc/ld.so.cache,ro-bind-try<br/> /etc/resolv.conf,ro-bind-try<br/> /etc/ssl,ro-bind-try<br/> /etc/pki,ro-bind-try<br/> /etc/man_db.conf,ro-bind-try<br/> /usr/local/bin/msmtp /etc/alternatives/mta,ro-bind-try<br/> /usr/local/bin/msmtp /usr/sbin/exim,ro-bind-try<br/> $HOMEDIR,bind-try<br/> /var/lib/mysql/mysql.sock,bind-try<br/> /home/mysql/mysql.sock,bind-try<br/> /tmp/mysql.sock,bind-try<br/> /run/mysqld/mysqld.sock,bind-try<br/> /var/run/mysqld.sock,bind-try<br/> /run/user/$UID,dir<br/> $PASSWD<br/> $GROUP<br/> /etc/exim.jail/$USER.conf $HOMEDIR/.msmtprc,copy-try<br/> 
/etc/php.ini,ro-bind-try<br/> /etc/php-fpm.conf,ro-bind-try<br/> /etc/php-fpm.d,ro-bind-try<br/> /var/run,ro-bind-try<br/> /var/lib,ro-bind-try </span></p> <h4>Syntax</h4><p>An absolute path or a relative path to $SERVER_ROOT.</p> </article> </div> <div class="helpitem"><article class="ls-helpitem"><div><header id="accessDenyDir"><h3>Access Denied Directories<span class="ls-permlink"><a href="#accessDenyDir"></a></span><span class="top"><a href="#top">⇑</a></span></h3></header></div><h4>Description</h4><p>Specifies directories that should be blocked from access. Add directories that contain sensitive data to this list to prevent accidentally exposing sensitive files to clients. Append a "*" to the path to include all sub-directories. If both <span class="tagl"><a href="#followSymbolLink">Follow Symbolic Link</a></span> and <span class="tagl"><a href="#checkSymbolLink">Check Symbolic Link</a></span> are enabled, symbolic links will be checked against the denied directories.</p> <h4>Syntax</h4><p>Comma-delimited list of directories</p> <h4>Tips</h4><p><span title="Security" class="ls-icon-security"></span> Of critical importance: This setting only prevents serving static files from these directories. This does not prevent exposure by external scripts such as PHP/Ruby/CGI.</p> </article> </div> <div class="helpitem"><article class="ls-helpitem"><div><header id="accessControl"><h3>Access Control<span class="ls-permlink"><a href="#accessControl"></a></span><span class="top"><a href="#top">⇑</a></span></h3></header></div><h4>Description</h4><p>Specifies what sub networks and/or IP addresses can access the server. At the server level, this setting will affect all virtual hosts. You can also set up access control unique to each virtual host at the virtual host level. Virtual host level settings will NOT override server level settings.<br/><br/> Blocking/Allowing an IP is determined by the combination of the allowed list and the denied list. 
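Before going on to IP-based access control, here is an added example that audits the two sandbox defaults given above (the Bubblewrap Command and the Namespace Template File). It is not LiteSpeed code: it parses the default bwrap command line and an excerpt of the default template into one mount model and reports which host paths a sandboxed CGI/PHP process could write through to, which is the question a reviewer of either setting wants answered. Assumptions: bwrap option arities follow bwrap's documented usage; the tokens <span class="val">'$PASSWD 65534'</span>, <span class="val">'$GROUP 65534'</span> and the bare <span class="val">$PASSWD</span> / <span class="val">$GROUP</span> template lines are treated as opaque placeholders expanded by the server, because this page does not define them; the template excerpt is a constructed subset of the default list.

```python
"""Added example (not LiteSpeed code): parse the default Bubblewrap Command
and Namespace Template File into one mount model and report the host paths
a sandboxed CGI/PHP process can write through to.
Assumption: '$PASSWD 65534', '$GROUP 65534' and bare $PASSWD / $GROUP lines
are opaque server-expanded placeholders; bwrap arities follow bwrap usage."""
import shlex
from collections import namedtuple

# bwrap option -> number of path arguments it consumes.
BWRAP_ARITY = {
    "--ro-bind": 2, "--ro-bind-try": 2, "--bind": 2, "--bind-try": 2,
    "--dev-bind": 2, "--dev-bind-try": 2, "--symlink": 2,
    "--dir": 1, "--tmpfs": 1, "--proc": 1, "--dev": 1,
    "--unshare-all": 0, "--share-net": 0, "--unshare-net": 0,
    "--die-with-parent": 0, "--new-session": 0,
}
RW_METHODS = {"bind", "bind-try", "dev-bind", "dev-bind-try"}  # writes reach the host
RO_METHODS = {"ro-bind", "ro-bind-try"}
# dir, tmp, proc, dev, symlink and copy-try create sandbox-private objects only.
Mount = namedtuple("Mount", "method source target")

def parse_bwrap_command(cmd):
    """Return (mounts, flags, placeholders) for one bwrap command line."""
    tokens = shlex.split(cmd)[1:]                 # drop /bin/bwrap itself
    mounts, flags, placeholders, i = [], set(), [], 0
    while i < len(tokens):
        tok = tokens[i]
        if not tok.startswith("--"):
            placeholders.append(tok)              # e.g. "$PASSWD 65534"
            i += 1
            continue
        if tok not in BWRAP_ARITY:
            raise ValueError(f"unknown bwrap option {tok}")
        n = BWRAP_ARITY[tok]
        args = tokens[i + 1:i + 1 + n]
        if len(args) != n:
            raise ValueError(f"{tok} expects {n} argument(s)")
        if n == 0:
            flags.add(tok[2:])
        else:                                     # one-arg options: source == target
            mounts.append(Mount(tok[2:], args[0], args[-1]))
        i += 1 + n
    return mounts, flags, placeholders

def parse_namespace_template(text):
    """Parse 'path[,method]' lines; 'src dst,method' carries two paths."""
    mounts, placeholders = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if "," not in line:
            placeholders.append(line)             # $PASSWD / $GROUP
            continue
        paths, method = line.rsplit(",", 1)
        parts = paths.split()
        mounts.append(Mount(method.strip(), parts[0], parts[-1]))
    return mounts, placeholders

def audit(mounts, flags=None):
    """Summarise reachable paths; flag checks apply to bwrap commands only."""
    report = {
        "rw": [m.target for m in mounts if m.method in RW_METHODS],
        "ro": [m.target for m in mounts if m.method in RO_METHODS],
    }
    if flags is not None:
        isolated = "unshare-all" in flags or "unshare-net" in flags
        report["network"] = (not isolated) or "share-net" in flags
        report["die_with_parent"] = "die-with-parent" in flags
    return report

DEFAULT_BWRAP_CMD = (  # default value quoted from this page
    "/bin/bwrap --ro-bind /usr /usr --ro-bind /lib /lib --ro-bind-try /lib64 /lib64 "
    "--ro-bind /bin /bin --ro-bind /sbin /sbin --dir /var --dir /tmp --proc /proc "
    "--symlink ../tmp var/tmp --dev /dev --ro-bind-try /etc/localtime /etc/localtime "
    "--ro-bind-try /etc/ld.so.cache /etc/ld.so.cache --ro-bind-try /etc/resolv.conf "
    "/etc/resolv.conf --ro-bind-try /etc/ssl /etc/ssl --ro-bind-try /etc/pki /etc/pki "
    "--ro-bind-try /etc/man_db.conf /etc/man_db.conf --ro-bind-try /home/$USER /home/$USER "
    "--bind-try /var/lib/mysql/mysql.sock /var/lib/mysql/mysql.sock "
    "--bind-try /home/mysql/mysql.sock /home/mysql/mysql.sock "
    "--bind-try /tmp/mysql.sock /tmp/mysql.sock --unshare-all --share-net "
    "--die-with-parent --dir /run/user/$UID '$PASSWD 65534' '$GROUP 65534'"
)
NAMESPACE_TEMPLATE_EXCERPT = """\
/tmp,tmp
/usr,ro-bind
../tmp var/tmp,symlink
$HOMEDIR,bind-try
/var/lib/mysql/mysql.sock,bind-try
/run/mysqld/mysqld.sock,bind-try
$PASSWD
$GROUP
/etc/exim.jail/$USER.conf $HOMEDIR/.msmtprc,copy-try
"""  # constructed excerpt of the default template listed above

def audit_defaults():
    """Audit both page defaults side by side."""
    mounts, flags, _ = parse_bwrap_command(DEFAULT_BWRAP_CMD)
    ns_mounts, _ = parse_namespace_template(NAMESPACE_TEMPLATE_EXCERPT)
    return {"bubblewrap": audit(mounts, flags), "namespace": audit(ns_mounts)}
```

Running <span class="val">audit_defaults()</span> shows the practical difference between the two defaults: the bubblewrap command leaves only the three MySQL socket paths writable and binds <span class="val">/home/$USER</span> read-only, while the namespace template binds <span class="val">$HOMEDIR</span> read-write. Feed your own Bubblewrap Command or template file through the same functions after editing either setting, and treat every new entry in the <span class="val">rw</span> list as something the sandboxed script can modify on the host.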
If you want to block only certain IPs or sub-networks, put <span class="val">*</span> or <span class="val">ALL</span> in the <span class="tagl"><a href="#accessControl_allow">Allowed List</a></span> and list the blocked IPs or sub-networks in the <span class="tagl"><a href="#accessControl_deny">Denied List</a></span>. If you want to allow only certain IPs or sub-networks, put <span class="val">*</span> or <span class="val">ALL</span> in the <span class="tagl"><a href="#accessControl_deny">Denied List</a></span> and list the allowed IPs or sub-networks in the <span class="tagl"><a href="#accessControl_allow">Allowed List</a></span>. When an IP matches entries in both lists, the entry with the smallest scope (the most specific match) determines access; for example, a single denied address inside an allowed /24 is still blocked.<br/><br/> <b>Server Level:</b> Trusted IPs or sub-networks must be specified in the <span class="tagl"><a href="#accessControl_allow">Allowed List</a></span> by adding a trailing "T". Trusted IPs or sub-networks are not affected by connection/throttling limits. Only server level access control can set up trusted IPs/sub-networks.</p> <h4>Tips</h4><p><span title="Security" class="ls-icon-security"></span> Use this at the server level for general restrictions that apply to all virtual hosts.</p> </article> </div> <div class="helpitem"><article class="ls-helpitem"><div><header id="accessControl_allow"><h3>Allowed List<span class="ls-permlink"><a href="#accessControl_allow"></a></span><span class="top"><a href="#top">⇑</a></span></h3></header></div><h4>Description</h4><p>Specifies the list of IPs or sub-networks allowed. <span class="val">*</span> or <span class="val">ALL</span> are accepted.</p> <h4>Syntax</h4><p>Comma-delimited list of IP addresses or sub-networks. 
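The following added example (not LiteSpeed code) models the Access Control resolution described above so that a rule set can be checked before it is deployed: both recipes (allow everything except a denied list, deny everything except an allowed list), the most-specific-match rule, the trailing "T" trust marker that only counts at the server level, and the rule that a virtual host cannot undo a server-level deny. It accepts the address and sub-network notations this page gives as examples. Three behaviours are assumptions labelled in the code because the page does not state them: when the most specific allow and deny entries have the same scope the deny wins; an IP that matches no entry at all is denied (fail closed); and an empty virtual-host list pair means "inherit the server decision".

```python
"""Added example (not LiteSpeed code): resolve a client IP against the
Allowed List / Denied List rules described under Access Control.
Assumptions not stated on the page: equal-scope allow and deny -> deny wins;
no matching entry -> denied (fail closed); empty virtual-host lists inherit
the server-level decision."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Rule:
    net: object          # ipaddress IPv4Network or IPv6Network
    allow: bool
    trusted: bool
    text: str            # the entry as written, for reporting

@dataclass(frozen=True)
class Decision:
    allowed: bool
    trusted: bool
    matched: Optional[str]

def expand_entry(entry):
    """Turn one entry in the page's notations into ip_network objects."""
    if entry in ("*", "ALL"):
        return [ipaddress.ip_network("0.0.0.0/0"), ipaddress.ip_network("::/0")]
    entry = entry.replace("[", "").replace("]", "")       # [::1] or [...]/64
    if "/" not in entry and ":" not in entry:              # 192.168.1 or 192.168.1.*
        octets = [o for o in entry.split(".") if o != "*"]
        if len(octets) < 4:
            entry = ".".join(octets + ["0"] * (4 - len(octets))) + f"/{8 * len(octets)}"
    return [ipaddress.ip_network(entry, strict=False)]     # also a.b.c.d/24 and /mask

def parse_list(text, allow, server_level):
    """Parse a comma-delimited list; a trailing T marks trust only at server level."""
    rules = []
    for raw in text.split(","):
        entry = raw.strip()
        if not entry:
            continue
        trusted = False
        if entry != "ALL" and entry.endswith("T"):
            trusted, entry = allow and server_level, entry[:-1]
        for net in expand_entry(entry):
            rules.append(Rule(net, allow, trusted, raw.strip()))
    return rules

def decide(ip, allow_list, deny_list, server_level=True):
    """Most specific matching entry wins; a deny wins an equal-scope tie (assumption)."""
    addr = ipaddress.ip_address(ip)
    rules = parse_list(allow_list, True, server_level) + parse_list(deny_list, False, server_level)
    hits = [r for r in rules if addr in r.net]             # mixed IP versions never match
    if not hits:
        return Decision(False, False, None)                # assumption: fail closed
    best = max(hits, key=lambda r: (r.net.prefixlen, not r.allow))
    trusted = best.allow and any(r.trusted for r in hits)
    return Decision(best.allow, trusted, best.text)

def decide_two_level(ip, server_lists, vhost_lists):
    """Server level first; a virtual host cannot override a server-level deny."""
    server = decide(ip, *server_lists, server_level=True)
    if not server.allowed or not any(vhost_lists):
        return server                                      # assumption: empty vhost lists inherit
    vhost = decide(ip, *vhost_lists, server_level=False)
    return Decision(vhost.allowed, server.trusted and vhost.allowed, vhost.matched)
```

For example, <span class="val">decide("192.168.1.100", "192.168.1.*", "192.168.1.100")</span> is denied because the /32 entry is more specific than the /24, and <span class="val">decide_two_level("203.0.113.9", ("*", "203.0.113.0/24"), ("*", ""))</span> stays denied even though the virtual host allows everything.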
A trailing "T" can be used to indicate a trusted IP or sub-network, such as <span class="val">192.168.1.*T</span>.</p> <h4>Example</h4><div class="ls-example"><b>Sub-networks:</b> 192.168.1.0/255.255.255.0, 192.168.1.0/24, 192.168.1, or 192.168.1.*<br/> <b>IPv6 addresses:</b> ::1 or [::1]<br/> <b>IPv6 subnets:</b> 3ffe:302:11:2:20f:1fff:fe29:717c/64 or [3ffe:302:11:2:20f:1fff:fe29:717c]/64</div><h4>Tips</h4><p><span title="Security" class="ls-icon-security"></span> Trusted IPs or sub-networks set at the server level access control will be excluded from connection/throttling limits.</p> </article> </div> <div class="helpitem"><article class="ls-helpitem"><div><header id="accessControl_deny"><h3>Denied List<span class="ls-permlink"><a href="#accessControl_deny"></a></span><span class="top"><a href="#top">⇑</a></span></h3></header></div><h4>Description</h4><p>Specifies the list of IPs or sub-networks disallowed.</p> <h4>Syntax</h4><p>Comma delimited list of IP addresses or sub-networks. <span class="val">*</span> or <span class="val">ALL</span> are accepted.</p> <h4>Example</h4><div class="ls-example"><b>Sub-networks:</b> 192.168.1.0/255.255.255.0, 192.168.1.0/24, 192.168.1, or 192.168.1.*<br/> <b>IPv6 addresses:</b> ::1 or [::1]<br/> <b>IPv6 subnets:</b> 3ffe:302:11:2:20f:1fff:fe29:717c/64 or [3ffe:302:11:2:20f:1fff:fe29:717c]/64</div></article> </div> </section> </article><div class="ls-col-1-1"><footer class="copyright">Copyright © 2003-2020. <a href="https://www.litespeedtech.com">LiteSpeed Technologies Inc.</a> All rights reserved.</footer> </div></div> </body> </html>