Server Security |
|
Follow Symbolic Link | |
|
Description: Specifies the server level default for following symbolic links
when serving static files.
Choices are Yes, If Owner Match and No.
Yes will always follow a symbolic link;
If Owner Match will follow a symbolic link only if the link and its target have the same owner;
No will never follow a symbolic link.
This setting can be overridden by each individual virtual host.
|
Syntax: Select from drop down list |
Tips: [Performance & security] For best security select No or If Owner Match: following links
unconditionally lets anyone who can create a symbolic link inside a document root expose any file
the server process can read. For best performance, select Yes. |
See Also: Check Symbolic Link. |
|
Check Symbolic Link | |
|
Description: Specifies whether to check symbolic links against Access Denied Directories
when Follow Symbolic Link is turned on. If enabled, the canonical real path of the resource
referred to by a URL will be checked against the configured access denied directories.
Access will be denied if it falls inside an access denied directory.
|
Syntax: Select from radio box |
Tips: [Performance & security] For best security, enable this option. For best performance, disable it. |
|
Required Permission Mask | |
|
Description: Specifies the permission bits that a static file must have for the
web server to serve it. For example, to serve only files that are readable
by everyone, set the value to 0004.
See man 2 stat for the st_mode bits.
|
Syntax: octal numbers |
See Also: Restricted Permission Mask. |
|
Restricted Permission Mask | |
|
Description: Specifies the permission bits that a static file must not have; a file
carrying any of them will not be served. For example, to refuse files that are
executable, set the mask to 0111.
See man 2 stat for the st_mode bits.
|
Syntax: octal numbers |
See Also: Required Permission Mask. |
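Worked example, added here and not part of the LiteSpeed documentation or code: how the two masks combine against the st_mode bits that stat(2) returns, applied to a document root. The helper names, the temporary docroot and the four sample files are constructed for the illustration; the defaults are the two example masks from the settings above.

```python
import os
import stat
import tempfile


def mode_serveable(st_mode, required=0o004, restricted=0o111):
    """Apply both masks to the permission bits of st_mode (see man 2 stat):
    every bit in Required Permission Mask must be set, and no bit in
    Restricted Permission Mask may be set. The defaults are the two examples
    from the settings above: world-readable, and executable by nobody."""
    perm = stat.S_IMODE(st_mode)
    return (perm & required) == required and (perm & restricted) == 0


def scan_docroot(docroot, required=0o004, restricted=0o111):
    """Walk a document root with lstat() (links are not followed here) and
    report, per regular file, whether the masks would let it be served."""
    report = {}
    for dirpath, _dirs, files in os.walk(docroot):
        for name in files:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if not stat.S_ISREG(st.st_mode):
                continue   # symbolic links are governed by Follow Symbolic Link, not by the masks
            report[os.path.relpath(path, docroot)] = mode_serveable(st.st_mode, required, restricted)
    return report


def demo():
    """Constructed document root with four files whose modes cover the cases
    that matter: a normal page, a group-only include file, an executable and
    a private key accidentally left in the docroot."""
    root = tempfile.mkdtemp(prefix="docroot-")
    modes = {"index.html": 0o644, "config.inc": 0o640,
             "upload.cgi": 0o755, "id_rsa": 0o600}
    for name, mode in modes.items():
        path = os.path.join(root, name)
        with open(path, "w") as fh:
            fh.write("constructed sample content\n")
        os.chmod(path, mode)   # chmod() is not subject to the umask, so the modes are exact
    return scan_docroot(root)


if __name__ == "__main__":
    for name, ok in sorted(demo().items()):
        print(f"{name:12s} {'serve' if ok else 'refuse'}")
```

Only index.html passes: config.inc and id_rsa lack the world-read bit that 0004 requires, and upload.cgi carries execute bits that 0111 forbids. The masks say nothing about where a path leads; symbolic links are skipped here because that is the job of the two settings above.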
|
Per Client Throttling Control | |
|
Description: Connection control settings applied per client IP address.
They help to mitigate DoS (Denial of Service) and DDoS (Distributed Denial of Service) attacks. |
|
Static Requests/Second | |
|
Description: Specifies the maximum number of requests for static content from a single
IP address that will be processed per second, regardless of how many
connections the client has established.
When the limit is reached, further requests are tar-pitted until the next
second.
The request limit for dynamically generated content is independent of this limit.
The per client request limit can be set at server or virtual host level; a
virtual host level setting overrides the server level setting.
|
Syntax: Integer number |
Tips: [Security] Trusted IPs or sub-networks are not affected. |
See Also: Dynamic Requests/Second |
|
Dynamic Requests/Second | |
|
Description: Specifies the maximum number of requests for dynamically generated content
from a single IP address that will be processed per second,
regardless of how many connections the client has established.
When the limit is reached, further requests for dynamic content
are tar-pitted until the next second.
The request limit for static content is independent of this limit.
The per client request limit can be set at server or virtual host level; a
virtual host level setting overrides the server level setting.
|
Syntax: Integer number |
Tips: [Security] Trusted IPs or sub-networks are not affected. |
See Also: Static Requests/Second |
|
Outbound Bandwidth | |
|
Description: Specifies the maximum allowed outgoing throughput to a single
IP address regardless of number of connections established.
The real bandwidth could be slightly higher than this setting for efficiency.
Bandwidth is allocated in 4KB units. Set to 0 to disable throttling.
Per client bandwidth limit (bytes/sec) can be set at server or virtual host level where
virtual host level setting overrides server level setting.
|
Syntax: Integer number |
Tips: [Performance] Set the bandwidth in 8KB units for better performance.
[Security] Trusted IPs or sub-networks are not affected. |
See Also: Inbound Bandwidth |
|
Inbound Bandwidth | |
|
Description: Specifies the maximum allowed incoming throughput from a single
IP address regardless of number of connections established.
The real bandwidth could be slightly higher than this setting for efficiency.
Bandwidth is allocated in 1KB units. Set to 0 to disable throttling.
Per client bandwidth limit (bytes/sec) can be set at server or virtual host level where
virtual host level setting overrides server level setting.
|
Syntax: Integer number |
Tips: [Security] Trusted IPs or sub-networks are not affected. |
See Also: Outbound Bandwidth |
|
Connection Soft Limit | |
|
Description: Specifies the soft limit on concurrent connections allowed from one IP.
The soft limit can be exceeded temporarily during Grace Period (sec) as long as
the number stays below Connection Hard Limit, but keep-alive connections
will be closed as soon as possible until the number of connections is lower
than the limit. If the number of connections is still over the limit after the
Grace Period (sec), that IP will be blocked for Banned Period (sec).
For example, if a page contains many small images, the browser may try to open
many connections at the same time, especially an HTTP/1.0 client. You would want to allow
those connections for a short period.
Even HTTP/1.1 clients may open multiple connections to speed up downloading, and SSL
requires connections separate from non-SSL connections. Make sure the limit is set properly,
so as not to adversely affect normal service. The recommended limit is between 5 and 10.
|
Syntax: Integer number |
Tips: [Security] A lower number lets the server serve more distinct clients.
[Security] Trusted IPs or sub-networks are not affected.
[Performance] Set to a high value when you are performing benchmark tests with a large number of concurrent client machines. |
|
Connection Hard Limit | |
|
Description: Specifies the maximum allowed concurrent connections from a single IP address.
This limit is always enforced and a client will never be able to exceed it.
HTTP/1.0 clients usually try to open as many connections as they need to download embedded
content at the same time. This limit should be set high enough for HTTP/1.0 clients;
use Connection Soft Limit to set the desired connection limit.
The recommended limit is between 20 and 50 depending on the content of your web pages and traffic load.
|
Syntax: Integer number |
Tips: [Security] A lower number lets the server serve more distinct clients.
[Security] Trusted IPs or sub-networks are not affected.
[Performance] Set to a high value when you are performing benchmark tests with a large number of concurrent client machines. |
|
Grace Period (sec) | |
|
Description: Specifies for how long new connections can still be accepted after the number of connections
established from one IP exceeds Connection Soft Limit. Within this period, new connections
will be accepted as long as the total stays below Connection Hard Limit. After this
period, if the number of connections is still higher than Connection Soft Limit, that
IP will be blocked for Banned Period (sec).
|
Syntax: Integer number |
Tips: [Performance & Security] Set to a proper number big enough for downloading
a complete page but low enough to prevent deliberate attacks. |
|
Banned Period (sec) | |
|
Description: Specifies for how long new connections will be rejected from an IP at the end of
Grace Period (sec) if its number of connections is still above Connection Soft Limit.
If an IP keeps going over the limit after each grace period, configure a longer banned period for it.
|
Syntax: Integer number |
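Worked model of the whole Per Client Throttling Control section, added here as an example and not LiteSpeed's own code: the connection limiter as a small state machine over Connection Soft Limit, Connection Hard Limit, Grace Period and Banned Period, with the Static/Dynamic Requests/Second gate beside it and the trusted-IP exemption in both. Class and method names, the return strings and the sample address and timings are invented for the illustration; tar-pitting is modelled as "hold until the next second" rather than by sleeping.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class ClientState:
    active: int = 0                       # open connections from this IP
    over_since: Optional[float] = None    # when the count first went over Connection Soft Limit
    banned_until: float = 0.0             # end of the current Banned Period, if any


class PerClientConnectionLimiter:
    """Connection Soft Limit, Connection Hard Limit, Grace Period (sec) and
    Banned Period (sec) tracked per IP; trusted IPs bypass all of it."""

    def __init__(self, soft_limit, hard_limit, grace_sec, banned_sec, trusted=()):
        self.soft, self.hard = soft_limit, hard_limit
        self.grace, self.ban = grace_sec, banned_sec
        self.trusted = set(trusted)
        self.clients = {}

    def _state(self, ip):
        return self.clients.setdefault(ip, ClientState())

    def on_connect(self, ip, now):
        """Decide on a new connection at time now: 'accept' or 'reject:<reason>'."""
        if ip in self.trusted:
            return "accept"
        st = self._state(ip)
        if now < st.banned_until:
            return "reject:banned"
        if st.active >= self.hard:
            return "reject:hard-limit"            # never exceeded, not even during the grace period
        if st.active >= self.soft:                # accepting this one exceeds the soft limit
            if st.over_since is None:
                st.over_since = now               # grace period starts
            elif now - st.over_since > self.grace:
                st.banned_until = now + self.ban  # still over after the grace period: ban
                st.over_since = None
                return "reject:banned"
        st.active += 1
        return "accept"

    def on_close(self, ip):
        st = self._state(ip)
        st.active = max(0, st.active - 1)
        if st.active <= self.soft:
            st.over_since = None                  # back within the soft limit, grace clock cleared

    def should_close_keepalive(self, ip):
        """While over the soft limit, idle keep-alive connections are closed early."""
        return self._state(ip).active > self.soft


class PerClientRequestGate:
    """Static Requests/Second and Dynamic Requests/Second: counted separately
    per IP and per wall-clock second. Requests past the limit are tar-pitted,
    i.e. held until the next second, not refused."""

    def __init__(self, static_per_sec, dynamic_per_sec, trusted=()):
        self.limits = {"static": static_per_sec, "dynamic": dynamic_per_sec}
        self.trusted = set(trusted)
        self.counts = {}                          # (ip, kind, second) -> requests seen

    def admit(self, ip, kind, now):
        """Return 'serve', or 'tarpit-until:<second>' when the request must wait."""
        if ip in self.trusted:
            return "serve"
        key = (ip, kind, int(now))
        self.counts[key] = self.counts.get(key, 0) + 1
        if self.counts[key] > self.limits[kind]:
            return f"tarpit-until:{int(now) + 1}"
        return "serve"


if __name__ == "__main__":
    lim = PerClientConnectionLimiter(soft_limit=2, hard_limit=4, grace_sec=5, banned_sec=60)
    ip = "203.0.113.9"                            # constructed client address
    for t in (0, 0, 0, 1, 1):                     # a burst of five connections
        print(t, lim.on_connect(ip, t))
    lim.on_close(ip)
    print(6, lim.on_connect(ip, 6))               # still over the soft limit after the grace period
```

With soft=2, hard=4, grace=5 the burst above is accepted up to the fourth connection, the fifth hits the hard limit, and a new connection at t=6 bans the address because the count has been above the soft limit since t=0. The two counters in the request gate are independent, matching the note that the static and dynamic limits do not interact.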
|
CGI Daemon Socket | |
|
Description: A unique socket address used to communicate with the CGI
daemon. LiteSpeed server uses a standalone CGI daemon to
spawn CGI scripts for best performance and security.
The default socket is
"uds://$SERVER_ROOT/admin/conf/.cgid.sock". If you need to put it in
another location, specify a Unix Domain Socket here. Keep the socket in a
directory that only the server user can write to, so that no other local user can
create or replace it.
|
Syntax: UDS://path. Example: UDS://tmp/lshttpd/cgid.sock |
|
Max CGI Instances | |
|
Description: Specifies the maximum number of concurrent CGI processes the server can start.
For each request to a CGI script, the server needs to start a standalone CGI process.
On a Unix system the number of concurrent processes is limited; too many
concurrent processes degrade the performance of the whole system and make it an easy target for a DoS attack.
LiteSpeed server pipelines requests to CGI scripts
and limits concurrent CGI processes to ensure optimal performance and reliability.
The hard limit is 2000.
|
Syntax: Integer number |
Tips: [Security & Performance] A higher limit does not necessarily translate to faster performance.
In most cases a lower limit gives better performance and security. A higher limit only helps
when I/O latency is excessive during CGI processing. |
|
Minimum UID | |
|
Description: Specifies the minimum user id for external applications. If LiteSpeed web
server is started by the "root" user, it can run external applications in "suEXEC"
mode as found in Apache (changing to a user/group id other than the
server's). Execution of an external script with a uid lower than the value specified
here will be denied.
|
Syntax: Integer number |
Tips: [Security] Set it high enough to exclude all system and privileged users; on most Linux distributions regular accounts start at uid 1000. |
|
Minimum GID | |
|
Description: Specifies the minimum group id for external applications. If LiteSpeed
server is started by the "root" user, it can run external applications in "suEXEC"
mode as found in Apache (changing to a user/group id other than the web
server's). Execution of an external application with a gid lower than the value specified
here will be denied.
|
Syntax: Integer number |
Tips: [Security] Set it high enough to exclude all groups used by system users. |
|
Force GID | |
|
Description: Specifies a group id to be used for all external applications started in suEXEC mode.
When set to a non-zero value, all suEXEC external applications (CGI/FastCGI/LSAPI)
will run with this gid. This can be used to prevent an external application
from accessing files owned by other users.
For example, in a shared hosting environment, LiteSpeed runs as user
www-data, group www-data; each docroot is owned by a user account with
group www-data and permission mode 0750. If 'Force GID' is set to
the gid of 'nogroup' or of any group other than 'www-data', all suEXEC external applications will run
as the user who owns the document root, with group 'nogroup'. The
external application process can then only access files owned by that user, while the server itself
can still serve the files under every user's docroot directory through its www-data group membership.
|
Syntax: Integer number |
Tips: [Security] Choose a group id that is not used by any system user and is not the server's own group. |
|
CGI Priority | |
|
Description: Specifies priority of the external application process. Value ranges from
-20 to 20, lower number means higher priority. This
priority cannot be set higher (lower number) than server's or else the server's
priority will be used.
|
Syntax: int |
See Also: Server Priority |
|
CPU Soft Limit | |
|
Description: Specifies CPU consumption time limit in seconds for an external application process. When the process
reaches the soft limit, it will be notified by a signal. Operating system's default will
be used if the value is set to 0 or absent.
|
Syntax: Integer number |
|
CPU Hard Limit | |
|
Description: Specifies the maximum CPU consumption time limit in seconds for an external application process.
If the process continues to consume CPU time and reaches the hard limit, the process
will be killed. The operating system's default will be used if the value is set to 0 or absent.
|
Syntax: Integer number |
|
Memory Soft Limit | |
|
Description: Specifies the memory consumption limit in bytes for an external application process
or an external application started by the server.
The main purpose of this limit is to prevent excessive memory usage
caused by a software bug or a deliberate attack, not to impose a limit on
normal usage. Leave enough headroom, otherwise your
application will fail and a 503 error may be returned. It can be set at server
level or at
individual external application level. The server level limit will be used if
it is not set at individual application level.
The operating system's default will be used if the value is set to
0 or absent at both levels.
|
Syntax: Integer number |
Tips: [Attention] Do not set this limit too tightly; it may result in 503 errors
if your application needs more memory. |
|
Memory Hard Limit | |
|
Description: Same as Memory Soft Limit, except that this is the ceiling: a process can raise its own
soft limit up to the hard limit, but never above it. It can be set at server
level or at
individual external application level. The server level limit will be used if
it is not set at individual application level.
The operating system's default will be used if the value is set to
0 or absent at both levels.
|
Syntax: Integer number |
|
Process Soft Limit | |
|
Description: Limits the total number of processes that can be created on behalf
of a user.
This effectively limits the number of processes that can be launched by the
web server on behalf of a user. All existing processes of that user are counted
against this limit, not just the new process to be started.
If the limit is set to 10 and there are already more than 10 processes
running under one user, then no new process can be started by the web
server for that user (suEXEC).
The main purpose of this limit is to prevent "fork bomb"
attacks or excessive usage, not to impose a limit on normal usage, so
make sure to leave enough headroom. It can be set at server level or at
individual external application level. The server level limit will be used if
it is not set at individual application level. The operating system's
default value will be used if this value is 0 or absent at
both levels.
|
Syntax: Integer number |
|
Process Hard Limit | |
|
Description: Same as Process Soft Limit, except that this is the ceiling: a process can raise its own
soft limit up to the hard limit, but never above it. It can be set at server level or at
individual external application level. The server level limit will be used if
it is not set at individual application level.
The operating system's default value will be used if the value is set to
0 or absent at both levels.
|
Syntax: Integer number |
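Worked example covering Minimum UID, Minimum GID, Force GID, CGI Priority and the six CPU, memory and process limits above, added here and not the server's own suEXEC implementation: the settings expressed as one policy that a parent applies between fork() and exec(). The class name, the name-to-rlimit table and the choice of RLIMIT_AS for the memory limit are assumptions; only the identity switch itself needs root, so the pure checks run as any user.

```python
import os
import resource
import subprocess

# Assumption: which rlimit each pair of settings maps to (memory modelled with RLIMIT_AS)
RLIMIT_BY_NAME = {"cpu": resource.RLIMIT_CPU,
                  "mem": resource.RLIMIT_AS,
                  "procs": resource.RLIMIT_NPROC}


def _clamp_soft(soft, hard):
    """The kernel rejects soft > hard; pull soft down when hard is finite."""
    inf = resource.RLIM_INFINITY
    if hard != inf and (soft == inf or soft > hard):
        return hard
    return soft


class SuexecPolicy:
    """Minimum UID, Minimum GID, Force GID, CGI Priority and the soft/hard
    CPU, memory and process limits as one policy for external applications."""

    def __init__(self, min_uid, min_gid, force_gid=0, priority=0, server_priority=0,
                 cpu=(0, 0), mem=(0, 0), procs=(0, 0)):
        self.min_uid, self.min_gid, self.force_gid = min_uid, min_gid, force_gid
        # A priority "higher" than the server's (a lower number) falls back to the server's
        self.priority = max(priority, server_priority)
        self.limits = {"cpu": cpu, "mem": mem, "procs": procs}   # (soft, hard); 0 = OS default

    def target_ids(self, uid, gid):
        """Return the (uid, gid) an application may run as, or refuse it.
        Force GID replaces the gid before the Minimum GID check."""
        if uid < self.min_uid:
            raise PermissionError(f"uid {uid} is below Minimum UID {self.min_uid}")
        if self.force_gid:
            gid = self.force_gid
        if gid < self.min_gid:
            raise PermissionError(f"gid {gid} is below Minimum GID {self.min_gid}")
        return uid, gid

    def accepts(self, uid, gid):
        """True when target_ids() would not refuse the pair."""
        try:
            self.target_ids(uid, gid)
            return True
        except PermissionError:
            return False

    def rlimit_plan(self):
        """Translate the configured pairs into setrlimit() arguments. A pair
        of zeros is skipped (OS default); a single zero keeps the current
        value for that half, which is what 'absent' means."""
        plan = {}
        for name, (soft, hard) in self.limits.items():
            if soft == 0 and hard == 0:
                continue
            cur_soft, cur_hard = resource.getrlimit(RLIMIT_BY_NAME[name])
            soft = soft if soft else cur_soft
            hard = hard if hard else cur_hard
            plan[name] = (_clamp_soft(soft, hard), hard)
        return plan

    def apply_in_child(self, uid, gid):
        """preexec_fn body: runs in the child between fork() and exec().
        Limits and priority first, identity last, because after setuid()
        the process can no longer regain privileges or raise a hard limit."""
        for name, pair in self.rlimit_plan().items():
            resource.setrlimit(RLIMIT_BY_NAME[name], pair)
        os.setpriority(os.PRIO_PROCESS, 0, self.priority)
        if os.getuid() == 0:                 # the identity switch itself needs root
            os.setgroups([gid])
            os.setgid(gid)
            os.setuid(uid)

    def spawn(self, argv, uid, gid, **popen_kw):
        """Start an external application under the policy."""
        uid, gid = self.target_ids(uid, gid)
        return subprocess.Popen(argv, preexec_fn=lambda: self.apply_in_child(uid, gid), **popen_kw)


if __name__ == "__main__":
    policy = SuexecPolicy(min_uid=1000, min_gid=1000, force_gid=65534,
                          priority=-5, server_priority=0, cpu=(10, 20),
                          mem=(0, 512 * 1024 * 1024), procs=(50, 100))
    print(policy.target_ids(1001, 1001), policy.priority, policy.rlimit_plan())
```

In the sample policy a CGI Priority of -5 is replaced by the server's 0, the owner's gid 1001 is replaced by 65534 (nogroup) because Force GID is set, and uid 33 is refused outright by Minimum UID. A pair such as mem=(0, 512 MiB) sets only the hard limit, and the soft limit is clamped to it when the inherited soft value is unlimited.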
|
Access Denied Directories | |
|
Description: Specifies the directories that should be blocked from access.
Add directories that contain sensitive data to this list to prevent accidentally
exposing sensitive files to clients. Append a "*" to the path to include all sub-directories.
If both Follow Symbolic Link and Check Symbolic Link are enabled, the real path behind a symbolic
link is also checked against the denied directories.
|
Syntax: comma-separated list of directories |
Tips: [Security] Critical. It only prevents serving files in these directories as static content;
it does not stop external scripts (PHP/Ruby/CGI) from reading them, so rely on file system permissions
and suEXEC for that. |
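Worked example, added here and not LiteSpeed code, covering Follow Symbolic Link, Check Symbolic Link and Access Denied Directories together: the classic shared-hosting leak, a symbolic link placed in a document root pointing at a file inside a denied directory, evaluated under each setting. Function names, the 'yes'/'owner-match'/'no' policy strings and the temporary layout are invented for the illustration; that an entry without "*" covers only files directly inside that directory is an assumed reading of the syntax note.

```python
import os
import stat
import tempfile


def may_follow(policy, link_uid, target_uid):
    """Follow Symbolic Link: 'yes' always, 'no' never, 'owner-match' only when
    the link and its target belong to the same uid."""
    if policy == "yes":
        return True
    if policy == "owner-match":
        return link_uid == target_uid
    return False


def in_denied_dir(path, denied_dirs):
    """Access Denied Directories check on an already canonical path. An entry
    ending in '*' covers that directory and everything below it; an entry
    without '*' covers only files directly inside it (assumed reading of the
    'append a * to include all sub-directories' wording)."""
    for entry in denied_dirs:
        entry = entry.strip()
        if entry.endswith("*"):
            base = os.path.normpath(entry[:-1])
            if path == base or path.startswith(base + os.sep):
                return True
        elif os.path.dirname(path) == os.path.normpath(entry):
            return True
    return False


def static_file_decision(path, policy, denied_dirs, check_symlink=True):
    """'serve' or 'deny:<reason>' for one static file request. Only the final
    path component is examined for being a symbolic link (a simplification)."""
    if in_denied_dir(os.path.normpath(path), denied_dirs):
        return "deny:denied-directory"            # plain request straight into a denied directory
    st_link = os.lstat(path)
    if stat.S_ISLNK(st_link.st_mode):
        st_target = os.stat(path)                 # stat() follows the link; lstat() did not
        if not may_follow(policy, st_link.st_uid, st_target.st_uid):
            return "deny:symlink-policy"
    if check_symlink and in_denied_dir(os.path.realpath(path), denied_dirs):
        return "deny:symlink-into-denied-directory"   # canonical path escaped into a denied directory
    return "serve"


def demo():
    """Constructed layout: <root>/public/leak -> ../private/secret.txt, with
    <root>/private* on the denied list. Everything is owned by the current
    user, so If Owner Match alone cannot stop this link; only Check Symbolic
    Link (or not following links at all) does."""
    root = os.path.realpath(tempfile.mkdtemp(prefix="lsws-"))
    os.makedirs(os.path.join(root, "public"))
    os.makedirs(os.path.join(root, "private"))
    secret = os.path.join(root, "private", "secret.txt")
    with open(secret, "w") as fh:
        fh.write("constructed secret\n")
    page = os.path.join(root, "public", "index.html")
    with open(page, "w") as fh:
        fh.write("<html></html>\n")
    leak = os.path.join(root, "public", "leak")
    os.symlink(os.path.join("..", "private", "secret.txt"), leak)
    denied = [os.path.join(root, "private") + "*"]
    return {
        "follow=yes check=off": static_file_decision(leak, "yes", denied, check_symlink=False),
        "follow=yes check=on": static_file_decision(leak, "yes", denied),
        "follow=owner-match check=on": static_file_decision(leak, "owner-match", denied),
        "follow=no": static_file_decision(leak, "no", denied),
        "regular file": static_file_decision(page, "no", denied),
        "direct request": static_file_decision(secret, "yes", denied),
    }


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case:30s} {outcome}")
```

The first row is the dangerous combination: following links with the check off serves the secret. Owner matching does not help when the attacker links to a file of their own uid or, as here, when link and target share an owner; the canonical-path check is what closes the hole, at the cost of an extra realpath resolution per request.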
|
Access Control | |
|
Description: Specifies which sub-networks and/or IP addresses can access the server.
This is a server level setting that affects all virtual hosts. You can also set up
access control unique to each virtual host. The virtual host setting will NOT
override the server setting.
Whether an IP is blocked or allowed is determined by the combination of the allowed list and the denied list.
If you want to block certain IPs or sub-networks, put * or ALL in the
Allowed List and list the blocked IPs or sub-networks in the Denied List.
If you want to allow only certain IPs or sub-networks, put * or ALL
in the Denied List and list the allowed IPs or sub-networks in the Allowed List.
The entry of the smallest scope that matches an IP is used to decide whether
to block or allow it.
Trusted IPs or sub-networks must be specified in the Allowed List by adding a
trailing "T". Trusted IPs or sub-networks are not affected by connection/throttling limits.
Only server level access control can set up trusted IPs/sub-networks. |
Tips: [Security] Use this for general restrictions that apply to all virtual hosts. |
|
Allowed List | |
|
Description: Specifies the list of IPs or sub-networks allowed.
|
Syntax: Comma separated list of IP addresses or sub-networks.
* or ALL, sub-network can be like
192.168.1.0/255.255.255.0, 192.168.1.0/24, 192.168.1 or
192.168.1.*.
IPv6 address should be like ::1 or [::1], IPv6 subnet
should be like 3ffe:302:11:2:20f:1fff:fe29:717c/64 or
[3ffe:302:11:2:20f:1fff:fe29:717c]/64.
A trailing "T" can be used to indicate a trusted IP or sub-network, like 192.168.1.*T. |
Tips: [Security] Trusted IPs or sub-networks set at server level access
control will be excluded from connection/throttling limits. |
|
Denied List | |
|
Description: Specifies the list of IPs or sub-networks disallowed.
|
Syntax: Comma separated list of IP address or sub-network, * or ALL,
sub-network can be like
192.168.1.0/255.255.255.0, 192.168.1.0/24, 192.168.1 or
192.168.1.*.
IPv6 address should be like ::1 or [::1], IPv6 subnet
should be like 3ffe:302:11:2:20f:1fff:fe29:717c/64 or
[3ffe:302:11:2:20f:1fff:fe29:717c]/64. |
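Worked example of the Allowed List and Denied List syntax above and of the "smallest scope wins" rule, added here and not the server's own matcher: a parser for every address form the two Syntax entries list, including the trailing T, and a checker that returns the decision together with the trusted flag. Class and function names are invented; two behaviours the page leaves unspecified are assumptions and are marked as such in the code: on an exact tie in scope the deny entry wins, and an address that matches neither list is denied.

```python
import ipaddress


def _expand_ipv4_prefix(text):
    """'192.168.1' or '192.168.1.*' (one to three octets) -> 192.168.1.0/24."""
    octets = text.rstrip("*").rstrip(".").split(".")
    if not 1 <= len(octets) <= 3:
        raise ValueError(f"not an IPv4 prefix: {text!r}")
    address = ".".join(octets + ["0"] * (4 - len(octets)))
    return ipaddress.ip_network(f"{address}/{8 * len(octets)}")


def parse_entry(entry):
    """One list item -> (networks, trusted). '*' and 'ALL' cover both address families."""
    s = entry.strip()
    trusted = s.endswith("T")            # trailing T: trusted, exempt from throttling
    if trusted:
        s = s[:-1]
    if s.upper() in ("*", "ALL"):
        return [ipaddress.ip_network("0.0.0.0/0"), ipaddress.ip_network("::/0")], trusted
    if s.startswith("["):                # [::1] or [3ffe:302:11:2:20f:1fff:fe29:717c]/64
        host, _, suffix = s[1:].partition("]")
        s = host + suffix
    if "*" in s or ("/" not in s and ":" not in s and s.count(".") < 3):
        return [_expand_ipv4_prefix(s)], trusted
    # a.b.c.d, a.b.c.d/24, a.b.c.d/255.255.255.0, ::1, 2001:db8::/32
    return [ipaddress.ip_network(s, strict=False)], trusted


class AccessControl:
    def __init__(self, allowed, denied):
        self.rules = []                  # (network, action, trusted)
        for action, text in (("allow", allowed), ("deny", denied)):
            for item in text.split(","):
                if not item.strip():
                    continue
                networks, trusted = parse_entry(item)
                for net in networks:
                    # only the Allowed List can confer trust
                    self.rules.append((net, action, trusted and action == "allow"))

    def check(self, ip):
        """Return (decision, trusted) for a client address."""
        addr = ipaddress.ip_address(ip)
        best = None
        for net, action, trusted in self.rules:
            if addr.version != net.version or addr not in net:
                continue
            # smallest scope (longest prefix) wins; on a tie deny wins (assumption)
            rank = (net.prefixlen, action == "deny")
            if best is None or rank > best[0]:
                best = (rank, action, trusted)
        if best is None:
            return ("deny", False)       # assumption: fail closed when nothing matches
        return (best[1], best[2])


if __name__ == "__main__":
    ac = AccessControl(allowed="ALL, 192.168.1.*T, [::1]",
                       denied="192.168.0.0/16, 10.0.0.0/255.0.0.0, 2001:db8::/32")
    for ip in ("192.168.1.7", "192.168.2.7", "10.1.2.3", "8.8.8.8", "::1", "2001:db8::5"):
        print(ip, ac.check(ip))
```

In the sample configuration 192.168.1.7 is allowed and trusted because the /24 allow entry is narrower than the /16 deny entry, while its neighbour 192.168.2.7 falls only under the /16 and is denied. The T suffix is read only on Allowed List entries, mirroring the note that trust can be granted there alone.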
|
Copyright © 2003-2007. Lite Speed Technologies Inc. All rights reserved. |