Virtual Host Security
 
Table of Contents
General: Context Access Control
Hotlink Control: Enable Hotlink Protection, Suffix, Allow Direct Access, Redirect URL, Only Self Reference, Allowed Domains
Authorization Realms: Name, DB Type, User DB Location, User DB Max Cache Size, User DB Cache Timeout, Group DB Location, Group DB Max Cache Size, Group DB Cache Timeout
Access Control: Allowed List, Denied List
 
Context Access Control
Description: Specifies whether to allow context-level IP/sub-network access control. Context-level access control rules are optional and are only effective under that context. Rules can be set in the context configuration via the web interface or in an access control file (.htaccess) placed under a directory. Virtual-host-level access control is always applied first.
Syntax: Select from radio box
Apply: On the fly with reload.
Tips: [Security & Performance] Context-level access control can be used to protect part of the web site from being accessed by certain IPs or sub-networks. Disable it for better performance if this feature is not needed.
Hotlink Control
Description: Hotlinking is when another website links directly to images or files on your website from a hyperlink in its own web page. It introduces additional bandwidth usage that you have to pay for.
LiteSpeed web server can prevent others from hotlinking content on your web site by checking the "Referer" header of the HTTP request.
Enable Hotlink Protection
Description: Specifies whether to activate hotlink protection.
Syntax: Select from radio box
Apply: On the fly with reload.
Suffix
Description: Specifies which kinds of files are protected from hotlinking by listing their file suffixes here.
Syntax: comma-separated list; "." is prohibited
Apply: On the fly with reload.
Allow Direct Access
Description: Specifies whether to allow direct access without a referrer. There is no "Referer" header in the HTTP request when a user types an address directly into the address box or uses a feature like "Save Target Link As".
Syntax: Select from radio box
Apply: On the fly with reload.
Redirect URL
Description: Specifies a URL that a user will be redirected to when a hotlinking action is detected. You can redirect users to an image or page saying that hotlinking is not allowed. If it is not specified, "403 Forbidden" is returned.
Syntax: Absolute URL
Apply: On the fly with reload.
Only Self Reference
Description: Specifies whether to only allow references from the current web site itself. When set to "Yes", "Allowed Domains" has no effect and no other web site can link to protected files. This is convenient if multiple domain names are parked on the current web site.
Syntax: Select from radio box
Apply: On the fly with reload.
Allowed Domains
Description: Specifies which web sites can link to protected content.
Syntax: comma-separated list of domain names
Apply: On the fly with reload.
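The settings above combine into one decision per request. The following is an added example (not LiteSpeed code) that models that decision in Python: protection applies only to listed suffixes, a missing "Referer" is governed by Allow Direct Access, a self-reference is always accepted (an assumption; the page does not state it explicitly), Allowed Domains is consulted only when Only Self Reference is off, and a blocked request is redirected if a Redirect URL is set and otherwise answered with 403. Suffix and domain comparisons are case-insensitive, which is also an assumption.

```python
from dataclasses import dataclass
from urllib.parse import urlsplit


@dataclass
class HotlinkConfig:
    """Mirror of the Hotlink Control fields; values are constructed for this example."""
    enabled: bool = True
    suffixes: str = "jpg,gif,png"       # comma separated, no leading dots
    allow_direct_access: bool = True
    redirect_url: str = ""              # absolute URL; empty means 403 Forbidden
    only_self_reference: bool = False
    allowed_domains: str = ""           # comma separated domain names

    def suffix_set(self):
        return {s.strip().lower() for s in self.suffixes.split(",") if s.strip()}

    def domain_set(self):
        return {d.strip().lower() for d in self.allowed_domains.split(",") if d.strip()}


def _referer_host(referer):
    """Host part of the Referer URL, lower-cased; '' if it cannot be parsed."""
    return (urlsplit(referer).hostname or "").lower()


def _block(cfg):
    if cfg.redirect_url:
        return ("redirect", cfg.redirect_url)
    return ("forbidden", None)


def hotlink_decision(cfg, request_host, path, referer):
    """Return ('allow', None), ('redirect', url) or ('forbidden', None)."""
    if not cfg.enabled:
        return ("allow", None)
    # Only files whose suffix is listed are protected at all.
    filename = path.rsplit("/", 1)[-1]
    suffix = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if suffix not in cfg.suffix_set():
        return ("allow", None)
    # No Referer: typed-in address, bookmark, "Save Target Link As", privacy settings.
    if not referer:
        return ("allow", None) if cfg.allow_direct_access else _block(cfg)
    host = _referer_host(referer)
    if host == request_host.lower():
        return ("allow", None)  # assumption: the site itself may always reference its files
    if not cfg.only_self_reference and host in cfg.domain_set():
        return ("allow", None)
    return _block(cfg)
```

Because the "Referer" header is supplied by the client, this check limits casual bandwidth use by other sites; it is not an access control and should not be relied on to protect sensitive files, which belong behind an authorization realm instead.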
Authorization Realms
Description: Lists all authorization realms for this virtual host. Authorization realms are used to block unauthorized users from accessing protected web pages. A realm is a user directory containing user names and passwords, with optional group classification. Authorization is performed at the context level. Since different contexts can share the same realm (user database), realms are defined separately. You can refer to a realm by its name in the context configuration.
Name
Description: Specifies a unique name for the realm.
Apply: On the fly with reload.
DB Type
Description: Specifies the type of the realm. It could be a flat file, a DBM file, LDAP or ODBC. Currently, only the flat password file is supported.
Syntax: Select from drop-down list
Apply: On the fly with reload.
User DB Location
Description: Specifies the location of the user database. For the DB type "Password File", it is the path to the flat file containing user definitions. You can edit this file through the WebAdmin by clicking on the file name. Each line of the user file contains a username, followed by a colon, followed by the crypt()-encrypted password, optionally followed by a colon and the names of the groups the user belongs to; group names are delimited by commas. If group information is specified in the user DB, the group database will not be checked. Example:
john:HZ.U8kgjnMOHo:admin,user
Syntax: File name which can be absolute, or relative to $SERVER_ROOT, or relative to $VH_ROOT.
Apply: On the fly with reload.
Tips: [Security] It is recommended to store the user password file outside the document tree. If it has to be placed under the document root, name it with a leading "." like .htpasswd to prevent it from being served as a static file. (LiteSpeed web server does not serve hidden files.)
User DB Max Cache Size
Description: Specifies the maximum cache size of the user database. The most recently accessed user authentication data is cached in memory to provide maximum performance.
Syntax: Integer number
Apply: On the fly with reload.
Tips: [Performance] Since a larger cache consumes more memory, a higher value may or may not provide better performance. Set it to an appropriate size according to your system configuration and usage.
User DB Cache Timeout
Description: Specifies how often the backend user database is checked for changes. Every entry in the cache has a loading timestamp. When cached data is older than the specified timeout, the backend database is checked for changes. If there is no change, the timestamp is reset to the current time; otherwise the new data is loaded. Reloading a virtual host clears the cache immediately.
Syntax: Integer number
Apply: On the fly with reload.
Tips: [Performance] If the backend database does not change very often, set a longer timeout for better performance.
Group DB Location
Description: Specifies the location of the group database. For the DB type "Password File", it is the path to the flat file containing group definitions. Group information can be set either in the user database or in this standalone group DB. For user authentication, the user DB is checked first; if it also contains group information, the group DB will not be checked. You can edit this file through the WebAdmin by clicking on the file name. Each line of the group file contains a group name followed by a colon, then the space-delimited user names of the group members. Example:
testgroup: user1 user2 user3
Syntax: File name which can be absolute, or relative to $SERVER_ROOT, or relative to $VH_ROOT.
Apply: On the fly with reload.
Tips: [Security] It is recommended to store the group file outside the document tree. If it has to be placed inside the document tree, name it with a leading "." like .htgroup to prevent it from being served as a static file. (LiteSpeed web server does not serve hidden files.)
Group DB Max Cache Size
Description: Specifies the maximum cache size of the group database. For more detail, please refer to User DB Max Cache Size.
Syntax: Integer number
Apply: On the fly with reload.
Group DB Cache Timeout
Description: Specifies how often the backend group database is checked for changes. For more detail, please refer to User DB Cache Timeout.
Syntax: Integer number
Apply: On the fly with reload.
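The user DB format, the group DB format, the "user DB group info wins" rule and the timestamp-based cache refresh described in the User DB Location, User DB Cache Timeout and Group DB Location entries are modelled together in the following added example (Python written for this page, not LiteSpeed code). The sample files it writes are constructed from the page's two example lines plus an extra user; the class name Realm, the helper names and the use of the file mtime as the "has the backend changed" signal are assumptions. Password checking uses Python's crypt module, which wraps crypt(3) and is absent on Python 3.13 and later, in which case the check fails closed.

```python
import hmac
import os
import tempfile
import time

try:
    import crypt  # stdlib wrapper for crypt(3); removed in Python 3.13
except ImportError:
    crypt = None


def parse_user_db(text):
    """Parse 'user:hash[:group1,group2]' lines into {user: (hash, groups or None)}."""
    users = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(":", 2)
        if len(parts) < 2 or not parts[0]:
            continue  # malformed line: skipped, never treated as a valid account
        groups = None
        if len(parts) == 3 and parts[2].strip():
            groups = {g.strip() for g in parts[2].split(",") if g.strip()}
        users[parts[0]] = (parts[1], groups)
    return users


def parse_group_db(text):
    """Parse 'group: user1 user2' lines into {group: {members}}."""
    groups = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        name, members = line.split(":", 1)
        groups[name.strip()] = set(members.split())
    return groups


class Realm:
    """Flat-file realm with the loading-timestamp cache the page describes."""

    def __init__(self, name, user_db_path, group_db_path=None, cache_timeout=300):
        self.name, self.cache_timeout = name, cache_timeout
        self.user_db_path, self.group_db_path = user_db_path, group_db_path
        self.clear_cache()

    def clear_cache(self):
        """What a virtual host reload does: drop cached data immediately."""
        self._users, self._groups, self._mtimes, self._loaded_at = None, None, None, 0.0

    def _refresh(self, now=None):
        now = time.time() if now is None else now
        if self._users is not None and now - self._loaded_at < self.cache_timeout:
            return  # cached data is younger than the timeout: no backend check
        gp = self.group_db_path
        mtimes = (os.stat(self.user_db_path).st_mtime, os.stat(gp).st_mtime if gp else None)
        if self._users is not None and mtimes == self._mtimes:
            self._loaded_at = now  # backend unchanged: only the timestamp is reset
            return
        with open(self.user_db_path, encoding="utf-8") as f:
            self._users = parse_user_db(f.read())
        self._groups = {}
        if gp:
            with open(gp, encoding="utf-8") as f:
                self._groups = parse_group_db(f.read())
        self._mtimes, self._loaded_at = mtimes, now

    def user_groups(self, user, now=None):
        """Groups of a user, or None if the user is unknown."""
        self._refresh(now)
        entry = self._users.get(user)
        if entry is None:
            return None
        if entry[1] is not None:
            return entry[1]  # groups present in the user DB: group DB is not consulted
        return {g for g, members in self._groups.items() if user in members}

    def in_group(self, user, group, now=None):
        groups = self.user_groups(user, now)
        return groups is not None and group in groups

    def check_password(self, user, password, now=None):
        """Verify against the crypt(3) hash; fails closed for unknown users or no crypt."""
        self._refresh(now)
        entry = self._users.get(user)
        if entry is None or crypt is None:
            return False
        return hmac.compare_digest(crypt.crypt(password, entry[0]), entry[0])


def write_file(path, text, mtime):
    """Write a DB file and pin its mtime so the cache behaviour is deterministic."""
    with open(path, "w", encoding="utf-8") as f:
        f.write(text)
    os.utime(path, (mtime, mtime))


def demo_realm():
    """Constructed sample realm in a temp dir; returns (realm, user DB path)."""
    d = tempfile.mkdtemp()
    user_path, group_path = os.path.join(d, ".htpasswd"), os.path.join(d, ".htgroup")
    write_file(user_path, "john:HZ.U8kgjnMOHo:admin,user\nalice:HZ.U8kgjnMOHo\n", 1000)
    write_file(group_path, "testgroup: user1 user2 user3\nstaff: alice\n", 1000)
    return Realm("demo", user_path, group_path, cache_timeout=300), user_path
```

Note that john's groups come from the user DB line and alice's from the group DB, and that editing .htpasswd is only noticed once the cache entry is older than the timeout, exactly the behaviour an operator should expect after adding or revoking an account without reloading the virtual host.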
Access Control
Description: Specifies which sub-networks and/or IP addresses can access this virtual host, in addition to server-level access control. The virtual host setting does NOT override the server setting. Whether an IP is blocked or allowed is determined by the combination of the allowed list and the denied list. If you want to block certain IPs or sub-networks, put * or ALL in the allowed list and list the blocked IPs or sub-networks in the denied list. If you want to only allow certain IPs or sub-networks, put * or ALL in the denied list and list the allowed IPs or sub-networks in the allowed list. The setting with the smallest scope that fits an IP is used to determine whether to block or allow it.
Allowed List
Description: Specifies the list of IPs or sub-nets allowed.
Syntax: comma-separated list of IP addresses or sub-networks. * or ALL; a sub-network can be written like 192.168.1.0/255.255.255.0, 192.168.1 or 192.168.1.*.
Apply: On the fly with reload.
Denied List
Description: Specifies the list of IPs or sub-nets disallowed.
Syntax: comma-separated list of IP addresses or sub-networks. * or ALL; a sub-network can be written like 192.168.1.0/255.255.255.0 or 192.168.1.*.
Apply: On the fly with reload.
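The "smallest scope wins" rule is easy to get backwards when reviewing a configuration, so the following added example (Python written for this page, not LiteSpeed code) parses the list syntax shown above for IPv4 and evaluates both lists the way the description states. Two points are assumptions: when the same IP matches an entry of equal scope in both lists, the deny entry wins (fail closed), and when no virtual host entry matches at all the function returns None to signal that only the server-level decision applies.

```python
import ipaddress


def parse_entry(entry):
    """Turn one list entry into an IPv4Network; '*' and 'ALL' cover every address."""
    e = entry.strip()
    if e in ("*", "ALL"):
        return ipaddress.ip_network("0.0.0.0/0")
    if "/" in e:
        # Accepts both 192.168.1.0/255.255.255.0 and 192.168.1.0/24 forms.
        return ipaddress.ip_network(e, strict=False)
    if e.endswith(".*"):
        e = e[:-2]  # 192.168.1.* is the same scope as 192.168.1
    octets = e.split(".")
    if len(octets) < 4:
        # A truncated address such as 192.168.1 means the whole /24 (8 bits per octet).
        prefix = 8 * len(octets)
        octets += ["0"] * (4 - len(octets))
        return ipaddress.ip_network(f"{'.'.join(octets)}/{prefix}", strict=False)
    return ipaddress.ip_network(e)  # single host: /32


def parse_list(text):
    """Comma-separated list as typed in the Allowed List / Denied List fields."""
    return [parse_entry(e) for e in text.split(",") if e.strip()]


def _smallest_scope(addr, networks):
    """Longest prefix length among the entries containing addr, or None."""
    return max((n.prefixlen for n in networks if addr in n), default=None)


def vhost_decision(ip, allowed_list, denied_list):
    """True = allowed, False = denied, None = no vhost rule matched (server level decides)."""
    addr = ipaddress.ip_address(ip)
    best_allow = _smallest_scope(addr, parse_list(allowed_list))
    best_deny = _smallest_scope(addr, parse_list(denied_list))
    if best_allow is None and best_deny is None:
        return None
    if best_deny is None:
        return True
    if best_allow is None:
        return False
    # Smallest scope (longest prefix) wins; an equal scope falls to the deny entry.
    return best_allow > best_deny
```

The two recipes from the description map directly onto the function: "block a few" is allowed_list="*" with the offenders in denied_list, and "allow only a few" is denied_list="ALL" with the permitted ranges in allowed_list. Because the virtual host lists never override the server-level lists, an address allowed here can still be blocked at the server level.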