|« Administration||INDEX||Configuration »|
SecurityLiteSpeed Web server is designed with security as top consideration in mind.
Every HTTP request is strictly checked by LiteSpeed web server.
"/." is not allowed in a decoded URL, this will deny accessing hidden files and parent directories.
Request size is limited by Max Request URL Length, Max Request Header Length and Max Request Body Length.
Request header and body can be checked against signatures of possible attacks like XSS attack or SQL injection attackes, and block those requests in the first place.
LiteSpeed web server will serve a static file only if the following conditions are satisfied:
LiteSpeed Web server forwards requests to external applications such as CGI, Fast CGI and Servlet engine to process/generate dynamic content. Usually each request requires one instance of the external application. Those applications may use a lot of system resources, and the performance of the whole system will be severely degraded when system resource consumption reaches certain point, for example, when swapping space has to be used. DoS attack can be conducted by flooding the web server with concurrent requests to an external application that consumes a lot of system resources.
LiteSpeed web server can pipeline requests and control the concurrent level of external applications to prevent over consumption of system resources. It only forwards completed request to external application and caches the response. Thus external application will be immediately available to process next request without waiting for the response completely received by the client. In this way, the server can utilize fewer instances of external applications to serve more concurrent requests and will achieve higher performance and scalability as well. LiteSpeed web server uses its own virtual memory to cache the request and response body to minimize the usage of system memory without sacrificing performance.
LiteSpeed web server restricts system resources that can be consumed by CGI applications. For each request to a CGI script, the web server needs to start a standalone CGI process to handle it. On a Unix system number of concurrent processes is limited, excessive concurrent processes will degrade the performance of the whole system and it could become a target of DoS attack. Maximum number of concurrent CGI instances that the web server can launch can be configured. In order to control the number of processes that can be spawned by CGI application itself, system process limit can be specified per user. Each process is further confined by CPU and memory limits.
In order to reduce security risks of a CGI or Fast CGI script, LiteSpeed web server
can restrict the system resources the CGI script can access by running it in "suEXEC" and
"chroot jail" mode. "suEXEC" is to have a CGI or Fast CGI script started with a different
user ID from that of web server, which greatly improves security of shared hosting environment
by preventing one user's CGI script from accessing other users' files.
"chroot jail" is to have a CGI script started under an assigned alternative root directory, the script can not access files beyond the new root directory. With it, you no longer need to worry about confidential system files being exposed by vulnerable scripts.
LiteSpeed web server can run in chroot environment (known as a chroot jail). In chroot environment, the web server and its children processes cannot access file system outside of the chroot jail. This protects system from attacks of malicious code.
|« Administration||INDEX||Configurations »|
Copyright © 2003. Lite Speed Technologies Inc.
All rights reserved.