|
Server Security |
Follow Symbolic Link |  |
|
Description: Specifies the server-level default for following symbolic links
when serving static files.
Choices are Yes, If Owner Match and No.
Yes will always follow a symbolic link;
If Owner Match will follow a symbolic link only if the owner of the link and the owner of its target are the same;
No will never follow a symbolic link.
This setting can be overridden by each individual virtual host.
|
Syntax: Select from drop down list |
Apply: On the fly with reload. |
Tips: [Performance & security] For better security select No or If Owner Match;
for better performance, select Yes. With Yes, anyone who can create a symbolic link under a
document root can publish any file the web server user is able to read. |
|
Check Symbolic Link |  |
|
Description: Specifies whether to check symbolic links against Access Denied Directories
when Follow Symbolic Link is turned on. If enabled, the canonical real path of the resource
referred to by a URL (the path after every symbolic link has been resolved) is checked against
the configured Access Denied Directories. Access is denied if it falls inside a denied directory.
|
Syntax: Select from radio box |
Apply: On the fly with reload. |
Tips: [Performance & security] For better security, enable it; for better performance, disable it. |
|
Required Permission Mask |  |
|
Description: Specifies the permission bits a static file must have for the
web server to serve it. For example, to serve only files that are readable
by everyone, set the value to 0004. A file is served only if every bit in
the mask is set on it. See man 2 stat for the bit values.
|
Syntax: octal numbers |
Apply: On the fly with reload. |
|
Restricted Permission Mask |  |
|
Description: Specifies the permission bits a static file must not have; a file
with any of these bits set is not served. For example, to refuse files that are
executable, set the mask to 0111. See man 2 stat for the bit values.
|
Syntax: octal numbers |
Apply: On the fly with reload. |
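The two masks combine as "all required bits present, no restricted bits present". The following is an added example written for this page, not LiteSpeed's own code: the function names, the sample files and their modes are constructed for illustration; the bit values are the standard st_mode bits from man 2 stat.

```python
import os
import stat
import tempfile


def mask_allows(st_mode: int, required: int = 0o004, restricted: int = 0o111) -> bool:
    """Apply Required Permission Mask and Restricted Permission Mask to an st_mode.

    required:   every bit set here must also be set on the file
                (0004 = S_IROTH, readable by everyone, the example above).
    restricted: none of the bits set here may be set on the file
                (0111 = S_IXUSR|S_IXGRP|S_IXOTH, any execute bit).
    A mask of 0 switches that check off.
    """
    perm = stat.S_IMODE(st_mode)  # drop the file-type bits, keep rwx/setuid/setgid/sticky
    if (perm & required) != required:
        return False
    if perm & restricted:
        return False
    return True


def check_file(path: str, required: int = 0o004, restricted: int = 0o111) -> bool:
    """stat() the file (following symlinks, so the target's bits are what count)
    and apply both masks."""
    return mask_allows(os.stat(path).st_mode, required, restricted)


def demo() -> dict:
    """Constructed sample files with typical modes; returns {name: served?}."""
    samples = {
        "index.html": 0o644,  # rw-r--r--  world-readable, no execute bit: served
        "secret.txt": 0o640,  # rw-r-----  not world-readable: fails the required mask
        "deploy.sh": 0o755,   # rwxr-xr-x  execute bits set: caught by the restricted mask
        "run.cgi": 0o750,     # rwxr-x---  fails both checks
    }
    results = {}
    with tempfile.TemporaryDirectory() as root:
        for name, perm in samples.items():
            path = os.path.join(root, name)
            with open(path, "w") as fh:
                fh.write("sample\n")
            os.chmod(path, perm)
            results[name] = check_file(path)
    return results


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name:12s} {'serve' if ok else 'refuse'}")
```

Note that the check runs on the target of a symbolic link, so a 0644 link pointing at a 0600 file is still refused by a required mask of 0004.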
|
Per Client Connection Control |  |
|
Description: These settings control connections per client IP address.
They help against DoS (Denial of Service) and DDoS (Distributed Denial of Service) attacks. |
|
Throttle Limit |  |
|
Description: Specifies the maximum allowed throughput (input and output, each way) from a single IP address.
The limit applies to the IP address as a whole, regardless of how many connections it has established.
The real bandwidth can be slightly higher than this setting for efficiency.
Bandwidth is allocated in 4KB units. Set to 0 to disable throttling.
|
Syntax: Integer number |
Apply: On the fly with reload. |
Tips: [Performance] Set the bandwidth in multiples of 8KB for better performance.
[Security] Trusted IPs or sub-networks (see Access Control) are not limited. |
|
Connection Soft Limit |  |
|
Description: Specifies the soft limit on concurrent connections allowed from one IP.
The soft limit may be exceeded temporarily during the Grace Period (sec), as long as
the number of connections stays below the Connection Hard Limit, but Keep-Alive connections
will be closed as soon as possible until the number of connections drops below
the limit. If the number of connections is still over the limit after the
Grace Period (sec), that IP will be blocked for the Banned Period (sec).
For example, if a page contains many small images, the browser may try to set up
many connections at the same time, especially an HTTP/1.0 client. You would want to allow
those connections for a short period.
Even HTTP/1.1 clients may set up multiple connections to speed up downloading, and SSL
requires separate connections from non-SSL connections. Make sure the limit is set properly,
so as not to affect normal web service. The recommended limit is between 5 and 10.
|
Syntax: Integer number |
Apply: On the fly with reload. |
Tips: [Security] A lower number leaves capacity to serve more distinct clients.
[Security] Trusted IPs or sub-networks are not limited.
[Performance] Set a higher value when you run a benchmark with a limited number of client machines. |
|
Connection Hard Limit |  |
|
Description: Specifies the maximum number of concurrent connections allowed from a single IP address.
This limit is always enforced; a client can never exceed it.
HTTP/1.0 clients usually try to set up as many connections as they need to download embedded
content at the same time. This limit should be set high enough for HTTP/1.0 clients;
use Connection Soft Limit to set the connection limit you actually want.
The recommended limit is between 20 and 50, depending on the content of your web pages.
|
Syntax: Integer number |
Apply: On the fly with reload. |
Tips: [Security] A lower number leaves capacity to serve more distinct clients.
[Security] Trusted IPs or sub-networks are not limited.
[Performance] Set a higher value when you run a benchmark with a limited number of client machines. |
|
Grace Period (sec) |  |
|
Description: Specifies for how long new connections can still be accepted after the number of connections
established from one IP has exceeded the Connection Soft Limit. Within this period, new connections
are accepted as long as the total is still below the Connection Hard Limit. After this
period, if the number of connections is still higher than the Connection Soft Limit, that
IP will be blocked for the Banned Period (sec).
|
Syntax: Integer number |
Apply: On the fly with reload. |
Tips: [Performance & Security] Set to a number big enough for a client to download
a complete page, and short enough to prevent attacks. |
|
Banned Period (sec) |  |
|
Description: Specifies for how long new connections will be rejected from one IP after the end of
the Grace Period (sec) if its number of connections is still over the Connection Soft Limit.
That IP is treated as an unfriendly user, possibly an attacker. During this period,
no connection requests are accepted from that IP.
|
Syntax: Integer number |
Apply: On the fly with reload. |
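The four settings above (Connection Soft Limit, Connection Hard Limit, Grace Period and Banned Period) form one small state machine per client IP. The following is an added example that models it, written for this page and not taken from LiteSpeed's implementation; the class and method names, the tiny limits and the IP addresses in the walk-through are constructed for illustration, and the exact moment at which the server notices "still over the soft limit after the grace period" (here: on the next connection attempt) is an assumption.

```python
import time
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Set


@dataclass
class ClientState:
    conns: int = 0                      # connections currently open from this IP
    over_since: Optional[float] = None  # when the count first passed the soft limit
    banned_until: float = 0.0           # end of the current Banned Period


@dataclass
class ConnLimiter:
    soft_limit: int = 10                 # Connection Soft Limit
    hard_limit: int = 30                 # Connection Hard Limit
    grace_period: float = 15.0           # Grace Period (sec)
    banned_period: float = 300.0         # Banned Period (sec)
    trusted: Set[str] = field(default_factory=set)   # trusted IPs: never limited
    clock: Callable[[], float] = time.monotonic      # injectable for the walk-through
    clients: Dict[str, ClientState] = field(default_factory=dict)

    def _state(self, ip: str) -> ClientState:
        return self.clients.setdefault(ip, ClientState())

    def accept(self, ip: str) -> bool:
        """Decide whether a new connection from ip is accepted."""
        if ip in self.trusted:
            return True
        now = self.clock()
        st = self._state(ip)
        if now < st.banned_until:
            return False                 # Banned Period still running
        if st.conns >= self.hard_limit:
            return False                 # hard limit: never exceeded
        if st.conns >= self.soft_limit:
            # This connection takes the IP over the soft limit: tolerated only
            # while the grace period runs, otherwise the IP is banned.
            if st.over_since is None:
                st.over_since = now
            elif now - st.over_since > self.grace_period:
                st.banned_until = now + self.banned_period
                st.over_since = None
                return False
        st.conns += 1
        return True

    def close(self, ip: str) -> None:
        """A connection from ip has ended."""
        st = self._state(ip)
        st.conns = max(0, st.conns - 1)
        if st.conns < self.soft_limit:
            st.over_since = None         # back under the soft limit: grace clock resets

    def should_drop_keepalive(self, ip: str) -> bool:
        """While over the soft limit, idle Keep-Alive connections from this IP are
        closed as soon as possible instead of being held open."""
        return ip not in self.trusted and self._state(ip).conns >= self.soft_limit


class FakeClock:
    """Manually advanced clock so the walk-through does not have to sleep."""
    def __init__(self, now: float = 0.0):
        self.now = now

    def __call__(self) -> float:
        return self.now


def scenario() -> List[bool]:
    """Constructed walk-through of one abusive IP against small limits."""
    clock = FakeClock(0.0)
    lim = ConnLimiter(soft_limit=2, hard_limit=4, grace_period=5, banned_period=60,
                      trusted={"192.168.1.5"}, clock=clock)
    ip = "203.0.113.9"
    events = [lim.accept(ip) for _ in range(5)]   # 1-2 normal, 3-4 over soft (grace), 5 hits hard
    clock.now = 3.0
    lim.close(ip)                                  # 3 open, still inside the grace period
    events.append(lim.accept(ip))                  # accepted again: 4 open
    clock.now = 6.0                                # grace period (5 s) has elapsed
    lim.close(ip)                                  # 3 open: still over the soft limit
    events.append(lim.accept(ip))                  # rejected and banned for 60 s
    events.append(lim.accept(ip))                  # rejected: ban in force
    clock.now = 70.0
    events.append(lim.accept(ip))                  # ban expired, accepted
    events.append(all(lim.accept("192.168.1.5") for _ in range(100)))  # trusted: no limits
    return events
```

The walk-through shows why the hard limit alone is not enough: it only caps one IP's share, while the soft limit plus grace period is what turns a sustained burst into a ban.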
|
Max Concurrent CGI Instances |  |
|
Description: Specifies the maximum number of CGI processes the web server may run concurrently.
For each request to a CGI script, the web server has to start a separate CGI process
to handle it. On a Unix system the number of concurrent processes is limited; an excessive
number of concurrent processes degrades the performance of the whole system, and it could
become the target of a DoS attack. LiteSpeed Web Server pipelines requests to CGI scripts
and limits concurrent CGI processes to ensure maximum performance and reliability.
The hard limit is 2000.
|
Syntax: Integer number |
Apply: On the fly with reload. |
Tips: [Security & Performance] A higher limit does not necessarily mean higher performance;
in most cases a lower limit gives better performance and security. A higher limit only helps
when I/O latency is high during CGI processing. |
|
Minimum UID |  |
|
Description: Specifies the minimum user ID a CGI script may run as. If LiteSpeed Web
Server is started by the "root" user, it can run CGI scripts in "suEXEC"
mode, as found in Apache (switching to a user/group ID other than the web
server's). Execution of CGI with a user ID lower than the value specified
here will be denied.
|
Syntax: Integer number |
Apply: On the fly with reload. |
Tips: [Security] Set it high enough to exclude all system users. |
|
Minimum GID |  |
|
Description: Specifies the minimum group ID a CGI script may run as. If LiteSpeed Web
Server is started by the "root" user, it can run CGI scripts in "suEXEC"
mode, as found in Apache (switching to a user/group ID other than the web
server's). Execution of CGI with a group ID lower than the value specified
here will be denied.
|
Syntax: Integer number |
Apply: On the fly with reload. |
Tips: [Security] Set it high enough to exclude all groups used by system users. |
|
CGI Priority |  |
|
Description: Specifies the scheduling priority (nice value) of CGI processes. Values range from
-20 to 20; a lower number means higher priority.
|
Syntax: int |
Apply: Restart required. |
Tips: [Performance] Usually this should be above 0, so CGI processes run at a lower priority than processes at the default nice value of 0. |
|
CPU Soft Limit |  |
|
Description: Specifies the CPU time limit in seconds for a CGI process. When the process
reaches the soft limit, it is notified by a signal (SIGXCPU), which terminates it unless the
script handles that signal. The operating system's default is used if the value is 0 or absent.
|
Syntax: Integer number |
Apply: On the fly with reload. |
|
CPU Hard Limit |  |
|
Description: Specifies the maximum CPU time in seconds for a CGI process.
If the process keeps consuming CPU time and reaches the hard limit, it is
killed (SIGKILL). The operating system's default is used if the value is 0 or absent.
|
Syntax: Integer number |
Apply: On the fly with reload. |
|
Memory Soft Limit |  |
|
Description: Specifies the memory consumption (soft) limit in bytes for a CGI process.
The operating system's default is used if the value is 0 or absent.
|
Syntax: Integer number |
Apply: On the fly with reload. |
|
Memory Hard Limit |  |
|
Description: Specifies the maximum memory consumption (hard) limit in bytes for a CGI process.
The operating system's default is used if the value is 0 or absent.
|
Syntax: Integer number |
Apply: On the fly with reload. |
|
Process Soft Limit |  |
|
Description: Limits the number of processes that can be created for the real user ID
of the server process, which effectively limits the number of child processes
a CGI process can launch. The operating system's default value is used if the
value is set to 0 or absent.
|
Syntax: Integer number |
Apply: On the fly with reload. |
|
Process Hard Limit |  |
|
Description: Limits the maximum number of processes that can be created for the real user ID
of the server process. No more processes can be forked once this limit is reached.
The operating system's default value is used if the value is set to 0 or absent.
|
Syntax: Integer number |
Apply: On the fly with reload. |
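The CPU, memory and process limits above are the classic setrlimit() soft/hard pairs, applied in the child between fork() and exec() of the CGI program. The following is an added example of that mechanism written for this page, not LiteSpeed's code: the mapping of "0 or absent" to "keep the current OS value for that half", the capping of soft at hard, and the refusal to raise the hard limit above the server's own are assumptions stated in the comments; the function names and the constructed child command are for illustration only.

```python
import resource
import subprocess
import sys
from typing import Dict, List, Tuple

Limits = Dict[int, Tuple[int, int]]


def cgi_rlimits(cpu_soft=0, cpu_hard=0, mem_soft=0, mem_hard=0,
                proc_soft=0, proc_hard=0) -> Limits:
    """Translate the six settings into setrlimit() (soft, hard) pairs.
    0 or absent keeps the operating system's current value for that half
    (assumption). Two constraints setrlimit() itself enforces are applied here:
    soft may not exceed hard, and an unprivileged process cannot raise hard
    above its current hard limit."""
    out: Limits = {}
    for res, soft, hard in ((resource.RLIMIT_CPU, cpu_soft, cpu_hard),
                            (resource.RLIMIT_AS, mem_soft, mem_hard),
                            (resource.RLIMIT_NPROC, proc_soft, proc_hard)):
        if not soft and not hard:
            continue                      # both absent: leave the OS default alone
        cur_soft, cur_hard = resource.getrlimit(res)
        soft = soft or cur_soft
        hard = hard or cur_hard
        if cur_hard != resource.RLIM_INFINITY:
            hard = min(hard, cur_hard)    # cannot raise the hard limit without privilege
        if hard != resource.RLIM_INFINITY and (soft == resource.RLIM_INFINITY or soft > hard):
            soft = hard                   # soft must not exceed hard
        out[res] = (soft, hard)
    return out


def run_cgi(argv: List[str], limits: Limits) -> subprocess.CompletedProcess:
    """Spawn a CGI-style child with the limits applied after fork() and before
    exec(), which is the only point at which a server can set them for the child."""
    def apply_limits() -> None:
        for res, pair in limits.items():
            resource.setrlimit(res, pair)
    return subprocess.run(argv, preexec_fn=apply_limits, capture_output=True, text=True)


def demo() -> Tuple[int, int]:
    """Constructed check: the child reports its own RLIMIT_CPU after the limits
    took effect. Returns (soft, hard) as seen by the child."""
    limits = cgi_rlimits(cpu_soft=30, cpu_hard=60)
    child = [sys.executable, "-c",
             "import resource; print(*resource.getrlimit(resource.RLIMIT_CPU))"]
    soft, hard = run_cgi(child, limits).stdout.split()
    return int(soft), int(hard)


if __name__ == "__main__":
    print("child sees RLIMIT_CPU =", demo())
```

A CGI that exceeds the soft CPU limit receives SIGXCPU and dies unless it handles the signal; one that reaches the hard limit is killed outright. Python's preexec_fn is only safe in a single-threaded parent; a real server does the same setrlimit() calls in its own fork path. Do not apply an RLIMIT_NPROC lower than the number of processes the user already has: fork() would then fail immediately.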
|
Access Denied Directories |  |
|
Description: Specifies directories whose contents must not be served.
Add directories that contain sensitive data to this list to prevent a file from being
sent to clients by accident. Append a "*" to a path to include all of its sub-directories.
If both Follow Symbolic Link and Check Symbolic Link are enabled, the real path behind a symbolic
link is also checked against the denied directories.
|
Syntax: comma-separated list of directories |
Apply: On the fly with reload. |
Tips: [Security] Important! This only prevents the server from serving static files from these
directories; it does not stop a buggy CGI script from reading them. |
|
Access Control |  |
|
Description: Specifies which sub-networks and/or IP addresses can access the server.
This is a server-level setting that affects all virtual hosts. You can also set up
access control for each virtual host in addition to this. A virtual host setting does NOT
override the server setting.
Whether an IP is blocked or allowed is determined by the combination of the Allowed List and the Denied List.
To block certain IPs or sub-networks, put * or ALL in the
Allowed List and list the blocked IPs or sub-networks in the Denied List.
To allow only certain IPs or sub-networks, put * or ALL
in the Denied List and list the allowed IPs or sub-networks in the Allowed List.
The entry with the smallest scope that matches an IP (the most specific one) determines whether
it is blocked or allowed.
A trusted IP or sub-network is specified in the Allowed List by adding a
trailing "T". Trusted IPs and sub-networks are not subject to the connection and throttling limits above.
Only server-level access control can set up trusted IPs/sub-networks. |
Tips: [Security] Only put here restrictions that apply to all virtual hosts. |
|
Allowed List |  |
|
Description: Specifies the list of IPs or sub-networks that are allowed.
|
Syntax: comma-separated list of IP address or sub-network.
* or ALL, sub-network can be like
192.168.1.0/255.255.255.0, 192.168.1 or 192.168.1.*.
A trailing "T" can be used to indicate a trusted IP or sub-network, like 192.168.1.*T. |
Apply: On the fly with reload. |
Tips: [Security] Trusted IP or sub-network can be set in server level access
control and they are not limited by connection/throttling limits. |
|
Denied List |  |
|
Description: Specifies the list of IPs or sub-networks that are denied.
|
Syntax: comma-separated list of IP address or sub-network, * or ALL,
sub-network can be like 192.168.1.0/255.255.255.0 or 192.168.1.* |
Apply: On the fly with reload. |
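The "smallest scope wins" rule and the entry syntaxes of the Allowed List and Denied List are easiest to check with a small matcher. The following is an added example written for this page, not LiteSpeed's parser: the class and function names and the rule sets in the demo are constructed; two points the description leaves open are filled with stated assumptions (an equal-scope tie goes to Denied, and an address matched by neither list is denied), and a partial dotted quad such as 192.168.1 is read as the whole /24.

```python
import ipaddress
from typing import Dict, List, Tuple


def parse_entry(entry: str) -> Tuple[ipaddress.IPv4Network, bool]:
    """Parse one list entry in the documented forms and return (network, trusted):
    "*" or "ALL"; "192.168.1.0/255.255.255.0" (or CIDR); "192.168.1" or "192.168.1.*"
    (a partial dotted quad is read as the whole /8, /16 or /24: assumption);
    a single address; a trailing "T" marks a trusted entry."""
    e = entry.strip()
    trusted = e.endswith("T")
    if trusted:
        e = e[:-1]
    if e.upper() in ("*", "ALL"):
        return ipaddress.ip_network("0.0.0.0/0"), trusted
    if "/" in e:                      # CIDR or dotted netmask: ipaddress accepts both
        return ipaddress.ip_network(e, strict=False), trusted
    parts = e.split(".")
    if parts[-1] == "*":
        parts = parts[:-1]
    if len(parts) < 4:
        prefix = 8 * len(parts)
        parts += ["0"] * (4 - len(parts))
        return ipaddress.ip_network(".".join(parts) + "/%d" % prefix, strict=False), trusted
    return ipaddress.ip_network(e + "/32"), trusted


class AccessControl:
    """Combine Allowed List and Denied List: the matching entry with the smallest
    scope (longest prefix) decides. Assumptions: an equal-scope tie goes to
    Denied, and an address matched by neither list is denied."""

    def __init__(self, allowed: str, denied: str):
        self.allowed = [parse_entry(x) for x in allowed.split(",") if x.strip()]
        # "T" has no meaning in the Denied List, so only the network is kept.
        self.denied = [parse_entry(x)[0] for x in denied.split(",") if x.strip()]

    def check(self, ip: str) -> Tuple[str, bool]:
        """Return ("allow" | "deny", trusted)."""
        addr = ipaddress.ip_address(ip)
        best = None                   # (prefixlen, verdict, trusted)
        for net, trusted in self.allowed:
            if addr in net and (best is None or net.prefixlen > best[0]):
                best = (net.prefixlen, "allow", trusted)
        for net in self.denied:
            if addr in net and (best is None or net.prefixlen >= best[0]):
                best = (net.prefixlen, "deny", False)
        if best is None:
            return "deny", False
        return best[1], best[2]


def demo() -> Dict[str, Tuple[str, bool]]:
    """Constructed rule sets in the two styles the description recommends."""
    blacklist = AccessControl(
        allowed="ALL, 192.168.1.*T, 10.0.0.0/255.255.0.0",
        denied="10.0.0.0/8, 203.0.113.7")
    whitelist = AccessControl(allowed="192.168.1.0/255.255.255.0, 172.16", denied="*")
    return {
        "bl_public": blacklist.check("198.51.100.1"),       # only ALL matches: allow
        "bl_blocked_host": blacklist.check("203.0.113.7"),  # /32 deny beats ALL
        "bl_trusted_lan": blacklist.check("192.168.1.20"),  # /24 allow, trusted: no limits
        "bl_carve_out": blacklist.check("10.0.5.1"),        # /16 allow beats /8 deny
        "bl_rest_of_10": blacklist.check("10.9.9.9"),       # /8 deny beats ALL
        "wl_lan": whitelist.check("192.168.1.5"),           # /24 allow beats * deny
        "wl_172": whitelist.check("172.16.40.2"),           # "172.16" = 172.16.0.0/16
        "wl_outside": whitelist.check("8.8.8.8"),           # only * matches: deny
    }
```

The "bl_carve_out" case shows the value of the smallest-scope rule: a narrow Allowed entry can re-open part of a broader Denied range without touching the rest of it. Remember that a trusted entry also switches off the per-client connection and throttle limits, so keep the "T" suffix to networks you really control.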
|
Copyright © 2003. Lite Speed Technologies Inc. All rights reserved. |