<!DOCTYPE html> <head> <meta charset="utf-8" /> <meta http-equiv="X-UA-Compatible" content="IE=edge,chrome=1" /> <title>LiteSpeed Web Server Users' Manual - Virtual Host Security</title> <meta name="description" content="LiteSpeed Web Server Users' Manual - Virtual Host Security." /> <meta name="viewport" content="width=device-width, initial-scale=1.0" /> <meta name="robots" content="noindex"> <link rel="shortcut icon" href="img/favicon.ico" /> <link rel="stylesheet" type="text/css" href="css/hdoc.css"> </head> <body> <div class="pagewrapper clearfix"><aside class="sidetree ls-col-1-5"> <figure> <img src="img/lsws_logo.svg" alt="lightspeed web server logo" width="100px"/> </figure> <h2 class="ls-text-thin"> LiteSpeed Web Server <br /> <span class="current"><a href="index.html">Users' Manual</a></span> </h2> <h3 class="ls-text-muted">Version 6.3 — Rev. 0</h3> <hr/> <div> <ul> <li><a href="license.html">License Enterprise</a></li> <li><a href="intro.html">Introduction</a></li> <li><a href="install.html">Installation</a></li> <li> <a href="admin.html">Administration</a> <ul class="menu level2"> <li><a href="ServerStat_Help.html">Service Manager</a></li> <li><a href="Real_Time_Stats_Help.html">Real-Time Stats</a></li> </ul> </li> <li><a href="security.html">Security</a></li> <li> <a href="config.html">Configuration</a> <ul class="level2"> <li><a href="ServGeneral_Help.html">Server General</a></li> <li><a href="ServLog_Help.html">Server Log</a></li> <li><a href="ServTuning_Help.html">Server Tuning</a></li> <li><a href="ServSecurity_Help.html">Server Security</a></li> <li><a href="Cache_Help.html">Page Cache</a></li> <li><a href="PageSpeed_Config.html">PageSpeed Config</a></li> <li><a href="ExtApp_Help.html">External Apps</a></li> <ul class="level3"> <li><a href="External_FCGI.html">Fast CGI App</a></li> <li><a href="External_FCGI_Auth.html">Fast CGI Authorizer</a></li> <li><a href="External_LSAPI.html">LSAPI App</a></li> <li><a href="External_Servlet.html">Servlet 
Engine</a></li> <li><a href="External_WS.html">Web Server</a></li> <li><a href="External_PL.html">Piped logger</a></li> <li><a href="External_LB.html">Load Balancer</a></li> </ul> <li><a href="ScriptHandler_Help.html">Script Handler</a></li> <li><a href="PHP_Help.html">PHP</a></li> <li><a href="App_Server_Help.html">App Server Settings</a></li> <li><a href="Listeners_General_Help.html">Listener General</a></li> <li><a href="Listeners_SSL_Help.html">Listener SSL</a></li> <li><a href="Templates_Help.html">Virtual Host Templates</a></li> <li><a href="VirtualHosts_Help.html">Virtual Host Basic</a></li> <li><a href="VHGeneral_Help.html">Virtual Host General</a></li> <li><span class="current"><a href="VHSecurity_Help.html">Virtual Host Security</a></span></li> <li><a href="VHSSL_Help.html">Virtual Host SSL</a></li> <li> <a href="VHPageSpeed_Config.html">Virtual Host PageSpeed Config</a> </li> <li><a href="Rewrite_Help.html">Rewrite</a></li> <li><a href="Context_Help.html">Context</a></li> <ul class="level3"> <li><a href="Static_Context.html">Static Context</a></li> <li> <a href="Java_Web_App_Context.html">Java Web App Context</a> </li> <li><a href="Servlet_Context.html">Servlet Context</a></li> <li><a href="FCGI_Context.html">Fast CGI Context</a></li> <li><a href="LSAPI_Context.html">LSAPI Context</a></li> <li><a href="Proxy_Context.html">Proxy Context</a></li> <li><a href="CGI_Context.html">CGI Context</a></li> <li><a href="LB_Context.html">Load Balancer Context</a></li> <li><a href="Redirect_Context.html">Redirect Context</a></li> <li><a href="App_Server_Context.html">App Server Context</a></li> <li><a href="Rails_Context.html">Rack/Rails Context</a></li> </ul> <li><a href="VHAddOns_Help.html">Add-ons</a></li> </ul> </li> <li> <a href="webconsole.html">Web Console</a> <ul class="level2"> <li><a href="AdminGeneral_Help.html">Admin Console General</a></li> <li><a href="AdminSecurity_Help.html">Admin Console Security</a></li> <li> <a 
href="AdminListeners_General_Help.html"> Admin Listener General </a> </li> <li> <a href="AdminListeners_SSL_Help.html">Admin Listener SSL</a> </li> </ul> </li> </ul> </div> </aside> <article class="contentwrapper ls-col-3-5 clearfix"><div class="nav-bar ls-spacer-micro-top"><div class="prev">« <a href="VHGeneral_Help.html">Virtual Host General</a></div><div class="center"><a href="config.html">Configuration</a></div><div class="next"><a href="VHSSL_Help.html">Virtual Host SSL</a> »</div></div> <h1>Virtual Host Security</h1><h2 id="top">Table of Contents</h2><section class="toc"><section class="toc-row"><header>WordPress Brute Force Attack Protection</header><p> <a href="#wpProtectAction">Protection Mode</a> | <a href="#wpProtectLimit">Allowed Login Attempts</a></p></section> <section class="toc-row"><header>Web Application Firewall (WAF)</header><p> <a href="#enableCensorship">Enable WAF</a> | <a href="#censorLogLevel">Log Level</a> | <a href="#defaultAction">Default Action</a> | <a href="#scanPOST">Scan Request Body</a></p></section> <section class="toc-row"><header><a href="#reqCensorshipRule">Web Application Firewall (WAF) Rule Set</a></header><p> <a href="#censorRuleSetName">Name</a> | <a href="#ruleSetAction">Rule Set Action</a> | <a href="#censorRuleSetEnabled">Enabled</a> | <a href="#censorRuleSet">Rules Definition</a></p></section> <section class="toc-row"><header><a href="#VHlsrecaptcha">reCAPTCHA Protection</a></header><p> <a href="#recaptchaSensitivity">Trigger Sensitivity</a></p></section> <section class="toc-row"><header>Containers</header><p> <a href="#bubbleWrap">Bubblewrap Container</a> | <a href="#namespace">Namespace Container</a> | <a href="#namespaceConfVhAdd">Additional Namespace Template File</a></p></section> <section class="toc-row"><header><a href="#vhHotlink">Hotlink Protection</a></header><p> <a href="#enableHotlinkCtrl">Enable Hotlink Protection</a> | <a href="#suffixes">Suffix</a> | <a href="#redirectUri">Redirect URL</a> | <a 
href="#allowDirectAccess">Allow Direct Access</a> | <a href="#onlySelf">Only Self Reference</a> | <a href="#allowedHosts">Allowed Domains</a> | <a href="#matchedHosts">REGEX Matched Domains</a></p></section> <section class="toc-row"><header><a href="#accessControl">Access Control</a></header><p> <a href="#accessControl_allow">Allowed List</a> | <a href="#accessControl_deny">Denied List</a></p></section> <section class="toc-row"><header><a href="#realms">Authorization Realms</a></header><p> <a href="#realmName">Realm Name</a> | <a href="#realmType">DB Type</a> | <a href="#userDBLocation">User DB Location</a> | <a href="#userDB_attrPasswd">Password Attribute</a> | <a href="#userDB_attrMemberOf">Member-of Attribute</a> | <a href="#userDBMaxCacheSize">User DB Max Cache Size</a> | <a href="#userDBCacheTimeout">User DB Cache Timeout (secs)</a> | <a href="#GroupDBLocation">Group DB Location</a> | <a href="#groupDB_attrGroupMember">Group Member Attribute</a> | <a href="#groupDBMaxCacheSize">Group DB Max Cache Size</a> | <a href="#groupDBCacheTimeout">Group DB Cache Timeout (secs)</a> | <a href="#LDAPBindDN">LDAP Bind DN</a> | <a href="#LDAPBindPasswd">LDAP Bind Password</a></p></section> </section> <section><div class="helpitem"><article class="ls-helpitem"><div><header id="wpProtectAction"><h3>Protection Mode<span class="ls-permlink"><a href="#wpProtectAction"></a></span><span class="top"><a href="#top">⇑</a></span></h3></header></div><h4>Description</h4><p>Specifies the action to be taken when the specified Allowed Login Attempts limit is reached within 5 minutes.<br/><br/> <span class="val">Throttle</span> gradually slows down the speed of the server response, <span class="val">Drop</span> severs the connection without any reply, <span class="val">Deny</span> returns a 403 response, and <span class="val">CAPTCHA or Drop</span> redirects to a CAPTCHA if reCAPTCHA Protection is enabled and drops otherwise.<br/><br/> <span class="val">WP Login CAPTCHA Full 
Protection</span> can also be selected. This setting will redirect to a CAPTCHA if ReCAPTCHA Protection is enabled regardless of Allowed Login Attempts limit and falls back to use <span class="val">Throttle</span> otherwise.<br/><br/> Default values:<br/> <b>Server level:</b> <span class="val">Throttle</span><br/> <b>VH level:</b> Inherit Server level setting. If Server level is set to <span class="val">Disable</span>, <span class="val">Throttle</span> will be used.</p> <h4>Syntax</h4><p>Select from drop down list</p> <h4>Tips</h4><p><span title="Security" class="ls-icon-security"></span> Trusted IPs or sub-networks are not affected.<br/> <span title="Information" class="ls-icon-info"></span> This feature is enabled by default (Throttle) and does not need any further configuration in the WebAdmin GUI or in Apache configurations.<br/> <span title="Information" class="ls-icon-info"></span> This setting will override Apache conf <span class="val">WordPressProtect</span> setting for LSWS only. Apache will be unaffected.<br/><br/> <span title="Information" class="ls-icon-info"></span> This can be set at the Server level and overwritten at the Virtual Host level. 
If not overridden at the Virtual Host level, this setting can also be overridden in a user's docroot .htaccess file using Apache configuration directive <span class="val">WordPressProtect</span> with value <span class="val">0</span> (disabled), <span class="val">1</span> (use server level setting), <span class="val">throttle</span>, <span class="val">deny</span>, or <span class="val">drop</span>.</p> </article> </div> <div class="helpitem"><article class="ls-helpitem"><div><header id="wpProtectLimit"><h3>Allowed Login Attempts<span class="ls-permlink"><a href="#wpProtectLimit"></a></span><span class="top"><a href="#top">⇑</a></span></h3></header></div><h4>Description</h4><p>Specifies the maximum number of wp-login.php and xmlrpc.php POST attempts allowed by an IP within 5 minutes before the action specified in <span class="tagl"><a href="#wpProtectAction">Protection Mode</a></span> is taken.<br/><br/> This limit is handled using a quota system where remaining attempts = limit. Each POST attempt will decrease the number of remaining attempts by 1, with the number of remaining attempts increasing back to the set limit over time. An IP will be throttled once the number of remaining attempts for that IP falls to 1/2 the set limit, throttling more as the remaining attempts drops further below the 1/2 mark. When remaining attempts reaches 0, the specified action is taken toward the IP.<br/><br/> In addition to this, if <span class="tagl"><a href="#enableRecaptcha">Enable reCAPTCHA</a></span> is also enabled, an additional per worker protection will be added. 
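</p> <p>The per-IP quota described above, simulated as an added example that is not LiteSpeed's own code: one attempt is consumed per POST, the quota refills over time, throttling starts at the 1/2 mark, and the Protection Mode action is applied when the quota reaches 0, with trusted IPs exempt. The linear refill rate and the class and function names are assumptions, since the page only says that attempts recover "over time".</p>

```python
"""Simulation of the per-IP login-attempt quota for WordPress Brute Force
Attack Protection (added example, not LiteSpeed code).
ASSUMPTION: remaining attempts recover linearly to the full limit over the
5-minute window; the page gives no rate."""
from dataclasses import dataclass, field

WINDOW_SECS = 300.0   # the page's 5-minute window

ALLOW, THROTTLE, DROP, DENY, CAPTCHA = "allow", "throttle", "drop", "deny", "captcha"


@dataclass
class WpLoginProtection:
    limit: int = 10                  # Allowed Login Attempts (server default 10)
    mode: str = "Throttle"           # Protection Mode (server default Throttle)
    recaptcha_enabled: bool = False  # Enable reCAPTCHA
    trusted: set = field(default_factory=set)    # trusted IPs are never affected
    _remaining: dict = field(default_factory=dict)
    _last_seen: dict = field(default_factory=dict)

    def __post_init__(self):
        if not 3 <= self.limit <= 1000:
            raise ValueError("Allowed Login Attempts must be in the range 3 - 1000")

    def _refill(self, ip, now):
        """Restore the quota earned since the last attempt (assumed linear refill)."""
        rem = self._remaining.get(ip, float(self.limit))
        elapsed = max(0.0, now - self._last_seen.get(ip, now))
        self._last_seen[ip] = now
        return min(float(self.limit), rem + elapsed * self.limit / WINDOW_SECS)

    def _exhausted_action(self):
        """Action taken when remaining attempts reach 0."""
        if self.mode == "CAPTCHA or Drop":
            return CAPTCHA if self.recaptcha_enabled else DROP
        if self.mode == "WP Login CAPTCHA Full Protection":
            return THROTTLE   # reCAPTCHA disabled: the page says it falls back to Throttle
        return {"Throttle": THROTTLE, "Drop": DROP, "Deny": DENY}[self.mode]

    def post_attempt(self, ip, now):
        """Account one POST to wp-login.php or xmlrpc.php from `ip` at time `now`
        (seconds). Returns (decision, throttle_level) with throttle_level in 0..1."""
        if ip in self.trusted:
            return ALLOW, 0.0
        if self.mode == "WP Login CAPTCHA Full Protection" and self.recaptcha_enabled:
            return CAPTCHA, 0.0       # redirected regardless of the attempt limit
        rem = max(0.0, self._refill(ip, now) - 1.0)
        self._remaining[ip] = rem
        half = self.limit / 2.0
        if rem > half:
            return ALLOW, 0.0
        if rem > 0.0:
            # throttled from the 1/2 mark on, harder as remaining drops toward 0
            return THROTTLE, (half - rem) / half
        return self._exhausted_action(), 1.0

    def reset(self):
        """Resetting the server clears blocked IPs."""
        self._remaining.clear()
        self._last_seen.clear()


def burst(protection, ip, count, start=0.0):
    """Decisions for `count` back-to-back POSTs from one IP at the same instant."""
    return [protection.post_attempt(ip, start)[0] for _ in range(count)]
```

With the page's own example (limit 10, mode Drop), `burst()` yields four allows, five throttles of increasing strength, then a drop.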
If wp-login.php and xmlrpc.php are visited by the same worker at a rate of 4x the set limit in a 30 second time frame, those URLs will be put into reCAPTCHA mode until the number of visits to these files decreases.<br/><br/> Resetting the server will clear blocked IPs.<br/><br/> Default values:<br/> <b>Server-level:</b> <span class="val">10</span><br/> <b>VH-Level:</b> Inherit Server level setting</p> <h4>Syntax</h4><p>Valid Range: 3 - 1000.</p> <h4>Example</h4><div class="ls-example">With an Attempt limit of 10, and a Mode of drop:<br/><br/> After the first POST attempt, the quota is decreased to 9.<br/><br/> Quota decreases by 1 for each POST attempt.<br/><br/> After Quota reaches half of the limit (5), the IP will be throttled.<br/><br/> Throttling will get worse with each POST attempt.<br/><br/> Once the quota reaches 0, the connection will be dropped.</div><h4>Tips</h4><p><span title="Security" class="ls-icon-security"></span> Trusted IPs or sub-networks are not affected.<br/><br/> <span title="Information" class="ls-icon-info"></span> This setting will override Apache conf <span class="val">WordPressProtect</span> setting for LSWS only. Apache will be unaffected.<br/><br/> <span title="Information" class="ls-icon-info"></span> This can be set at the Server level and overwritten at the Virtual Host level. If not overridden at the Virtual Host level, this setting can also be overridden in a user's docroot .htaccess file using Apache configuration directive <span class="val">WordPressProtect</span> with integer value between 3 and 1000.</p> </article> </div> <div class="helpitem"><article class="ls-helpitem"><div><header id="enableCensorship"><h3>Enable WAF<span class="ls-permlink"><a href="#enableCensorship"></a></span><span class="top"><a href="#top">⇑</a></span></h3></header></div><h4>Description</h4><p>Specifies whether to enable request content deep inspection. 
This feature is equivalent to Apache's mod_security, which can be used to detect and block malicious requests by matching them against known signatures.</p> <h4>Syntax</h4><p>Select from radio box</p> </article> </div> <div class="helpitem"><article class="ls-helpitem"><div><header id="censorLogLevel"><h3>Log Level<span class="ls-permlink"><a href="#censorLogLevel"></a></span><span class="top"><a href="#top">⇑</a></span></h3></header></div><h4>Description</h4><p>Specifies the level of detail of the Web Application Firewall engine's debug output. This value ranges from <span class="val">0</span> - <span class="val">9</span>. <span class="val">0</span> disables logging. <span class="val">9</span> produces the most detailed log. The server's and virtual host's error log <span class="tagl"><a href="ServGeneral_Help.html#log_logLevel">Log Level</a></span> must be set to at least <span class="val">INFO</span> for this option to take effect. This is useful when testing request filtering rules.</p> <h4>Syntax</h4><p>Integer number</p> <h4>See Also</h4><p class="ls-text-small">Server <span class="tagl"><a href="ServGeneral_Help.html#log_logLevel">Log Level</a></span>, Virtual Host <span class="tagl"><a href="VHGeneral_Help.html#vhlog_logLevel">Log Level</a></span></p> </article> </div> <div class="helpitem"><article class="ls-helpitem"><div><header id="defaultAction"><h3>Default Action<span class="ls-permlink"><a href="#defaultAction"></a></span><span class="top"><a href="#top">⇑</a></span></h3></header></div><h4>Description</h4><p>Specifies the default actions that should be taken when a censoring rule is met. 
Default value is <span class="val">deny,log,status:403</span>, which means to deny access with status code 403 and log the incident in the error log.</p> <h4>See Also</h4><p class="ls-text-small"><span class="tagl"><a href="#ruleSetAction">Rule Set Action</a></span></p> </article> </div> <div class="helpitem"><article class="ls-helpitem"><div><header id="scanPOST"><h3>Scan Request Body<span class="ls-permlink"><a href="#scanPOST"></a></span><span class="top"><a href="#top">⇑</a></span></h3></header></div><h4>Description</h4><p>Specifies whether to check the body of an HTTP POST request. Default is "No".</p> <h4>Syntax</h4><p>Select from radio box</p> </article> </div> <div class="helpitem"><article class="ls-helpitem"><div><header id="reqCensorshipRule"><h3>Web Application Firewall (WAF) Rule Set<span class="ls-permlink"><a href="#reqCensorshipRule"></a></span><span class="top"><a href="#top">⇑</a></span></h3></header></div><h4>Description</h4><p>Rules configured here only work for virtual hosts configured with a native LSWS configuration, not for virtual hosts using Apache httpd.conf.</p> </article> </div> <div class="helpitem"><article class="ls-helpitem"><div><header id="censorRuleSetName"><h3>Name<span class="ls-permlink"><a href="#censorRuleSetName"></a></span><span class="top"><a href="#top">⇑</a></span></h3></header></div><h4>Description</h4><p>Give a group of censorship rules a name. For display only.</p> <h4>Syntax</h4><p>String</p> </article> </div> <div class="helpitem"><article class="ls-helpitem"><div><header id="ruleSetAction"><h3>Rule Set Action<span class="ls-permlink"><a href="#ruleSetAction"></a></span><span class="top"><a href="#top">⇑</a></span></h3></header></div><h4>Description</h4><p>Specifies the actions that should be taken when a censoring rule in current ruleset is met. If not set, <span class="tagl"><a href="#defaultAction">Default Action</a></span> will be used.</p> <h4>Syntax</h4><p>String. 
This action string uses the same syntax as Apache's <a href="https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#SecDefaultAction" target="_blank" rel="noopener noreferrer">mod_security SecDefaultAction directive</a>.</p> </article> </div> <div class="helpitem"><article class="ls-helpitem"><div><header id="censorRuleSetEnabled"><h3>Enabled<span class="ls-permlink"><a href="#censorRuleSetEnabled"></a></span><span class="top"><a href="#top">⇑</a></span></h3></header></div><h4>Description</h4><p>Specifies whether to enable this rule set. With this option, a rule set can be quickly turned on and off without adding or removing the rule set. Default is "Yes".</p> <h4>Syntax</h4><p>Select from radio box</p> </article> </div> <div class="helpitem"><article class="ls-helpitem"><div><header id="censorRuleSet"><h3>Rules Definition<span class="ls-permlink"><a href="#censorRuleSet"></a></span><span class="top"><a href="#top">⇑</a></span></h3></header></div><h4>Description</h4><p>Specifies a list of censorship rules.<br/><br/> If you are using an Apache config file, you have to set up rules in httpd.conf. Rules defined here will have no effect.</p> <h4>Syntax</h4><p>String. Syntax of censoring rules follows that of Apache's mod_security directives. "SecFilter", "SecFilterSelective", and "SecRule" can be used here. 
You can copy and paste security rules from an Apache configuration file.<br/><br/> For more details about rule syntax, please refer to the <a href="http://www.modsecurity.org/documentation/index.html" target="_blank" rel="noopener noreferrer">Mod Security documentation</a>.</p> <h4>Tips</h4><p><span title="Information" class="ls-icon-info"></span> Rules configured here only work for vhosts configured in native LSWS configuration, not for vhosts from Apache httpd.conf.</p> </article> </div> <div class="helpitem"><article class="ls-helpitem"><div><header id="VHlsrecaptcha"><h3>reCAPTCHA Protection<span class="ls-permlink"><a href="#VHlsrecaptcha"></a></span><span class="top"><a href="#top">⇑</a></span></h3></header></div><h4>Description</h4><p>reCAPTCHA Protection is a service provided as a way to mitigate heavy server load. reCAPTCHA Protection activates when one of the situations listed below occurs. Once active, all requests by non-trusted (as configured) clients will be redirected to a reCAPTCHA validation page. After validation, the client will be redirected to their desired page.<br/><br/> The following situations will activate reCAPTCHA Protection:<br/> 1. The server or vhost concurrent requests count passes the configured connection limit.<br/> 2. Anti-DDoS is enabled and a client is hitting a URL in a suspicious manner. When triggered, the client will be redirected to reCAPTCHA first instead of being denied.<br/> 3. WordPress Brute Force Attack Protection is enabled and action is set to 'CAPTCHA or Drop'. When a brute force attack is detected, the client will be redirected to reCAPTCHA first. After Max Tries is reached, the connection will be dropped, as per the 'drop' option.<br/> 4. WordPress Brute Force Attack Protection is enabled and action is set to 'WP Login CAPTCHA Full Protection'. The client will always be redirected to reCAPTCHA first.<br/> 5. A new rewrite rule environment is provided to activate reCAPTCHA via RewriteRules. 
'verifycaptcha' can be set to redirect clients to reCAPTCHA. A special value ': deny' can be set to deny the client if it has failed too many times. For example, [E=verifycaptcha] will always redirect to reCAPTCHA until verified. [E=verifycaptcha: deny] will redirect to reCAPTCHA until Max Tries is hit, after which the client will be denied.</p> </article> </div> <div class="helpitem"><article class="ls-helpitem"><div><header id="recaptchaSensitivity"><h3>Trigger Sensitivity<span class="ls-permlink"><a href="#recaptchaSensitivity"></a></span><span class="top"><a href="#top">⇑</a></span></h3></header></div><h4>Description</h4><p>Automatic reCAPTCHA sensitivity. The higher the value, the more likely reCAPTCHA Protection will be used. A value of <span class="val">0</span> is equivalent to "Off" while a value of <span class="val">100</span> is equivalent to "Always On".<br/><br/> Default values:<br/> <b>Server level:</b> 0<br/> <b>Virtual Host level:</b> Inherit Server level setting</p> <h4>Syntax</h4><p>Integer value between 0 and 100.</p> </article> </div> <div class="helpitem"><article class="ls-helpitem"><div><header id="bubbleWrap"><h3>Bubblewrap Container<span class="ls-permlink"><a href="#bubbleWrap"></a></span><span class="top"><a href="#top">⇑</a></span></h3></header></div><h4>Description</h4><p>Set to <span class="val">Enabled</span> if you wish to start CGI processes (including PHP programs) in a bubblewrap sandbox. See <a href="https://wiki.archlinux.org/title/Bubblewrap" target="_blank" rel="noopener noreferrer">https://wiki.archlinux.org/title/Bubblewrap</a> for details on using bubblewrap. 
Bubblewrap must be installed on your system prior to using this setting.<br/><br/> This setting cannot be turned on at the Virtual Host level if set to "Disabled" at the Server level.<br/><br/> Default values:<br/> <b>Server level:</b> Disabled<br/> <b>VH level:</b> Inherit Server level setting</p> <h4>Syntax</h4><p>Select from drop down list</p> </article> </div> <div class="helpitem"><article class="ls-helpitem"><div><header id="namespace"><h3>Namespace Container<span class="ls-permlink"><a href="#namespace"></a></span><span class="top"><a href="#top">⇑</a></span></h3></header></div><h4>Description</h4><p>Set to <span class="val">Enabled</span> if you wish to start CGI processes (including PHP programs) in a namespace container sandbox. Only used when <span class="tagl"><a href="ServSecurity_Help.html#bubbleWrap">Bubblewrap Container</a></span> is set to <span class="val">Disabled</span>.<br/><br/> When not <span class="val">Disabled</span> at the Server level, this setting's value can be overridden at the Virtual Host level.<br/><br/> Default values:<br/> <b>Server level:</b> <span class="val">Disabled</span><br/> <b>Virtual Host Level:</b> Inherit Server level setting</p> <h4>Syntax</h4><p>Select from drop down list</p> </article> </div> <div class="helpitem"><article class="ls-helpitem"><div><header id="namespaceConfVhAdd"><h3>Additional Namespace Template File<span class="ls-permlink"><a href="#namespaceConfVhAdd"></a></span><span class="top"><a href="#top">⇑</a></span></h3></header></div><h4>Description</h4><p>Path to an existing configuration file containing a list of directories to be mounted along with the methods used to mount them. 
If <span class="tagl"><a href="ServSecurity_Help.html#namespaceConf">Namespace Template File</a></span> is also set at the Server level, both files will be used.</p> <h4>Syntax</h4><p>A path which can be absolute, relative to $SERVER_ROOT, or relative to $VH_ROOT.</p> </article> </div> <div class="helpitem"><article class="ls-helpitem"><div><header id="vhHotlink"><h3>Hotlink Protection<span class="ls-permlink"><a href="#vhHotlink"></a></span><span class="top"><a href="#top">⇑</a></span></h3></header></div><h4>Description</h4><p>Hotlinks are requests made from an external website to files on your own website, a practice often referred to as "leeching". It consumes additional bandwidth that you should not have to pay for.<br/><br/> LiteSpeed web server can prevent others from hotlinking to content on your web site by checking the Referer header within an HTTP request. If the Referer header does not match your website, the request will be denied.</p> </article> </div> <div class="helpitem"><article class="ls-helpitem"><div><header id="enableHotlinkCtrl"><h3>Enable Hotlink Protection<span class="ls-permlink"><a href="#enableHotlinkCtrl"></a></span><span class="top"><a href="#top">⇑</a></span></h3></header></div><h4>Description</h4><p>Specifies whether to activate hotlink protection.</p> <h4>Syntax</h4><p>Select from radio box</p> </article> </div> <div class="helpitem"><article class="ls-helpitem"><div><header id="suffixes"><h3>Suffix<span class="ls-permlink"><a href="#suffixes"></a></span><span class="top"><a href="#top">⇑</a></span></h3></header></div><h4>Description</h4><p>Specifies what kinds of files will be protected from hotlinking by listing file suffixes.</p> <h4>Syntax</h4><p>Comma delimited list. "." 
is prohibited</p> </article> </div> <div class="helpitem"><article class="ls-helpitem"><div><header id="redirectUri"><h3>Redirect URL<span class="ls-permlink"><a href="#redirectUri"></a></span><span class="top"><a href="#top">⇑</a></span></h3></header></div><h4>Description</h4><p>Specifies a URL that a user will be redirected to when a hotlinking action is detected. You can redirect users to an image or page saying hotlinking is not allowed. If it is not specified, <span class="val">403 Forbidden</span> will be returned.</p> <h4>Syntax</h4><p>Absolute URL</p> </article> </div> <div class="helpitem"><article class="ls-helpitem"><div><header id="allowDirectAccess"><h3>Allow Direct Access<span class="ls-permlink"><a href="#allowDirectAccess"></a></span><span class="top"><a href="#top">⇑</a></span></h3></header></div><h4>Description</h4><p>Specifies whether to allow direct access without a referrer. A referrer header identifies the web page that linked to the current page. There is no "referrer" header in HTTP requests when a user types in an address directly in the address box or uses a feature like "save target link as".</p> <h4>Syntax</h4><p>Select from radio box</p> </article> </div> <div class="helpitem"><article class="ls-helpitem"><div><header id="onlySelf"><h3>Only Self Reference<span class="ls-permlink"><a href="#onlySelf"></a></span><span class="top"><a href="#top">⇑</a></span></h3></header></div><h4>Description</h4><p>Specifies whether to only allow references from the current web site itself. When set to <span class="val">Yes</span>, <span class="tagl"><a href="#allowedHosts">Allowed Domains</a></span> has no effect and no other web site can link to protected files. 
This can be convenient if you wish to park multiple domain names on the current web site.</p> <h4>Syntax</h4><p>Select from radio box</p> </article> </div> <div class="helpitem"><article class="ls-helpitem"><div><header id="allowedHosts"><h3>Allowed Domains<span class="ls-permlink"><a href="#allowedHosts"></a></span><span class="top"><a href="#top">⇑</a></span></h3></header></div><h4>Description</h4><p>Specifies which web sites can link to protected content.</p> <h4>Syntax</h4><p>Comma delimited list of domain names.</p> </article> </div> <div class="helpitem"><article class="ls-helpitem"><div><header id="matchedHosts"><h3>REGEX Matched Domains<span class="ls-permlink"><a href="#matchedHosts"></a></span><span class="top"><a href="#top">⇑</a></span></h3></header></div><h4>Description</h4><p>Specifies, as regular expressions, the web sites that can link to protected content. The regular expression is matched against the domain name only, not the full URL.</p> <h4>Syntax</h4><p>Regular expressions</p> <h4>Example</h4><div class="ls-example">^.*\.mydomain\.com$</div></article> </div> <div class="helpitem"><article class="ls-helpitem"><div><header id="accessControl"><h3>Access Control<span class="ls-permlink"><a href="#accessControl"></a></span><span class="top"><a href="#top">⇑</a></span></h3></header></div><h4>Description</h4><p>Specifies what sub-networks and/or IP addresses can access the server. At the server level, this setting will affect all virtual hosts. You can also set up access control unique to each virtual host at the virtual host level. Virtual host level settings will NOT override server level settings.<br/><br/> Blocking/Allowing an IP is determined by the combination of the allowed list and the denied list. 
If you want to block only certain IPs or sub-networks, put <span class="val">*</span> or <span class="val">ALL</span> in the <span class="tagl"><a href="#accessControl_allow">Allowed List</a></span> and list the blocked IPs or sub-networks in the <span class="tagl"><a href="#accessControl_deny">Denied List</a></span>. If you want to allow only certain IPs or sub-networks, put <span class="val">*</span> or <span class="val">ALL</span> in the <span class="tagl"><a href="#accessControl_deny">Denied List</a></span> and list the allowed IPs or sub-networks in the <span class="tagl"><a href="#accessControl_allow">Allowed List</a></span>. The setting of the smallest scope that fits for an IP will be used to determine access.<br/><br/> <b>Server Level:</b> Trusted IPs or sub-networks must be specified in the <span class="tagl"><a href="#accessControl_allow">Allowed List</a></span> by adding a trailing "T". Trusted IPs or sub-networks are not affected by connection/throttling limits. Only server level access control can set up trusted IPs/sub-networks.</p> <h4>Tips</h4><p><span title="Security" class="ls-icon-security"></span> Use this at the server level for general restrictions that apply to all virtual hosts.</p> </article> </div> <div class="helpitem"><article class="ls-helpitem"><div><header id="accessControl_allow"><h3>Allowed List<span class="ls-permlink"><a href="#accessControl_allow"></a></span><span class="top"><a href="#top">⇑</a></span></h3></header></div><h4>Description</h4><p>Specifies the list of IPs or sub-networks allowed. <span class="val">*</span> or <span class="val">ALL</span> are accepted.</p> <h4>Syntax</h4><p>Comma delimited list of IP addresses or sub-networks. 
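</p> <p>The allow/deny combination rules described under Access Control, together with the entry formats the Allowed List and Denied List accept (netmask, CIDR, partial octets, "*" wildcards, bracketed IPv6, trailing "T"), as an added example that is not LiteSpeed's own code. Two points are assumptions: a deny entry wins when an allow and a deny entry have exactly the same scope (the page does not say), and "Virtual host level settings will NOT override server level settings" is read as both lists having to admit the address.</p>

```python
"""Evaluator for LiteSpeed-style Allowed List / Denied List entries
(added example, not LiteSpeed code).
ASSUMPTION: on an exact tie in scope the deny entry wins."""
import ipaddress


def parse_entry(entry):
    """Parse one list entry. Returns (network, trusted); network is None for
    the "*" / "ALL" wildcard."""
    s = entry.strip()
    trusted = s.endswith("T")            # trailing "T": trusted IP or sub-network
    if trusted:
        s = s[:-1].strip()
    if s in ("*", "ALL"):
        return None, trusted
    s = s.replace("[", "").replace("]", "")   # [::1] and [addr]/64 bracket forms
    if ":" not in s and "/" not in s:
        # 192.168.1 and 192.168.1.* are prefixes made of whole octets
        octets = [o for o in s.split(".") if o != "*"]
        if len(octets) < 4:
            s = ".".join(octets + ["0"] * (4 - len(octets))) + "/%d" % (8 * len(octets))
    return ipaddress.ip_network(s, strict=False), trusted


class AccessControl:
    def __init__(self, allowed="", denied=""):
        self.allowed = [parse_entry(e) for e in allowed.split(",") if e.strip()]
        self.denied = [parse_entry(e) for e in denied.split(",") if e.strip()]

    def evaluate(self, ip):
        """Return (allowed, trusted) for one client address. Among all matching
        entries the smallest scope (longest prefix) decides; the wildcard has the
        largest scope; with no matching entry at all the address is allowed."""
        addr = ipaddress.ip_address(ip)
        best_scope, allowed, trusted = -2, True, False
        for verdict, entries in ((True, self.allowed), (False, self.denied)):
            for net, flag in entries:
                if net is None:
                    scope = -1
                elif addr in net:          # False when the IP versions differ
                    scope = net.prefixlen
                else:
                    continue
                if scope > best_scope or (scope == best_scope and not verdict):
                    best_scope, allowed, trusted = scope, verdict, verdict and flag
        return allowed, trusted


def check_client(server_acl, vh_acl, ip):
    """Server-level and virtual-host-level lists both apply: the VH list cannot
    re-admit an address the server list blocks, and only the server list can
    mark an address trusted (exempt from connection/throttling limits)."""
    server_ok, trusted = server_acl.evaluate(ip)
    vh_ok, _ = vh_acl.evaluate(ip)
    ok = server_ok and vh_ok
    return ok, ok and trusted
```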
A trailing "T" can be used to indicate a trusted IP or sub-network, such as <span class="val">192.168.1.*T</span>.</p> <h4>Example</h4><div class="ls-example"><b>Sub-networks:</b> 192.168.1.0/255.255.255.0, 192.168.1.0/24, 192.168.1, or 192.168.1.*<br/> <b>IPv6 addresses:</b> ::1 or [::1]<br/> <b>IPv6 subnets:</b> 3ffe:302:11:2:20f:1fff:fe29:717c/64 or [3ffe:302:11:2:20f:1fff:fe29:717c]/64</div><h4>Tips</h4><p><span title="Security" class="ls-icon-security"></span> Trusted IPs or sub-networks set at the server level access control will be excluded from connection/throttling limits.</p> </article> </div> <div class="helpitem"><article class="ls-helpitem"><div><header id="accessControl_deny"><h3>Denied List<span class="ls-permlink"><a href="#accessControl_deny"></a></span><span class="top"><a href="#top">⇑</a></span></h3></header></div><h4>Description</h4><p>Specifies the list of IPs or sub-networks disallowed.</p> <h4>Syntax</h4><p>Comma delimited list of IP addresses or sub-networks. <span class="val">*</span> or <span class="val">ALL</span> are accepted.</p> <h4>Example</h4><div class="ls-example"><b>Sub-networks:</b> 192.168.1.0/255.255.255.0, 192.168.1.0/24, 192.168.1, or 192.168.1.*<br/> <b>IPv6 addresses:</b> ::1 or [::1]<br/> <b>IPv6 subnets:</b> 3ffe:302:11:2:20f:1fff:fe29:717c/64 or [3ffe:302:11:2:20f:1fff:fe29:717c]/64</div></article> </div> <div class="helpitem"><article class="ls-helpitem"><div><header id="realms"><h3>Authorization Realms<span class="ls-permlink"><a href="#realms"></a></span><span class="top"><a href="#top">⇑</a></span></h3></header></div><h4>Description</h4><p>Lists all authorization realms for this virtual host. Authorization realms are used to block unauthorized users from accessing protected web pages. A realm is a user directory containing usernames and passwords with optional group classifications. Authorization is performed at the context level. 
Because different contexts can share the same realm (user database), realms are defined separately from the contexts that use them. You can refer to a realm by its name in a context's configuration.</p> </article> </div> <div class="helpitem"><article class="ls-helpitem"><div><header id="realmName"><h3>Realm Name<span class="ls-permlink"><a href="#realmName"></a></span><span class="top"><a href="#top">⇑</a></span></h3></header></div><h4>Description</h4><p>Specifies a unique name for the authorization realm.</p> </article> </div> <div class="helpitem"><article class="ls-helpitem"><div><header id="realmType"><h3>DB Type<span class="ls-permlink"><a href="#realmType"></a></span><span class="top"><a href="#top">⇑</a></span></h3></header></div><h4>Description</h4><p>Specifies how user/group data is stored for an authorization realm. Currently, user/group data can be stored in flat files or on an LDAP server.</p> <h4>Syntax</h4><p>Select from drop down list</p> </article> </div> <div class="helpitem"><article class="ls-helpitem"><div><header id="userDBLocation"><h3>User DB Location<span class="ls-permlink"><a href="#userDBLocation"></a></span><span class="top"><a href="#top">⇑</a></span></h3></header></div><h4>Description</h4><p>Specifies the location of the user database. For DB type <span class="val">Password File</span>, it is the path to the flat file containing user/password definitions. You can edit this file through the WebAdmin console by clicking on the filename.<br/><br/> Each line of the user file contains a username followed by a colon, followed by a password hashed with crypt(), optionally followed by a colon and the group names that user belongs to. Group names are delimited by commas. 
If group information is specified in the user database, then the group database will not be checked.<br/><br/> Example:<blockquote><code>john:HZ.U8kgjnMOHo:admin,user</code></blockquote><br/><br/> For DB type <span class="val">LDAP</span>, it is the LDAP URL to query for the user information. For each valid user, the authentication data stored in the LDAP server should contain at least the user id and user password. One and only one record should be returned in the LDAP search request based on the URL and the username received in the HTTP Authentication header. "$k" must be specified in the filter part of the URL and it will be replaced with the username. The user password attribute must be returned in the query result. The attribute name of the user password is specified by <span class="tagl"><a href="#userDB_attrPasswd">Password Attribute</a></span>. Group information can optionally be specified by the <span class="tagl"><a href="#userDB_attrMemberOf">Member-of Attribute</a></span>.<br/><br/> Example: At minimum, a user can be defined in LDAP with the object classes uidObject, simpleSecurityObject and organizationalRole. The following URL could be used:<br/><br/> <blockquote><code>ldap://localhost/ou=UserDB,dc=example,dc=com???(&(objectClass=*)(uid=$k))</code></blockquote></p> <h4>Syntax</h4><p>Path to user DB file or LDAP URL (RFC 2255).</p> <h4>Tips</h4><p><span title="Security" class="ls-icon-security"></span> It is recommended to store user password files outside of the document tree. If a user password file has to be placed inside the document tree, simply name it with a leading ".ht" like <span class="val">.htuser</span> to prevent it from being served as a static file. 
LiteSpeed Web Server does not serve files prefixed with ".ht".</p> <h4>See Also</h4><p class="ls-text-small"><span class="tagl"><a href="#GroupDBLocation">Group DB Location</a></span>, <span class="tagl"><a href="#userDB_attrPasswd">Password Attribute</a></span>, <span class="tagl"><a href="#userDB_attrMemberOf">Member-of Attribute</a></span></p> </article> </div> <div class="helpitem"><article class="ls-helpitem"><div><header id="userDB_attrPasswd"><h3>Password Attribute<span class="ls-permlink"><a href="#userDB_attrPasswd"></a></span><span class="top"><a href="#top">⇑</a></span></h3></header></div><h4>Description</h4><p>Specifies the name of the password attribute for a user record stored in an LDAP server. The default value is <span class="val">userPassword</span>.</p> <h4>Syntax</h4><p>string</p> </article> </div> <div class="helpitem"><article class="ls-helpitem"><div><header id="userDB_attrMemberOf"><h3>Member-of Attribute<span class="ls-permlink"><a href="#userDB_attrMemberOf"></a></span><span class="top"><a href="#top">⇑</a></span></h3></header></div><h4>Description</h4><p>Specifies the name of the "Member-of" attribute for a user record stored in an LDAP server. The default value is <span class="val">memberOf</span>. The "Member-of" attribute can be used to specify the group name that the user belongs to.</p> <h4>Syntax</h4><p>string</p> </article> </div> <div class="helpitem"><article class="ls-helpitem"><div><header id="userDBMaxCacheSize"><h3>User DB Max Cache Size<span class="ls-permlink"><a href="#userDBMaxCacheSize"></a></span><span class="top"><a href="#top">⇑</a></span></h3></header></div><h4>Description</h4><p>Specifies the maximum cache size of the user database. 
Recently accessed user authentication data will be cached in memory to provide maximum performance.</p> <h4>Syntax</h4><p>Integer number</p> <h4>Tips</h4><p><span title="Performance" class="ls-icon-performance"></span> As a larger cache will consume more memory, a higher value may or may not provide better performance. Set it to an appropriate size according to your user database size and site usage.</p> </article> </div> <div class="helpitem"><article class="ls-helpitem"><div><header id="userDBCacheTimeout"><h3>User DB Cache Timeout (secs)<span class="ls-permlink"><a href="#userDBCacheTimeout"></a></span><span class="top"><a href="#top">⇑</a></span></h3></header></div><h4>Description</h4><p>Specifies how often the backend user database will be checked for changes. Every entry in the cache has a timestamp. When cached data is older than the specified timeout, the backend database will be checked for changes. If there is no change, the timestamp will be reset to the current time; otherwise the new data will be loaded. Server reload and graceful restart will clear the cache immediately.</p> <h4>Syntax</h4><p>Integer number</p> <h4>Tips</h4><p><span title="Performance" class="ls-icon-performance"></span> If the backend database does not change very often, set a longer timeout for better performance.</p> </article> </div> <div class="helpitem"><article class="ls-helpitem"><div><header id="GroupDBLocation"><h3>Group DB Location<span class="ls-permlink"><a href="#GroupDBLocation"></a></span><span class="top"><a href="#top">⇑</a></span></h3></header></div><h4>Description</h4><p>Specifies the location of the group database.<br/><br/> Group information can be set either in the user database or in this standalone group DB. For user authentication, the user DB will be checked first. 
If the user DB also contains group information, then the group DB will not be checked.<br/><br/> For the DB type <span class="val">Password File</span>, the group DB location should be the path to the flat file containing group definitions. You can edit this file through the WebAdmin console by clicking on the filename.<br/><br/> Each line of a group file should contain a group name followed by a colon, followed by a space-delimited list of usernames. Example:<br/> <blockquote><code>testgroup: user1 user2 user3</code></blockquote><br/><br/> For the DB type <span class="val">LDAP</span>, the group DB location should be the LDAP URL to query for group information. For each valid group, one and only one record should be returned in the LDAP search request based on this URL and the group name specified in <span class="tagl"><a href="Redirect_Context.html#required">Require (Authorized Users/Groups)</a></span>. "$k" must be specified in the filter part of the URL and it will be replaced with the group name. The name of the attribute that lists the members of the group is specified by the <span class="tagl"><a href="#groupDB_attrGroupMember">Group Member Attribute</a></span>.<br/><br/> Example: If the objectClass posixGroup is used to store group information, the following URL could be used:<br/> <blockquote><code>ldap://localhost/ou=GroupDB,dc=example,dc=com???(&(objectClass=*)(cn=$k))</code></blockquote></p> <h4>Syntax</h4><p>Filename, which can be an absolute path or a path relative to $SERVER_ROOT or $VH_ROOT.</p> <h4>Tips</h4><p><span title="Security" class="ls-icon-security"></span> It is recommended to store a group file outside the document tree. If it has to be placed inside the document tree, simply name it with a leading ".ht" like <span class="val">.htgroup</span>, to prevent the file from being served as a static file. 
LiteSpeed Web Server does not serve files prefixed with ".ht".</p> <h4>See Also</h4><p class="ls-text-small"><span class="tagl"><a href="#userDBLocation">User DB Location</a></span>, Context <span class="tagl"><a href="Context_Help.html#required">Require (Authorized Users/Groups)</a></span>, <span class="tagl"><a href="#groupDB_attrGroupMember">Group Member Attribute</a></span></p> </article> </div> <div class="helpitem"><article class="ls-helpitem"><div><header id="groupDB_attrGroupMember"><h3>Group Member Attribute<span class="ls-permlink"><a href="#groupDB_attrGroupMember"></a></span><span class="top"><a href="#top">⇑</a></span></h3></header></div><h4>Description</h4><p>Specifies the name of the "Member" attribute for a group record stored in an LDAP server. The default value is <span class="val">memberUid</span>.</p> <h4>Syntax</h4><p>string</p> </article> </div> <div class="helpitem"><article class="ls-helpitem"><div><header id="groupDBMaxCacheSize"><h3>Group DB Max Cache Size<span class="ls-permlink"><a href="#groupDBMaxCacheSize"></a></span><span class="top"><a href="#top">⇑</a></span></h3></header></div><h4>Description</h4><p>Specifies the maximum cache size of the group database.</p> <h4>Syntax</h4><p>Integer number</p> <h4>Tips</h4><p><span title="Performance" class="ls-icon-performance"></span> As a larger cache will consume more memory, a higher value may or may not provide better performance. 
Set it to an appropriate size according to your user database size and site usage.</p> <h4>See Also</h4><p class="ls-text-small"><span class="tagl"><a href="#userDBMaxCacheSize">User DB Max Cache Size</a></span></p> </article> </div> <div class="helpitem"><article class="ls-helpitem"><div><header id="groupDBCacheTimeout"><h3>Group DB Cache Timeout (secs)<span class="ls-permlink"><a href="#groupDBCacheTimeout"></a></span><span class="top"><a href="#top">⇑</a></span></h3></header></div><h4>Description</h4><p>Specifies how often the backend group database will be checked for changes. For more detail please refer to <span class="tagl"><a href="#userDBCacheTimeout">User DB Cache Timeout (secs)</a></span>.</p> <h4>Syntax</h4><p>Integer number</p> <h4>See Also</h4><p class="ls-text-small"><span class="tagl"><a href="#userDBCacheTimeout">User DB Cache Timeout (secs)</a></span></p> </article> </div> <div class="helpitem"><article class="ls-helpitem"><div><header id="LDAPBindDN"><h3>LDAP Bind DN<span class="ls-permlink"><a href="#LDAPBindDN"></a></span><span class="top"><a href="#top">⇑</a></span></h3></header></div><h4>Description</h4><p>Specifies a DN used to bind to the server. If the LDAP server requires authentication, a bind DN and password must be specified. If not specified, anonymous bind will be used.</p> <h4>Syntax</h4><p>string</p> <h4>See Also</h4><p class="ls-text-small"><span class="tagl"><a href="#LDAPBindPasswd">LDAP Bind Password</a></span></p> </article> </div> <div class="helpitem"><article class="ls-helpitem"><div><header id="LDAPBindPasswd"><h3>LDAP Bind Password<span class="ls-permlink"><a href="#LDAPBindPasswd"></a></span><span class="top"><a href="#top">⇑</a></span></h3></header></div><h4>Description</h4><p>Specifies a password used to bind to the server. 
If the LDAP Server requires authentication, a bind DN and password must be specified.</p> <h4>Syntax</h4><p>string</p> <h4>See Also</h4><p class="ls-text-small"><span class="tagl"><a href="#LDAPBindDN">LDAP Bind DN</a></span></p> </article> </div> </section> </article><div class="ls-col-1-1"><footer class="copyright">Copyright © 2003-2020. <a href="https://www.litespeedtech.com">LiteSpeed Technologies Inc.</a> All rights reserved.</footer> </div></div> </body> </html>
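The following is an added example, not LiteSpeed code: it parses the flat-file user and group databases in the formats given under "User DB Location" and "Group DB Location", applies the rule that the group DB is skipped when the user DB already carries group names, and expands the "$k" placeholder of an RFC 2255 LDAP URL. The sample records are constructed here; the page does not say whether the server escapes "$k" itself, so the example applies RFC 4515 filter escaping before substitution as an assumption.

```python
"""Added example, not LiteSpeed code: parse the flat-file user/group DBs
described in "User DB Location" / "Group DB Location", apply the page's
precedence rule, and expand the "$k" placeholder of an RFC 2255 LDAP URL.
The sample records below are constructed for this example."""

# user DB line: username:crypt()-hash[:group1,group2]   (page format)
USER_DB = "john:HZ.U8kgjnMOHo:admin,user\nalice:HZ.U8kgjnMOHo\n"
# group DB line: groupname: user1 user2 ...              (page format)
GROUP_DB = "testgroup: alice bob\nadmin: bob\n"

def parse_user_db(text):
    """Map username -> (password hash, set of groups, or None if absent)."""
    users = {}
    for line in filter(None, map(str.strip, text.splitlines())):
        parts = line.split(":", 2)          # at most three fields
        groups = None
        if len(parts) == 3 and parts[2]:
            groups = {g for g in parts[2].split(",") if g}
        users[parts[0]] = (parts[1], groups)
    return users

def parse_group_db(text):
    """Map groupname -> set of usernames (space-delimited after the colon)."""
    groups = {}
    for line in text.splitlines():
        if ":" in line:
            name, members = line.split(":", 1)
            groups[name.strip()] = set(members.split())
    return groups

def groups_of(user, users, groups):
    """Page rule: the user DB is checked first; if it carries group
    information for the user, the group DB is not consulted at all."""
    if user not in users:
        return set()
    if users[user][1] is not None:
        return users[user][1]
    return {g for g, members in groups.items() if user in members}

# RFC 4515 filter-value escapes (assumption: the page does not state whether
# the server escapes $k itself, so this example does it before substitution).
_ESC = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}

def expand_k(ldap_url, key):
    """Return (expanded URL, filter part). The '?' fields of the URL are
    dn?attributes?scope?filter; '???' leaves attributes and scope empty."""
    escaped = "".join(_ESC.get(c, c) for c in key)
    url = ldap_url.replace("$k", escaped)
    parts = url.split("?")
    return url, parts[3] if len(parts) > 3 else ""
```

With the constructed data, `john` gets `admin,user` from the user DB and the group DB is never read for him, while `alice` falls through to the group DB and is resolved to `testgroup` only.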