|
Virtual Host Security |
|
|
Context Access Control |  |
|
Description: Specifies whether to allow context level IP/Sub-Network access control.
Context level access control rules are optional, and only effective under that context.
Rules can be set in Context configuration via the web interface or in an Access
Control File (.htaccess) placed under a directory.
Virtual host level access control is always applied first.
|
Syntax: Select from radio box |
Apply: On the fly with reload. |
Tips: [Security & Performance] Context level access control can be used to
protect part of the web site from being accessed by certain IPs or sub-networks.
Disable it for better performance if this feature is not needed. |
|
Hotlink Control |  |
|
Description: Hotlinking is when another website links directly to images or
files on your website with a hyperlink in its web pages. It
introduces additional bandwidth usage that you need to pay for.
LiteSpeed web server can prevent others from hotlinking content on
your web site by checking the "Referer" header in an HTTP request. |
|
Enable Hotlink Protection |  |
|
Description: Specifies whether to activate hotlink protection.
|
Syntax: Select from radio box |
Apply: On the fly with reload. |
|
Suffix |  |
|
Description: Specifies which kinds of files will be protected from hotlinking
by listing their file suffixes here.
|
Syntax: comma separated list, "." is prohibited |
Apply: On the fly with reload. |
|
Allow Direct Access |  |
|
Description: Specifies whether to allow direct access without a
referrer. There is no "Referer" header in HTTP request when a user types
in an address directly in the address box, or uses a feature like "Save
Target Link As".
|
Syntax: Select from radio box |
Apply: On the fly with reload. |
|
Redirect URL |  |
|
Description: Specifies a URL that a user will be redirected to when a
hotlinking action is detected. You can redirect users to an image or
page saying hotlinking is not allowed. If it is not specified,
"403 Forbidden" will be returned.
|
Syntax: Absolute URL |
Apply: On the fly with reload. |
|
Only Self Reference |  |
|
Description: Specifies whether to allow references only from the current web site
itself. When set to "Yes", "Allowed Domains" has no effect and no
other web site can link to protected files. It is convenient if
multiple domain names are parked on the current web site.
|
Syntax: Select from radio box |
Apply: On the fly with reload. |
|
Allowed Domains |  |
|
Description: Specifies which web sites can link to protected content.
|
Syntax: comma separated list of domain names |
Apply: On the fly with reload. |
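
How the hotlink settings above combine for a single request, as an added Python model (not LiteSpeed's own code). The function and parameter names are hypothetical; treating the request's Host as "the current web site" and letting an allowed domain cover its subdomains are assumptions.

```python
from urllib.parse import urlsplit

def _csv(value):
    """Split a comma separated setting into a lower-case set."""
    return {v.strip().lower() for v in value.split(",") if v.strip()}

def hotlink_decision(path, referer, host, *, suffixes, allow_direct,
                     only_self, allowed_domains="", redirect_url=None):
    """Model the documented settings; returns (action, detail)."""
    name = path.rsplit("/", 1)[-1]
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    if ext not in _csv(suffixes):
        return ("serve", "suffix not protected")
    # Redirect URL if set, otherwise "403 Forbidden".
    blocked = ("redirect", redirect_url) if redirect_url else ("forbidden", 403)
    if not referer:
        # No Referer: typed address or "Save Target Link As".
        return ("serve", "direct access") if allow_direct else blocked
    ref_host = (urlsplit(referer).hostname or "").lower()
    if ref_host == host.lower():
        return ("serve", "self reference")
    if only_self:
        return blocked                 # "Allowed Domains" has no effect
    for dom in _csv(allowed_domains):
        # Assumption: an allowed domain also covers its subdomains.
        if ref_host == dom or ref_host.endswith("." + dom):
            return ("serve", "allowed domain")
    return blocked

# Constructed sample settings and requests (not taken from a real site).
CFG = dict(suffixes="gif, jpeg, jpg, png", allow_direct=True, only_self=False,
           allowed_domains="partner.example", redirect_url=None)

if __name__ == "__main__":
    for ref in (None, "http://www.site.example/a.html",
                "http://cdn.partner.example/x", "http://other.example/"):
        print(ref, hotlink_decision("/img/logo.png", ref,
                                    "www.site.example", **CFG))
```

The "Referer" header is supplied by the client, so these settings limit casual embedding and bandwidth use; content that must stay private belongs behind an authorization realm.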
|
Authorization Realms |  |
|
Description: Lists all authorization realms for this virtual host.
Authorization realms are used to block unauthorized users from accessing protected web pages.
A realm is a user directory containing user names and passwords with optional
group classification. Authorization is performed at context level.
Because different contexts can share the same realm (user database), realms are defined separately.
You can refer to a realm by its name in context configuration. |
|
Name |  |
|
Description: Specifies a unique name for the realm.
|
Apply: On the fly with reload. |
|
DB Type |  |
|
Description: Specifies the type of a realm. It could be a flat file, a DBM file, LDAP or ODBC.
Currently, only the flat password file is supported.
|
Syntax: Select from drop down list |
Apply: On the fly with reload. |
|
User DB Location |  |
|
Description: Specifies the location of the user database.
For DB type of Password File, it is the path to the flat file
containing user definitions.
You can edit this file through the WebAdmin by clicking on the file name.
Each line of the user file contains a username followed by a colon,
followed by the crypt() encrypted password, optionally followed by a colon
and the names of the groups the user belongs to; group names are delimited by commas.
If group information is specified in the user DB, then the group
database will not be checked.
Example:
john:HZ.U8kgjnMOHo:admin,user
|
Syntax: File name which can be absolute, or relative to $SERVER_ROOT, or relative to $VH_ROOT. |
Apply: On the fly with reload. |
Tips: [Security] It is recommended to store a user password file outside of the document tree.
If it has to be placed under the document root, simply name it with a leading "."
like .htpasswd to prevent it from being served as a static file.
(LiteSpeed web server does not serve hidden files.) |
|
User DB Max Cache Size |  |
|
Description: Specifies the maximum cache size of the user database.
Most recently accessed user authentication data will be cached in memory
in order to provide the maximum performance.
|
Syntax: Integer number |
Apply: On the fly with reload. |
Tips: [Performance] As a larger cache will consume more memory,
a higher value may or may not provide better performance. Set it to an appropriate size according
to your system configuration and usage. |
|
User DB Cache Timeout |  |
|
Description: Specifies how often the backend user database will be checked for changes.
Every entry in the cache has a loading timestamp.
When cached data is older than the specified timeout, the backend database will be checked
for changes. If there is no change, the timestamp will be reset to current time, otherwise
the new data will be loaded. Reloading a virtual host will clear the cache immediately.
|
Syntax: Integer number |
Apply: On the fly with reload. |
Tips: [Performance] If the backend database does not change very often,
set a longer timeout for better performance. |
|
Group DB Location |  |
|
Description: Specifies the location of the group database.
For DB type of Password File, it is the path to the flat file
containing group definitions.
Group information can be set either in the user database or in this
standalone group DB. For user authentication, the user DB will be checked
first; if it also contains group information, then the group DB will
not be checked.
You can edit this file through the WebAdmin by clicking on the file name.
Each line of the group file contains a group name followed by a colon,
then followed by space delimited user names. Example:
testgroup: user1 user2 user3
|
Syntax: File name which can be absolute, or relative to $SERVER_ROOT, or relative to $VH_ROOT. |
Apply: On the fly with reload. |
Tips: [Security] It is recommended to store a group file outside the document tree.
If it has to be placed inside the document tree, simply name it with a leading "."
like .htgroup to prevent it from being served as a static file.
(LiteSpeed web server does not serve hidden files.) |
|
Group DB Max Cache Size |  |
|
Description: Specifies the maximum cache size of the group database. For more detail please refer to
User DB Max Cache Size.
|
Syntax: Integer number |
Apply: On the fly with reload. |
|
Group DB Cache Timeout |  |
|
Description: Specifies how often the backend group database will be checked for changes.
For more detail please refer to User DB Cache Timeout.
|
Syntax: Integer number |
Apply: On the fly with reload. |
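
A parser for the user and group file formats described under User DB Location and Group DB Location, with the group precedence rule and the storage tip as checks. This is an added Python example, not LiteSpeed code; the function names and the paths in the sample are hypothetical, and applying the precedence rule per user entry is an assumption.

```python
import os

def parse_user_db(text):
    """username:hash[:group1,group2] -> {user: (hash, groups or None)}"""
    users = {}
    for n, line in enumerate(text.splitlines(), 1):
        parts = line.strip().split(":")
        if parts == [""]:
            continue                              # blank line
        if len(parts) not in (2, 3) or not all(parts[:2]):
            raise ValueError(f"user DB line {n}: expected user:hash[:groups]")
        groups = None
        if len(parts) == 3:
            groups = {g.strip() for g in parts[2].split(",") if g.strip()}
        users[parts[0]] = (parts[1], groups)
    return users

def parse_group_db(text):
    """groupname: user1 user2 -> {group: {members}}"""
    groups = {}
    for line in text.splitlines():
        name, sep, members = line.partition(":")
        if sep:
            groups[name.strip()] = set(members.split())
    return groups

def groups_of(user, users, group_db):
    """Group info in the user DB wins; the group DB is then not checked.
    Assumption: the rule is applied per user entry."""
    inline = users[user][1]
    if inline:
        return inline
    return {g for g, members in group_db.items() if user in members}

def served_as_static(db_path, doc_root):
    """True if the file is inside doc_root and its name is not hidden."""
    db, root = os.path.realpath(db_path), os.path.realpath(doc_root)
    inside = os.path.commonpath([db, root]) == root
    return inside and not os.path.basename(db).startswith(".")

# First USER_DB line is the page's example; everything else is constructed.
USER_DB = "john:HZ.U8kgjnMOHo:admin,user\nuser1:xxPLACEHOLDERx\n"
GROUP_DB = "testgroup: user1 user2 user3\nstaff: john user1\n"

if __name__ == "__main__":
    users, group_db = parse_user_db(USER_DB), parse_group_db(GROUP_DB)
    for u in users:
        print(u, sorted(groups_of(u, users, group_db)))
    print(served_as_static("/srv/vh/html/htpasswd", "/srv/vh/html"))
```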
|
Access Control |  |
|
Description: Specifies which sub-networks and/or IP addresses can access this virtual host
in addition to server level access control. The virtual host setting does NOT override
the server setting. Whether to block or allow an IP is determined by the combination
of the allowed list and the denied list. If you want to block certain IPs or sub-networks,
put * or ALL in the allowed list and list the blocked IPs or
sub-networks in the denied list. If you want to allow only certain IPs or sub-networks,
put * or ALL in the denied list and list the allowed IPs or
sub-networks in the allowed list. The setting with the smallest scope that fits
an IP will be used to determine whether to block or allow it. |
|
Allowed List |  |
|
Description: Specifies the list of IP addresses or sub-networks that are allowed.
|
Syntax: comma-separated list of IP addresses or sub-networks, * or ALL;
a sub-network can be like 192.168.1.0/255.255.255.0, 192.168.1 or 192.168.1.*. |
Apply: On the fly with reload. |
|
Denied List |  |
|
Description: Specifies the list of IP addresses or sub-networks that are disallowed.
|
Syntax: comma-separated list of IP addresses or sub-networks, * or ALL;
a sub-network can be like 192.168.1.0/255.255.255.0 or 192.168.1.* |
Apply: On the fly with reload. |
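
The "smallest scope that fits" rule and the server/virtual host combination, as an added Python model (not LiteSpeed's own code). The function names are hypothetical, only IPv4 is modelled, and denying on a tie or when no entry matches is an assumption the page does not state.

```python
import ipaddress

def parse_entry(entry):
    """Turn one list entry into an IPv4 network (the notations from Syntax)."""
    e = entry.strip()
    if e == "*" or e.upper() == "ALL":
        return ipaddress.ip_network("0.0.0.0/0")
    if "/" in e:                      # 192.168.1.0/255.255.255.0
        return ipaddress.ip_network(e, strict=False)
    # 192.168.1, 192.168.1.* or a full address: known octets give the prefix.
    octets = [o for o in e.split(".") if o not in ("*", "")]
    padded = octets + ["0"] * (4 - len(octets))
    return ipaddress.ip_network(f"{'.'.join(padded)}/{8 * len(octets)}")

def best_match(ip, entries):
    """Prefix length of the narrowest entry containing ip, or -1 if none."""
    addr = ipaddress.ip_address(ip)
    nets = [parse_entry(e) for e in entries.split(",") if e.strip()]
    return max((n.prefixlen for n in nets if addr in n), default=-1)

def is_allowed(ip, allowed, denied):
    """Smallest matching scope decides.
    Assumption: a tie, or no match in either list, is treated as denied."""
    return best_match(ip, allowed) > best_match(ip, denied)

def effective(ip, server, vhost):
    """Virtual host rules add to the server rules and never override them,
    so a client must pass both (allowed, denied) pairs."""
    return is_allowed(ip, *server) and is_allowed(ip, *vhost)

# Constructed sample lists (private address space, not from a real server).
SERVER = ("ALL", "10.9.0.0/255.255.0.0")
VHOST = ("192.168.1.10, ALL", "192.168.1.*")

if __name__ == "__main__":
    for ip in ("192.168.1.10", "192.168.1.11", "10.9.3.4", "172.16.0.1"):
        print(ip, "allowed" if effective(ip, SERVER, VHOST) else "blocked")
```

In the sample, 192.168.1.10 is allowed although 192.168.1.* is denied, because the single address is the smaller scope.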
|
Copyright © 2003. Lite Speed Technologies Inc. All rights reserved. |