|
Virtual Host Security |
|
|
|
|
Follow Symbolic Link | |
|
Description: Specifies whether to follow symbolic links in this virtual host.
The IF OWNER MATCH option follows a symbolic link only if the link and its target have the same owner.
This setting overrides the default server level setting.
|
Syntax: Select from drop down list |
Tips: [Performance & security] For better security, disable this feature. For better performance, enable it. |
|
Enable Script | |
|
Description: Specifies whether scripting (non-static pages) is allowed in this virtual host.
If disabled, CGI, FastCGI, LSAPI, Servlet and other script handlers are not allowed in this virtual host.
Therefore, if you want to use a script handler, you need to enable it here as well.
|
Syntax: Select from radio box |
|
Restrained | |
|
Description: Specifies whether files beyond this virtual host root ($VH_ROOT) can be accessed
through this web site. If set to Yes, only files under $VH_ROOT can be accessed,
and access to symbolic links or contexts pointing to files or directories beyond $VH_ROOT
is denied. It does not, however, limit what CGI scripts can access. This is useful
in a shared hosting environment. Follow Symbolic Link can be set to Yes to allow
users to use symbolic links under $VH_ROOT, but not to anything beyond $VH_ROOT, when this option is turned on.
|
Syntax: Select from radio box |
Tips: [Security] Turn it on in a shared hosting environment. |
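Worked example (added here; it is not LiteSpeed code and not part of the original documentation): an audit script that walks a virtual host root the way the Follow Symbolic Link and Restrained settings above describe, and reports which links the server would follow. The $VH_ROOT tree it builds in a temporary directory is constructed for the example; the mode names "Yes", "No" and "IF OWNER MATCH" are taken from the page, and the interpretation that "same ownership" means the link's owning uid equals the target's owning uid is an assumption.

```python
import os
import tempfile


def build_demo_tree():
    """Constructed fixture (not from the page): a throw-away $VH_ROOT with one
    in-tree link, one link escaping the root, and one dangling link."""
    base = tempfile.mkdtemp(prefix="vh_demo_")
    vh_root = os.path.join(base, "vhost")
    html = os.path.join(vh_root, "html")
    os.makedirs(html)
    with open(os.path.join(html, "index.html"), "w") as f:
        f.write("<h1>hello</h1>\n")
    with open(os.path.join(base, "secret.conf"), "w") as f:
        f.write("db_password=not-for-the-web\n")
    os.symlink("index.html", os.path.join(html, "home.html"))        # stays inside $VH_ROOT
    os.symlink(os.path.join(base, "secret.conf"),
               os.path.join(html, "leak.conf"))                      # escapes $VH_ROOT
    os.symlink("missing.txt", os.path.join(html, "dangling.txt"))    # target does not exist
    return vh_root


def classify_link(link, root, follow_mode, restrained):
    """Apply the two settings to one symlink and return (verdict, reason)."""
    target = os.path.realpath(link)
    if not os.path.exists(target):
        return "deny", "dangling link"
    if follow_mode == "No":
        return "deny", "symbolic links disabled"
    # Restrained: the fully resolved target must stay under $VH_ROOT.
    if restrained and os.path.commonpath([root, target]) != root:
        return "deny", "target outside $VH_ROOT"
    # IF OWNER MATCH (assumed meaning): link owner and target owner share a uid.
    if follow_mode == "IF OWNER MATCH":
        link_uid = os.lstat(link).st_uid
        target_uid = os.stat(target).st_uid
        if link_uid != target_uid:
            return "deny", f"owner mismatch (link uid {link_uid}, target uid {target_uid})"
    return "allow", "ok"


def audit_symlinks(vh_root, follow_mode="IF OWNER MATCH", restrained=True):
    """Walk vh_root without following links; return {link_path: (verdict, reason)}."""
    root = os.path.realpath(vh_root)
    results = {}
    for dirpath, dirnames, filenames in os.walk(vh_root, followlinks=False):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            if os.path.islink(path):
                results[path] = classify_link(path, root, follow_mode, restrained)
    return results


def verdicts_by_name(vh_root, follow_mode="IF OWNER MATCH", restrained=True):
    """Convenience view keyed by file name, for quick reporting."""
    return {os.path.basename(p): v for p, (v, _) in
            audit_symlinks(vh_root, follow_mode, restrained).items()}


if __name__ == "__main__":
    demo = build_demo_tree()
    for path, (verdict, reason) in sorted(audit_symlinks(demo).items()):
        print(f"{verdict:5} {path}  ({reason})")
```

Run it against a real $VH_ROOT (replace build_demo_tree with the actual path) before turning Restrained on in a shared environment: every "deny" line is a link that will stop working, and every "target outside $VH_ROOT" line is a file that other tenants could currently read through the web server. Note that the owner check is done on the link and the resolved target, so a tenant cannot bypass it by chaining links through their own files. |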
|
Static Requests/Second | |
|
Description: Specifies the maximum number of requests for static content from a single
IP address that can be processed each second, regardless of the number of
connections established.
When the limit is reached, all further requests are tar-pitted until the next
second.
The request limit for dynamically generated content is independent of this limit.
The per-client request limit can be set at server or virtual host level; the
virtual host level setting overrides the server level setting.
|
Syntax: Integer number |
Tips: [Security] Trusted IPs or sub-networks are not affected. |
See Also: Dynamic Requests/Second |
|
Dynamic Requests/Second | |
|
Description: Specifies the maximum number of requests for dynamically generated content
from a single IP address that can be processed each second,
regardless of the number of connections established.
When the limit is reached, all further requests for dynamic content
are tar-pitted until the next second.
The request limit for static content is independent of this limit.
The per-client request limit can be set at server or virtual host level; the
virtual host level setting overrides the server level setting.
|
Syntax: Integer number |
Tips: [Security] Trusted IPs or sub-networks are not affected. |
See Also: Static Requests/Second |
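Worked example (added here; not LiteSpeed code) covering both Static Requests/Second and Dynamic Requests/Second: a per-IP, per-second limiter with independent static and dynamic counters and a trusted-network bypass, replayed over a constructed burst of requests. The static/dynamic split by file suffix, the monotonic timestamps, and the reading of a limit of 0 as "no limit" are assumptions of the example; the server itself decides static versus dynamic from its handler configuration.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

STATIC_SUFFIXES = ("html", "css", "js", "png", "jpg", "gif", "ico")


def request_kind(path):
    """Static vs dynamic by suffix (assumption for this example only)."""
    name = path.split("?", 1)[0]
    suffix = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    return "static" if suffix in STATIC_SUFFIXES else "dynamic"


class PerClientLimiter:
    """Per-IP counters per second with independent static and dynamic limits.

    Over-limit requests are returned as "tarpit" (held until the next second)
    rather than dropped, matching the behaviour described above. Trusted
    networks bypass both limits. Timestamps are assumed non-decreasing."""

    def __init__(self, static_rps, dynamic_rps, trusted_networks=()):
        self.limits = {"static": static_rps, "dynamic": dynamic_rps}
        self.trusted = [ip_network(n, strict=False) for n in trusted_networks]
        self.counts = defaultdict(int)       # (ip, kind) -> requests in current second
        self.current_second = None

    def check(self, client_ip, path, timestamp):
        addr = ip_address(client_ip)
        if any(addr in net for net in self.trusted):
            return "allow"                   # trusted IPs are not counted at all
        second = int(timestamp)
        if second != self.current_second:    # a new second: every counter resets
            self.counts.clear()
            self.current_second = second
        kind = request_kind(path)
        key = (client_ip, kind)
        self.counts[key] += 1
        limit = self.limits[kind]
        if limit and self.counts[key] > limit:   # 0 means unlimited (assumption)
            return "tarpit"
        return "allow"


def demo_traffic():
    """Constructed sample (not from the page): an untrusted client bursting
    static and script requests in one second, a trusted monitor hammering a
    script, then one more request from the client in the following second."""
    reqs, t = [], 1000.0
    for i in range(5):                                     # 5 static hits, same second
        reqs.append(("203.0.113.7", f"/img/{i}.png", t + i * 0.01))
    for i in range(2):                                     # 2 script hits, same second
        reqs.append(("203.0.113.7", f"/cgi-bin/search.cgi?q={i}", t + 0.5 + i * 0.01))
    for i in range(10):                                    # trusted monitor
        reqs.append(("192.0.2.10", "/status.cgi", t + 0.6 + i * 0.01))
    reqs.append(("203.0.113.7", "/index.html", t + 1.0))   # next second: counters reset
    return reqs


def replay(limiter, requests):
    """Run the traffic through the limiter; tally verdicts per client IP."""
    tally = defaultdict(lambda: {"allow": 0, "tarpit": 0})
    for ip, path, ts in requests:
        tally[ip][limiter.check(ip, path, ts)] += 1
    return dict(tally)


if __name__ == "__main__":
    lim = PerClientLimiter(static_rps=3, dynamic_rps=1, trusted_networks=["192.0.2.0/24"])
    for ip, counts in replay(lim, demo_traffic()).items():
        print(ip, counts)
```

With static_rps=3 and dynamic_rps=1, the untrusted client gets 3 of its 5 image requests and 1 of its 2 script requests through in the burst second and the rest tar-pitted, while its request in the following second is served normally; the monitor in the trusted network is never counted. The two counters being independent is the point: a flood of cheap static requests cannot exhaust the (usually much lower) dynamic budget, and vice versa. |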
|
Outbound Bandwidth | |
|
Description: Specifies the maximum allowed outgoing throughput to a single
IP address, regardless of the number of connections established.
The real bandwidth could be slightly higher than this setting for efficiency.
Bandwidth is allocated in 4KB units. Set to 0 to disable throttling.
The per-client bandwidth limit (bytes/sec) can be set at server or virtual host level; the
virtual host level setting overrides the server level setting.
|
Syntax: Integer number |
Tips: [Performance] Set the bandwidth in 8KB units for better performance.
[Security] Trusted IPs or sub-networks are not affected. |
See Also: Inbound Bandwidth |
|
Inbound Bandwidth | |
|
Description: Specifies the maximum allowed incoming throughput from a single
IP address, regardless of the number of connections established.
The real bandwidth could be slightly higher than this setting for efficiency.
Bandwidth is allocated in 1KB units. Set to 0 to disable throttling.
The per-client bandwidth limit (bytes/sec) can be set at server or virtual host level; the
virtual host level setting overrides the server level setting.
|
Syntax: Integer number |
Tips: [Security] Trusted IPs or sub-networks are not affected. |
See Also: Outbound Bandwidth |
|
ExtApp Set UID Mode | |
|
Description: Specifies how the user and group IDs are set for an external application process. Three choices
are available:
- Server UID: the external application process runs with the same user/group ID as
the server;
- File UID: the external application process runs with the user/group ID
of the external application executable;
- Doc Root UID: the external application process runs with the user/group ID
of the document root of the current virtual
host.
|
Syntax: Select from drop down list |
Tips: [Security] In a shared hosting environment, it is recommended to
use File UID or Doc Root UID mode to prevent files
owned by one virtual host from being accessed by the external application scripts of another
virtual host. |
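Worked example (added here; not LiteSpeed code) of why the tip above matters: a model of two tenants on a fake filesystem, the uid/gid each ExtApp Set UID Mode would hand to a tenant's script, and a plain Unix owner/group/other read check to see which tenant's secrets that script can open. The tenants, uids, paths, modes and the server uid 99 are all constructed for the example.

```python
SERVER_IDS = (99, 99)   # the web server's own uid/gid, e.g. nobody:nobody (assumed)


def tenant_fs(secret_mode=0o600):
    """Constructed fake filesystem (not from the page): path -> (uid, gid, mode).
    alice is uid/gid 1001, bob is 1002; secret_mode applies to both db.conf files."""
    fs = {}
    for name, uid in (("alice", 1001), ("bob", 1002)):
        fs[f"/home/{name}/public_html"] = (uid, uid, 0o750)
        fs[f"/home/{name}/public_html/app.cgi"] = (uid, uid, 0o700)
        fs[f"/home/{name}/private/db.conf"] = (uid, uid, secret_mode)
    return fs


def extapp_ids(mode, fs, script_path, doc_root):
    """(uid, gid) an external application process runs with under each mode."""
    if mode == "Server UID":
        return SERVER_IDS
    if mode == "File UID":
        uid, gid, _ = fs[script_path]
        return (uid, gid)
    if mode == "Doc Root UID":
        uid, gid, _ = fs[doc_root]
        return (uid, gid)
    raise ValueError(f"unknown ExtApp Set UID Mode: {mode}")


def can_read(proc_ids, fs, path):
    """Unix discretionary access check for reading: owner, then group, then other."""
    uid, gid = proc_ids
    f_uid, f_gid, mode = fs[path]
    if uid == 0:
        return True
    if uid == f_uid:
        return bool(mode & 0o400)
    if gid == f_gid:
        return bool(mode & 0o040)
    return bool(mode & 0o004)


def access_matrix(mode, secret_mode=0o600):
    """For each tenant's app.cgi: can it read its own and the other tenant's db.conf?
    Returns {script_owner: {file_owner: bool}}."""
    fs = tenant_fs(secret_mode)
    result = {}
    for owner in ("alice", "bob"):
        ids = extapp_ids(mode, fs, f"/home/{owner}/public_html/app.cgi",
                         f"/home/{owner}/public_html")
        result[owner] = {other: can_read(ids, fs, f"/home/{other}/private/db.conf")
                         for other in ("alice", "bob")}
    return result


if __name__ == "__main__":
    for mode in ("Server UID", "File UID", "Doc Root UID"):
        print(f"{mode:13} 0600: {access_matrix(mode)}")
        print(f"{mode:13} 0644: {access_matrix(mode, 0o644)}")
```

Under Server UID every script runs as uid 99, so with 0600 secrets nothing works and the usual "fix" is to make the files world-readable, at which point alice's script can read bob's db.conf. Under File UID or Doc Root UID each script runs as its tenant, so 0600 secrets stay readable only to their owner. The mode alone is not enough: the matrix for 0644 shows that files left world-readable are exposed in every mode, so the tenant permission bits have to be tightened alongside the setting. |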
|
ExtApp Chroot Mode | |
|
Description: Specifies how the root directory is set for an external application
process. In order to protect confidential system data files from being
accessed by a vulnerable external application script, an alternative root path can be
set for the external application process; files beyond the new root directory become
inaccessible. This is generally referred to as a "chroot jail".
Three choices are available:
- Same as Server: the external application process is in the same jail as specified at the server level;
- Virtual host root: set the chroot jail to the
root directory of the virtual host, so the external application script can only access files
inside the virtual host root;
- Customized chroot path: the chroot path is
specified by ExtApp Chroot Path below.
|
Syntax: Select from drop down list |
Tips: If used properly, chroot will greatly enhance the security
of external application scripts. Make sure the external application script is functional
in the limited chroot jail environment: the interpreter, shared libraries, configuration and device nodes it needs must exist inside the jail. |
|
ExtApp Chroot Path | |
|
Description: Specifies a new root directory for external application scripts of current
virtual host when ExtApp Chroot Mode is set to Customized chroot path.
|
Syntax: Absolute path. |
|
Hotlink Control | |
|
Description: Hotlinking is the practice of an external website making requests for
files on your own website, often referred to as "leeching". This practice
introduces additional bandwidth usage that you should not be responsible for.
LiteSpeed server can prevent others from hotlinking content on
your web site by checking the "Referer" header of an HTTP request. If the "Referer" header does not match your own website,
the request is denied. |
|
Enable Hotlink Protection | |
|
Description: Specifies whether to activate hotlink protection.
|
Syntax: Select from radio box |
|
Suffix | |
|
Description: Specifies what kind of file will be protected from hotlinking
by listing file suffixes here.
|
Syntax: comma separated list, "." is prohibited |
|
Redirect URL | |
|
Description: Specifies a URL that a user will be redirected to when a
hotlinking action is detected. You can redirect users to an image or
page saying hotlinking is not allowed. If it is not specified,
403 Forbidden will be returned.
|
Syntax: Absolute URL |
|
Allow Direct Access | |
|
Description: Specifies whether to allow direct access without a
referrer. There is no "Referer" header in HTTP request when a user types
in an address directly in the address box, or uses a feature like "Save
Target Link As".
|
Syntax: Select from radio box |
|
Only Self Reference | |
|
Description: Specifies whether to only allow reference from current web site
itself. When set to Yes, Allowed Domains has no effect and no
other web site can link to protected files. It is convenient if
multiple domain names are parked on current web site.
|
Syntax: Select from radio box |
|
Allowed Domains | |
|
Description: Specifies which web site can link to protected content.
|
Syntax: comma separated list of domain name |
|
REGEX Matched Domains | |
|
Description: Specifies, as a regular expression, the web sites that can link to protected content.
The regular expression is matched against the domain
name only, not the full URL.
|
Syntax: Regular expression |
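Worked example (added here; not LiteSpeed code) tying the hotlink settings above together: a small policy object that takes the Suffix list, Allow Direct Access, Only Self Reference, Allowed Domains, REGEX Matched Domains and Redirect URL values and decides each request from its path and Referer. Host comparison is exact and case-insensitive (whether the server also matches sub-domains is not stated on the page), and requests for the redirect target itself are exempted so that redirecting a blocked hotlink to an image does not loop; both are the example's own assumptions, as are the sample hosts and requests.

```python
import re
from urllib.parse import urlsplit


class HotlinkPolicy:
    """Decision logic for the hotlink settings (an added example, not server code)."""

    def __init__(self, own_hosts, suffixes, allow_direct=True, only_self=False,
                 allowed_domains=(), regex=None, redirect_url=None, enabled=True):
        self.enabled = enabled
        self.own_hosts = {h.lower() for h in own_hosts}
        # Suffix field: comma-separated, without a leading "."
        self.suffixes = {s.strip().lower() for s in suffixes.split(",") if s.strip()}
        self.allow_direct = allow_direct
        self.only_self = only_self
        self.allowed = {d.strip().lower() for d in allowed_domains}
        self.regex = re.compile(regex, re.IGNORECASE) if regex else None
        self.redirect_url = redirect_url
        # Exempt the redirect target so a redirected block cannot loop (assumption).
        self.redirect_path = urlsplit(redirect_url).path if redirect_url else None

    def _protected(self, path):
        name = path.split("?", 1)[0].rsplit("/", 1)[-1]
        return "." in name and name.rsplit(".", 1)[1].lower() in self.suffixes

    def _blocked(self):
        if self.redirect_url:
            return ("redirect", self.redirect_url)
        return ("deny", 403)                # no Redirect URL: 403 Forbidden

    def decide(self, path, referer=None):
        """Return ("allow", None), ("redirect", url) or ("deny", 403)."""
        if not self.enabled or not self._protected(path):
            return ("allow", None)
        if self.redirect_path and path.split("?", 1)[0] == self.redirect_path:
            return ("allow", None)
        if not referer:                     # typed URL, bookmark, "Save Target Link As"
            return ("allow", None) if self.allow_direct else self._blocked()
        host = (urlsplit(referer).hostname or "").lower()
        if host in self.own_hosts:
            return ("allow", None)
        if self.only_self:                  # Allowed Domains and REGEX are ignored
            return self._blocked()
        if host in self.allowed:
            return ("allow", None)
        if self.regex and self.regex.fullmatch(host):
            return ("allow", None)
        return self._blocked()


# Constructed sample requests (not from the page): (path, Referer header or None)
SAMPLE_REQUESTS = [
    ("/photos/cat.jpg", "http://www.example.com/gallery"),      # own site
    ("/photos/cat.jpg", "http://evil.example.test/embed"),      # leecher
    ("/photos/cat.jpg", None),                                  # direct access
    ("/photos/cat.jpg", "https://partner.example.net/news"),    # allowed domain
    ("/photos/cat.jpg", "https://blog.example.org/post"),       # regex match
    ("/about.html", "http://evil.example.test/"),               # not a protected suffix
]


def run_demo(policy):
    return [policy.decide(path, ref) for path, ref in SAMPLE_REQUESTS]


if __name__ == "__main__":
    demo = HotlinkPolicy(own_hosts=["www.example.com", "example.com"], suffixes="jpg,png,gif",
                         allowed_domains=["partner.example.net"], regex=r".*\.example\.org",
                         redirect_url="http://www.example.com/no-hotlink.png")
    for (path, ref), verdict in zip(SAMPLE_REQUESTS, run_demo(demo)):
        print(f"{verdict!s:55} {path}  Referer={ref}")
```

Keep in mind what this does and does not protect: the Referer header is chosen by the client, and any script or download tool can set it to your own host name, so hotlink protection saves bandwidth from casual embedding but is not access control for sensitive files. Also check the redirect target against the Suffix list yourself; a "no hotlinking" image whose suffix is in the protected list would itself be blocked unless it is exempted as above. |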
|
Access Control | |
|
Description: Specifies which sub-networks and/or IP addresses can access this virtual host,
in addition to server level access control. The virtual host setting does NOT override
the server setting. Whether an IP is blocked or allowed is determined by the combination
of the allowed list and the denied list. If you want to block certain IPs or sub-networks,
put * or ALL in the allowed list and list the blocked IPs or
sub-networks in the denied list. If you want to allow only certain IPs or sub-networks,
put * or ALL in the denied list and list the allowed IPs or
sub-networks in the allowed list. The entry with the smallest scope that matches
an IP determines whether access is blocked or allowed. |
|
Allowed List | |
|
Description: Specifies the list of IP or sub-net allowed.
|
Syntax: comma-separated list of IP address or sub-network. * or ALL,
sub-network can be like 192.168.1.0/255.255.255.0, 192.168.1 or 192.168.1.*. |
|
Denied List | |
|
Description: Specifies the list of IPs or sub-networks disallowed.
|
Syntax: Comma separated list of IP address or sub-network, * or ALL,
sub-network can be like
192.168.1.0/255.255.255.0, 192.168.1.0/24, 192.168.1 or
192.168.1.*.
IPv6 address should be like ::1 or [::1], IPv6 subnet
should be like 3ffe:302:11:2:20f:1fff:fe29:717c/64 or
[3ffe:302:11:2:20f:1fff:fe29:717c]/64. |
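Worked example (added here; not LiteSpeed code) for the Access Control, Allowed List and Denied List settings: a parser for every entry form the two Syntax notes show, the "smallest scope wins" rule between the two lists, and the server-then-virtual-host combination in which the virtual host cannot re-open what the server level denied. Two points the page does not state are assumptions here: an address matching entries of equal scope in both lists is denied, and an address matching nothing at all is allowed. The sample lists and client addresses are constructed.

```python
from ipaddress import ip_address, ip_network

ANY = ("0.0.0.0/0", "::/0")      # what "*" / "ALL" expands to


def parse_entry(entry):
    """One list entry -> list of ip_network objects.
    Accepted: * or ALL, a.b.c.d/mask, a.b.c.d/len, truncated IPv4 (192.168.1),
    wildcard IPv4 (192.168.1.*), IPv6 with or without [brackets] and /len."""
    e = entry.strip()
    if e in ("*", "ALL"):
        return [ip_network(a) for a in ANY]
    if e.startswith("["):                       # [::1] or [3ffe:...:717c]/64
        addr, _, plen = e[1:].partition("]")
        e = addr + plen                         # plen is "" or "/64"
    if "/" in e:                                # 192.168.1.0/24, x.x.x.x/255.255.255.0, v6/64
        return [ip_network(e, strict=False)]
    if ":" in e:                                # bare IPv6 host
        return [ip_network(e + "/128")]
    octets = [o for o in e.split(".") if o != "*"]
    if len(octets) < 4:                         # 192.168.1 or 192.168.1.* -> 192.168.1.0/24
        plen = 8 * len(octets)
        octets += ["0"] * (4 - len(octets))
        return [ip_network(".".join(octets) + f"/{plen}")]
    return [ip_network(e + "/32")]              # single IPv4 host


def parse_list(text):
    """Comma-separated list field -> flat list of networks."""
    return [n for part in text.split(",") if part.strip() for n in parse_entry(part)]


def evaluate(allowed, denied, client_ip):
    """Most specific matching entry wins. Tie -> deny, no match -> allow (assumptions)."""
    addr = ip_address(client_ip)
    best = None                                 # (prefix length, verdict)
    for verdict, nets in (("allow", allowed), ("deny", denied)):
        for net in nets:
            if addr.version == net.version and addr in net:
                cand = (net.prefixlen, verdict)
                if (best is None or cand[0] > best[0]
                        or (cand[0] == best[0] and verdict == "deny")):
                    best = cand
    return best[1] if best else "allow"


def access_decision(server_acl, vhost_acl, client_ip):
    """Each ACL is an (allowed_text, denied_text) pair. The server level is applied
    first and the virtual host level second; a deny at either level is final."""
    for allowed, denied in (server_acl, vhost_acl):
        if evaluate(parse_list(allowed), parse_list(denied), client_ip) == "deny":
            return "deny"
    return "allow"


# Constructed sample configuration (not from the page)
SERVER_ACL = ("*", "192.168.1.*")                                 # block one LAN globally
VHOST_ACL = ("192.168.1.10, 203.0.113.0/24, [::1]", "ALL")        # allow-list this vhost

if __name__ == "__main__":
    for ip in ("192.168.1.10", "203.0.113.5", "198.51.100.1", "::1"):
        print(f"{ip:16} -> {access_decision(SERVER_ACL, VHOST_ACL, ip)}")
```

Note the first client in the demo: 192.168.1.10 is explicitly allowed at the virtual host level, but the server level denies 192.168.1.* with a /24 that is more specific than its own "*", and the virtual host cannot override that. When writing an allow-list for a single virtual host, put ALL in the denied list and the permitted addresses in the allowed list, then test a few addresses through both levels rather than reading one list in isolation. |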
|
Authorization Realms | |
|
Description: Lists all authorization realms for this virtual host.
Authorization realms are used to block unauthorized users from accessing protected web pages.
A realm is a user directory containing user names and passwords, with optional
group classification. Authorization is performed at context level.
Since different contexts can share the same realm (user database), realms are defined separately.
You can refer to a realm by its name in context configuration. |
|
Realm Name | |
|
Description: Specifies a unique name for the authorization realm.
|
|
DB Type | |
|
Description: Specifies how user/group data is stored for an authorization realm. Currently,
user/group data can be stored in flat files or on an LDAP server.
|
Syntax: Select from drop down list |
|
User DB Location | |
|
Description: Specifies the location of the user database.
For DB type Password File, it is the path to the flat file
containing user/password definitions.
You can edit this file through the WebAdmin by clicking on the file name.
Each line of the user file contains a user name followed by a colon,
followed by the crypt()-hashed password, optionally followed by a colon
and the group names that the user belongs to. Group names are delimited by commas.
If group information is specified in the user DB, the group
database will not be checked.
Example: john:HZ.U8kgjnMOHo:admin,user
For DB type LDAP, it is the LDAP URL used to query user
information. For each valid user, the authentication data stored on the LDAP
server should contain at least the user ID and user password. One and only
one record should be returned by the LDAP search based on this URL and the
user name received in the HTTP Authorization header. "$k"
must be specified in the filter part of the URL and will be
replaced with the user name. The user password attribute
must be returned in the query result. The attribute name of the user password
is specified by Password Attribute. Group information can
optionally be specified by Member-of Attribute.
Example: At minimum, a user can be defined in LDAP with the object
classes uidObject, simpleSecurityObject and organizationalRole. The
following URL could be used:
ldap://localhost/ou=UserDB,dc=example,dc=com???(&(objectClass=*)(uid=$k))
|
Syntax: path to the user DB file or LDAP URL (RFC 2255) |
Tips: [Security] It is recommended to store a user password file outside of the document tree.
If it has to be placed inside document tree, simply name it with a leading ".ht"
like .htuser to prevent being served as a static file. LiteSpeed web server
does not serve files prefixed with ".ht". |
See Also: Group DB Location, Password Attribute, Member-of Attribute |
|
Password Attribute | |
|
Description: Specifies the name of the password attribute for a user record
stored in LDAP server. Default value is userPassword.
|
Syntax: string |
|
Member-of Attribute | |
|
Description: Specifies the name of the Member-of attribute for a user record
stored in LDAP server. Default value is memberOf. Member-of
attribute can be used to specify the group name that the user belongs to.
|
Syntax: string |
|
User DB Max Cache Size | |
|
Description: Specifies the maximum cache size of the user database.
Most recently accessed user authentication data will be cached in memory
to provide maximum performance.
|
Syntax: Integer number |
Tips: [Performance] As larger cache will consume more memory,
a higher value may or may not provide better performance. Set it to an appropriate size according
to your user database size and site usage. |
|
User DB Cache Timeout | |
|
Description: Specifies how often the backend user database will be checked for changes.
Every entry in the cache has a loading timestamp.
When cached data is older than the specified timeout, the backend database will be checked
for changes. If there is no change, the timestamp will be reset to the current time; otherwise
the new data will be loaded. A server reload or graceful restart will clear the cache immediately.
|
Syntax: Integer number |
Tips: [Performance] If the backend database does not change very often,
set a longer timeout for better performance. |
|
Group DB Location | |
|
Description: Specifies the location of the group database.
Group information can be set either in the user database or in this
standalone group DB. For user authentication, the user DB will be checked
first; if it also contains group information, the group DB will
not be checked.
For DB type Password File, it is the path to the flat file
containing group definitions. You can edit this file through the
WebAdmin by clicking on the file name.
Each line of the group file contains a group name followed by a colon,
followed by space-delimited user names. Example:
testgroup: user1 user2 user3
For DB type LDAP, it is the LDAP URL used to query group
information. For each valid group, one and only
one record should be returned by the LDAP search based on
this URL and the group name specified in Required. "$k"
must be specified in the filter part of the URL and will be
replaced with the group name. The name of the attribute that
lists the members of the group
is specified by Group Member Attribute.
Example: If objectClass posixGroup is used to store group
information, the following URL could be used:
ldap://localhost/ou=GroupDB,dc=example,dc=com???(&(objectClass=*)(cn=$k))
|
Syntax: File name which can be absolute, or relative to $SERVER_ROOT, or relative to $VH_ROOT. |
Tips: [Security] It is recommended to store a group file outside the document tree.
If it has to be placed inside document tree, simply name it with a leading ".ht"
like .htgroup to prevent being served as a static file. LiteSpeed web server
does not serve files prefixed with ".ht". |
See Also: User DB Location, Required, Group Member Attribute |
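Worked example (added here; not LiteSpeed code) covering User DB Location and Group DB Location together: a parser for the two flat-file formats described above, group resolution in the order the page gives (groups in the user DB win, the group DB is consulted only when the user entry carries none), and the "$k" substitution for the LDAP URLs. The user and group files are constructed for the example (john's line is the page's own; "PLACEHOLDERHASH" stands in for a real crypt() hash). The RFC 4515 filter escaping applied to the substituted name is this example's own requirement for inserting untrusted input into a search filter, not a statement about what the server does.

```python
import hmac
from dataclasses import dataclass, field

try:
    import crypt                      # traditional crypt(); removed in Python 3.13
except ImportError:
    crypt = None

# Constructed sample databases (not from the page, except john's line).
USER_DB = """\
john:HZ.U8kgjnMOHo:admin,user
jane:PLACEHOLDERHASH
"""
GROUP_DB = """\
staff: jane bob
admin: jane
ops: john
"""


@dataclass
class UserEntry:
    name: str
    pw_hash: str
    groups: set = field(default_factory=set)   # empty -> consult the group DB


def parse_user_db(text):
    """user:crypt-hash[:group1,group2] per line."""
    users = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, _, rest = line.partition(":")
        pw_hash, _, groups = rest.partition(":")
        users[name] = UserEntry(name, pw_hash,
                                {g.strip() for g in groups.split(",") if g.strip()})
    return users


def parse_group_db(text):
    """group: user1 user2 ... per line."""
    groups = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, _, members = line.partition(":")
        groups[name.strip()] = set(members.split())
    return groups


def groups_of(username, users, groups):
    """Groups listed in the user DB win; the group DB is checked only otherwise."""
    entry = users.get(username)
    if entry is None:
        return set()
    if entry.groups:
        return set(entry.groups)
    return {g for g, members in groups.items() if username in members}


def is_authorized(username, required_groups, users, groups):
    """Context-level check against the Required group list."""
    return bool(groups_of(username, users, groups) & set(required_groups))


def verify_password(entry, plaintext):
    """Check a flat-file entry; needs the crypt module (absent on Python >= 3.13)."""
    if crypt is None:
        raise RuntimeError("crypt() not available on this interpreter")
    return hmac.compare_digest(crypt.crypt(plaintext, entry.pw_hash), entry.pw_hash)


_LDAP_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def ldap_escape(value):
    """RFC 4515 escaping for a value placed inside a search filter."""
    return "".join(_LDAP_ESCAPES.get(ch, ch) for ch in value)


def expand_ldap_url(url, key):
    """Replace $k in the URL's filter part with the escaped user or group name."""
    return url.replace("$k", ldap_escape(key))


if __name__ == "__main__":
    users, groups = parse_user_db(USER_DB), parse_group_db(GROUP_DB)
    for u in ("john", "jane", "nobody"):
        print(u, sorted(groups_of(u, users, groups)))
    url = "ldap://localhost/ou=UserDB,dc=example,dc=com???(&(objectClass=*)(uid=$k))"
    print(expand_ldap_url(url, "*)(uid=*"))
```

Two things to check in your own setup follow from this: john's "ops" membership in the group file is never seen because his user line already carries groups, so a group file is not a reliable place to revoke access for users that have inline groups; and for LDAP realms, since the user name from the Authorization header lands inside the filter, verify with an entry such as "*)(uid=*" that the query still returns exactly one record for a real user and none for the probe, and that the server's error log shows the name being escaped rather than inserted verbatim. |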
|
Group Member Attribute | |
|
Description: Specifies the name of the Member attribute for a group record
stored in LDAP server. Default value is memberUid.
|
Syntax: string |
|
|
Group DB Cache Timeout | |
|
Description: Specifies how often the backend group database will be checked for changes.
For more detail please refer to User DB Cache Timeout.
|
Syntax: Integer number |
See Also: User DB Cache Timeout |
|
LDAP Bind DN | |
|
Description: Specifies a DN used to bind to the server. If the LDAP Server
requires authentication, a bind DN and password must be specified. If
not specified, anonymous bind will be used.
|
Syntax: string |
See Also: LDAP Bind Password |
|
LDAP Bind Password | |
|
Description: Specifies a password used to bind to the server. If the LDAP Server
requires authentication, a bind DN and password must be specified.
|
Syntax: string |
See Also: LDAP Bind DN |
|
Enable Request Filtering | |
|
Description: Specifies whether to enable deep inspection of request content. This
feature is equivalent to Apache's mod_security and can be used to detect
and block malicious requests by matching known signatures.
|
Syntax: Select from radio box |
|
Log Level | |
|
Description: Specifies the log level of the censoring engine debug output.
Value ranges from 0 - 9, 0 will disable logging and 9 will produce the
most detailed log. The log level of the server and the virtual host's error log
must be set to at least INFO for this option to take effect.
This is useful when testing your censoring rules.
|
Syntax: Integer number |
See Also: Server Log Level, Virtual Host Log Level |
|
Default Action | |
|
Description: Specifies the default action to be taken when a censoring rule
is matched. The action string is compatible with the syntax of Apache
mod_security; please refer to the mod_security manual for more detail. The default
value is "deny,log,status:403", which means deny access with status code 403 and
log the incident in the error log.
|
Syntax: string |
|
Scan Request Body | |
|
Description: Specifies whether to check the body of an HTTP POST request.
Default is no, which means signatures only match against the request line and headers.
|
Syntax: Select from radio box |
|
|
|
|
Copyright © 2003-2007. Lite Speed Technologies Inc. All rights reserved. |