File manager

File manager - Edit - /home/newsbmcs.com/public_html/static/img/logo/ServSecurity_Help.html.tar

Back
usr/local/lswsbak/docs/ja-JP/ServSecurity_Help.html��0000644��00000171270�15030443174�0016264 0��ustar�00��<!DOCTYPE html> <head> <meta charset="utf-8" /> <meta http-equiv="X-UA-Compatible" content="IE=edge,chrome=1" /> <title>Open LiteSpeed Web Serverユーザーズマニュアル - サーバーのセキュリティ</title> <meta name="description" content="Open LiteSpeed Web Serverユーザーズマニュアル - サーバーのセキュリティ." /> <meta name="viewport" content="width=device-width, initial-scale=1.0" /> <meta name="robots" content="noindex"> <link rel="shortcut icon" href="../img/favicon.ico" /> <link rel="stylesheet" type="text/css" href="../css/hdoc.css"> </head> <body> <div class="pagewrapper clearfix"><aside class="sidetree ls-col-1-5"> <figure> <img src="../img/ols_logo.svg" alt="openlitespeed logo" width="150px"/> </figure> <h3 class="ls-text-thin">OpenLiteSpeed Web Server <a href="index.html"> ユーザーズマニュアル</a></h3> <h5 class="ls-text-muted">Version 1.8  — Rev. 0</h5> <hr/> <div> <ul> <li><a href="license.html">ライセンス</a></li> <li><a href="intro.html">はじめに</a></li> <li><a href="install.html">インストール</a></li> <li> <a href="admin.html">管理</a> <ul class="level2"> <li><a href="ServerStat_Help.html">サービスマネージャ</a></li> <li><a href="Real_Time_Stats_Help.html">Real-Time Stats</a></li> </ul> </li> <li><a href="security.html">セキュリティ</a></li> <li><a href="config.html">設定</a> <ul class="level2"> <li><a href="ServGeneral_Help.html">サーバー全般</a></li> <li><a href="ServLog_Help.html">サーバーログ</a></li> <li><a href="ServTuning_Help.html">サーバーのチューニング</a></li> <li><span class="current"><a href="ServSecurity_Help.html">サーバーのセキュリティ</a></span></li> <li><a href="ExtApp_Help.html">外部アプリ</a></li> <ul class="level3"> <li><a href="External_FCGI.html">Fast CGIアプリ</a></li> <li><a href="External_FCGI_Auth.html">Fast CGIオーソライザー</a></li> <li><a href="External_LSAPI.html">LSAPIアプリ</a></li> <li><a href="External_Servlet.html">サーブレットエンジン</a></li> <li><a href="External_WS.html">Webサーバー</a></li> <li><a href="External_PL.html">パイプロガー</a></li> <li><a href="External_LB.html">ロードバランサ</a></li> </ul> <li><a href="ScriptHandler_Help.html">スクリプトハンドラ</a></li> <li><a href="Rails_Help.html">Rack/Railsの設定</a></li> <li><a href="Module_Help.html">モジュール設定</a></li> <li><a href="Listeners_General_Help.html">リスナー全般</a></li> <li><a href="Listeners_SSL_Help.html">リスナーのSSL</a></li> <li><a href="Templates_Help.html">テンプレート</a></li> <li><a href="VirtualHosts_Help.html">バーチャルホストの基本</a></li> <li><a href="VHGeneral_Help.html">バーチャルホスト全般</a></li> <li><a href="VHSecurity_Help.html">バーチャルホストのセキュリティ</a></li> <li><a href="VHSSL_Help.html">バーチャルホストのSSL</a></li> <li><a href="Rewrite_Help.html">Rewrite</a></li> <li><a href="Context_Help.html">コンテキスト</a></li> <ul class="level3"> <li><a href="Static_Context.html">静的コンテテキスト</a></li> <li><a href="Java_Web_App_Context.html">Java Webアプリのコンテキスト</a></li> <li><a href="Servlet_Context.html">サーブレットコンテキスト</a></li> <li><a href="FCGI_Context.html">Fast CGIコンテキスト</a></li> <li><a href="LSAPI_Context.html">LSAPIコンテキスト</a></li> <li><a href="Proxy_Context.html">プロキシコンテキスト</a></li> <li><a href="CGI_Context.html">CGIコンテキスト</a></li> <li><a href="LB_Context.html">ロードバランサコンテキスト</a></li> <li><a href="Redirect_Context.html">コンテキストのリダイレクト</a></li> <li><a href="Rails_Context.html">Rack/Railsのコンテキスト</a></li> <li><a href="Module_Context.html">モジュールハンドラのコンテキスト</a></li> </ul> <li><a href="VHWebSocket_Help.html">Web Socketプロキシ</a></li> </ul> </li> <li><a href="webconsole.html">Webコンソール</a> <ul class="level2"> <li><a href="AdminGeneral_Help.html">管理コンソール全般</a></li> <li><a href="AdminSecurity_Help.html">管理コンソールのセキュリティ</a></li> <li><a href="AdminListeners_General_Help.html">管理リスナー全般</a></li> <li><a href="AdminListeners_SSL_Help.html">管理リスナーのSSL</a></li> </ul> </li> </ul> </div> </aside> <article class="contentwrapper ls-col-3-5 clearfix"><div class="nav-bar ls-spacer-micro-top"><div class="prev">&#171 <a href="ServTuning_Help.html">サーバーのチューニング</a></div><div class="center"><a href="config.html">設定</a></div><div class="next"><a href="ExtApp_Help.html">外部アプリケーション</a> »</div></div> <h1>サーバーのセキュリティ</h1><h2 id="top">目次</h2><section class="toc"><section class="toc-row"><header>ファイルアクセス</header><p> <a href="#followSymbolLink">シンボリックリンクに従う</a> \| <a href="#checkSymbolLink">シンボリックリンクを確認する</a> \| <a href="#forceStrictOwnership">厳格な所有権チェックを強制する</a> \| <a href="#requiredPermissionMask">必要な許可マスク</a> \| <a href="#restrictedPermissionMask">制限付き許可マスク</a> \| <a href="#restrictedScriptPermissionMask">スクリプトのアクセス許可マスクの制限</a> \| <a href="#restrictedDirPermissionMask">スクリプトディレクトリのアクセス許可マスクの制限</a></p></section> <section class="toc-row"><header><a href="#perClientConnLimit">クライアント単位のスロットル</a></header><p> <a href="#staticReqPerSec">静的リクエスト/秒</a> \| <a href="#dynReqPerSec">動的リクエスト/秒</a> \| <a href="#outBandwidth">送信帯域幅（バイト/秒）</a> \| <a href="#inBandwidth">受信帯域幅（バイト/秒）</a> \| <a href="#softLimit">接続ソフトリミット</a> \| <a href="#hardLimit">接続ハードリミット</a> \| <a href="#blockBadReq">不良リクエストをブロックする</a> \| <a href="#gracePeriod">猶予期間（秒）</a> \| <a href="#banPeriod">禁止期間（秒）</a></p></section> <section class="toc-row"><header><a href="#cgiResource">CGI設定</a></header><p> <a href="#cgidSock">CGIデーモンソケット</a> \| <a href="#maxCGIInstances">最大CGIインスタンス</a> \| <a href="#minUID">最小UID</a> \| <a href="#minGID">最小GID</a> \| <a href="#forceGID">強制GID</a> \| <a href="#umask">umask</a> \| <a href="#CGIPriority">CGI プライオリティ</a> \| <a href="#CPUSoftLimit">CPUソフトリミット(秒)</a> \| <a href="#CPUHardLimit">CPUハードリミット</a> \| <a href="#memSoftLimit">メモリソフトリミット（バイト）</a> \| <a href="#memHardLimit">メモリハードリミット</a> \| <a href="#procSoftLimit">プロセスソフトリミット</a> \| <a href="#procHardLimit">プロセスハードリミット</a> \| <a href="#cgroups">cgroups</a></p></section> <section class="toc-row"><header><a href="#lsrecaptcha">reCAPTCHA Protection</a></header><p> <a href="#enableRecaptcha">Enable reCAPTCHA</a> \| <a href="#recaptchaSiteKey">Site Key</a> \| <a href="#recaptchaSecretKey">Secret Key</a> \| <a href="#recaptchaType">reCAPTCHA Type</a> \| <a href="#recaptchaMaxTries">Max Tries</a> \| <a href="#recaptchaAllowedRobotHits">Allowed Robot Hits</a> \| <a href="#recaptchaBotWhiteList">Bot White List</a> \| <a href="#recaptchaRegConnLimit">Connection Limit</a> \| <a href="#recaptchaSslConnLimit">SSL Connection Limit</a></p></section> <section class="toc-row"><header>Containers</header><p> <a href="#bubbleWrap">Bubblewrap Container</a> \| <a href="#bubbleWrapCmd">Bubblewrap Command</a> \| <a href="#namespace">Namespace Container</a> \| <a href="#namespaceConf">Namespace Template File</a></p></section> <section class="toc-row"><header>アクセスが拒否されたディレクトリ</header><p> <a href="#accessDenyDir">アクセスが拒否されたディレクトリ</a></p></section> <section class="toc-row"><header><a href="#accessControl">アクセス制御</a></header><p> <a href="#accessControl_allow">許可リスト</a> \| <a href="#accessControl_deny">拒否リスト</a></p></section> </section> <section><div class="helpitem"><article class="ls-helpitem"><div><header id="followSymbolLink"><h3>シンボリックリンクに従う<span class="ls-permlink"><a href="#followSymbolLink"></a></span><span class="top"><a href="#top">⇑</a></span></h3></header></div><h4>説明</h4><p>静的ファイルを提供する際のシンボリックリンクのサーバーレベルのデフォルト設定を指定します。 <br/><br/> 選択肢は<span class="val">はい</span>、<span class="val">オーナーと一致する場合</span> <span class="val">いいえ</span>です。 <br/><br/> <span class="val">はい</span>は、シンボリックリンクに常に従うようにサーバーを設定します。 <span class="val">所有者の一致がの場合</span>は、リンクの所有者とターゲットの所有者が同じ場合にのみシンボリックリンクに従うようにサーバーを設定します。 <span class="val">いいえ</span>は、サーバーがシンボリックリンクを決して辿らないことを意味します。この設定はバーチャルホスト設定で上書きできますが、.htaccessファイルで上書きすることはできません。</p> <h4>構文</h4><p>ドロップダウンリストから選択</p> <h4>ヒント</h4><p>[パフォーマンスとセキュリティ]最高のセキュリティを実現するには、<span class="val">いいえ</span>または<span class="val">{Owner}が一致する場合</span>を選択します。最高のパフォーマンスを得るには、<span class="val">はい</span>を選択します。</p> <h4>参照</h4><p class="ls-text-small"><span class="tagl"><a href="#checkSymbolLink">シンボリックリンクを確認する</a></span>.</p> </article> </div> <div class="helpitem"><article class="ls-helpitem"><div><header id="checkSymbolLink"><h3>シンボリックリンクを確認する<span class="ls-permlink"><a href="#checkSymbolLink"></a></span><span class="top"><a href="#top">⇑</a></span></h3></header></div><h4>説明</h4><p><span class="tagl"><a href="#followSymbolLink">シンボリックリンクに従う</a></span>がオンになっているときに、<span class="tagl"><a href="#accessDenyDir">アクセスが拒否されたディレクトリ</a></span>に対するシンボリックリンクをチェックするかどうかを指定します。有効にすると、URLで参照されるリソースのカノニカル実パスが、設定可能なアクセス拒否ディレクトリと照合されます。アクセスが拒否されたディレクトリ内にある場合、アクセスは拒否されます。</p> <h4>構文</h4><p>ラジオボックスから選択</p> <h4>ヒント</h4><p>[パフォーマンス & セキュリティ]最高のセキュリティを実現するには、このオプションを有効にします。最高のパフォーマンスを得るには、無効にしてください。</p> <h4>参照</h4><p class="ls-text-small"><span class="tagl"><a href="#followSymbolLink">シンボリックリンクに従う</a></span>, <span class="tagl"><a href="#accessDenyDir">アクセスが拒否されたディレクトリ</a></span></p> </article> </div> <div class="helpitem"><article class="ls-helpitem"><div><header id="forceStrictOwnership"><h3>厳格な所有権チェックを強制する<span class="ls-permlink"><a href="#forceStrictOwnership"></a></span><span class="top"><a href="#top">⇑</a></span></h3></header></div><h4>説明</h4><p>厳密なファイル所有権チェックを実施するかどうかを指定します。有効になっている場合、Webサーバーは、提供されるファイルの所有者がバーチャルホストの所有者と同じかどうかをチェックします。異なる場合は、403アクセス拒否エラーが返されます。これはデフォルトではオフになっています。</p> <h4>構文</h4><p>ラジオボックスから選択</p> <h4>ヒント</h4><p>[セキュリティ]共有ホスティングの場合、このチェックを有効にしてセキュリティを強化します。</p> </article> </div> <div class="helpitem"><article class="ls-helpitem"><div><header id="requiredPermissionMask"><h3>必要な許可マスク<span class="ls-permlink"><a href="#requiredPermissionMask"></a></span><span class="top"><a href="#top">⇑</a></span></h3></header></div><h4>説明</h4><p>サーバーが提供する静的ファイルに必要なアクセス許可マスクを指定します。たとえば、全員が読み取り可能なファイルのみを処理できる場合は、値を<span class="val">0004</span>に設定します。すべての値について<span class="cmd">man 2 stat</span>を参照してください</p> <h4>構文</h4><p>8進数</p> <h4>参照</h4><p class="ls-text-small"><span class="tagl"><a href="#restrictedPermissionMask">制限付き許可マスク</a></span>.</p> </article> </div> <div class="helpitem"><article class="ls-helpitem"><div><header id="restrictedPermissionMask"><h3>制限付き許可マスク<span class="ls-permlink"><a href="#restrictedPermissionMask"></a></span><span class="top"><a href="#top">⇑</a></span></h3></header></div><h4>説明</h4><p>サーバーが提供しない静的ファイルに対する制限付きのアクセス許可マスクを指定します。たとえば、実行可能ファイルの配信を禁止するには、マスクを<span class="val">0111</span>に設定します。<br/><br/> すべての値について<span class="cmd">man 2 stat</span>を参照してください。</p> <h4>構文</h4><p>8進数</p> <h4>参照</h4><p class="ls-text-small"><span class="tagl"><a href="#requiredPermissionMask">必要な許可マスク</a></span>.</p> </article> </div> <div class="helpitem"><article class="ls-helpitem"><div><header id="restrictedScriptPermissionMask"><h3>スクリプトのアクセス許可マスクの制限<span class="ls-permlink"><a href="#restrictedScriptPermissionMask"></a></span><span class="top"><a href="#top">⇑</a></span></h3></header></div><h4>説明</h4><p>サーバーが提供しないスクリプトファイルに対する制限付きアクセス許可マスクを指定します。たとえば、グループおよびワールド書き込み可能なPHPスクリプトの配信を禁止するには、マスクを<span class="val">022</span>に設定します。デフォルト値は<span class="val">000</span>です。<br/><br/> すべての値について<span class="cmd">man 2 stat</span>を参照してください。</p> <h4>構文</h4><p>8進数</p> <h4>参照</h4><p class="ls-text-small"><span class="tagl"><a href="#restrictedDirPermissionMask">スクリプトディレクトリのアクセス許可マスクの制限</a></span>.</p> </article> </div> <div class="helpitem"><article class="ls-helpitem"><div><header id="restrictedDirPermissionMask"><h3>スクリプトディレクトリのアクセス許可マスクの制限<span class="ls-permlink"><a href="#restrictedDirPermissionMask"></a></span><span class="top"><a href="#top">⇑</a></span></h3></header></div><h4>説明</h4><p>Sサーバーが提供しないスクリプトファイルの親ディレクトリの制限付きアクセス許可マスクを指定します。たとえば、グループおよびワールド書き込み可能なディレクトリでPHPスクリプトを処理することを禁止するには、マスクを<span class="val">022</span>に設定します。デフォルト値は<span class="val">000</span>です。このオプションを使用して、アップロードされたファイルのディレクトリ下でスクリプトを提供しないようにすることができます。<br/><br/> すべての値について<span class="cmd">man 2 stat</span>を参照してください。</p> <h4>構文</h4><p>8進数</p> <h4>参照</h4><p class="ls-text-small"><span class="tagl"><a href="#restrictedScriptPermissionMask">スクリプトのアクセス許可マスクの制限</a></span>.</p> </article> </div> <div class="helpitem"><article class="ls-helpitem"><div><header id="perClientConnLimit"><h3>クライアント単位のスロットル<span class="ls-permlink"><a href="#perClientConnLimit"></a></span><span class="top"><a href="#top">⇑</a></span></h3></header></div><h4>説明</h4><p>これらは、クライアントIPに基づいた接続制御設定です。これらの設定は、DoS（サービス拒否）攻撃とDDoS（分散サービス拒否）攻撃を緩和するのに役立ちます。</p> </article> </div> <div class="helpitem"><article class="ls-helpitem"><div><header id="staticReqPerSec"><h3>静的リクエスト/秒<span class="ls-permlink"><a href="#staticReqPerSec"></a></span><span class="top"><a href="#top">⇑</a></span></h3></header></div><h4>説明</h4><p>確立された接続の数に関係なく、1秒間に処理できる単一のIPアドレスからの静的コンテンツへの要求の最大数を指定します。<br/><br/> この制限に達すると、将来のすべての要求は次の秒までタールピットされます。動的に生成されるコンテンツのリクエスト制限は、この制限とは関係ありません。クライアントごとの要求制限は、サーバーまたはバーチャルホストレベルで設定できます。バーチャルホストレベルの設定は、サーバーレベルの設定よりも優先されます。</p> <h4>構文</h4><p>整数</p> <h4>ヒント</h4><p>[セキュリティ]信頼できるIPまたはサブネットワークは影響を受けません。</p> <h4>参照</h4><p class="ls-text-small"><span class="tagl"><a href="#dynReqPerSec">動的リクエスト/秒</a></span></p> </article> </div> <div class="helpitem"><article class="ls-helpitem"><div><header id="dynReqPerSec"><h3>動的リクエスト/秒<span class="ls-permlink"><a href="#dynReqPerSec"></a></span><span class="top"><a href="#top">⇑</a></span></h3></header></div><h4>説明</h4><p>確立された接続の数に関係なく、1秒ごとに処理できる単一のIPアドレスからの動的に生成されるコンテンツへの要求の最大数を指定します。この制限に達すると、今後のすべての動的コンテンツへのリクエストは、次の秒までタールピットされます。 <br/><br/> 静的コンテンツの要求制限は、この制限とは関係ありません。このクライアントごとの要求制限は、サーバーまたはバーチャルホストレベルで設定できます。バーチャルホストレベルの設定は、サーバーレベルの設定よりも優先されます。</p> <h4>構文</h4><p>整数</p> <h4>ヒント</h4><p>[セキュリティ]この制限によって、信頼できるIPまたはサブネットワークは制限されません。</p> <h4>参照</h4><p class="ls-text-small"><span class="tagl"><a href="#staticReqPerSec">静的リクエスト/秒</a></span></p> </article> </div> <div class="helpitem"><article class="ls-helpitem"><div><header id="outBandwidth"><h3>送信帯域幅（バイト/秒）<span class="ls-permlink"><a href="#outBandwidth"></a></span><span class="top"><a href="#top">⇑</a></span></h3></header></div><h4>説明</h4><p>確立された接続の数に関係なく、単一のIPアドレスへの最大の送信スループット。実際の帯域幅は効率上の理由からこの設定よりわずかに高くなることがあります。帯域幅は4KB単位で割り当てられます。スロットルを無効にするには、<span class="val">0</span>に設定します。クライアント単位の帯域幅制限（バイト/秒）は、バーチャルホストレベルの設定がサーバーレベルの設定を上回るサーバーまたはバーチャルホストレベルで設定できます。</p> <h4>構文</h4><p>整数</p> <h4>ヒント</h4><p>[パフォーマンス]パフォーマンスを向上させるため、帯域幅を8KB単位で設定します。.<br/><br/> [セキュリティ]信頼できるIPまたはサブネットワークは影響を受けません。</p> <h4>参照</h4><p class="ls-text-small"><span class="tagl"><a href="#inBandwidth">受信帯域幅（バイト/秒）</a></span></p> </article> </div> <div class="helpitem"><article class="ls-helpitem"><div><header id="inBandwidth"><h3>受信帯域幅（バイト/秒）<span class="ls-permlink"><a href="#inBandwidth"></a></span><span class="top"><a href="#top">⇑</a></span></h3></header></div><h4>説明</h4><p>確立された接続の数に関係なく、単一のIPアドレスからの最大許容着信スループット。実際の帯域幅は効率上の理由からこの設定よりわずかに高くなることがあります。帯域幅は1KB単位で割り当てられます。スロットルを無効にするには、<span class="val">0</span>に設定します。クライアント単位の帯域幅制限（バイト/秒）は、バーチャルホストレベルの設定がサーバーレベルの設定を上回るサーバーまたはバーチャルホストレベルで設定できます。</p> <h4>構文</h4><p>整数</p> <h4>ヒント</h4><p>[セキュリティ]信頼できるIPまたはサブネットワークは影響を受けません。</p> <h4>参照</h4><p class="ls-text-small"><span class="tagl"><a href="#outBandwidth">送信帯域幅（バイト/秒）</a></span></p> </article> </div> <div class="helpitem"><article class="ls-helpitem"><div><header id="softLimit"><h3>接続ソフトリミット<span class="ls-permlink"><a href="#softLimit"></a></span><span class="top"><a href="#top">⇑</a></span></h3></header></div><h4>説明</h4><p>1つのIPから許可される同時接続のソフト制限を指定します。このソフトリミットは、<span class="tagl"><a href="#gracePeriod">猶予期間（秒）</a></span>の間に<span class="tagl"><a href="#hardLimit">接続ハードリミット</a></span>以下になると一時的に超過することができますが、接続の数が限界よりも少なくなるまで、キープアライブ接続はできるだけ早く閉じられます。 <span class="tagl"><a href="#gracePeriod">猶予期間（秒）</a></span>の後に接続数がまだ制限を超えている場合、そのIPは<span class="tagl"><a href="#banPeriod">禁止期間（秒）</a></span>でブロックされます。<br/><br/> 例えば、ページに多数の小さなグラフが含まれている場合、ブラウザは、特にHTTP/1.0クライアントの場合、同時に多くの接続を設定しようとする可能性があります。これらの接続を短期間で許可する必要があります。<br/><br/> HTTP/1.1クライアントは、複数の接続を設定してダウンロード速度を上げることができ、SSLにはSSL以外の接続とは別の接続が必要です。通常のサービスに悪影響を及ぼさないように、制限値が適切に設定されていることを確認してください。推奨される制限は、<span class="val">5</span>〜<span class="val">10</span>です。</p> <h4>構文</h4><p>整数</p> <h4>ヒント</h4><p>[セキュリティ]数字が小さいほど、より明確なクライアントに対応できます。<br/> [セキュリティ]信頼できるIPまたはサブネットワークは影響を受けません。<br/> [パフォーマンス]多数の同時クライアントマシンでベンチマークテストを実行する場合は、高い値に設定します。</p> </article> </div> <div class="helpitem"><article class="ls-helpitem"><div><header id="hardLimit"><h3>接続ハードリミット<span class="ls-permlink"><a href="#hardLimit"></a></span><span class="top"><a href="#top">⇑</a></span></h3></header></div><h4>説明</h4><p>単一のIPアドレスから同時に許可される接続の最大数を指定します。この制限は常に強制され、クライアントはこの制限を超えることはできません。 HTTP/1.0クライアントは通常、埋め込みコンテンツを同時にダウンロードするのに必要な数の接続を設定しようとします。この制限は、HTTP/1.0クライアントが引き続きサイトにアクセスできるように十分に高く設定する必要があります。 <span class="tagl"><a href="#softLimit">接続ソフトリミット</a></span>を使用して、目的の接続制限を設定します。</p> <h4>構文</h4><p>整数</p> <h4>ヒント</h4><p>[セキュリティ]数字が小さいほど、より明確なクライアントに対応できます。<br/> [セキュリティ]信頼できるIPまたはサブネットワークは影響を受けません。<br/> [パフォーマンス]多数の同時クライアントマシンでベンチマークテストを実行する場合は、高い値に設定します。</p> </article> </div> <div class="helpitem"><article class="ls-helpitem"><div><header id="blockBadReq"><h3>不良リクエストをブロックする<span class="ls-permlink"><a href="#blockBadReq"></a></span><span class="top"><a href="#top">⇑</a></span></h3></header></div><h4>説明</h4><p><span class="tagl"><a href="#banPeriod">禁止期間（秒）</a></span>に不正な形式のHTTP要求を送信し続けるIPをブロックします。デフォルトは<span class="val">はい</span>です。これは、ジャンク要求を繰り返し送信するボットネット攻撃をブロックするのに役立ちます。</p> <h4>構文</h4><p>ラジオボックスから選択</p> </article> </div> <div class="helpitem"><article class="ls-helpitem"><div><header id="gracePeriod"><h3>猶予期間（秒）<span class="ls-permlink"><a href="#gracePeriod"></a></span><span class="top"><a href="#top">⇑</a></span></h3></header></div><h4>説明</h4><p>1つのIPから確立された接続の数が<span class="tagl"><a href="#softLimit">接続ソフトリミット</a></span>を超えた後に新しい接続が受け入れられる期間を指定します。この期間内に、総接続数が<span class="tagl"><a href="#hardLimit">接続ハードリミット</a></span>未満の場合は、新しい接続が受け入れられます。この期間が経過した後、まだ接続数が<span class="tagl"><a href="#softLimit">接続ソフトリミット</a></span>よりも高い場合、問題のIPは<span class="tagl"><a href="#banPeriod">禁止期間（秒）</a></span>でブロックされます。</p> <h4>構文</h4><p>整数</p> <h4>ヒント</h4><p>[パフォーマンス & セキュリティ]ダウンロードに十分な大きさに設定してください。完全なページですが、故意の攻撃を防ぐのに十分な低さです。</p> </article> </div> <div class="helpitem"><article class="ls-helpitem"><div><header id="banPeriod"><h3>禁止期間（秒）<span class="ls-permlink"><a href="#banPeriod"></a></span><span class="top"><a href="#top">⇑</a></span></h3></header></div><h4>説明</h4><p><span class="tagl"><a href="#gracePeriod">猶予期間（秒）</a></span>経過後、接続数がまだ<span class="tagl"><a href="#softLimit">接続ソフトリミット</a></span>以上の場合、新しい接続がIPから拒否される期間を指定します。 IPが繰り返し禁止されている場合は、禁止期間を延長して虐待のペナルティを強化することをお勧めします。</p> <h4>構文</h4><p>整数</p> </article> </div> <div class="helpitem"><article class="ls-helpitem"><div><header id="cgiResource"><h3>CGI設定<span class="ls-permlink"><a href="#cgiResource"></a></span><span class="top"><a href="#top">⇑</a></span></h3></header></div><h4>説明</h4><p>次の設定は、CGIプロセスを制御します。これらのアプリケーションに対して制限が明示的に設定されていない場合は、メモリおよびプロセスの制限も他の外部アプリケーションのデフォルトとして機能します。</p> </article> </div> <div class="helpitem"><article class="ls-helpitem"><div><header id="cgidSock"><h3>CGIデーモンソケット<span class="ls-permlink"><a href="#cgidSock"></a></span><span class="top"><a href="#top">⇑</a></span></h3></header></div><h4>説明</h4><p>CGIデーモンとの通信に使用される一意のソケットアドレス。 LiteSpeedサーバーは、スタンドアロンのCGIデーモンを使用して、最高のパフォーマンスとセキュリティを実現するCGIスクリプトを生成します。デフォルトソケットは<span class="val">uds://$SERVER_ROOT/admin/lscgid/.cgid.sock</span> "です。別の場所に配置する必要がある場合は、ここにUnixドメインソケットを指定します。</p> <h4>構文</h4><p>UDS://path</p> <h4>例</h4><div class="ls-example">UDS://tmp/lshttpd/cgid.sock</div></article> </div> <div class="helpitem"><article class="ls-helpitem"><div><header id="maxCGIInstances"><h3>最大CGIインスタンス<span class="ls-permlink"><a href="#maxCGIInstances"></a></span><span class="top"><a href="#top">⇑</a></span></h3></header></div><h4>説明</h4><p>サーバーが開始できる同時CGIプロセスの最大数を指定します。 CGIスクリプトに対する各要求に対して、サーバーはスタンドアロンCGIプロセスを開始する必要があります。 Unixシステムでは、並行プロセスの数が制限されています。過度の並行処理は、システム全体のパフォーマンスを低下させ、DoS攻撃を実行する1つの方法です。 LiteSpeedサーバーはCGIスクリプトへの要求をパイプライン処理し、同時のCGIプロセスを制限して最適なパフォーマンスと信頼性を確保します。上限は<span class="val">2000</span>です。</p> <h4>構文</h4><p>整数</p> <h4>ヒント</h4><p>[セキュリティ & パフォーマンス]上限が高いと必ずしもパフォーマンスが向上するとは限りません。ほとんどの場合、下限値を指定するとパフォーマンスとセキュリティが向上します。上限は、CGI処理中にI / O待ち時間が過大になる場合にのみ役立ちます。</p> </article> </div> <div class="helpitem"><article class="ls-helpitem"><div><header id="minUID"><h3>最小UID<span class="ls-permlink"><a href="#minUID"></a></span><span class="top"><a href="#top">⇑</a></span></h3></header></div><h4>説明</h4><p>外部アプリケーションの最小ユーザーIDを指定します。ここで指定した値よりも小さいユーザーIDを持つ外部スクリプトの実行は拒否されます。 LiteSpeed Webサーバーが「root」ユーザーによって起動された場合、Apacheなどの「suEXEC」モードで外部アプリケーションを実行できます（Webサーバー以外のユーザー/グループIDに変更する）。</p> <h4>構文</h4><p>整数</p> <h4>ヒント</h4><p>[セキュリティ]すべてのシステム/特権ユーザーを除外するのに十分な高さに設定します。</p> </article> </div> <div class="helpitem"><article class="ls-helpitem"><div><header id="minGID"><h3>最小GID<span class="ls-permlink"><a href="#minGID"></a></span><span class="top"><a href="#top">⇑</a></span></h3></header></div><h4>説明</h4><p>外部アプリケーションの最小グループIDを指定します。ここで指定した値よりも小さいグループIDを持つ外部の実行は拒否されます。 LiteSpeed Webサーバーが "root"ユーザーによって起動された場合、Apacheで見つかった "suEXEC"モードで外部アプリケーションを実行できます（Webサーバー以外のユーザー/グループIDに変更する）。</p> <h4>構文</h4><p>整数</p> <h4>ヒント</h4><p>[セキュリティ]システムユーザーが使用するすべてのグループを除外するのに十分な高さに設定します。</p> </article> </div> <div class="helpitem"><article class="ls-helpitem"><div><header id="forceGID"><h3>強制GID<span class="ls-permlink"><a href="#forceGID"></a></span><span class="top"><a href="#top">⇑</a></span></h3></header></div><h4>説明</h4><p>suEXECモードで起動したすべての外部アプリケーションに使用するグループIDを指定します。ゼロ以外の値に設定すると、すべてのsuEXEC外部アプリケーション（CGI/FastCGI/LSAPI）がこのグループIDを使用します。これにより、外部アプリケーションが他のユーザーが所有するファイルにアクセスするのを防ぐことができます。<br/><br/> たとえば、共有ホスティング環境では、LiteSpeedはユーザー "www-data"として実行され、グループ "www-data"として実行されます。各docrootは、 "www-data"のグループと許可モード0750を持つユーザーアカウントによって所有されています。強制GIDが "nogroup"（または 'www-data'以外のグループ）に設定されている場合、すべてのsuEXEC外部アプリケーションは特定のユーザーとして実行されますが、グループ "nogroup"に実行されます。これらの外部アプリケーション・プロセスは（ユーザーIDのために）特定のユーザーが所有するファイルには引き続きアクセスできますが、他のユーザーのファイルにアクセスするためのグループ権限は持っていません。一方、サーバは、（グループIDのために）どんなユーザのdocrootディレクトリ下でもファイルを提供することができます。</p> <h4>構文</h4><p>整数</p> <h4>ヒント</h4><p>[セキュリティ]システムユーザーが使用するすべてのグループを除外するのに十分な高さに設定します。</p> </article> </div> <div class="helpitem"><article class="ls-helpitem"><div><header id="umask"><h3>umask<span class="ls-permlink"><a href="#umask"></a></span><span class="top"><a href="#top">⇑</a></span></h3></header></div><h4>説明</h4><p>CGIプロセスのデフォルトのumaskを設定します。詳細は、<span class="cmd">man 2 umask</span>を参照してください。これは、外部アプリケーション<span class="tagl"><a href="ExtApp_Help.html#extUmask">umask</a></span>のデフォルト値としても機能します。</p> <h4>構文</h4><p>有効範囲値[000]〜[777]。</p> <h4>参照</h4><p class="ls-text-small">ExtApp <span class="tagl"><a href="ExtApp_Help.html#extUmask">umask</a></span></p> </article> </div> <div class="helpitem"><article class="ls-helpitem"><div><header id="CGIPriority"><h3>CGI プライオリティ<span class="ls-permlink"><a href="#CGIPriority"></a></span><span class="top"><a href="#top">⇑</a></span></h3></header></div><h4>説明</h4><p>外部アプリケーションプロセスの優先度を指定します。値の範囲は-20〜20です。数値が小さいほど優先度が高くなります。<br/><br/> CGIプロセスは、Webサーバーよりも高い優先度を持つことはできません。この優先度がサーバーの数値より低い数値に設定されている場合は、サーバーの優先度がこの値に使用されます。</p> <h4>構文</h4><p>int</p> <h4>参照</h4><p class="ls-text-small">Server <span class="tagl"><a href="ServGeneral_Help.html#serverPriority">プライオリティ</a></span></p> </article> </div> <div class="helpitem"><article class="ls-helpitem"><div><header id="CPUSoftLimit"><h3>CPUソフトリミット(秒)<span class="ls-permlink"><a href="#CPUSoftLimit"></a></span><span class="top"><a href="#top">⇑</a></span></h3></header></div><h4>説明</h4><p>CGIプロセスのCPU消費制限時間を秒単位で指定します。プロセスがソフトリミットに達すると、シグナルによって通知されます。値が存在しない場合、または<span class="val">0</span>に設定されている場合は、オペレーティングシステムのデフォルト設定が使用されます。.</p> <h4>構文</h4><p>整数</p> </article> </div> <div class="helpitem"><article class="ls-helpitem"><div><header id="CPUHardLimit"><h3>CPUハードリミット<span class="ls-permlink"><a href="#CPUHardLimit"></a></span><span class="top"><a href="#top">⇑</a></span></h3></header></div><h4>説明</h4><p>CGIプロセスの最大CPU使用時間制限を秒単位で指定します。プロセスがCPU時間を消費してハードリミットに達すると、プロセスは強制終了されます。値が存在しないか、<span class="val">0</span>に設定されている場合は、オペレーティングシステムのデフォルト設定が使用されます。</p> <h4>構文</h4><p>整数</p> </article> </div> <div class="helpitem"><article class="ls-helpitem"><div><header id="memSoftLimit"><h3>メモリソフトリミット（バイト）<span class="ls-permlink"><a href="#memSoftLimit"></a></span><span class="top"><a href="#top">⇑</a></span></h3></header></div><h4>説明</h4><p>外部アプリケーション・プロセスまたはサーバーによって開始された外部アプリケーションのメモリー消費制限をバイト単位で指定します。<br/><br/> この制限の主な目的は、ソフトウェアのバグや意図的な攻撃のために過度のメモリ使用を防止し、通常の使用に制限を設けないことです。十分なヘッドスペースを確保してください。そうしないと、アプリケーションが失敗し、503エラーが返される可能性があります。サーバーレベルまたは個々の外部アプリケーションレベルで設定できます。サーバーレベルの制限は、個々のアプリケーションレベルで設定されていない場合に使用されます。<br/><br/> オペレーティングシステムのデフォルト設定は、値が両方のレベルにないか、<span class="val">0</span>に設定されている場合に使用されます。</p> <h4>構文</h4><p>整数</p> <h4>ヒント</h4><p>[注意]この制限を過度に調整しないでください。アプリケーションでより多くのメモリが必要な場合は、503のエラーが発生する可能性があります。</p> </article> </div> <div class="helpitem"><article class="ls-helpitem"><div><header id="memHardLimit"><h3>メモリハードリミット<span class="ls-permlink"><a href="#memHardLimit"></a></span><span class="top"><a href="#top">⇑</a></span></h3></header></div><h4>説明</h4><p>ソフトリミットをユーザープロセス内のハードリミットまで上げることができることを除けば、<span class="tagl"><a href="#memSoftLimit">メモリソフトリミット（バイト）</a></span>と同じくらい同じです。ハード・リミットは、サーバー・レベルまたは個々の外部アプリケーション・レベルで設定できます。サーバーレベルの制限は、個々のアプリケーションレベルで設定されていない場合に使用されます。 <br/><br/> 値が両方のレベルにないか、<span class="val">0</span>に設定されている場合、オペレーティングシステムのデフォルトが使用されます。</p> <h4>構文</h4><p>整数</p> <h4>ヒント</h4><p><span title="Attention" class="ls-icon-attention"></span> Do not over adjust this limit. This may result in 503 errors if your application need more memory.</p> </article> </div> <div class="helpitem"><article class="ls-helpitem"><div><header id="procSoftLimit"><h3>プロセスソフトリミット<span class="ls-permlink"><a href="#procSoftLimit"></a></span><span class="top"><a href="#top">⇑</a></span></h3></header></div><h4>説明</h4><p>ユーザーに代わって作成できるプロセスの総数を制限します。既存のすべてのプロセスは、開始される新しいプロセスだけでなく、この限度に対してカウントされます。制限は、サーバーレベルまたは個々の外部アプリケーションレベルで設定できます。<br/> サーバーレベルの制限は、個々のアプリケーションレベルで設定されていない場合に使用されます。この値が0または両方のレベルにない場合、オペレーティングシステムのデフォルト設定が使用されます。</p> <h4>構文</h4><p>整数</p> <h4>ヒント</h4><p><span title="Information" class="ls-icon-info"></span> PHPスクリプトはプロセスをフォークするために呼び出すことができます。この制限の主な目的は、フォーク爆弾や他のプロセスを作成するPHPプロセスによって引き起こされる他の攻撃を防ぐための最終防衛線です。<br/> この設定を低すぎると、機能が著しく損なわれる可能性があります。この設定は特定のレベル以下では無視されます。<br/> suEXECデーモンモードを使用する場合、親プロセスが制限されないように、実際のプロセス制限はこの設定よりも高くなります。</p> </article> </div> <div class="helpitem"><article class="ls-helpitem"><div><header id="procHardLimit"><h3>プロセスハードリミット<span class="ls-permlink"><a href="#procHardLimit"></a></span><span class="top"><a href="#top">⇑</a></span></h3></header></div><h4>説明</h4><p>ソフトリミットをユーザープロセス内のハードリミットまで上げることができることを除けば、<span class="tagl"><a href="#procSoftLimit">プロセスソフトリミット</a></span>とほとんど同じです。ハードリミットは、サーバー・レベルまたは個々の外部アプリケーションレベルで設定できます。サーバーレベルの制限は、個々のアプリケーションレベルで設定されていない場合に使用されます。オペレーティングシステムのデフォルト値は、値が両方のレベルにないか、<span class="val">0</span>に設定されている場合に使用されます。</p> <h4>構文</h4><p>整数</p> </article> </div> <div class="helpitem"><article class="ls-helpitem"><div><header id="cgroups"><h3>cgroups<span class="ls-permlink"><a href="#cgroups"></a></span><span class="top"><a href="#top">⇑</a></span></h3></header></div><h4>説明</h4><p>A Linux kernel feature that limits, accounts for, and isolates the resource usage (CPU, memory, disk I/O, network, etc.) of a collection of processes. You must be running cgroups v2 which is determined by the existence of the file <span class="val">/sys/fs/cgroup/cgroup.controllers</span>.<br/><br/> Setting this to <span class="val">Disabled</span> at the Server level will disable this setting server-wide. In all other cases, the Server level setting can be overridden at the Virtual Host level.<br/><br/> Default values:<br/> <b>Server level:</b> Off<br/> <b>VH level:</b> Inherit Server level setting</p> <h4>構文</h4><p>ドロップダウンリストから選択</p> </article> </div> <div class="helpitem"><article class="ls-helpitem"><div><header id="lsrecaptcha"><h3>reCAPTCHA Protection<span class="ls-permlink"><a href="#lsrecaptcha"></a></span><span class="top"><a href="#top">⇑</a></span></h3></header></div><h4>説明</h4><p>reCAPTCHA Protection is a service provided as a way to mitigate heavy server load. reCAPTCHA Protection will activate after one of the below situations is hit. Once active, all requests by NON TRUSTED(as configured) clients will be redirected to a reCAPTCHA validation page. After validation, the client will be redirected to their desired page.<br/><br/> The following situations will activate reCAPTCHA Protection:<br/> 1. The server or vhost concurrent requests count passes the configured connection limit.<br/> 2. Anti-DDoS is enabled and a client is hitting a url in a suspicious manner. The client will redirect to reCAPTCHA first instead of getting denied when triggered.<br/> 3. A new rewrite rule environment is provided to activate reCAPTCHA via RewriteRules. 'verifycaptcha' can be set to redirect clients to reCAPTCHA. A special value ': deny' can be set to deny the client if it failed too many times. For example, [E=verifycaptcha] will always redirect to reCAPTCHA until verified. [E=verifycaptcha: deny] will redirect to reCAPTCHA until Max Tries is hit, after which the client will be denied.</p> </article> </div> <div class="helpitem"><article class="ls-helpitem"><div><header id="enableRecaptcha"><h3>Enable reCAPTCHA<span class="ls-permlink"><a href="#enableRecaptcha"></a></span><span class="top"><a href="#top">⇑</a></span></h3></header></div><h4>説明</h4><p>Enable the reCAPTCHA Protection feature at the current level. This setting must be set to <span class="val">Yes</span> at the Server level before the reCAPTCHA Protection feature can be used.<br/><br/> Default values:<br/> <b>Server-level:</b> <span class="val">Yes</span><br/> <b>VH-Level:</b> Inherit Server level setting</p> <h4>構文</h4><p>ラジオボックスから選択</p> </article> </div> <div class="helpitem"><article class="ls-helpitem"><div><header id="recaptchaSiteKey"><h3>Site Key<span class="ls-permlink"><a href="#recaptchaSiteKey"></a></span><span class="top"><a href="#top">⇑</a></span></h3></header></div><h4>説明</h4><p>The site key is the public key provided by Google via its reCAPTCHA service. A default Site Key will be used if not set.</p> </article> </div> <div class="helpitem"><article class="ls-helpitem"><div><header id="recaptchaSecretKey"><h3>Secret Key<span class="ls-permlink"><a href="#recaptchaSecretKey"></a></span><span class="top"><a href="#top">⇑</a></span></h3></header></div><h4>説明</h4><p>The secret key is the private key provided by Google via its reCAPTCHA service. A default Secret Key will be used if not set.</p> </article> </div> <div class="helpitem"><article class="ls-helpitem"><div><header id="recaptchaType"><h3>reCAPTCHA Type<span class="ls-permlink"><a href="#recaptchaType"></a></span><span class="top"><a href="#top">⇑</a></span></h3></header></div><h4>説明</h4><p>Specify the reCAPTCHA type to use with the key pairs.<br/> If a key pair has not been provided and this setting is set to <span class="val">Not Set</span>, a default key pair of type <span class="val">Invisible</span> will be used.<br/><br/> <span class="val">Checkbox</span> will display a checkbox reCAPTCHA for the visitor to validate.<br/><br/> <span class="val">Invisible</span> will attempt to validate the reCAPTCHA automatically and if successful, will redirect to the desired page.<br/><br/> <span class="val">hCaptcha</span> can be used to support reCAPTCHA provider <a href="https://www.hcaptcha.com" target="_blank" rel="noopener noreferrer">hCaptcha</a>.<br/><br/> Default value is <span class="val">Invisible</span>.</p> <h4>構文</h4><p>ドロップダウンリストから選択</p> </article> </div> <div class="helpitem"><article class="ls-helpitem"><div><header id="recaptchaMaxTries"><h3>Max Tries<span class="ls-permlink"><a href="#recaptchaMaxTries"></a></span><span class="top"><a href="#top">⇑</a></span></h3></header></div><h4>説明</h4><p>Max Tries specifies the maximum number of reCAPTCHA attempts permitted before denying the visitor.<br/><br/> Default value is <span class="val">3</span>.</p> <h4>構文</h4><p>整数</p> </article> </div> <div class="helpitem"><article class="ls-helpitem"><div><header id="recaptchaAllowedRobotHits"><h3>Allowed Robot Hits<span class="ls-permlink"><a href="#recaptchaAllowedRobotHits"></a></span><span class="top"><a href="#top">⇑</a></span></h3></header></div><h4>説明</h4><p>Number of hits per 10 seconds to allow ‘good bots’ to pass. Bots will still be throttled when the server is under load.<br/><br/> Default value is <span class="val">3</span>.</p> <h4>構文</h4><p>整数</p> </article> </div> <div class="helpitem"><article class="ls-helpitem"><div><header id="recaptchaBotWhiteList"><h3>Bot White List<span class="ls-permlink"><a href="#recaptchaBotWhiteList"></a></span><span class="top"><a href="#top">⇑</a></span></h3></header></div><h4>説明</h4><p>List of custom user agents to allow access. Will be subject to the ‘good bots’ limitations, including allowedRobotHits.</p> <h4>構文</h4><p>List of user agents, one per line. Regex is supported.</p> </article> </div> <div class="helpitem"><article class="ls-helpitem"><div><header id="recaptchaRegConnLimit"><h3>Connection Limit<span class="ls-permlink"><a href="#recaptchaRegConnLimit"></a></span><span class="top"><a href="#top">⇑</a></span></h3></header></div><h4>説明</h4><p>The number of concurrent connections (SSL & non-SSL) needed to activate reCAPTCHA. reCAPTCHA will be used until concurrent connections drop below this number.<br/><br/> Default value is <span class="val">15000</span>.</p> <h4>構文</h4><p>整数</p> </article> </div> <div class="helpitem"><article class="ls-helpitem"><div><header id="recaptchaSslConnLimit"><h3>SSL Connection Limit<span class="ls-permlink"><a href="#recaptchaSslConnLimit"></a></span><span class="top"><a href="#top">⇑</a></span></h3></header></div><h4>説明</h4><p>The number of concurrent SSL connections needed to activate reCAPTCHA. reCAPTCHA will be used until concurrent connections drop below this number.<br/><br/> Default value is <span class="val">10000</span>.</p> <h4>構文</h4><p>整数</p> </article> </div> <div class="helpitem"><article class="ls-helpitem"><div><header id="bubbleWrap"><h3>Bubblewrap Container<span class="ls-permlink"><a href="#bubbleWrap"></a></span><span class="top"><a href="#top">⇑</a></span></h3></header></div><h4>説明</h4><p>Set to <span class="val">Enabled</span> if you wish to start CGI processes (including PHP programs) in a bubblewrap sandbox. See <a href=" https://wiki.archlinux.org/title/Bubblewrap " target="_blank" rel="noopener noreferrer"> https://wiki.archlinux.org/title/Bubblewrap </a> for details on using bubblewrap. Bubblewrap must be installed on your system prior to using this setting.<br/><br/> This setting cannot be turned on at the Virtual Host level if set to "Disabled" at the Server level.<br/><br/> Default values:<br/> <b>Server level:</b> Disabled<br/> <b>VH level:</b> Inherit Server level setting</p> <h4>構文</h4><p>ドロップダウンリストから選択</p> </article> </div> <div class="helpitem"><article class="ls-helpitem"><div><header id="bubbleWrapCmd"><h3>Bubblewrap Command<span class="ls-permlink"><a href="#bubbleWrapCmd"></a></span><span class="top"><a href="#top">⇑</a></span></h3></header></div><h4>説明</h4><p>The full bubblewrap use command, including the bubblewrap program itself. More on configuring this command can be found here: <a href=" https://openlitespeed.org/kb/bubblewrap-in-openlitespeed/ " target="_blank" rel="noopener noreferrer"> https://openlitespeed.org/kb/bubblewrap-in-openlitespeed/ </a>. If not specified, the default command listed below will be used.<br/><br/> Default value: <span class="cmd">/bin/bwrap --ro-bind /usr /usr --ro-bind /lib /lib --ro-bind-try /lib64 /lib64 --ro-bind /bin /bin --ro-bind /sbin /sbin --dir /var --dir /tmp --proc /proc --symlink ../tmp var/tmp --dev /dev --ro-bind-try /etc/localtime /etc/localtime --ro-bind-try /etc/ld.so.cache /etc/ld.so.cache --ro-bind-try /etc/resolv.conf /etc/resolv.conf --ro-bind-try /etc/ssl /etc/ssl --ro-bind-try /etc/pki /etc/pki --ro-bind-try /etc/man_db.conf /etc/man_db.conf --ro-bind-try /home/$USER /home/$USER --bind-try /var/lib/mysql/mysql.sock /var/lib/mysql/mysql.sock --bind-try /home/mysql/mysql.sock /home/mysql/mysql.sock --bind-try /tmp/mysql.sock /tmp/mysql.sock --unshare-all --share-net --die-with-parent --dir /run/user/$UID ‘$PASSWD 65534’ ‘$GROUP 65534’</span></p> </article> </div> <div class="helpitem"><article class="ls-helpitem"><div><header id="namespace"><h3>Namespace Container<span class="ls-permlink"><a href="#namespace"></a></span><span class="top"><a href="#top">⇑</a></span></h3></header></div><h4>説明</h4><p>Set to <span class="val">Enabled</span> if you wish to start CGI processes (including PHP programs) in a namespace container sandbox. Only used when <span class="tagl"><a href="ServSecurity_Help.html#bubbleWrap">Bubblewrap Container</a></span> is set to <span class="val">Disabled</span>.<br/><br/> When not <span class="val">Disabled</span> at the Server level, this settings value can be overridden at the Virtual Host level.<br/><br/> Default values:<br/> <b>Server level:</b> <span class="val">Disabled</span><br/> <b>Virtual Host Level:</b> Inherit Server level setting</p> <h4>構文</h4><p>ドロップダウンリストから選択</p> </article> </div> <div class="helpitem"><article class="ls-helpitem"><div><header id="namespaceConf"><h3>Namespace Template File<span class="ls-permlink"><a href="#namespaceConf"></a></span><span class="top"><a href="#top">⇑</a></span></h3></header></div><h4>説明</h4><p>Path to an existing configuration file containing a list of directories to be mounted along with the methods used to mount them. When <span class="tagl"><a href="ServSecurity_Help.html#namespace">Namespace Container</a></span> is set to <span class="val">Enabled</span> and this value is not set, the following secure default configuration settings will be used:<br/><br/> <span class="val"> $HOMEDIR/.lsns/tmp /tmp,tmp<br/> /usr,ro-bind<br/> /lib,ro-bind<br/> /lib64,ro-bind-try<br/> /bin,ro-bind<br/> /sbin,ro-bind<br/> /var,dir<br/> /var/www,ro-bind-try<br/> /proc,proc<br/> ../tmp var/tmp,symlink<br/> /dev,dev<br/> /etc/localtime,ro-bind-try<br/> /etc/ld.so.cache,ro-bind-try<br/> /etc/resolv.conf,ro-bind-try<br/> /etc/ssl,ro-bind-try<br/> /etc/pki,ro-bind-try<br/> /etc/man_db.conf,ro-bind-try<br/> /usr/local/bin/msmtp /etc/alternatives/mta,ro-bind-try<br/> /usr/local/bin/msmtp /usr/sbin/exim,ro-bind-try<br/> $HOMEDIR,bind-try<br/> /var/lib/mysql/mysql.sock,bind-try<br/> /home/mysql/mysql.sock,bind-try<br/> /tmp/mysql.sock,bind-try<br/> /run/mysqld/mysqld.sock,bind-try<br/> /var/run/mysqld.sock,bind-try<br/> /run/user/$UID,bind-try<br/> $PASSWD<br/> $GROUP<br/> /etc/exim.jail/$USER.conf $HOMEDIR/.msmtprc,copy-try<br/> /etc/php.ini,ro-bind-try<br/> /etc/php-fpm.conf,ro-bind-try<br/> /etc/php-fpm.d,ro-bind-try<br/> /var/run,ro-bind-try<br/> /var/lib,ro-bind-try<br/> /etc/imunify360/user_config/,ro-bind-try<br/> /etc/sysconfig/imunify360,ro-bind-try<br/> /opt/plesk/php,ro-bind-try<br/> /opt/alt,bind-try<br/> /opt/cpanel,bind-try<br/> /opt/psa,bind-try<br/> /var/lib/php/sessions,bind-try </span></p> <h4>構文</h4><p>絶対パス又は$SERVER_ROOTからの相対パス。</p> </article> </div> <div class="helpitem"><article class="ls-helpitem"><div><header id="accessDenyDir"><h3>アクセスが拒否されたディレクトリ<span class="ls-permlink"><a href="#accessDenyDir"></a></span><span class="top"><a href="#top">⇑</a></span></h3></header></div><h4>説明</h4><p>アクセスをブロックするディレクトリを指定します。重要なデータを含むディレクトリをこのリストに追加して、誤って機密ファイルをクライアントに公開しないようにします。すべてのサブディレクトリを含めるためにパスに「」を追加します。 <span class="tagl"><a href="#followSymbolLink">シンボリックリンクに従う</a></span>と<span class="tagl"><a href="#checkSymbolLink">シンボリックリンクを確認する</a></span>の両方を有効にすると、拒否されたディレクトリに対してシンボリックリンクがチェックされます。</p> <h4>構文</h4><p>ディレクトリのカンマ区切りリスト</p> <h4>ヒント</h4><p>[セキュリティ]重要な点：この設定では、これらのディレクトリから静的ファイルを提供することができません。これは、PHP/Ruby/CGIなどの外部スクリプトによるエクスポージャーを防ぐものではありません。</p> </article> </div> <div class="helpitem"><article class="ls-helpitem"><div><header id="accessControl"><h3>アクセス制御<span class="ls-permlink"><a href="#accessControl"></a></span><span class="top"><a href="#top">⇑</a></span></h3></header></div><h4>説明</h4><p>どのサブネットワークおよび/またはIPアドレスがサーバーにアクセスできるかを指定します。サーバレベルでは、この設定はすべてのバーチャルホストに影響します。バーチャルホストレベルで各バーチャルホストに固有のアクセス制御を設定することもできます。バーチャルホストレベルの設定はサーバーレベルの設定を上書きしません。 <br/><br/> ブロック/ IPの許可は、許可リストと拒否リストの組み合わせによって決まります。特定のIPまたはサブネットワークのみをブロックする場合は、<span class="tagl"><a href="#accessControl_allow">許可リスト</a></span>に<span class="val"></span>または<span class="val">ALL</span>を入れ、ブロックされたIPまたはサブネットワークを<span class="tagl"><a href="#accessControl_deny">拒否リスト</a></span>。<br/> 特定のIPまたはサブネットワークのみを許可する場合は、<span class="tagl"><a href="#accessControl_deny">拒否リスト</a></span>に<span class="val"></span>または<span class="val">ALL</span>を入れ、許可されたIPまたはサブネットワークを<span class="tagl"><a href="#accessControl_allow">許可リスト</a></span>。<br/> IPに適合する最小スコープの設定は、アクセスを決定するために使用されます。<br/><br/> <b>サーバーレベル：</b>信頼できるIPまたはサブネットワークは、<span class="tagl"><a href="#accessControl_allow">許可リスト</a></span>に、末尾の "T"を追加することで指定する必要があります。信頼できるIPまたはサブネットワークは、接続/スロットリング制限の影響を受けません。信頼できるIP/サブネットワークは、サーバーレベルのアクセス制御でのみ設定できます。</p> <h4>ヒント</h4><p>[セキュリティ]すべてのバーチャルホストに適用される一般的な制限については、サーバーレベルでこれを使用してください。</p> </article> </div> <div class="helpitem"><article class="ls-helpitem"><div><header id="accessControl_allow"><h3>許可リスト<span class="ls-permlink"><a href="#accessControl_allow"></a></span><span class="top"><a href="#top">⇑</a></span></h3></header></div><h4>説明</h4><p>許可されるIPまたはサブネットワークのリストを指定します。 <span class="val"></span>または<span class="val">ALL</span>が受け入れられます。</p> <h4>構文</h4><p>IPアドレスまたはサブネットワークのカンマ区切りリスト。末尾の「T」は、<span class="val">192.168.1.T</span>などの信頼できるIPまたはサブネットワークを示すために使用できます。</p> <h4>例</h4><div class="ls-example"><b>Sub-networks:</b> 192.168.1.0/255.255.255.0, 192.168.1.0/24, 192.168.1, or 192.168.1.<br/> <b>IPv6 addresses:</b> ::1 or [::1] <br/> <b>IPv6 subnets:</b> 3ffe:302:11:2:20f:1fff:fe29:717c/64 or [3ffe:302:11:2:20f:1fff:fe29:717c]/64</div><h4>ヒント</h4><p>[セキュリティ]サーバーレベルのアクセス制御で設定された信頼されたIPまたはサブネットワークは、接続/スロットリングの制限から除外されます。</p> </article> </div> <div class="helpitem"><article class="ls-helpitem"><div><header id="accessControl_deny"><h3>拒否リスト<span class="ls-permlink"><a href="#accessControl_deny"></a></span><span class="top"><a href="#top">⇑</a></span></h3></header></div><h4>説明</h4><p>許可されていないIPまたはサブネットワークのリストを指定します。</p> <h4>構文</h4><p>IPアドレスまたはサブネットワークのカンマ区切りリスト。 <span class="val"></span>または<span class="val">ALL</span>が受け入れられます。</p> <h4>例</h4><div class="ls-example"><b>Sub-networks:</b> 192.168.1.0/255.255.255.0, 192.168.1.0/24, 192.168.1, or 192.168.1.<br/> <b>IPv6 addresses:</b> ::1 or [::1] <br/> <b>IPv6 subnets:</b> 3ffe:302:11:2:20f:1fff:fe29:717c/64 or [3ffe:302:11:2:20f:1fff:fe29:717c]/64</div></article> </div> </section> </article><div class="ls-col-1-1"><footer class="copyright">Copyright © 2013-2020. <a href="https://www.litespeedtech.com">LiteSpeed Technologies Inc.</a> All rights reserved.</footer> </div></div> </body> </html> ��usr/local/CyberCP/lsws-6.2/docs/ServSecurity_Help.html��0000644��00000207074�15030451465�0016503 0��ustar�00��<!DOCTYPE html> <head> <meta charset="utf-8" /> <meta http-equiv="X-UA-Compatible" content="IE=edge,chrome=1" /> <title>LiteSpeed Web Server Users' Manual - Server Security</title> <meta name="description" content="LiteSpeed Web Server Users' Manual - Server Security." /> <meta name="viewport" content="width=device-width, initial-scale=1.0" /> <meta name="robots" content="noindex"> <link rel="shortcut icon" href="img/favicon.ico" /> <link rel="stylesheet" type="text/css" href="css/hdoc.css"> </head> <body> <div class="pagewrapper clearfix"><aside class="sidetree ls-col-1-5"> <figure> <img src="img/lsws_logo.svg" alt="lightspeed web server logo" width="100px"/> </figure> <h2 class="ls-text-thin"> LiteSpeed Web Server <br /> <span class="current"><a href="index.html">Users' Manual</a></span> </h2> <h3 class="ls-text-muted">Version 6.1  — Rev. 3</h3> <hr/> <div> <ul> <li><a href="license.html">License Enterprise</a></li> <li><a href="intro.html">Introduction</a></li> <li><a href="install.html">Installation</a></li> <li> <a href="admin.html">Administration</a> <ul class=" menu level2"> <li><a href="ServerStat_Help.html">Service Manager</a></li> </ul> </li> <li><a href="security.html">Security</a></li> <li> <a href="config.html">Configuration</a> <ul class="level2"> <li><a href="ServGeneral_Help.html">Server General</a></li> <li><a href="ServLog_Help.html">Server Log</a></li> <li><a href="ServTuning_Help.html">Server Tuning</a></li> <li><span class="current"><a href="ServSecurity_Help.html">Server Security</a></span></li> <li><a href="Cache_Help.html">Page Cache</a></li> <li><a href="PageSpeed_Config.html">PageSpeed Config</a></li> <li><a href="ExtApp_Help.html">External Apps</a></li> <ul class="level3"> <li><a href="External_FCGI.html">Fast CGI App</a></li> <li><a href="External_FCGI_Auth.html">Fast CGI Authorizer</a></li> <li><a href="External_LSAPI.html">LSAPI App</a></li> <li><a href="External_Servlet.html">Servlet Engine</a></li> <li><a href="External_WS.html">Web Server</a></li> <li><a href="External_PL.html">Piped logger</a></li> <li><a href="External_LB.html">Load Balancer</a></li> </ul> <li><a href="ScriptHandler_Help.html">Script Handler</a></li> <li><a href="PHP_Help.html">PHP</a></li> <li><a href="App_Server_Help.html">App Server Settings</a></li> <li><a href="Listeners_General_Help.html">Listener General</a></li> <li><a href="Listeners_SSL_Help.html">Listener SSL</a></li> <li><a href="Templates_Help.html">Virtual Host Templates</a></li> <li><a href="VirtualHosts_Help.html">Virtual Host Basic</a></li> <li><a href="VHGeneral_Help.html">Virtual Host General</a></li> <li><a href="VHSecurity_Help.html">Virtual Host Security</a></li> <li><a href="VHSSL_Help.html">Virtual Host SSL</a></li> <li> <a href="VHPageSpeed_Config.html">Virtual Host PageSpeed Config</a> </li> <li><a href="Rewrite_Help.html">Rewrite</a></li> <li><a href="Context_Help.html">Context</a></li> <ul class="level3"> <li><a href="Static_Context.html">Static Context</a></li> <li> <a href="Java_Web_App_Context.html">Java Web App Context</a> </li> <li><a href="Servlet_Context.html">Servlet Context</a></li> <li><a href="FCGI_Context.html">Fast CGI Context</a></li> <li><a href="LSAPI_Context.html">LSAPI Context</a></li> <li><a href="Proxy_Context.html">Proxy Context</a></li> <li><a href="CGI_Context.html">CGI Context</a></li> <li><a href="LB_Context.html">Load Balancer Context</a></li> <li><a href="Redirect_Context.html">Redirect Context</a></li> <li><a href="App_Server_Context.html">App Server Context</a></li> <li><a href="Rails_Context.html">Rack/Rails Context</a></li> </ul> <li><a href="VHAddOns_Help.html">Add-ons</a></li> </ul> </li> <li> <a href="webconsole.html">Web Console</a> <ul class="level2"> <li><a href="AdminGeneral_Help.html">Admin Console General</a></li> <li><a href="AdminSecurity_Help.html">Admin Console Security</a></li> <li> <a href="AdminListeners_General_Help.html"> Admin Listener General </a> </li> <li> <a href="AdminListeners_SSL_Help.html">Admin Listener SSL</a> </li> </ul> </li> </ul> </div> </aside> <article class="contentwrapper ls-col-3-5 clearfix"><div class="nav-bar ls-spacer-micro-top"><div class="prev">&#171 <a href="ServTuning_Help.html">Server Tuning</a></div><div class="center"><a href="config.html">Configuration</a></div><div class="next"><a href="Cache_Help.html">Page Cache Settings</a> »</div></div> <h1>Server Security</h1><h2 id="top">Table of Contents</h2><section class="toc"><section class="toc-row"><header>WordPress Brute Force Attack Protection</header><p> <a href="#wpProtectAction">Protection Mode</a> \| <a href="#wpProtectLimit">Allowed Login Attempts</a></p></section> <section class="toc-row"><header>Web Application Firewall (WAF)</header><p> <a href="#enableCensorship">Enable WAF</a> \| <a href="#censorLogLevel">Log Level</a> \| <a href="#defaultAction">Default Action</a> \| <a href="#scanPOST">Scan Request Body</a> \| <a href="#uploadTmpDir">Temporary File Path</a> \| <a href="#uploadTmpFilePermission">Temporary File Permissions</a> \| <a href="#disableSecHtaccess">Disable .htaccess Override</a> \| <a href="#secAuditLogEngine">Enable Security Audit Log</a> \| <a href="#secAuditLog">Security Audit Log</a> \| <a href="#useRe2">Use RE2 regex engine</a></p></section> <section class="toc-row"><header><a href="#reqCensorshipRule">Web Application Firewall (WAF) Rule Set</a></header><p> <a href="#censorRuleSetName">Name</a> \| <a href="#ruleSetAction">Rule Set Action</a> \| <a href="#censorRuleSetEnabled">Enabled</a> \| <a href="#censorRuleSet">Rules Definition</a></p></section> <section class="toc-row"><header><a href="#perClientConnLimit">Per Client Throttling</a></header><p> <a href="#staticReqPerSec">Static Requests/Second</a> \| <a href="#dynReqPerSec">Dynamic Requests/Second</a> \| <a href="#outBandwidth">Outbound Bandwidth (bytes/sec)</a> \| <a href="#inBandwidth">Inbound Bandwidth (bytes/sec)</a> \| <a href="#softLimit">Connection Soft Limit</a> \| <a href="#hardLimit">Connection Hard Limit</a> \| <a href="#blockBadReq">Block Bad Request</a> \| <a href="#gracePeriod">Grace Period (sec)</a> \| <a href="#banPeriod">Banned Period (sec)</a></p></section> <section class="toc-row"><header>File Access</header><p> <a href="#followSymbolLink">Follow Symbolic Link</a> \| <a href="#checkSymbolLink">Check Symbolic Link</a> \| <a href="#forceStrictOwnership">Force Strict Ownership Checking</a> \| <a href="#requiredPermissionMask">Required Permission Mask</a> \| <a href="#restrictedPermissionMask">Restricted Permission Mask</a> \| <a href="#restrictedScriptPermissionMask">Script Restricted Permission Mask</a> \| <a href="#restrictedDirPermissionMask">Script Directory Restricted Permission Mask</a></p></section> <section class="toc-row"><header><a href="#cgiResource">CGI Settings</a></header><p> <a href="#cgidSock">CGI Daemon Socket</a> \| <a href="#maxCGIInstances">Max CGI Instances</a> \| <a href="#minUID">Minimum UID</a> \| <a href="#minGID">Minimum GID</a> \| <a href="#forceGID">Force GID</a> \| <a href="#umask">umask</a> \| <a href="#CGIPriority">CGI Priority</a> \| <a href="#CPUSoftLimit">CPU Soft Limit (sec)</a> \| <a href="#CPUHardLimit">CPU Hard Limit</a> \| <a href="#memSoftLimit">Memory Soft Limit (bytes)</a> \| <a href="#memHardLimit">Memory Hard Limit (bytes)</a> \| <a href="#procSoftLimit">Process Soft Limit</a> \| <a href="#procHardLimit">Process Hard Limit</a> \| <a href="#cgroups">cgroups</a></p></section> <section class="toc-row"><header><a href="#lsrecaptcha">reCAPTCHA Protection</a></header><p> <a href="#enableRecaptcha">Enable reCAPTCHA</a> \| <a href="#recaptchaSiteKey">Site Key</a> \| <a href="#recaptchaSecretKey">Secret Key</a> \| <a href="#recaptchaType">reCAPTCHA Type</a> \| <a href="#recaptchaSensitivity">Trigger Sensitivity</a> \| <a href="#recaptchaMaxTries">Max Tries</a> \| <a href="#verifyExpires">Verification Expires (secs)</a> \| <a href="#recaptchaAllowedRobotHits">Allowed Robot Hits</a> \| <a href="#recaptchaBotWhiteList">Bot White List</a></p></section> <section class="toc-row"><header>Bubblewrap Container</header><p> <a href="#bubbleWrap">Bubblewrap Container</a> \| <a href="#bubbleWrapCmd">Bubblewrap Command</a></p></section> <section class="toc-row"><header>Access Denied Directories</header><p> <a href="#accessDenyDir">Access Denied Directories</a></p></section> <section class="toc-row"><header><a href="#accessControl">Access Control</a></header><p> <a href="#accessControl_allow">Allowed List</a> \| <a href="#accessControl_deny">Denied List</a></p></section> </section> <section><div class="helpitem"><article class="ls-helpitem"><div><header id="wpProtectAction"><h3>Protection Mode<span class="ls-permlink"><a href="#wpProtectAction"></a></span><span class="top"><a href="#top">⇑</a></span></h3></header></div><h4>Description</h4><p>Specifies the action to be taken when the specified Allowed Login Attempts limit is reached within 5 minutes.<br/><br/> <span class="val">Throttle</span> gradually slows down the speed of the server response, <span class="val">Drop</span> severs the connection without any reply, <span class="val">Deny</span> returns a 403 response, and <span class="val">CAPTCHA or Drop</span> redirects to a CAPTCHA if reCAPTCHA Protection is enabled and drops otherwise.<br/><br/> <span class="val">WP Login CAPTCHA Full Protection</span> can also be selected. This setting will redirect to a CAPTCHA if ReCAPTCHA Protection is enabled regardless of Allowed Login Attempts limit and falls back to use <span class="val">Throttle</span> otherwise.<br/><br/> Default values:<br/> <b>Server level:</b> <span class="val">Throttle</span><br/> <b>VH level:</b> Inherit Server level setting. If Server level is set to <span class="val">Disable</span>, <span class="val">Throttle</span> will be used.</p> <h4>Syntax</h4><p>Select from drop down list</p> <h4>Tips</h4><p><span title="Security" class="ls-icon-security"></span> Trusted IPs or sub-networks are not affected.<br/> <span title="Information" class="ls-icon-info"></span> This feature is enabled by default (Throttle) and does not need any further configuration in the WebAdmin GUI or in Apache configurations.<br/> <span title="Information" class="ls-icon-info"></span> This setting will override Apache conf <span class="val">WordPressProtect</span> setting for LSWS only. Apache will be unaffected.<br/><br/> <span title="Information" class="ls-icon-info"></span> This can be set at the Server level and overwritten at the Virtual Host level. If not overridden at the Virtual Host level, this setting can also be overridden in a user's docroot .htaccess file using Apache configuration directive <span class="val">WordPressProtect</span> with value <span class="val">0</span> (disabled), <span class="val">1</span> (use server level setting), <span class="val">throttle</span>, <span class="val">deny</span>, or <span class="val">drop</span>.</p> </article> </div> <div class="helpitem"><article class="ls-helpitem"><div><header id="wpProtectLimit"><h3>Allowed Login Attempts<span class="ls-permlink"><a href="#wpProtectLimit"></a></span><span class="top"><a href="#top">⇑</a></span></h3></header></div><h4>Description</h4><p>Specifies the maximum number of wp-login.php and xmlrpc.php POST attempts allowed by an IP within 5 minutes before the action specified in <span class="tagl"><a href="#wpProtectAction">Protection Mode</a></span> is taken.<br/><br/> This limit is handled using a quota system where remaining attempts = limit. Each POST attempt will decrease the number of remaining attempts by 1, with the number of remaining attempts increasing back to the set limit over time. An IP will be throttled once the number of remaining attempts for that IP falls to 1/2 the set limit, throttling more as the remaining attempts drops further below the 1/2 mark. When remaining attempts reaches 0, the specified action is taken toward the IP.<br/><br/> In addition to this, if <span class="tagl"><a href="#enableRecaptcha">Enable reCAPTCHA</a></span> is also enabled, an additional per worker protection will be added. If wp-login.php and xmlrpc.php are visited by the same worker at a rate of 4x the set limit in a 30 second time frame, those URLs will be put into reCAPTCHA mode until the number of visits to these files decreases.<br/><br/> Resetting the server will clear blocked IPs.<br/><br/> Default values:<br/> <b>Server-level:</b> <span class="val">10</span><br/> <b>VH-Level:</b> Inherit Server level setting</p> <h4>Syntax</h4><p>Valid Range: 3 - 1000.</p> <h4>Example</h4><div class="ls-example">With an Attempt limit of 10, and a Mode of drop:<br/><br/> After the first POST attempt, the quota is decreased to 9.<br/><br/> Quota decreases by 1 for each POST attempt.<br/><br/> After Quota reaches half of the limit (5), the IP will be throttled.<br/><br/> Throttling will get worse with each POST attempt.<br/><br/> Once the quota reaches 0, the connection will be dropped.</div><h4>Tips</h4><p><span title="Security" class="ls-icon-security"></span> Trusted IPs or sub-networks are not affected.<br/><br/> <span title="Information" class="ls-icon-info"></span> This setting will override Apache conf <span class="val">WordPressProtect</span> setting for LSWS only. Apache will be unaffected.<br/><br/> <span title="Information" class="ls-icon-info"></span> This can be set at the Server level and overwritten at the Virtual Host level. If not overridden at the Virtual Host level, this setting can also be overridden in a user's docroot .htaccess file using Apache configuration directive <span class="val">WordPressProtect</span> with integer value between 3 and 1000.</p> </article> </div> <div class="helpitem"><article class="ls-helpitem"><div><header id="enableCensorship"><h3>Enable WAF<span class="ls-permlink"><a href="#enableCensorship"></a></span><span class="top"><a href="#top">⇑</a></span></h3></header></div><h4>Description</h4><p>Specifies whether to enable request content deep inspection. This feature is equivalent to Apache's mod_security, which can be used to detect and block requests with ill intention by matching them to known signatures.</p> <h4>Syntax</h4><p>Select from radio box</p> </article> </div> <div class="helpitem"><article class="ls-helpitem"><div><header id="censorLogLevel"><h3>Log Level<span class="ls-permlink"><a href="#censorLogLevel"></a></span><span class="top"><a href="#top">⇑</a></span></h3></header></div><h4>Description</h4><p>Specifies the level of detail of the Web Application Firewall engine's debug output. This value ranges from <span class="val">0</span> - <span class="val">9</span>. <span class="val">0</span> disables logging. <span class="val">9</span> produces the most detailed log. The the server and virtual host's error log <span class="tagl"><a href="ServGeneral_Help.html#log_logLevel">Log Level</a></span> must be set to at least <span class="val">INFO</span> for this option to take effect. This is useful when testing request filtering rules.</p> <h4>Syntax</h4><p>Integer number</p> <h4>See Also</h4><p class="ls-text-small">Server <span class="tagl"><a href="ServGeneral_Help.html#log_logLevel">Log Level</a></span>, Virtual Host <span class="tagl"><a href="VHGeneral_Help.html#vhlog_logLevel">Log Level</a></span></p> </article> </div> <div class="helpitem"><article class="ls-helpitem"><div><header id="defaultAction"><h3>Default Action<span class="ls-permlink"><a href="#defaultAction"></a></span><span class="top"><a href="#top">⇑</a></span></h3></header></div><h4>Description</h4><p>Specifies the default actions that should be taken when a censoring rule is met. Default value is <span class="val">deny,log,status:403</span>, which means to deny access with status code 403 and log the incident in the error log.</p> <h4>See Also</h4><p class="ls-text-small"><span class="tagl"><a href="#ruleSetAction">Rule Set Action</a></span></p> </article> </div> <div class="helpitem"><article class="ls-helpitem"><div><header id="scanPOST"><h3>Scan Request Body<span class="ls-permlink"><a href="#scanPOST"></a></span><span class="top"><a href="#top">⇑</a></span></h3></header></div><h4>Description</h4><p>Specifies whether to check the body of an HTTP POST request. Default is "No".</p> <h4>Syntax</h4><p>Select from radio box</p> </article> </div> <div class="helpitem"><article class="ls-helpitem"><div><header id="uploadTmpDir"><h3>Temporary File Path<span class="ls-permlink"><a href="#uploadTmpDir"></a></span><span class="top"><a href="#top">⇑</a></span></h3></header></div><h4>Description</h4><p>Temporary directory where files being uploaded to server will be stored while request body parser is working. Default value is <span class="val">/tmp</span>.</p> <h4>Syntax</h4><p>Absolute path or path starting with $SERVER_ROOT (for Server and VHost levels).</p> </article> </div> <div class="helpitem"><article class="ls-helpitem"><div><header id="uploadTmpFilePermission"><h3>Temporary File Permissions<span class="ls-permlink"><a href="#uploadTmpFilePermission"></a></span><span class="top"><a href="#top">⇑</a></span></h3></header></div><h4>Description</h4><p>Global setting determining file permissions used for files stored in the <b>Temporary File Path</b> directory.</p> <h4>Syntax</h4><p>3 digits octet number. Default value is 666.</p> </article> </div> <div class="helpitem"><article class="ls-helpitem"><div><header id="disableSecHtaccess"><h3>Disable .htaccess Override<span class="ls-permlink"><a href="#disableSecHtaccess"></a></span><span class="top"><a href="#top">⇑</a></span></h3></header></div><h4>Description</h4><p>Disable turning off mod_security engine in .htaccess. This is a global setting only available at the server level. Default is "No".</p> <h4>Syntax</h4><p>Select from radio box</p> </article> </div> <div class="helpitem"><article class="ls-helpitem"><div><header id="secAuditLogEngine"><h3>Enable Security Audit Log<span class="ls-permlink"><a href="#secAuditLogEngine"></a></span><span class="top"><a href="#top">⇑</a></span></h3></header></div><h4>Description</h4><p>Specifies whether to enable audit logging and in what format (Native, JSON, or Pretty JSON). This feature is equivalent to Apache's mod_security audit engine.<br/><br/> If this setting is enabled and the <span class="tagl"><a href="#secAuditLog">Security Audit Log</a></span> setting is set, detailed request information will be saved.</p> <h4>Syntax</h4><p>Select from drop down list</p> <h4>See Also</h4><p class="ls-text-small"><span class="tagl"><a href="#secAuditLog">Security Audit Log</a></span></p> </article> </div> <div class="helpitem"><article class="ls-helpitem"><div><header id="secAuditLog"><h3>Security Audit Log<span class="ls-permlink"><a href="#secAuditLog"></a></span><span class="top"><a href="#top">⇑</a></span></h3></header></div><h4>Description</h4><p>Specifies the path of the security audit log, which gives more detailed information. This extra information can be useful if, for example, you wish to track the actions of a particular user. Use <span class="tagl"><a href="#secAuditLogEngine">Enable Security Audit Log</a></span> to turn on the logging.</p> <h4>Syntax</h4><p>Filename which can be an absolute path or a relative path to $SERVER_ROOT.</p> <h4>See Also</h4><p class="ls-text-small"><span class="tagl"><a href="#secAuditLogEngine">Enable Security Audit Log</a></span></p> </article> </div> <div class="helpitem"><article class="ls-helpitem"><div><header id="useRe2"><h3>Use RE2 regex engine<span class="ls-permlink"><a href="#useRe2"></a></span><span class="top"><a href="#top">⇑</a></span></h3></header></div><h4>Description</h4><p>Use RE2 when evaluating regular expressions instead of PCRE.<br/><br/> Default value: <span class="val">No</span></p> <h4>Syntax</h4><p>Select from radio box</p> <h4>Tips</h4><p><span title="Information" class="ls-icon-info"></span> While PCRE provides more features than RE2, RE2 allows for a defined maximum memory usage and has a more predictable runtime than PCRE making it more suited for use in server applications.<br/> <span title="Performance" class="ls-icon-performance"></span> Unlike PCRE, RE2 uses a fixed stack and guarantees that run-time increases linearly (not exponentially) with the size of the input.</p> </article> </div> <div class="helpitem"><article class="ls-helpitem"><div><header id="reqCensorshipRule"><h3>Web Application Firewall (WAF) Rule Set<span class="ls-permlink"><a href="#reqCensorshipRule"></a></span><span class="top"><a href="#top">⇑</a></span></h3></header></div><h4>Description</h4><p>Rules configured here only work for virtual hosts configured with a native LSWS configuration, not for virtual hosts using Apache httpd.conf.</p> </article> </div> <div class="helpitem"><article class="ls-helpitem"><div><header id="censorRuleSetName"><h3>Name<span class="ls-permlink"><a href="#censorRuleSetName"></a></span><span class="top"><a href="#top">⇑</a></span></h3></header></div><h4>Description</h4><p>Give a group of censorship rules a name. For display only.</p> <h4>Syntax</h4><p>String</p> </article> </div> <div class="helpitem"><article class="ls-helpitem"><div><header id="ruleSetAction"><h3>Rule Set Action<span class="ls-permlink"><a href="#ruleSetAction"></a></span><span class="top"><a href="#top">⇑</a></span></h3></header></div><h4>Description</h4><p>Specifies the actions that should be taken when a censoring rule in current ruleset is met. If not set, <span class="tagl"><a href="#defaultAction">Default Action</a></span> will be used.</p> <h4>Syntax</h4><p>String. This action string uses the same syntax as Apache's <a href=" https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#SecDefaultAction " target="_blank" rel="noopener noreferrer"> mod_security SecDefaultAction directive </a> .</p> </article> </div> <div class="helpitem"><article class="ls-helpitem"><div><header id="censorRuleSetEnabled"><h3>Enabled<span class="ls-permlink"><a href="#censorRuleSetEnabled"></a></span><span class="top"><a href="#top">⇑</a></span></h3></header></div><h4>Description</h4><p>Specifies whether to enable this rule set. With this option, a rule set can be quickly turned on and off without adding or removing the rule set. Default is "Yes".</p> <h4>Syntax</h4><p>Select from radio box</p> </article> </div> <div class="helpitem"><article class="ls-helpitem"><div><header id="censorRuleSet"><h3>Rules Definition<span class="ls-permlink"><a href="#censorRuleSet"></a></span><span class="top"><a href="#top">⇑</a></span></h3></header></div><h4>Description</h4><p>Specifies a list of censorship rules.<br/><br/> If you are using an Apache config file, you have to set up rules in httpd.conf. Rules defined here will have no effect.</p> <h4>Syntax</h4><p>String. Syntax of censoring rules follows that of Apache's mod_security directives. "SecFilter", "SecFilterSelective", and "SecRule" can be used here. You can copy and paste security rules from an Apache configuration file.<br/><br/> For more details about rule syntax, please refer to the <a href="http://www.modsecurity.org/documentation/index.html" target="_blank" rel="noopener noreferrer">Mod Security documentation</a>.</p> <h4>Tips</h4><p><span title="Information" class="ls-icon-info"></span> Rules configured here only work for vhosts configured in native LSWS configuration, not for vhosts from Apache httpd.conf.</p> </article> </div> <div class="helpitem"><article class="ls-helpitem"><div><header id="perClientConnLimit"><h3>Per Client Throttling<span class="ls-permlink"><a href="#perClientConnLimit"></a></span><span class="top"><a href="#top">⇑</a></span></h3></header></div><h4>Description</h4><p>These are connection control settings are based on client IP. These settings help to mitigate DoS (Denial of Service) and DDoS (Distributed Denial of Service) attacks.</p> </article> </div> <div class="helpitem"><article class="ls-helpitem"><div><header id="staticReqPerSec"><h3>Static Requests/Second<span class="ls-permlink"><a href="#staticReqPerSec"></a></span><span class="top"><a href="#top">⇑</a></span></h3></header></div><h4>Description</h4><p>Specifies the maximum number of requests to static content coming from a single IP address that can be processed in a single second regardless of the number of connections established.<br/><br/> When this limit is reached, all future requests are tar-pitted until the next second. Request limits for dynamically generated content are independent of this limit. Per-client request limits can be set at server- or virtual host-level. Virtual host-level settings override server-level settings.</p> <h4>Syntax</h4><p>Integer number</p> <h4>Tips</h4><p><span title="Security" class="ls-icon-security"></span> Trusted IPs or sub-networks are not affected.</p> <h4>See Also</h4><p class="ls-text-small"><span class="tagl"><a href="#dynReqPerSec">Dynamic Requests/Second</a></span></p> </article> </div> <div class="helpitem"><article class="ls-helpitem"><div><header id="dynReqPerSec"><h3>Dynamic Requests/Second<span class="ls-permlink"><a href="#dynReqPerSec"></a></span><span class="top"><a href="#top">⇑</a></span></h3></header></div><h4>Description</h4><p>Specifies the maximum number of requests to dynamically generated content coming from a single IP address that can be processed in each second regardless of the number of connections established. When this limit is reached, all future requests to dynamic content are tar-pitted until the next second.<br/><br/> The request limit for static content is independent of this limit. This per client request limit can be set at server or virtual host level. Virtual host-level settings override server-level settings.</p> <h4>Syntax</h4><p>Integer number</p> <h4>Tips</h4><p><span title="Security" class="ls-icon-security"></span> Trusted IPs or sub-networks are not restrained by this limit.</p> <h4>See Also</h4><p class="ls-text-small"><span class="tagl"><a href="#staticReqPerSec">Static Requests/Second</a></span></p> </article> </div> <div class="helpitem"><article class="ls-helpitem"><div><header id="outBandwidth"><h3>Outbound Bandwidth (bytes/sec)<span class="ls-permlink"><a href="#outBandwidth"></a></span><span class="top"><a href="#top">⇑</a></span></h3></header></div><h4>Description</h4><p>The maximum allowed outgoing throughput to a single IP address, regardless of the number of connections established. The real bandwidth may end up being slightly higher than this setting for efficiency reasons. Bandwidth is allocated in 4KB units. Set to <span class="val">0</span> to disable throttling. Per-client bandwidth limits (bytes/sec) can be set at the server or virtual host level where virtual host level settings override server level settings.</p> <h4>Syntax</h4><p>Integer number</p> <h4>Tips</h4><p><span title="Performance" class="ls-icon-performance"></span> Set the bandwidth in 8KB units for better performance.<br/><br/> <span title="Security" class="ls-icon-security"></span> Trusted IPs or sub-networks are not affected.</p> <h4>See Also</h4><p class="ls-text-small"><span class="tagl"><a href="#inBandwidth">Inbound Bandwidth (bytes/sec)</a></span></p> </article> </div> <div class="helpitem"><article class="ls-helpitem"><div><header id="inBandwidth"><h3>Inbound Bandwidth (bytes/sec)<span class="ls-permlink"><a href="#inBandwidth"></a></span><span class="top"><a href="#top">⇑</a></span></h3></header></div><h4>Description</h4><p>The maximum allowed incoming throughput from a single IP address, regardless of the number of connections established. The real bandwidth may end up being slightly higher than this setting for efficiency reasons. Bandwidth is allocated in 1KB units. Set to <span class="val">0</span> to disable throttling. Per-client bandwidth limits (bytes/sec) can be set at the server or virtual host level where virtual host level settings override server level settings.</p> <h4>Syntax</h4><p>Integer number</p> <h4>Tips</h4><p><span title="Security" class="ls-icon-security"></span> Trusted IPs or sub-networks are not affected.</p> <h4>See Also</h4><p class="ls-text-small"><span class="tagl"><a href="#outBandwidth">Outbound Bandwidth (bytes/sec)</a></span></p> </article> </div> <div class="helpitem"><article class="ls-helpitem"><div><header id="softLimit"><h3>Connection Soft Limit<span class="ls-permlink"><a href="#softLimit"></a></span><span class="top"><a href="#top">⇑</a></span></h3></header></div><h4>Description</h4><p>Specifies the soft limit of concurrent connections allowed from one IP. This soft limit can be exceeded temporarily during <span class="tagl"><a href="#gracePeriod">Grace Period (sec)</a></span> as long as the number is below the <span class="tagl"><a href="#hardLimit">Connection Hard Limit</a></span>, but Keep-Alive connections will be closed as soon as possible until the number of connections is lower than the limit. If number of connections is still over the limit after the <span class="tagl"><a href="#gracePeriod">Grace Period (sec)</a></span>, that IP will be blocked for the <span class="tagl"><a href="#banPeriod">Banned Period (sec)</a></span>.<br/><br/> For example, if a page contains many small graphs, the browser may try to set up many connections at same time, especially for HTTP/1.0 clients. You would want to allow those connections for a short period.<br/><br/> HTTP/1.1 clients may also set up multiple connections to speed up downloading and SSL requires separate connections from non-SSL connections. Make sure the limit is set properly, as not to adversely affect normal service. The recommended limit is between <span class="val">5</span> and <span class="val">10</span>.</p> <h4>Syntax</h4><p>Integer number</p> <h4>Tips</h4><p><span title="Security" class="ls-icon-security"></span> A lower number will enable serving more distinct clients.<br/> <span title="Security" class="ls-icon-security"></span> Trusted IPs or sub-networks are not affected.<br/> <span title="Performance" class="ls-icon-performance"></span> Set to a high value when you are performing benchmark tests with a large number of concurrent client machines.</p> </article> </div> <div class="helpitem"><article class="ls-helpitem"><div><header id="hardLimit"><h3>Connection Hard Limit<span class="ls-permlink"><a href="#hardLimit"></a></span><span class="top"><a href="#top">⇑</a></span></h3></header></div><h4>Description</h4><p>Specifies the maximum number of allowed concurrent connections from a single IP address. This limit is always enforced and a client will never be able to exceed this limit. HTTP/1.0 clients usually try to set up as many connections as they need to download embedded content at the same time. This limit should be set high enough so that HTTP/1.0 clients can still access the site. Use <span class="tagl"><a href="#softLimit">Connection Soft Limit</a></span> to set the desired connection limit.<br/><br/> The recommended limit is between <span class="val">20</span> and <span class="val">50</span> depending on the content of your web page and your traffic load.</p> <h4>Syntax</h4><p>Integer number</p> <h4>Tips</h4><p><span title="Security" class="ls-icon-security"></span> A lower number will enable serving more distinct clients.<br/> <span title="Security" class="ls-icon-security"></span> Trusted IPs or sub-networks are not affected.<br/> <span title="Performance" class="ls-icon-performance"></span> Set to a high value when you are performing benchmark tests with a large number of concurrent client machines.</p> </article> </div> <div class="helpitem"><article class="ls-helpitem"><div><header id="blockBadReq"><h3>Block Bad Request<span class="ls-permlink"><a href="#blockBadReq"></a></span><span class="top"><a href="#top">⇑</a></span></h3></header></div><h4>Description</h4><p>Block IPs that keep sending badly-formated HTTP requests for the <span class="tagl"><a href="#banPeriod">Banned Period (sec)</a></span>. Default is <span class="val">Yes</span>. This helps to block botnet attacks that repeatedly sending junk requests.</p> <h4>Syntax</h4><p>Select from radio box</p> </article> </div> <div class="helpitem"><article class="ls-helpitem"><div><header id="gracePeriod"><h3>Grace Period (sec)<span class="ls-permlink"><a href="#gracePeriod"></a></span><span class="top"><a href="#top">⇑</a></span></h3></header></div><h4>Description</h4><p>Specifies how long new connections can be accepted after the number of connections established from one IP is over the <span class="tagl"><a href="#softLimit">Connection Soft Limit</a></span>. Within this period, new connections will be accepted if the total connections is still below the <span class="tagl"><a href="#hardLimit">Connection Hard Limit</a></span>. After this period has elapsed, if the number of connections still higher than the <span class="tagl"><a href="#softLimit">Connection Soft Limit</a></span>, then the offending IP will be blocked for the <span class="tagl"><a href="#banPeriod">Banned Period (sec)</a></span>.</p> <h4>Syntax</h4><p>Integer number</p> <h4>Tips</h4><p><span title="Performance" class="ls-icon-performance"></span><span title="Security" class="ls-icon-security"></span> Set to a proper number big enough for downloading a complete page but low enough to prevent deliberate attacks.</p> </article> </div> <div class="helpitem"><article class="ls-helpitem"><div><header id="banPeriod"><h3>Banned Period (sec)<span class="ls-permlink"><a href="#banPeriod"></a></span><span class="top"><a href="#top">⇑</a></span></h3></header></div><h4>Description</h4><p>Specifies how long new connections will be rejected from an IP if, after the <span class="tagl"><a href="#gracePeriod">Grace Period (sec)</a></span> has elapsed, the number of connections is still more than the <span class="tagl"><a href="#softLimit">Connection Soft Limit</a></span>. If IPs are getting banned repeatedly, we suggest that you increase your banned period to stiffen the penalty for abuse.</p> <h4>Syntax</h4><p>Integer number</p> </article> </div> <div class="helpitem"><article class="ls-helpitem"><div><header id="followSymbolLink"><h3>Follow Symbolic Link<span class="ls-permlink"><a href="#followSymbolLink"></a></span><span class="top"><a href="#top">⇑</a></span></h3></header></div><h4>Description</h4><p>Specifies the server-level default setting of following symbolic links when serving static files.<br/><br/> Choices are <span class="val">Yes</span>, <span class="val">If Owner Match</span> and <span class="val">No</span>.<br/><br/> <span class="val">Yes</span> sets the server to always follow symbolic links. <span class="val">If Owner Match</span> sets the server to follow a symbolic link only if the owner of the link and of the target are same. <span class="val">No</span> means the server will never follow a symbolic link. This setting can be overridden in the virtual host configurations but cannot be overridden from an .htaccess file.</p> <h4>Syntax</h4><p>Select from drop down list</p> <h4>Tips</h4><p><span title="Performance" class="ls-icon-performance"></span><span title="Security" class="ls-icon-security"></span> For best security select <span class="val">No</span> or <span class="val">If Owner Match</span>. For best performance, select <span class="val">Yes</span>.</p> <h4>See Also</h4><p class="ls-text-small"><span class="tagl"><a href="#checkSymbolLink">Check Symbolic Link</a></span>.</p> </article> </div> <div class="helpitem"><article class="ls-helpitem"><div><header id="checkSymbolLink"><h3>Check Symbolic Link<span class="ls-permlink"><a href="#checkSymbolLink"></a></span><span class="top"><a href="#top">⇑</a></span></h3></header></div><h4>Description</h4><p>Specifies whether to check symbolic links against <span class="tagl"><a href="#accessDenyDir">Access Denied Directories</a></span> when <span class="tagl"><a href="#followSymbolLink">Follow Symbolic Link</a></span> is turned on. If enabled, the canonical real path of the resource referred by a URL will be checked against the configurable access denied directories. Access will be denied if it falls inside an access denied directory.</p> <h4>Syntax</h4><p>Select from radio box</p> <h4>Tips</h4><p><span title="Performance" class="ls-icon-performance"></span><span title="Security" class="ls-icon-security"></span> For best security, enable this option. For best performance, disable it.</p> <h4>See Also</h4><p class="ls-text-small"><span class="tagl"><a href="#followSymbolLink">Follow Symbolic Link</a></span>, <span class="tagl"><a href="#accessDenyDir">Access Denied Directories</a></span></p> </article> </div> <div class="helpitem"><article class="ls-helpitem"><div><header id="forceStrictOwnership"><h3>Force Strict Ownership Checking<span class="ls-permlink"><a href="#forceStrictOwnership"></a></span><span class="top"><a href="#top">⇑</a></span></h3></header></div><h4>Description</h4><p>Specifies whether to enforce strict file ownership checking. If it is enabled, the web server will check if the owner of the file being served is the same as the owner of the virtual host. If it is different, a 403 Access Denied Error will be returned. This is turned off by default.</p> <h4>Syntax</h4><p>Select from radio box</p> <h4>Tips</h4><p><span title="Security" class="ls-icon-security"></span> For shared hosting, enable this check for better security.</p> </article> </div> <div class="helpitem"><article class="ls-helpitem"><div><header id="requiredPermissionMask"><h3>Required Permission Mask<span class="ls-permlink"><a href="#requiredPermissionMask"></a></span><span class="top"><a href="#top">⇑</a></span></h3></header></div><h4>Description</h4><p>Specifies the required permission mask for static files that the server will serve. For example, if only files that are readable by everyone can be served, set the value to <span class="val">0004</span>. See <span class="cmd">man 2 stat</span> for all values.</p> <h4>Syntax</h4><p>octal numbers</p> <h4>See Also</h4><p class="ls-text-small"><span class="tagl"><a href="#restrictedPermissionMask">Restricted Permission Mask</a></span>.</p> </article> </div> <div class="helpitem"><article class="ls-helpitem"><div><header id="restrictedPermissionMask"><h3>Restricted Permission Mask<span class="ls-permlink"><a href="#restrictedPermissionMask"></a></span><span class="top"><a href="#top">⇑</a></span></h3></header></div><h4>Description</h4><p>Specifies the restricted permission mask for static files that the server will not serve. For example, to prohibit serving files that are executable, set the mask to <span class="val">0111</span>.<br/><br/> See <span class="cmd">man 2 stat</span> for all values.</p> <h4>Syntax</h4><p>octal numbers</p> <h4>See Also</h4><p class="ls-text-small"><span class="tagl"><a href="#requiredPermissionMask">Required Permission Mask</a></span>.</p> </article> </div> <div class="helpitem"><article class="ls-helpitem"><div><header id="restrictedScriptPermissionMask"><h3>Script Restricted Permission Mask<span class="ls-permlink"><a href="#restrictedScriptPermissionMask"></a></span><span class="top"><a href="#top">⇑</a></span></h3></header></div><h4>Description</h4><p>Specifies the restricted permission mask for script files that the server will not serve. For example, to prohibit serving PHP scripts that are group and world writable, set the mask to <span class="val">022</span>. Default value is <span class="val">000</span>.<br/><br/> See <span class="cmd">man 2 stat</span> for all values.</p> <h4>Syntax</h4><p>octal numbers</p> <h4>See Also</h4><p class="ls-text-small"><span class="tagl"><a href="#restrictedDirPermissionMask">Script Directory Restricted Permission Mask</a></span>.</p> </article> </div> <div class="helpitem"><article class="ls-helpitem"><div><header id="restrictedDirPermissionMask"><h3>Script Directory Restricted Permission Mask<span class="ls-permlink"><a href="#restrictedDirPermissionMask"></a></span><span class="top"><a href="#top">⇑</a></span></h3></header></div><h4>Description</h4><p>Specifies the restricted permission mask of parent directories of script files that the server will not serve. For example, to prohibit serving PHP scripts in a directory that is group and world writable, set the mask to <span class="val">022</span>. Default value is <span class="val">000</span>. This option can be used to prevent serving scripts under a directory of uploaded files.<br/><br/> See <span class="cmd">man 2 stat</span> for all values.</p> <h4>Syntax</h4><p>octal numbers</p> <h4>See Also</h4><p class="ls-text-small"><span class="tagl"><a href="#restrictedScriptPermissionMask">Script Restricted Permission Mask</a></span>.</p> </article> </div> <div class="helpitem"><article class="ls-helpitem"><div><header id="cgiResource"><h3>CGI Settings<span class="ls-permlink"><a href="#cgiResource"></a></span><span class="top"><a href="#top">⇑</a></span></h3></header></div><h4>Description</h4><p>The following settings control CGI processes. Memory and process limits also serve as the default for other external applications if limits have not been set explicitly for those applications.</p> </article> </div> <div class="helpitem"><article class="ls-helpitem"><div><header id="cgidSock"><h3>CGI Daemon Socket<span class="ls-permlink"><a href="#cgidSock"></a></span><span class="top"><a href="#top">⇑</a></span></h3></header></div><h4>Description</h4><p>A unique socket address used to communicate with the CGI daemon. LiteSpeed server uses a standalone CGI daemon to spawn CGI scripts for best performance and security. If you need to change this location, specify a Unix domain socket here.<br/><br/> Default value: <span class="val">uds://$SERVER_ROOT/admin/lscgid/.cgid.sock</span></p> <h4>Syntax</h4><p>UDS://path</p> <h4>Example</h4><div class="ls-example">UDS://tmp/lshttpd/cgid.sock</div></article> </div> <div class="helpitem"><article class="ls-helpitem"><div><header id="maxCGIInstances"><h3>Max CGI Instances<span class="ls-permlink"><a href="#maxCGIInstances"></a></span><span class="top"><a href="#top">⇑</a></span></h3></header></div><h4>Description</h4><p>Specifies the maximum number of concurrent CGI processes the server can start. For each request to a CGI script, the server needs to start a standalone CGI process. On a Unix system, the number of concurrent processes is limited. Excessive concurrent processes will degrade the performance of the whole system and are one way to perform a DoS attack. LiteSpeed server pipelines requests to CGI scripts and limits concurrent CGI processes to ensure the optimal performance and reliability. The hard limit is <span class="val">2000</span>.</p> <h4>Syntax</h4><p>Integer number</p> <h4>Tips</h4><p><span title="Security" class="ls-icon-security"></span><span title="Performance" class="ls-icon-performance"></span> A higher limit does not necessarily translate to faster performance. In most cases, a lower limit gives better performance and security. A higher limit will only help when I/O latency is excessive during CGI processing.</p> </article> </div> <div class="helpitem"><article class="ls-helpitem"><div><header id="minUID"><h3>Minimum UID<span class="ls-permlink"><a href="#minUID"></a></span><span class="top"><a href="#top">⇑</a></span></h3></header></div><h4>Description</h4><p>Specifies the minimum user ID allowed to run external applications when running as a specified user. Execution of an external script with a user ID lower than the value specified here will be denied.</p> <h4>Syntax</h4><p>Integer number</p> <h4>Tips</h4><p><span title="Security" class="ls-icon-security"></span> Set it high enough to exclude all system/privileged users.</p> </article> </div> <div class="helpitem"><article class="ls-helpitem"><div><header id="minGID"><h3>Minimum GID<span class="ls-permlink"><a href="#minGID"></a></span><span class="top"><a href="#top">⇑</a></span></h3></header></div><h4>Description</h4><p>Specifies the minimum group ID allowed to run external applications when running as a specified group. Execution of an external script with a group ID lower than the value specified here will be denied.</p> <h4>Syntax</h4><p>Integer number</p> <h4>Tips</h4><p><span title="Security" class="ls-icon-security"></span> Set it high enough to exclude all groups used by system users.</p> </article> </div> <div class="helpitem"><article class="ls-helpitem"><div><header id="forceGID"><h3>Force GID<span class="ls-permlink"><a href="#forceGID"></a></span><span class="top"><a href="#top">⇑</a></span></h3></header></div><h4>Description</h4><p>Specifies a group ID to be used for all external applications started in suEXEC mode. When set to non-zero value, all suEXEC external applications (CGI/FastCGI/LSAPI) will use this group ID. This can be used to prevent an external application from accessing files owned by other users.<br/><br/> For example, in a shared hosting environment, LiteSpeed runs as user "www-data", group "www-data". Each docroot is owned by a user account, with a group of "www-data" and permission mode 0750. If Force GID is set to "nogroup" (or any group other than 'www-data'), all suEXEC external applications will run as a particular user but in the group "nogroup". These external application processes will still be able to access files owned by that particular user (because of their user ID), but will not have group permission to access anyone else's files. The server, on the other hand, still can serve files under any user's docroot directory (because of its group ID).</p> <h4>Syntax</h4><p>Integer number</p> <h4>Tips</h4><p><span title="Security" class="ls-icon-security"></span> Set it high enough to exclude all groups used by system users.</p> </article> </div> <div class="helpitem"><article class="ls-helpitem"><div><header id="umask"><h3>umask<span class="ls-permlink"><a href="#umask"></a></span><span class="top"><a href="#top">⇑</a></span></h3></header></div><h4>Description</h4><p>Sets default umask for CGI processes. See <span class="cmd"> man 2 umask </span> for details. This also serves as the default value for external applications <span class="tagl"><a href="ExtApp_Help.html#extUmask">umask</a></span>.</p> <h4>Syntax</h4><p>value valid range [000]-[777].</p> <h4>See Also</h4><p class="ls-text-small">ExtApp <span class="tagl"><a href="ExtApp_Help.html#extUmask">umask</a></span></p> </article> </div> <div class="helpitem"><article class="ls-helpitem"><div><header id="CGIPriority"><h3>CGI Priority<span class="ls-permlink"><a href="#CGIPriority"></a></span><span class="top"><a href="#top">⇑</a></span></h3></header></div><h4>Description</h4><p>Specifies priority of the external application process. Value ranges from <span class="val">-20</span> to <span class="val">20</span>. A lower number means a higher priority.<br/><br/> A CGI process cannot have a higher priority than the web server. If this priority is set to a lower number than the server's, the server's priority will be used for this value.</p> <h4>Syntax</h4><p>int</p> <h4>See Also</h4><p class="ls-text-small">Server <span class="tagl"><a href="ServGeneral_Help.html#serverPriority">Priority</a></span></p> </article> </div> <div class="helpitem"><article class="ls-helpitem"><div><header id="CPUSoftLimit"><h3>CPU Soft Limit (sec)<span class="ls-permlink"><a href="#CPUSoftLimit"></a></span><span class="top"><a href="#top">⇑</a></span></h3></header></div><h4>Description</h4><p>Specifies CPU consumption time limit in seconds for a CGI process. When the process reaches the soft limit, it will be notified by a signal. The operating system's default setting will be used if the value is absent or set to <span class="val">0</span>.</p> <h4>Syntax</h4><p>Integer number</p> </article> </div> <div class="helpitem"><article class="ls-helpitem"><div><header id="CPUHardLimit"><h3>CPU Hard Limit<span class="ls-permlink"><a href="#CPUHardLimit"></a></span><span class="top"><a href="#top">⇑</a></span></h3></header></div><h4>Description</h4><p>Specifies maximum CPU consumption time limit in seconds for a CGI process. If the process continues to consume CPU time and reach the hard limit, the process will be force killed. The operating system's default setting will be used if the value is absent or set to <span class="val">0</span>.</p> <h4>Syntax</h4><p>Integer number</p> </article> </div> <div class="helpitem"><article class="ls-helpitem"><div><header id="memSoftLimit"><h3>Memory Soft Limit (bytes)<span class="ls-permlink"><a href="#memSoftLimit"></a></span><span class="top"><a href="#top">⇑</a></span></h3></header></div><h4>Description</h4><p>Specifies the memory consumption limit in bytes for an external application process or an external application started by the server.<br/><br/> The main purpose of this limit is to prevent excessive memory usage because of software bugs or intentional attacks, not to impose a limit on normal usage. Make sure to leave enough head room, otherwise your application may fail and 503 error may be returned. It can be set at the server- level or at an individual external application level. The server-level limit will be used if it is not set at the individual application level.<br/><br/> The operating system's default setting will be used if the value is absent at both levels or set to <span class="val">0</span>.</p> <h4>Syntax</h4><p>Integer number</p> <h4>Tips</h4><p><span title="Attention" class="ls-icon-attention"></span> Do not over adjust this limit. This may result in 503 errors if your application needs more memory.</p> </article> </div> <div class="helpitem"><article class="ls-helpitem"><div><header id="memHardLimit"><h3>Memory Hard Limit (bytes)<span class="ls-permlink"><a href="#memHardLimit"></a></span><span class="top"><a href="#top">⇑</a></span></h3></header></div><h4>Description</h4><p>Much the same as <span class="tagl"><a href="#memSoftLimit">Memory Soft Limit (bytes)</a></span>, except the soft limit can be raised up to the hard limit from within a user process. The hard limit can be set at server level or at an individual external application level. The server-level limit will be used if it is not set at an individual application level.<br/><br/> The operating system's default will be used if the value is absent at both levels or set to <span class="val">0</span>.</p> <h4>Syntax</h4><p>Integer number</p> <h4>Tips</h4><p><span title="Attention" class="ls-icon-attention"></span> Do not over adjust this limit. This may result in 503 errors if your application need more memory.</p> </article> </div> <div class="helpitem"><article class="ls-helpitem"><div><header id="procSoftLimit"><h3>Process Soft Limit<span class="ls-permlink"><a href="#procSoftLimit"></a></span><span class="top"><a href="#top">⇑</a></span></h3></header></div><h4>Description</h4><p>Limits the total number of processes that can be created on behalf of a user. All existing processes will be counted against this limit, not just new processes to be started.<br/><br/> The limit can be set at the server level or at an individual external application level. The server-level limit will be used if it is not set at an individual application level. The operating system's default setting will be used if this value is 0 or absent at both levels.</p> <h4>Syntax</h4><p>Integer number</p> <h4>Tips</h4><p><span title="Information" class="ls-icon-info"></span> To control how many processes LSWS will make for users in mod_suEXEC mode, use the suEXEC Max Conn setting. PHP scripts can call for forking processes and the number of processes needed for normal functioning can be above the suEXEC Max Conn setting. The main purpose of this limit is as a last line of defense to prevent fork bombs and other attacks caused by PHP processes creating other processes.<br/><br/> Setting this setting too low can severely hurt functionality. The setting will thus be ignored below certain levels.<br/><br/> When <b>Run On Start Up</b> is set to "Yes (Daemon mode)", the actual process limit will be higher than this setting to make sure parent processes are not limited.</p> </article> </div> <div class="helpitem"><article class="ls-helpitem"><div><header id="procHardLimit"><h3>Process Hard Limit<span class="ls-permlink"><a href="#procHardLimit"></a></span><span class="top"><a href="#top">⇑</a></span></h3></header></div><h4>Description</h4><p>Much the same as <span class="tagl"><a href="#procSoftLimit">Process Soft Limit</a></span>, except the soft limit can be raised up to the hard limit from within a user process. The hard limit can be set at the server level or at an individual external application level. The server-level limit will be used if it is not set at an individual application level. The operating system's default value will be used if the value is absent at both levels or set to <span class="val">0</span>.</p> <h4>Syntax</h4><p>Integer number</p> </article> </div> <div class="helpitem"><article class="ls-helpitem"><div><header id="cgroups"><h3>cgroups<span class="ls-permlink"><a href="#cgroups"></a></span><span class="top"><a href="#top">⇑</a></span></h3></header></div><h4>Description</h4><p>Apply cgroup settings to this CGI process if supported by the current OS. At this time, RedHat/Centos Linux v7.5+ and Ubuntu 18.04+ are supported. The currently executing user will be used to determine which cgroup configuration to apply.<br/><br/> Setting this to <span class="val">Disabled</span> at the Server level will disable this setting server-wide. In all other cases, the Server level setting can be overridden at the Virtual Host level.<br/><br/> Default values:<br/> <b>Server level:</b> Off<br/> <b>VH level:</b> Inherit Server level setting</p> <h4>Syntax</h4><p>Select from drop down list</p> </article> </div> <div class="helpitem"><article class="ls-helpitem"><div><header id="lsrecaptcha"><h3>reCAPTCHA Protection<span class="ls-permlink"><a href="#lsrecaptcha"></a></span><span class="top"><a href="#top">⇑</a></span></h3></header></div><h4>Description</h4><p>reCAPTCHA Protection is a service provided as a way to mitigate heavy server load. reCAPTCHA Protection will activate after one of the below situations is hit. Once active, all requests by NON TRUSTED(as configured) clients will be redirected to a reCAPTCHA validation page. After validation, the client will be redirected to their desired page.<br/><br/> The following situations will activate reCAPTCHA Protection:<br/> 1. The server or vhost concurrent requests count passes the configured connection limit.<br/> 2. Anti-DDoS is enabled and a client is hitting a url in a suspicious manner. The client will redirect to reCAPTCHA first instead of getting denied when triggered.<br/> 3. WordPress Brute Force Attack Protection is enabled and action is set to 'CAPTCHA or Drop’. When a brute force attack is detected, the client will redirect to reCAPTCHA first. After max tries is reached, the connection will be dropped, as per the ‘drop’ option.<br/> 4. WordPress Brute Force Attack Protection is enabled and action is set to 'WP Login CAPTCHA Full Protection'. The client will always redirect to reCAPTCHA first.<br/> 5. A new rewrite rule environment is provided to activate reCAPTCHA via RewriteRules. 'verifycaptcha' can be set to redirect clients to reCAPTCHA. A special value ': deny' can be set to deny the client if it failed too many times. For example, [E=verifycaptcha] will always redirect to reCAPTCHA until verified. [E=verifycaptcha: deny] will redirect to reCAPTCHA until Max Tries is hit, after which the client will be denied.</p> </article> </div> <div class="helpitem"><article class="ls-helpitem"><div><header id="enableRecaptcha"><h3>Enable reCAPTCHA<span class="ls-permlink"><a href="#enableRecaptcha"></a></span><span class="top"><a href="#top">⇑</a></span></h3></header></div><h4>Description</h4><p>Enable the reCAPTCHA Protection feature at the current level. This setting must be set to <span class="val">Yes</span> at the Server level before the reCAPTCHA Protection feature can be used.<br/><br/> Default values:<br/> <b>Server-level:</b> <span class="val">No</span><br/> <b>VH-Level:</b> Inherit Server level setting</p> <h4>Syntax</h4><p>Select from radio box</p> </article> </div> <div class="helpitem"><article class="ls-helpitem"><div><header id="recaptchaSiteKey"><h3>Site Key<span class="ls-permlink"><a href="#recaptchaSiteKey"></a></span><span class="top"><a href="#top">⇑</a></span></h3></header></div><h4>Description</h4><p>The site key is the public key provided by Google via its reCAPTCHA service. A default Site Key will be used if not set.</p> </article> </div> <div class="helpitem"><article class="ls-helpitem"><div><header id="recaptchaSecretKey"><h3>Secret Key<span class="ls-permlink"><a href="#recaptchaSecretKey"></a></span><span class="top"><a href="#top">⇑</a></span></h3></header></div><h4>Description</h4><p>The secret key is the private key provided by Google via its reCAPTCHA service. A default Secret Key will be used if not set.</p> </article> </div> <div class="helpitem"><article class="ls-helpitem"><div><header id="recaptchaType"><h3>reCAPTCHA Type<span class="ls-permlink"><a href="#recaptchaType"></a></span><span class="top"><a href="#top">⇑</a></span></h3></header></div><h4>Description</h4><p>Specify the reCAPTCHA type to use with the key pairs. If a key pair has not been provided and this setting is set to <span class="val">Not Set</span>, a default key pair of type <span class="val">Invisible</span> will be used.<br/> <span class="val">Checkbox</span> will display a checkbox reCAPTCHA for the visitor to validate.<br/> <span class="val">Invisible</span> will attempt to validate the reCAPTCHA automatically and if successful, will redirect to the desired page.<br/><br/> Default value is <span class="val">Invisible</span>.</p> <h4>Syntax</h4><p>Select from drop down list</p> </article> </div> <div class="helpitem"><article class="ls-helpitem"><div><header id="recaptchaSensitivity"><h3>Trigger Sensitivity<span class="ls-permlink"><a href="#recaptchaSensitivity"></a></span><span class="top"><a href="#top">⇑</a></span></h3></header></div><h4>Description</h4><p>Automatic reCAPTCHA sensitivity. The higher the value, the more likely reCAPTCHA Protection will be used. A value of <span class="val">0</span> is equivalent to "Off" while a value of <span class="val">100</span> is equivalent to "Always On".<br/><br/> Default values:<br/> <b>Server level:</b> 0<br/> <b>Virtual Host level:</b> Inherit Server level setting</p> <h4>Syntax</h4><p>Integer value between 0 and 100.</p> </article> </div> <div class="helpitem"><article class="ls-helpitem"><div><header id="recaptchaMaxTries"><h3>Max Tries<span class="ls-permlink"><a href="#recaptchaMaxTries"></a></span><span class="top"><a href="#top">⇑</a></span></h3></header></div><h4>Description</h4><p>Max Tries specifies the maximum number of reCAPTCHA attempts permitted before denying the visitor.<br/><br/> Default value is <span class="val">3</span>.</p> <h4>Syntax</h4><p>Integer number</p> </article> </div> <div class="helpitem"><article class="ls-helpitem"><div><header id="verifyExpires"><h3>Verification Expires (secs)<span class="ls-permlink"><a href="#verifyExpires"></a></span><span class="top"><a href="#top">⇑</a></span></h3></header></div><h4>Description</h4><p>Sets the expire time of a successful reCAPTCHA submission, after which reCAPTCHA protection will re-trigger for that visitor.<br/><br/> Default value: <span class="val">86,400</span> (1 day).</p> <h4>Syntax</h4><p>Integer value between 30 and 31,536,000 (1 year).</p> </article> </div> <div class="helpitem"><article class="ls-helpitem"><div><header id="recaptchaAllowedRobotHits"><h3>Allowed Robot Hits<span class="ls-permlink"><a href="#recaptchaAllowedRobotHits"></a></span><span class="top"><a href="#top">⇑</a></span></h3></header></div><h4>Description</h4><p>Number of hits per 10 seconds to allow ‘good bots’ to pass. Bots will still be throttled when the server is under load.<br/><br/> Default value is <span class="val">3</span>.</p> <h4>Syntax</h4><p>Integer number</p> </article> </div> <div class="helpitem"><article class="ls-helpitem"><div><header id="recaptchaBotWhiteList"><h3>Bot White List<span class="ls-permlink"><a href="#recaptchaBotWhiteList"></a></span><span class="top"><a href="#top">⇑</a></span></h3></header></div><h4>Description</h4><p>List of custom user agents to allow access. Will be subject to the ‘good bots’ limitations, including allowedRobotHits.</p> <h4>Syntax</h4><p>List of user agents, one per line. Regex is supported.</p> </article> </div> <div class="helpitem"><article class="ls-helpitem"><div><header id="bubbleWrap"><h3>Bubblewrap Container<span class="ls-permlink"><a href="#bubbleWrap"></a></span><span class="top"><a href="#top">⇑</a></span></h3></header></div><h4>Description</h4><p>Set to <span class="val">On</span> if you wish to start CGI processes (including PHP programs) in a bubblewrap sandbox. See <a href=" https://wiki.archlinux.org/title/Bubblewrap " target="_blank" rel="noopener noreferrer"> https://wiki.archlinux.org/title/Bubblewrap </a> for details on using bubblewrap. Bubblewrap must be installed on your system prior to using this setting.<br/><br/> This setting cannot be turned on at the Virtual Host level if set to "Disabled" at the Server level.<br/><br/> Default values:<br/> <b>Server level:</b> Disabled<br/> <b>VH level:</b> Inherit Server level setting</p> <h4>Syntax</h4><p>Select from drop down list</p> </article> </div> <div class="helpitem"><article class="ls-helpitem"><div><header id="bubbleWrapCmd"><h3>Bubblewrap Command<span class="ls-permlink"><a href="#bubbleWrapCmd"></a></span><span class="top"><a href="#top">⇑</a></span></h3></header></div><h4>Description</h4><p>The full bubblewrap use command, including the bubblewrap program itself. More on configuring this command can be found here: <a href=" https://docs.litespeedtech.com/products/lsws/bubblewrap " target="_blank" rel="noopener noreferrer"> https://docs.litespeedtech.com/products/lsws/bubblewrap </a>. If not specified, the default command listed below will be used.<br/><br/> Default value: <span class="cmd">/bin/bwrap --ro-bind /usr /usr --ro-bind /lib /lib --ro-bind-try /lib64 /lib64 --ro-bind /bin /bin --ro-bind /sbin /sbin --dir /var --dir /tmp --proc /proc --symlink ../tmp var/tmp --dev /dev --ro-bind-try /etc/localtime /etc/localtime --ro-bind-try /etc/ld.so.cache /etc/ld.so.cache --ro-bind-try /etc/resolv.conf /etc/resolv.conf --ro-bind-try /etc/ssl /etc/ssl --ro-bind-try /etc/pki /etc/pki --ro-bind-try /etc/man_db.conf /etc/man_db.conf --ro-bind-try /home/$USER /home/$USER --bind-try /var/lib/mysql/mysql.sock /var/lib/mysql/mysql.sock --bind-try /home/mysql/mysql.sock /home/mysql/mysql.sock --bind-try /tmp/mysql.sock /tmp/mysql.sock --unshare-all --share-net --die-with-parent --dir /run/user/$UID ‘$PASSWD 65534’ ‘$GROUP 65534’</span></p> </article> </div> <div class="helpitem"><article class="ls-helpitem"><div><header id="accessDenyDir"><h3>Access Denied Directories<span class="ls-permlink"><a href="#accessDenyDir"></a></span><span class="top"><a href="#top">⇑</a></span></h3></header></div><h4>Description</h4><p>Specifies directories that should be blocked from access. Add directories that contain sensitive data to this list to prevent accidentally exposing sensitive files to clients. Append a "" to the path to include all sub-directories. If both <span class="tagl"><a href="#followSymbolLink">Follow Symbolic Link</a></span> and <span class="tagl"><a href="#checkSymbolLink">Check Symbolic Link</a></span> are enabled, symbolic links will be checked against the denied directories.</p> <h4>Syntax</h4><p>Comma-delimited list of directories</p> <h4>Tips</h4><p><span title="Security" class="ls-icon-security"></span> Of critical importance: This setting only prevents serving static files from these directories. This does not prevent exposure by external scripts such as PHP/Ruby/CGI.</p> </article> </div> <div class="helpitem"><article class="ls-helpitem"><div><header id="accessControl"><h3>Access Control<span class="ls-permlink"><a href="#accessControl"></a></span><span class="top"><a href="#top">⇑</a></span></h3></header></div><h4>Description</h4><p>Specifies what sub networks and/or IP addresses can access the server. At the server level, this setting will affect all virtual hosts. You can also set up access control unique to each virtual host at the virtual host level. Virtual host level settings will NOT override server level settings.<br/><br/> Blocking/Allowing an IP is determined by the combination of the allowed list and the denied list. If you want to block only certain IPs or sub-networks, put <span class="val"></span> or <span class="val">ALL</span> in the <span class="tagl"><a href="#accessControl_allow">Allowed List</a></span> and list the blocked IPs or sub-networks in the <span class="tagl"><a href="#accessControl_deny">Denied List</a></span>. If you want to allow only certain IPs or sub-networks, put <span class="val"></span> or <span class="val">ALL</span> in the <span class="tagl"><a href="#accessControl_deny">Denied List</a></span> and list the allowed IPs or sub-networks in the <span class="tagl"><a href="#accessControl_allow">Allowed List</a></span>. The setting of the smallest scope that fits for an IP will be used to determine access.<br/><br/> <b>Server Level:</b> Trusted IPs or sub-networks must be specified in the <span class="tagl"><a href="#accessControl_allow">Allowed List</a></span> by adding a trailing "T". Trusted IPs or sub-networks are not affected by connection/throttling limits. Only server level access control can set up trusted IPs/sub-networks.</p> <h4>Tips</h4><p><span title="Security" class="ls-icon-security"></span> Use this at the server level for general restrictions that apply to all virtual hosts.</p> </article> </div> <div class="helpitem"><article class="ls-helpitem"><div><header id="accessControl_allow"><h3>Allowed List<span class="ls-permlink"><a href="#accessControl_allow"></a></span><span class="top"><a href="#top">⇑</a></span></h3></header></div><h4>Description</h4><p>Specifies the list of IPs or sub-networks allowed. <span class="val"></span> or <span class="val">ALL</span> are accepted.</p> <h4>Syntax</h4><p>Comma delimited list of IP addresses or sub-networks. A trailing "T" can be used to indicate a trusted IP or sub-network, such as <span class="val">192.168.1.T</span>.</p> <h4>Example</h4><div class="ls-example"><b>Sub-networks:</b> 192.168.1.0/255.255.255.0, 192.168.1.0/24, 192.168.1, or 192.168.1.<br/> <b>IPv6 addresses:</b> ::1 or [::1]<br/> <b>IPv6 subnets:</b> 3ffe:302:11:2:20f:1fff:fe29:717c/64 or [3ffe:302:11:2:20f:1fff:fe29:717c]/64</div><h4>Tips</h4><p><span title="Security" class="ls-icon-security"></span> Trusted IPs or sub-networks set at the server level access control will be excluded from connection/throttling limits.</p> </article> </div> <div class="helpitem"><article class="ls-helpitem"><div><header id="accessControl_deny"><h3>Denied List<span class="ls-permlink"><a href="#accessControl_deny"></a></span><span class="top"><a href="#top">⇑</a></span></h3></header></div><h4>Description</h4><p>Specifies the list of IPs or sub-networks disallowed.</p> <h4>Syntax</h4><p>Comma delimited list of IP addresses or sub-networks. <span class="val"></span> or <span class="val">ALL</span> are accepted.</p> <h4>Example</h4><div class="ls-example"><b>Sub-networks:</b> 192.168.1.0/255.255.255.0, 192.168.1.0/24, 192.168.1, or 192.168.1.<br/> <b>IPv6 addresses:</b> ::1 or [::1]<br/> <b>IPv6 subnets:</b> 3ffe:302:11:2:20f:1fff:fe29:717c/64 or [3ffe:302:11:2:20f:1fff:fe29:717c]/64</div></article> </div> </section> </article><div class="ls-col-1-1"><footer class="copyright">Copyright © 2003-2020. <a href="https://www.litespeedtech.com">LiteSpeed Technologies Inc.</a> All rights reserved.</footer> </div></div> </body> </html> ��usr/local/lswsbak/docs/zh-CN/ServSecurity_Help.html��0000644��00000145034�15030566134�0016303 0��ustar�00��<!DOCTYPE html> <head> <meta charset="utf-8" /> <meta http-equiv="X-UA-Compatible" content="IE=edge,chrome=1" /> <title>OpenLiteSpeed Users' Manual - 服务器安全</title> <meta name="description" content="OpenLiteSpeed Users' Manual - 服务器安全." /> <meta name="viewport" content="width=device-width, initial-scale=1.0" /> <meta name="robots" content="noindex"> <link rel="shortcut icon" href="../img/favicon.ico" /> <link rel="stylesheet" type="text/css" href="../css/hdoc.css"> </head> <body> <div class="pagewrapper clearfix"><aside class="sidetree ls-col-1-5"> <figure> <img src="img/ols_logo.svg" alt="openlitespeed logo" width="150px"/> </figure> <h2 class="ls-text-thin"> OpenLiteSpeed Web Server <a href="index.html"> Users' Manual</a> </h2> <h3 class="ls-text-muted">Version 1.8  — Rev. 3</h3> <hr/> <div> <ul> <li><a href="license.html">License</a></li> <li><a href="intro.html">Introduction</a></li> <li><a href="install.html">Installation</a></li> <li> <a href="admin.html">Administration</a> <ul class="level2"> <li><a href="ServerStat_Help.html">Service Manager</a></li> <li><a href="Real_Time_Stats_Help.html">Real-Time Stats</a></li> </ul> </li> <li><a href="security.html">Security</a></li> <li> <a href="config.html">Configuration</a> <ul class="level2"> <li><a href="ServGeneral_Help.html">Server General</a></li> <li><a href="ServLog_Help.html">Server Log</a></li> <li><a href="ServTuning_Help.html">Server Tuning</a></li> <li><span class="current"><a href="ServSecurity_Help.html">Server Security</a></span></li> <li><a href="ExtApp_Help.html">External Apps</a></li> <ul class="level3"> <li><a href="External_FCGI.html">Fast CGI App</a></li> <li><a href="External_FCGI_Auth.html">Fast CGI Authorizer</a></li> <li><a href="External_LSAPI.html">LSAPI App</a></li> <li><a href="External_Servlet.html">Servlet Engine</a></li> <li><a href="External_WS.html">Web Server</a></li> <li><a href="External_PL.html">Piped logger</a></li> <li><a href="External_LB.html">Load Balancer</a></li> </ul> <li><a href="ScriptHandler_Help.html">Script Handler</a></li> <li><a href="App_Server_Help.html">App Server Settings</a></li> <li><a href="Module_Help.html">Module Configuration</a></li> <li><a href="Listeners_General_Help.html">Listener General</a></li> <li><a href="Listeners_SSL_Help.html">Listener SSL</a></li> <li><a href="Templates_Help.html">Virtual Host Templates</a></li> <li><a href="VirtualHosts_Help.html">Virtual Host Basic</a></li> <li><a href="VHGeneral_Help.html">Virtual Host General</a></li> <li><a href="VHSecurity_Help.html">Virtual Host Security</a></li> <li><a href="VHSSL_Help.html">Virtual Host SSL</a></li> <li><a href="Rewrite_Help.html">Rewrite</a></li> <li><a href="Context_Help.html">Context</a></li> <ul class="level3"> <li><a href="Static_Context.html">Static Context</a></li> <li> <a href="Java_Web_App_Context.html">Java Web App Context</a> </li> <li><a href="Servlet_Context.html">Servlet Context</a></li> <li><a href="FCGI_Context.html">Fast CGI Context</a></li> <li><a href="LSAPI_Context.html">LSAPI Context</a></li> <li><a href="Proxy_Context.html">Proxy Context</a></li> <li><a href="CGI_Context.html">CGI Context</a></li> <li><a href="LB_Context.html">Load Balancer Context</a></li> <li><a href="Redirect_Context.html">Redirect Context</a></li> <li><a href="App_Server_Context.html">App Server Context</a></li> <li><a href="Module_Context.html">Module Handler Context</a></li> </ul> <li><a href="VHWebSocket_Help.html">Web Socket Proxy</a></li> </ul> </li> <li><a href="webconsole.html">Web Console</a> <ul class="level2"> <li><a href="AdminGeneral_Help.html">Admin Console General</a></li> <li><a href="AdminSecurity_Help.html">Admin Console Security</a></li> <li> <a href="AdminListeners_General_Help.html"> Admin Listener General </a> </li> <li> <a href="AdminListeners_SSL_Help.html">Admin Listener SSL</a> </li> </ul> </li> </ul> </div> </aside> <article class="contentwrapper ls-col-3-5 clearfix"><div class="nav-bar ls-spacer-micro-top"><div class="prev">&#171 <a href="ServTuning_Help.html">服务器调节</a></div><div class="center"><a href="config.html">Configuration</a></div><div class="next"><a href="ExtApp_Help.html">外部应用</a> »</div></div> <h1>服务器安全</h1><h2 id="top">Table of Contents</h2><section class="toc"><section class="toc-row"><header>File Access</header><p> <a href="#followSymbolLink">跟随符号链接</a> \| <a href="#checkSymbolLink">检查符号链接</a> \| <a href="#forceStrictOwnership">强制严格属主检查</a> \| <a href="#requiredPermissionMask">必需的权限掩码</a> \| <a href="#restrictedPermissionMask">限制权限掩码</a> \| <a href="#restrictedScriptPermissionMask">脚本限制权限掩码</a> \| <a href="#restrictedDirPermissionMask">脚本目录限制权限掩码</a></p></section> <section class="toc-row"><header><a href="#perClientConnLimit">客户端流量限制</a></header><p> <a href="#staticReqPerSec">静态请求/秒</a> \| <a href="#dynReqPerSec">动态请求/秒</a> \| <a href="#outBandwidth">出口带宽 (bytes/sec)</a> \| <a href="#inBandwidth">入口带宽 (bytes/sec)</a> \| <a href="#softLimit">连接软限制</a> \| <a href="#hardLimit">连接硬限制</a> \| <a href="#blockBadReq">封锁坏请求</a> \| <a href="#gracePeriod">宽限期（秒）</a> \| <a href="#banPeriod">禁止期（秒）</a></p></section> <section class="toc-row"><header><a href="#cgiResource">CGI Settings</a></header><p> <a href="#cgidSock">CGI守护进程套接字</a> \| <a href="#maxCGIInstances">最大CGI实例数量</a> \| <a href="#minUID">最小的UID</a> \| <a href="#minGID">最小的GID</a> \| <a href="#forceGID">强制GID</a> \| <a href="#umask">umask</a> \| <a href="#CGIPriority">CGI优先级</a> \| <a href="#CPUSoftLimit">CPU软限制(秒)</a> \| <a href="#CPUHardLimit">CPU硬限制</a> \| <a href="#memSoftLimit">内存软限制 (bytes)</a> \| <a href="#memHardLimit">内存硬限制 (bytes)</a> \| <a href="#procSoftLimit">进程软限制</a> \| <a href="#procHardLimit">进程硬限制</a> \| <a href="#cgroups">cgroups</a></p></section> <section class="toc-row"><header><a href="#lsrecaptcha">reCAPTCHA保护</a></header><p> <a href="#enableRecaptcha">启用reCAPTCHA</a> \| <a href="#recaptchaSiteKey">网站密匙</a> \| <a href="#recaptchaSecretKey">密匙</a> \| <a href="#recaptchaType">reCAPTCHA类型</a> \| <a href="#recaptchaMaxTries">最大尝试次数</a> \| <a href="#recaptchaAllowedRobotHits">允许的机器人点击</a> \| <a href="#recaptchaBotWhiteList">Bot白名单</a> \| <a href="#recaptchaRegConnLimit">连接限制</a> \| <a href="#recaptchaSslConnLimit">SSL连接限制</a></p></section> <section class="toc-row"><header>Containers</header><p> <a href="#bubbleWrap">Bubblewrap Container</a> \| <a href="#bubbleWrapCmd">Bubblewrap Command</a> \| <a href="#namespace">Namespace Container</a> \| <a href="#namespaceConf">Namespace Template File</a></p></section> <section class="toc-row"><header>Access Denied Directories</header><p> <a href="#accessDenyDir">拒绝访问的目录</a></p></section> <section class="toc-row"><header><a href="#accessControl">登入限制</a></header><p> <a href="#accessControl_allow">允许列表</a> \| <a href="#accessControl_deny">拒绝列表</a></p></section> </section> <section><div class="helpitem"><article class="ls-helpitem"><div><header id="followSymbolLink"><h3>跟随符号链接<span class="ls-permlink"><a href="#followSymbolLink"></a></span><span class="top"><a href="#top">⇑</a></span></h3></header></div><h4>Description</h4><p>指定服务静态文件时跟踪符号链接的服务器级别默认设置。<br/><br/> 选项有<span class="val">Yes</span>、<span class="val">If Owner Match</span>和<span class="val">No</span>。<br/><br/> <span class="val">Yes</span>设置服务器始终跟踪符号链接。 <span class="val">If Owner Match</span>设置服务器只有在链接和目标属主一致时才跟踪符号链接。 <span class="val">No</span>表示服务器永远不会跟踪符号链接。该设置可以在虚拟主机配置中覆盖，但不能通过.htaccess文件覆盖。</p> <h4>Syntax</h4><p>从列表中选择</p> <h4>提示</h4><p>[性能和安全建议] 要获得最佳安全性，选择{VAL}No</span>或<span class="val">If Owner Match</span>。要获得最佳性能，选择{VAL}Yes</span>。</p> <h4>See Also</h4><p class="ls-text-small"><span class="tagl"><a href="#checkSymbolLink">检查符号链接</a></span>.</p> </article> </div> <div class="helpitem"><article class="ls-helpitem"><div><header id="checkSymbolLink"><h3>检查符号链接<span class="ls-permlink"><a href="#checkSymbolLink"></a></span><span class="top"><a href="#top">⇑</a></span></h3></header></div><h4>Description</h4><p>指定在启用了<span class="tagl"><a href="#followSymbolLink">跟随符号链接</a></span>时，是否检查符号链接在不在<span class="tagl"><a href="#accessDenyDir">拒绝访问的目录</a></span>中。如果启用检查，将检查网址对应的真正的资源路径是否在配置的禁止访问目录中。如果在禁止访问目录中，访问将被禁止。</p> <h4>Syntax</h4><p>从单选框选择</p> <h4>提示</h4><p>[性能和安全] 要获得最佳的安全性，启用该选项。要获得最佳性能，禁用该选项。</p> <h4>See Also</h4><p class="ls-text-small"><span class="tagl"><a href="#followSymbolLink">跟随符号链接</a></span>, <span class="tagl"><a href="#accessDenyDir">拒绝访问的目录</a></span></p> </article> </div> <div class="helpitem"><article class="ls-helpitem"><div><header id="forceStrictOwnership"><h3>强制严格属主检查<span class="ls-permlink"><a href="#forceStrictOwnership"></a></span><span class="top"><a href="#top">⇑</a></span></h3></header></div><h4>Description</h4><p>指定是否执行严格的文件所有权检查。如果启用，Web服务器将检查正在服务的文件的所有者与虚拟主机的所有者是否相同。如果不同，将返回403拒绝访问错误。该功能默认是关闭的。</p> <h4>Syntax</h4><p>从单选框选择</p> <h4>提示</h4><p>[安全建议] 对于共享主机，启用此检查以得到更好的安全性。</p> </article> </div> <div class="helpitem"><article class="ls-helpitem"><div><header id="requiredPermissionMask"><h3>必需的权限掩码<span class="ls-permlink"><a href="#requiredPermissionMask"></a></span><span class="top"><a href="#top">⇑</a></span></h3></header></div><h4>Description</h4><p>为静态文件指定必需的权限掩码。例如，如果只允许所有人都可读的文件可以被输出，将该值设置为<span class="val">0004</span>。用<span class="cmd">man 2 stat</span>命令了解所有可选值。</p> <h4>Syntax</h4><p>octal numbers</p> <h4>See Also</h4><p class="ls-text-small"><span class="tagl"><a href="#restrictedPermissionMask">限制权限掩码</a></span>.</p> </article> </div> <div class="helpitem"><article class="ls-helpitem"><div><header id="restrictedPermissionMask"><h3>限制权限掩码<span class="ls-permlink"><a href="#restrictedPermissionMask"></a></span><span class="top"><a href="#top">⇑</a></span></h3></header></div><h4>Description</h4><p>为不能输出的静态文件指定限制权限掩码。例如，要禁止服务可执行文件，将掩码设置为<span class="val">0111</span>。<br/><br/> 用<span class="cmd">man 2 stat</span>命令了解所有可选值。</p> <h4>Syntax</h4><p>octal numbers</p> <h4>See Also</h4><p class="ls-text-small"><span class="tagl"><a href="#requiredPermissionMask">必需的权限掩码</a></span>.</p> </article> </div> <div class="helpitem"><article class="ls-helpitem"><div><header id="restrictedScriptPermissionMask"><h3>脚本限制权限掩码<span class="ls-permlink"><a href="#restrictedScriptPermissionMask"></a></span><span class="top"><a href="#top">⇑</a></span></h3></header></div><h4>Description</h4><p>为不能服务的脚本文件指定限制权限掩码。例如，要禁止服务属组可写和全局可写的PHP脚本，设置掩码为<span class="val">022</span>。默认值是<span class="val">000</span>。<br/><br/> 用<span class="cmd">man 2 stat</span>命令了解所有可选值。</p> <h4>Syntax</h4><p>octal numbers</p> <h4>See Also</h4><p class="ls-text-small"><span class="tagl"><a href="#restrictedDirPermissionMask">脚本目录限制权限掩码</a></span>.</p> </article> </div> <div class="helpitem"><article class="ls-helpitem"><div><header id="restrictedDirPermissionMask"><h3>脚本目录限制权限掩码<span class="ls-permlink"><a href="#restrictedDirPermissionMask"></a></span><span class="top"><a href="#top">⇑</a></span></h3></header></div><h4>Description</h4><p>Specifies the restricted permission mask of parent directories of script files that the server will not serve. For example, to prohibit serving PHP scripts in a directory that is group and world writable, set the mask to <span class="val">022</span>. Default value is <span class="val">000</span>. This option can be used to prevent serving scripts under a directory of uploaded files.<br/><br/> See <span class="cmd">man 2 stat</span> for all values.</p> <h4>Syntax</h4><p>octal numbers</p> <h4>See Also</h4><p class="ls-text-small"><span class="tagl"><a href="#restrictedScriptPermissionMask">脚本限制权限掩码</a></span>.</p> </article> </div> <div class="helpitem"><article class="ls-helpitem"><div><header id="perClientConnLimit"><h3>客户端流量限制<span class="ls-permlink"><a href="#perClientConnLimit"></a></span><span class="top"><a href="#top">⇑</a></span></h3></header></div><h4>Description</h4><p>这些是基于客户端IP的连接控制设置。这些设置有助于缓解DoS（拒绝服务）和DDoS（分布式拒绝服务）攻击。</p> </article> </div> <div class="helpitem"><article class="ls-helpitem"><div><header id="staticReqPerSec"><h3>静态请求/秒<span class="ls-permlink"><a href="#staticReqPerSec"></a></span><span class="top"><a href="#top">⇑</a></span></h3></header></div><h4>Description</h4><p>指定每秒可处理的来自单个IP的静态内容请求数量（无论与该IP之间建立了多少个连接）。<br/><br/> 当达到此限制时，所有后来的请求将被延滞到下一秒。对于动态内容请求的限制与本限制无关。每个客户端的请求限制可以在服务器或虚拟主机级别设置。虚拟主机级别的设置将覆盖服务器级别的设置。</p> <h4>Syntax</h4><p>整数</p> <h4>提示</h4><p>[安全] 受信任的IP或子网不受影响。</p> <h4>See Also</h4><p class="ls-text-small"><span class="tagl"><a href="#dynReqPerSec">动态请求/秒</a></span></p> </article> </div> <div class="helpitem"><article class="ls-helpitem"><div><header id="dynReqPerSec"><h3>动态请求/秒<span class="ls-permlink"><a href="#dynReqPerSec"></a></span><span class="top"><a href="#top">⇑</a></span></h3></header></div><h4>Description</h4><p>指定每秒可处理的来自单个IP的动态请求的数量（无论与该IP之间建立了多少个连接）当达到此限制时，所有后来的请求将被延滞到下一秒。<br/><br/> 静态内容的请求限制与此限制无关。可以在服务器或虚拟主机级别设置每个客户端请求的限制。虚拟主机级别的设置将覆盖服务器级别的设置。</p> <h4>Syntax</h4><p>整数</p> <h4>提示</h4><p>[安全] 受信任的IP或子网不受影响。</p> <h4>See Also</h4><p class="ls-text-small"><span class="tagl"><a href="#staticReqPerSec">静态请求/秒</a></span></p> </article> </div> <div class="helpitem"><article class="ls-helpitem"><div><header id="outBandwidth"><h3>出口带宽 (bytes/sec)<span class="ls-permlink"><a href="#outBandwidth"></a></span><span class="top"><a href="#top">⇑</a></span></h3></header></div><h4>Description</h4><p>指定对单个IP地址允许的最大传出吞吐量（无论与该IP之间建立了多少个连接）。为提高效率，真正的带宽可能最终会略高于设定值。带宽按4KB为单位分配。设定值为<span class="val">0</span>可禁用限制。每个客户端的带宽限制（字节/秒）可以在服务器或虚拟主机级别设置。虚拟主机级别的设置将覆盖服务器级别的设置。</p> <h4>Syntax</h4><p>整数</p> <h4>提示</h4><p>[性能建议] 按8KB单位设置带宽可获得更好的性能。<br/> [安全建议] 受信任的IP或子网不受影响。</p> <h4>See Also</h4><p class="ls-text-small"><span class="tagl"><a href="#inBandwidth">入口带宽 (bytes/sec)</a></span></p> </article> </div> <div class="helpitem"><article class="ls-helpitem"><div><header id="inBandwidth"><h3>入口带宽 (bytes/sec)<span class="ls-permlink"><a href="#inBandwidth"></a></span><span class="top"><a href="#top">⇑</a></span></h3></header></div><h4>Description</h4><p>指定对单个IP地址允许的最大传入吞吐量（无论与该IP之间建立了多少个连接）。为提高效率，真正的带宽可能最终会略高于设定值。带宽是按1KB单位分配。设定值为<span class="val">0</span>可禁用限制。每个客户端的带宽限制（字节/秒）可以在服务器或虚拟主机级别设置。虚拟主机级别的设置将覆盖服务器级别的设置。</p> <h4>Syntax</h4><p>整数</p> <h4>提示</h4><p>[安全] 受信任的IP或子网不受影响。</p> <h4>See Also</h4><p class="ls-text-small"><span class="tagl"><a href="#outBandwidth">出口带宽 (bytes/sec)</a></span></p> </article> </div> <div class="helpitem"><article class="ls-helpitem"><div><header id="softLimit"><h3>连接软限制<span class="ls-permlink"><a href="#softLimit"></a></span><span class="top"><a href="#top">⇑</a></span></h3></header></div><h4>Description</h4><p>指定来自单个IP的并发连接的软限制。并发连接数低于<span class="tagl"><a href="#hardLimit">连接硬限制</a></span>时，此软限制可以在<span class="tagl"><a href="#gracePeriod">宽限期（秒）</a></span>期间临时超过，但Keep-Alive连接将被尽快断开，直到连接数低于软限制。如果<span class="tagl"><a href="#gracePeriod">宽限期（秒）</a></span>之后，连接数仍然超过软限制，相应的IP将被封锁 <span class="tagl"><a href="#banPeriod">禁止期（秒）</a></span>所设置的时长。<br/> 例如，如果页面包含许多小图像，浏览器可能会尝试同时建立许多连接，尤其是HTTP/1.0客户端。你应当在短时间内允许这些连接。<br/><br/> HTTP/1.1客户端还可能建立多个连接，以加快下载，另外SSL需要为非SSL连接建立单独的连接。确保限制设置正确，以免影响正常服务。建议限制在<span class="val">5</span>与<span class="val">10</span>之间。</p> <h4>Syntax</h4><p>整数</p> <h4>提示</h4><p><span title="Information" class="ls-icon-info"></span> 安全建议] 一个较低的数字将使得服务器可以服务更多独立的客户。<br/> [安全建议] 受信任的IP或子网不受影响。<br/> [性能建议] 使用大量并发客户端进行性能评测时，请设置一个较高的值。</p> </article> </div> <div class="helpitem"><article class="ls-helpitem"><div><header id="hardLimit"><h3>连接硬限制<span class="ls-permlink"><a href="#hardLimit"></a></span><span class="top"><a href="#top">⇑</a></span></h3></header></div><h4>Description</h4><p>指定来自单个IP的并发连接的硬限制。此限制是永远执行的，客户端将永远无法超过这个限制。 HTTP/1.0客户端通常会尝试建立尽可能多的连接，因为它们需要同时下载嵌入的内容。此限制应设置得足够高，以使HTTP/1.0客户端仍然可以访问相应的网站。使用<span class="tagl"><a href="#softLimit">连接软限制</a></span>设置期望的连接限制。<br/><br/> 建议根据你的网页内容和流量负载，限制在<span class="val">20</span>与<span class="val">50</span>之间。</p> <h4>Syntax</h4><p>整数</p> <h4>提示</h4><p>[安全] 一个较低的数字将使得服务器可以服务更多独立的客户。<br/> [安全] 受信任的IP或子网不受影响。<br/> [性能] 使用大量并发客户端进行基准测试时，设置一个较高的值。</p> </article> </div> <div class="helpitem"><article class="ls-helpitem"><div><header id="blockBadReq"><h3>封锁坏请求<span class="ls-permlink"><a href="#blockBadReq"></a></span><span class="top"><a href="#top">⇑</a></span></h3></header></div><h4>Description</h4><p>封锁持续发送坏HTTP请求的IP<span class="tagl"><a href="#banPeriod">禁止期（秒）</a></span>所设置的时长。默认为{VAL}Yes</span>。这有助于封锁反复发送垃圾请求的僵尸网络攻击。</p> <h4>Syntax</h4><p>从单选框选择</p> </article> </div> <div class="helpitem"><article class="ls-helpitem"><div><header id="gracePeriod"><h3>宽限期（秒）<span class="ls-permlink"><a href="#gracePeriod"></a></span><span class="top"><a href="#top">⇑</a></span></h3></header></div><h4>Description</h4><p>指定来自一个IP的连接数超过<span class="tagl"><a href="#softLimit">连接软限制</a></span>之后，多长时间之内可以继续接受新连接。在此期间，如果总连接数仍然低于<span class="tagl"><a href="#hardLimit">连接硬限制</a></span>，将继续接受新连接。之后，如果连接数仍然高于<span class="tagl"><a href="#softLimit">连接软限制</a></span>，相应的IP将被封锁<span class="tagl"><a href="#banPeriod">禁止期（秒）</a></span>里设置的时长。</p> <h4>Syntax</h4><p>整数</p> <h4>提示</h4><p>[性能与安全建议] 设置为足够大的数量，以便下载完整网页，但也要足够低以防范蓄意攻击。</p> </article> </div> <div class="helpitem"><article class="ls-helpitem"><div><header id="banPeriod"><h3>禁止期（秒）<span class="ls-permlink"><a href="#banPeriod"></a></span><span class="top"><a href="#top">⇑</a></span></h3></header></div><h4>Description</h4><p>指定在<span class="tagl"><a href="#gracePeriod">宽限期（秒）</a></span>之后，如果连接数仍然高于 <span class="tagl"><a href="#softLimit">连接软限制</a></span>，来自该IP的新连接将被拒绝多长时间。如果IP 经常被屏蔽，我们建议您延长禁止期以更强硬地惩罚滥用.</p> <h4>Syntax</h4><p>整数</p> </article> </div> <div class="helpitem"><article class="ls-helpitem"><div><header id="cgiResource"><h3>CGI Settings<span class="ls-permlink"><a href="#cgiResource"></a></span><span class="top"><a href="#top">⇑</a></span></h3></header></div><h4>Description</h4><p>The following settings control CGI processes. Memory and process limits also serve as the default for other external applications if limits have not been set explicitly for those applications.</p> </article> </div> <div class="helpitem"><article class="ls-helpitem"><div><header id="cgidSock"><h3>CGI守护进程套接字<span class="ls-permlink"><a href="#cgidSock"></a></span><span class="top"><a href="#top">⇑</a></span></h3></header></div><h4>Description</h4><p>用于与CGI守护进程沟通的唯一套接字地址。为了最佳性能和安全性，LiteSpeed服务器使用一个独立的CGI 守护进程来产生CGI脚本的子进程。默认套接字是<span class="val">uds://$SERVER_ROOT/admin/lscgid/.cgid.sock</span>。如果你需要放置在另一个位置，在这里指定一个Unix域套接字。</p> <h4>Syntax</h4><p>UDS://path</p> <h4>例子</h4><div class="ls-example">UDS://tmp/lshttpd/cgid.sock</div></article> </div> <div class="helpitem"><article class="ls-helpitem"><div><header id="maxCGIInstances"><h3>最大CGI实例数量<span class="ls-permlink"><a href="#maxCGIInstances"></a></span><span class="top"><a href="#top">⇑</a></span></h3></header></div><h4>Description</h4><p>S指定服务器可以启动的CGI进程最大并发数量。对于每个对CGI脚本的请求，服务器需要启动一个独立的CGI进程。在Unix系统中，并发进程的数量是有限的。过多的并发进程会降低整个系统的性能，也是一种进行拒绝服务攻击的方法。 LiteSpeed服务器将对CGI脚本的请求放入管道队列，限制并发 CGI进程数量，以确保最优性能和可靠性。硬限制为<span class="val">2000</span>。</p> <h4>Syntax</h4><p>整数</p> <h4>提示</h4><p>[安全和性能建议] 更高的数量并不一定转化为更快的性能。在大多数情况下，更低的数量提供更好的性能和安全性。更高的数量只在CGI处理过程中读写延迟过高时有帮助。</p> </article> </div> <div class="helpitem"><article class="ls-helpitem"><div><header id="minUID"><h3>最小的UID<span class="ls-permlink"><a href="#minUID"></a></span><span class="top"><a href="#top">⇑</a></span></h3></header></div><h4>Description</h4><p>指定外部应用程序的最小用户ID。如果用户ID比这里指定的值更低。其外部脚本的执行将被拒绝。如果的LiteSpeed Web服务器由“Root”用户启动，它可以在“suEXEC” 模式运行外部应用程序，类似Apache（可以切换到与Web服务器不同的用户/组ID）。</p> <h4>Syntax</h4><p>整数</p> <h4>提示</h4><p><span title="Security" class="ls-icon-security"></span> Set it high enough to exclude all system/privileged users.</p> </article> </div> <div class="helpitem"><article class="ls-helpitem"><div><header id="minGID"><h3>最小的GID<span class="ls-permlink"><a href="#minGID"></a></span><span class="top"><a href="#top">⇑</a></span></h3></header></div><h4>Description</h4><p>指定外部应用程序的最小组ID。如果组ID比这里指定的值更小，其外部脚本的执行将被拒绝。如果的LiteSpeed Web服务器是由“Root”用户启动，它可以在“suEXEC” 模式运行外部应用程序，类似Apache（可以切换到与Web服务器不同的用户/组ID）。</p> <h4>Syntax</h4><p>整数</p> <h4>提示</h4><p>[安全] 设置足够高的值以排除所有系统用户所属的组。</p> </article> </div> <div class="helpitem"><article class="ls-helpitem"><div><header id="forceGID"><h3>强制GID<span class="ls-permlink"><a href="#forceGID"></a></span><span class="top"><a href="#top">⇑</a></span></h3></header></div><h4>Description</h4><p>指定一组ID，以用于所有在suEXEC模式下启动的外部应用程序。当设置为非零值时，所有suEXEC的外部应用程序（CGI、FastCGI、 LSAPI）都将使用该组ID。这可以用来防止外部应用程序访问其他用户拥有的文件。<br/><br/> 例如，在共享主机环境，LiteSpeed以“www-data”用户、“www-data”组身份运行。每个文件根目录是由用户帐户所有，属组为“www-data”，权限为0750。如果强制GID被设置为“nogroup”（或“www-data”之外的任何一个组），所有suEXEC外部应用程序都将以特定用户身份运行，但属组为 “nogroup”。这些外部应用程序的进程依然能够访问属于相应用户的文件（因为他们的用户ID），但没有组权限访问其他人的文件。另一方面，服务器仍然可以服务在任何用户文件根目录下的文件（因为它的组ID）。</p> <h4>Syntax</h4><p>整数</p> <h4>提示</h4><p>[安全建议] 设置足够高的值以排除所有系统用户所在的组。</p> </article> </div> <div class="helpitem"><article class="ls-helpitem"><div><header id="umask"><h3>umask<span class="ls-permlink"><a href="#umask"></a></span><span class="top"><a href="#top">⇑</a></span></h3></header></div><h4>Description</h4><p>设置CGI进程默认的umask。通过<span class="cmd"> man 2 umask</span>命令了解详细信息。这也可作为外部应用程序<span class="tagl"><a href="ExtApp_Help.html#extUmask">umask</a></span>的默认值。</p> <h4>Syntax</h4><p>数值有效范围为[000] - [777]</p> <h4>See Also</h4><p class="ls-text-small">ExtApp <span class="tagl"><a href="ExtApp_Help.html#extUmask">umask</a></span></p> </article> </div> <div class="helpitem"><article class="ls-helpitem"><div><header id="CGIPriority"><h3>CGI优先级<span class="ls-permlink"><a href="#CGIPriority"></a></span><span class="top"><a href="#top">⇑</a></span></h3></header></div><h4>Description</h4><p>指定外部应用程序进程的优先级。数值范围从<span class="val">-20</span>到<span class="val">20</span>。数值越小，优先级越高。<br/><br/> CGI进程不能拥有比Web服务器更高的优先级。如果这个优先级数值被设置为低于服务器的优先级数值，则将使用服务器优先级作为替代。</p> <h4>Syntax</h4><p>int</p> <h4>See Also</h4><p class="ls-text-small">Server <span class="tagl"><a href="ServGeneral_Help.html#serverPriority">优先级</a></span></p> </article> </div> <div class="helpitem"><article class="ls-helpitem"><div><header id="CPUSoftLimit"><h3>CPU软限制(秒)<span class="ls-permlink"><a href="#CPUSoftLimit"></a></span><span class="top"><a href="#top">⇑</a></span></h3></header></div><h4>Description</h4><p>以秒为单位，指定CGI进程的CPU占用时间限制。当进程达到软限制时，将收到通知信号。如果没有设置该限制，或者限制设为<span class="val">0</span>，将使用操作系统的默认设置。</p> <h4>Syntax</h4><p>整数</p> </article> </div> <div class="helpitem"><article class="ls-helpitem"><div><header id="CPUHardLimit"><h3>CPU硬限制<span class="ls-permlink"><a href="#CPUHardLimit"></a></span><span class="top"><a href="#top">⇑</a></span></h3></header></div><h4>Description</h4><p>以秒为单位，指定CGI进程的CPU占用时间限制。如果进程持续占用CPU时间，达到硬限制，则进程将被强制杀死。如果没有设置该限制，或者限制设为<span class="val">0</span>，操作系统的默认设置将被使用。</p> <h4>Syntax</h4><p>整数</p> </article> </div> <div class="helpitem"><article class="ls-helpitem"><div><header id="memSoftLimit"><h3>内存软限制 (bytes)<span class="ls-permlink"><a href="#memSoftLimit"></a></span><span class="top"><a href="#top">⇑</a></span></h3></header></div><h4>Description</h4><p>以字节为单位指定服务器启动的外部应用进程或程序的内存占用限制。<br/><br/> 此限制的目的主要是为了防范软件缺陷或蓄意攻击造成的过度内存使用，而不是限制正常使用。确保留有足够的内存，否则您的应用程序可能故障并返回503错误。限制可以在服务器级别或独立的外部应用程序级别设置。如果未在独立的外部应用程序级别设定限制，将使用服务器级别的限制。<br/><br/> 如果在两个级别都没有设置该限制，或者限制值设为<span class="val">0</span>，将使用操作系统的默认设置。</p> <h4>Syntax</h4><p>整数</p> <h4>提示</h4><p>[注意] 不要过度调整这个限制。如果您的应用程序需要更多的内存，这可能会导致503错误。</p> </article> </div> <div class="helpitem"><article class="ls-helpitem"><div><header id="memHardLimit"><h3>内存硬限制 (bytes)<span class="ls-permlink"><a href="#memHardLimit"></a></span><span class="top"><a href="#top">⇑</a></span></h3></header></div><h4>Description</h4><p>与<span class="tagl"><a href="#memSoftLimit">内存软限制 (bytes)</a></span>非常相同，但是在一个用户进程中，软限制可以被放宽到硬限制的数值。硬限制可以在服务器级别或独立的外部应用程序级别设置。如果未在独立的外部应用程序级别设定限制，将使用服务器级别的限制。<br/><br/> 如果在两个级别都没有设置该限制，或者限制值设为<span class="val">0</span>，将使用操作系统的默认设置。</p> <h4>Syntax</h4><p>整数</p> <h4>提示</h4><p>[注意] 不要过度调整这个限制。如果您的应用程序需要更多的内存，这可能会导致503错误。</p> </article> </div> <div class="helpitem"><article class="ls-helpitem"><div><header id="procSoftLimit"><h3>进程软限制<span class="ls-permlink"><a href="#procSoftLimit"></a></span><span class="top"><a href="#top">⇑</a></span></h3></header></div><h4>Description</h4><p>限制用户可以创建的进程总数.所有现有的进程都将被计算在这个限制之内,而不仅仅是要启动的新进程。<br/><br/> 该限制可以在服务器级别或单个外部应用级别进行设置.如果未在应用级别设置，则将使用服务器级别的限制. 如果该值为0或服务器级和应用级都没有设置,将使用操作系统的默认设置</p> <h4>Syntax</h4><p>整数</p> <h4>提示</h4><p><span title="Information" class="ls-icon-info"></span> PHP scripts can call for forking processes. The main purpose of this limit is as a last line of defense to prevent fork bombs and other attacks caused by PHP processes creating other processes.<br/><br/> Setting this setting too low can severely hurt functionality. The setting will thus be ignored below certain levels.<br/><br/> When <b>Run On Start Up</b> is set to "Yes (Daemon mode)", the actual process limit will be higher than this setting to make sure parent processes are not limited.</p> </article> </div> <div class="helpitem"><article class="ls-helpitem"><div><header id="procHardLimit"><h3>进程硬限制<span class="ls-permlink"><a href="#procHardLimit"></a></span><span class="top"><a href="#top">⇑</a></span></h3></header></div><h4>Description</h4><p>与<span class="tagl"><a href="#procSoftLimit">进程软限制</a></span>非常相同，但是，在用户进程中软限制可以被放宽到硬限制的数值。硬限制可以在服务器级别或独立的外部应用程序级别设置。如果未在独立的外部应用程序级别设定限制，将使用服务器级别的限制。如果在两个级别都没有设置该限制，或者限制值设为<span class="val">0</span>，将使用操作系统的默认设置。</p> <h4>Syntax</h4><p>整数</p> </article> </div> <div class="helpitem"><article class="ls-helpitem"><div><header id="cgroups"><h3>cgroups<span class="ls-permlink"><a href="#cgroups"></a></span><span class="top"><a href="#top">⇑</a></span></h3></header></div><h4>Description</h4><p>如果当前操作系统支持(目前支持RedHat/Centos Linux v7.5+和Ubuntu 18.04+)，则将cgroup设置应用于此CGI进程。。当前执行的用户将用于确定要应用的cgroup配置。<br/> 在服务器级别将此设置为<span class="val">Disabled</span>将在服务器范围内禁用此设置。在其他情况下，可以在虚拟主机级别覆盖服务器级别的设置。<br/><br/> 默认值:<br/> <b>服务器级别:</b> Off<br/> <b>虚拟主机级别:</b> 继承服务器级别设置</p> <h4>Syntax</h4><p>从列表中选择</p> </article> </div> <div class="helpitem"><article class="ls-helpitem"><div><header id="lsrecaptcha"><h3>reCAPTCHA保护<span class="ls-permlink"><a href="#lsrecaptcha"></a></span><span class="top"><a href="#top">⇑</a></span></h3></header></div><h4>Description</h4><p>reCAPTCHA 保护是一种减轻服务器负载的服务。在下列情况发生后，reCAPTCHA保护将激活激活后,所以不受信任的客户端(可自定)发出的请求将被重定向到reCAPTCHA验证页面验证完成后客户端将被重定向到其所需的页面<br/><br/> 下列情况将启用reCAPTCHA保护: 1. 服务器或虚拟主机并发请求计数超过连接限制。<br/> 2. 启用了Anti-DDoS，并且客户端以可疑的方式访问了URL。客户端将首先重定向到reCAPTCHA，而不是在触发时被拒绝。<br/> 3. 提供了新的重写规则，以通过重写规则激活reCAPTCHA。可以设置“verifycaptcha”将客户端重定向到reCAPTCHA。可以设置一个特殊值':deny'以在客户端失败太多次时拒绝它。例如，[E=verifycaptcha]将始终重定向到reCAPTCHA，直到通过验证。 [E=verifycaptcha: deny]将重定向到reCAPTCHA，如果客户端达到最大尝试次数,将被拒绝。</p> </article> </div> <div class="helpitem"><article class="ls-helpitem"><div><header id="enableRecaptcha"><h3>启用reCAPTCHA<span class="ls-permlink"><a href="#enableRecaptcha"></a></span><span class="top"><a href="#top">⇑</a></span></h3></header></div><h4>Description</h4><p>必须先在服务器级别将此设置设置为<span class="val">是</span>,才能在当前级别启用并使用reCAPTCHA保护功能。 <br/><br/> 默认值:<br/> <b>服务器级别:</b> 是<br/> <b>虚拟主机级别:</b> 继承服务器级别设置</p> <h4>Syntax</h4><p>从单选框选择</p> </article> </div> <div class="helpitem"><article class="ls-helpitem"><div><header id="recaptchaSiteKey"><h3>网站密匙<span class="ls-permlink"><a href="#recaptchaSiteKey"></a></span><span class="top"><a href="#top">⇑</a></span></h3></header></div><h4>Description</h4><p>站点密钥是Google通过其reCAPTCHA服务提供的公共密钥。如果未设置，将使用默认的站点密钥。</p> </article> </div> <div class="helpitem"><article class="ls-helpitem"><div><header id="recaptchaSecretKey"><h3>密匙<span class="ls-permlink"><a href="#recaptchaSecretKey"></a></span><span class="top"><a href="#top">⇑</a></span></h3></header></div><h4>Description</h4><p>密匙是Google通过其reCAPTCHA服务提供的私钥。如未设置将使用默认的密匙</p> </article> </div> <div class="helpitem"><article class="ls-helpitem"><div><header id="recaptchaType"><h3>reCAPTCHA类型<span class="ls-permlink"><a href="#recaptchaType"></a></span><span class="top"><a href="#top">⇑</a></span></h3></header></div><h4>Description</h4><p>指定要与密钥对一起使用的reCAPTCHA类型。如果未提供密钥对，并且此设置设置为 <span class="val">未设置</span>，将使用<span class="val">隐形</span>类型的默认密钥对。<br/> <span class="val">复选框</span>将显示一个复选框reCAPTCHA，以供访问者验证。<br/> <span class="val">隐形</span>将尝试自动验证reCAPTCHA，如果成功，将重定向到所需的页面。<br/><br/> 默认值为<span class="val">隐形</span>。</p> <h4>Syntax</h4><p>从列表中选择</p> </article> </div> <div class="helpitem"><article class="ls-helpitem"><div><header id="recaptchaMaxTries"><h3>最大尝试次数<span class="ls-permlink"><a href="#recaptchaMaxTries"></a></span><span class="top"><a href="#top">⇑</a></span></h3></header></div><h4>Description</h4><p>“最大尝试次数”指定在拒绝访客之前允许的最大reCAPTCHA次尝试次数。<br/> 默认值是 <span class="val">3</span>.</p> <h4>Syntax</h4><p>整数</p> </article> </div> <div class="helpitem"><article class="ls-helpitem"><div><header id="recaptchaAllowedRobotHits"><h3>允许的机器人点击<span class="ls-permlink"><a href="#recaptchaAllowedRobotHits"></a></span><span class="top"><a href="#top">⇑</a></span></h3></header></div><h4>Description</h4><p>设置每10秒允许“好机器人”通过的点击次数。当服务器处于高负载状态时，僵尸程序仍会受到限制。<br/><br/> 默认值是<span class="val">3</span>.</p> <h4>Syntax</h4><p>整数</p> </article> </div> <div class="helpitem"><article class="ls-helpitem"><div><header id="recaptchaBotWhiteList"><h3>Bot白名单<span class="ls-permlink"><a href="#recaptchaBotWhiteList"></a></span><span class="top"><a href="#top">⇑</a></span></h3></header></div><h4>Description</h4><p>自定义允许访问的用户代理列表。将受到“好机器人”的限制，包括allowedRobotHits。</p> <h4>Syntax</h4><p>用户代理列表，每行一个。支持正则表达式。</p> </article> </div> <div class="helpitem"><article class="ls-helpitem"><div><header id="recaptchaRegConnLimit"><h3>连接限制<span class="ls-permlink"><a href="#recaptchaRegConnLimit"></a></span><span class="top"><a href="#top">⇑</a></span></h3></header></div><h4>Description</h4><p>激活reCAPTCHA所需的并发连接数（SSL和非SSL）。在并发连接数高于该数字之前，将使用reCAPTCHA。<br/><br/> 默认值是<span class="val">15000</span>.</p> <h4>Syntax</h4><p>整数</p> </article> </div> <div class="helpitem"><article class="ls-helpitem"><div><header id="recaptchaSslConnLimit"><h3>SSL连接限制<span class="ls-permlink"><a href="#recaptchaSslConnLimit"></a></span><span class="top"><a href="#top">⇑</a></span></h3></header></div><h4>Description</h4><p>激活reCAPTCHA所需的并发SSL连接数。在并发连接数高于该数字之前，将使用reCAPTCHA。<br/><br/> 默认值是 <span class="val">10000</span>.</p> <h4>Syntax</h4><p>整数</p> </article> </div> <div class="helpitem"><article class="ls-helpitem"><div><header id="bubbleWrap"><h3>Bubblewrap Container<span class="ls-permlink"><a href="#bubbleWrap"></a></span><span class="top"><a href="#top">⇑</a></span></h3></header></div><h4>Description</h4><p>Set to <span class="val">Enabled</span> if you wish to start CGI processes (including PHP programs) in a bubblewrap sandbox. See <a href=" https://wiki.archlinux.org/title/Bubblewrap " target="_blank" rel="noopener noreferrer"> https://wiki.archlinux.org/title/Bubblewrap </a> for details on using bubblewrap. Bubblewrap must be installed on your system prior to using this setting.<br/><br/> This setting cannot be turned on at the Virtual Host level if set to "Disabled" at the Server level.<br/><br/> Default values:<br/> <b>Server level:</b> Disabled<br/> <b>VH level:</b> Inherit Server level setting</p> <h4>Syntax</h4><p>从列表中选择</p> </article> </div> <div class="helpitem"><article class="ls-helpitem"><div><header id="bubbleWrapCmd"><h3>Bubblewrap Command<span class="ls-permlink"><a href="#bubbleWrapCmd"></a></span><span class="top"><a href="#top">⇑</a></span></h3></header></div><h4>Description</h4><p>bubblewraps使用的完整的命令, 包括bubblewrap程序本身。有关配置此命令的更多信息，请参见： <a href=" https://openlitespeed.org/kb/bubblewrap-in-openlitespeed/ " target="_blank" rel="noopener noreferrer"> https://openlitespeed.org/kb/bubblewrap-in-openlitespeed/ </a>. 如果未指定，将使用下面列出的默认命令。<br/><br/> 默认值: <span class="cmd">/bin/bwrap --ro-bind /usr /usr --ro-bind /lib /lib --ro-bind-try /lib64 /lib64 --ro-bind /bin /bin --ro-bind /sbin /sbin --dir /var --dir /tmp --proc /proc --symlink../tmp var/tmp --dev /dev --ro-bind-try /etc/localtime /etc/localtime --ro-bind-try /etc/ld.so.cache /etc/ld.so.cache --ro-bind-try /etc/resolv.conf /etc/resolv.conf --ro-bind-try /etc/ssl /etc/ssl --ro-bind-try /etc/pki /etc/pki --ro-bind-try /etc/man_db.conf /etc/man_db.conf --ro-bind-try /home/$USER /home/$USER --bind-try /var/lib/mysql/mysql.sock /var/lib/mysql/mysql.sock --bind-try /home/mysql/mysql.sock /home/mysql/mysql.sock --bind-try /tmp/mysql.sock /tmp/mysql.sock --unshare-all --share-net --die-with-parent --dir /run/user/$UID ‘$PASSWD 65534’ ‘$GROUP 65534’</span></p> </article> </div> <div class="helpitem"><article class="ls-helpitem"><div><header id="namespace"><h3>Namespace Container<span class="ls-permlink"><a href="#namespace"></a></span><span class="top"><a href="#top">⇑</a></span></h3></header></div><h4>Description</h4><p>Set to <span class="val">Enabled</span> if you wish to start CGI processes (including PHP programs) in a namespace container sandbox. Only used when <span class="tagl"><a href="ServSecurity_Help.html#bubbleWrap">Bubblewrap Container</a></span> is set to <span class="val">Disabled</span>.<br/><br/> When not <span class="val">Disabled</span> at the Server level, this settings value can be overridden at the Virtual Host level.<br/><br/> Default values:<br/> <b>Server level:</b> <span class="val">Disabled</span><br/> <b>Virtual Host Level:</b> Inherit Server level setting</p> <h4>Syntax</h4><p>从列表中选择</p> </article> </div> <div class="helpitem"><article class="ls-helpitem"><div><header id="namespaceConf"><h3>Namespace Template File<span class="ls-permlink"><a href="#namespaceConf"></a></span><span class="top"><a href="#top">⇑</a></span></h3></header></div><h4>Description</h4><p>Path to an existing configuration file containing a list of directories to be mounted along with the methods used to mount them. When <span class="tagl"><a href="ServSecurity_Help.html#namespace">Namespace Container</a></span> is set to <span class="val">Enabled</span> and this value is not set, the following secure default configuration settings will be used:<br/><br/> <span class="val"> $HOMEDIR/.lsns/tmp /tmp,tmp<br/> /usr,ro-bind<br/> /lib,ro-bind<br/> /lib64,ro-bind-try<br/> /bin,ro-bind<br/> /sbin,ro-bind<br/> /var,dir<br/> /var/www,ro-bind-try<br/> /proc,proc<br/> ../tmp var/tmp,symlink<br/> /dev,dev<br/> /etc/localtime,ro-bind-try<br/> /etc/ld.so.cache,ro-bind-try<br/> /etc/resolv.conf,ro-bind-try<br/> /etc/ssl,ro-bind-try<br/> /etc/pki,ro-bind-try<br/> /etc/man_db.conf,ro-bind-try<br/> /usr/local/bin/msmtp /etc/alternatives/mta,ro-bind-try<br/> /usr/local/bin/msmtp /usr/sbin/exim,ro-bind-try<br/> $HOMEDIR,bind-try<br/> /var/lib/mysql/mysql.sock,bind-try<br/> /home/mysql/mysql.sock,bind-try<br/> /tmp/mysql.sock,bind-try<br/> /run/mysqld/mysqld.sock,bind-try<br/> /var/run/mysqld.sock,bind-try<br/> /run/user/$UID,bind-try<br/> $PASSWD<br/> $GROUP<br/> /etc/exim.jail/$USER.conf $HOMEDIR/.msmtprc,copy-try<br/> /etc/php.ini,ro-bind-try<br/> /etc/php-fpm.conf,ro-bind-try<br/> /etc/php-fpm.d,ro-bind-try<br/> /var/run,ro-bind-try<br/> /var/lib,ro-bind-try<br/> /etc/imunify360/user_config/,ro-bind-try<br/> /etc/sysconfig/imunify360,ro-bind-try<br/> /opt/plesk/php,ro-bind-try<br/> /opt/alt,bind-try<br/> /opt/cpanel,bind-try<br/> /opt/psa,bind-try<br/> /var/lib/php/sessions,bind-try </span></p> <h4>Syntax</h4><p>绝对路径或相对于$SERVER_ROOT的相对路径。</p> </article> </div> <div class="helpitem"><article class="ls-helpitem"><div><header id="accessDenyDir"><h3>拒绝访问的目录<span class="ls-permlink"><a href="#accessDenyDir"></a></span><span class="top"><a href="#top">⇑</a></span></h3></header></div><h4>Description</h4><p>指定应该拒绝访问的目录。将包含敏感数据的目录加入到这个列表，以防止向客户端意外泄露敏感文件。在路径后加一个“”，可包含所有子目录。如果<span class="tagl"><a href="#followSymbolLink">跟随符号链接</a></span>和<span class="tagl"><a href="#checkSymbolLink">检查符号链接</a></span>都被启用，符号链接也将被检查是否在被拒绝访问目录中。</p> <h4>Syntax</h4><p>Comma-delimited list of directories</p> <h4>提示</h4><p>[安全建议] 至关重要: 此设置只能防止服务这些目录中的静态文件。这不能防止外部脚本如PHP、Ruby、CGI造成的泄露。</p> </article> </div> <div class="helpitem"><article class="ls-helpitem"><div><header id="accessControl"><h3>登入限制<span class="ls-permlink"><a href="#accessControl"></a></span><span class="top"><a href="#top">⇑</a></span></h3></header></div><h4>Description</h4><p>指定哪些子网络和/或IP地址可以访问该服务器。这是影响所有的虚拟主机的服务器级别设置。您还可以为每个虚拟主机设置登入限制。虚拟主机的设置不会覆盖服务器设置。<br/><br/> 是否阻止/允许一个IP是由允许列表与阻止列表共同决定。如果你想阻止某个特定IP或子网，请在<span class="tagl"><a href="#accessControl_allow">允许列表</a></span>中写入<span class="val"></span> 或 <span class="val">ALL</span>，并在<span class="tagl"><a href="#accessControl_deny">拒绝列表</a></span>中写入需要阻止的IP或子网。如果你想允许某个特定的IP或子网，请在<span class="tagl"><a href="#accessControl_deny">拒绝列表</a></span>中写入<span class="val"></span> 或 <span class="val">ALL</span>，并在<span class="tagl"><a href="#accessControl_allow">允许列表</a></span>中写入需要允许的IP或子网。单个IP地址是被允许访问还是禁止访问取决于该IP符合的最小限制范围。<br/><br/> 信任的IP或子网络可以在<span class="tagl"><a href="#accessControl_allow">允许列表</a></span>列表中添加后缀“T”来指定。受信任的IP或子网不受连接数/流量限制。只有服务器级别的登入限制才可以设置受信任的IP或子网。</p> <h4>提示</h4><p>[安全建议] 用此项设置适用于所有虚拟主机的常规限制。</p> </article> </div> <div class="helpitem"><article class="ls-helpitem"><div><header id="accessControl_allow"><h3>允许列表<span class="ls-permlink"><a href="#accessControl_allow"></a></span><span class="top"><a href="#top">⇑</a></span></h3></header></div><h4>Description</h4><p>指定允许的IP地址或子网的列表。可以使用{VAL}</span>或{VAL}ALL</span>。</p> <h4>Syntax</h4><p>逗号分隔的IP地址或子网列表。结尾加上“T”可以用来表示一个受信任的IP或子网，如{VAL}192.168.1.T</span>。</p> <h4>例子</h4><div class="ls-example">子网: <span class="val">192.168.1.0/255.255.255.0</span>, <span class="val">192.168.1.0/24</span>, <span class="val">192.168.1</span> 或 <span class="val">192.168.1.</span>. <br/> IPv6 地址: <span class="val">::1</span> 或 <span class="val">[::1]</span> <br/> IPv6 子网: <span class="val">3ffe:302:11:2:20f:1fff:fe29:717c/64</span> 或 <span class="val">[3ffe:302:11:2:20f:1fff:fe29:717c]/64</span>.</div><h4>提示</h4><p>[安全建议] 在服务器级别设置的受信任的IP或子网不受连接/节流限制。</p> </article> </div> <div class="helpitem"><article class="ls-helpitem"><div><header id="accessControl_deny"><h3>拒绝列表<span class="ls-permlink"><a href="#accessControl_deny"></a></span><span class="top"><a href="#top">⇑</a></span></h3></header></div><h4>Description</h4><p>指定不允许的IP地址或子网的列表。</p> <h4>Syntax</h4><p>逗号分隔的IP地址或子网列表。可以使用{VAL}</span>或{VAL}ALL</span>。</p> <h4>例子</h4><div class="ls-example">子网: <span class="val">192.168.1.0/255.255.255.0</span>, <span class="val">192.168.1.0/24</span>, <span class="val">192.168.1</span> 或 <span class="val">192.168.1.</span>. <br/> IPv6 地址: <span class="val">::1</span> 或 <span class="val">[::1]</span> <br/> IPv6 子网: <span class="val">3ffe:302:11:2:20f:1fff:fe29:717c/64</span> 或 <span class="val">[3ffe:302:11:2:20f:1fff:fe29:717c]/64</span>.</div></article> </div> </section> </article><div class="ls-col-1-1"><footer class="copyright">Copyright © 2013-2020. <a href="https://www.litespeedtech.com">LiteSpeed Technologies Inc.</a> 版权所有.</footer> </div></div> </body> </html> ��

| ver. 1.4 | Github | . | PHP 8.2.28 | Generation time: 0.02 | proxy | phpinfo | Settings