File manager

File manager - Edit - /usr/local/lswsbak/docs/VHSecurity_Help.html

Back
<!DOCTYPE html> <head> <meta charset="utf-8" /> <meta http-equiv="X-UA-Compatible" content="IE=edge,chrome=1" /> <title>OpenLiteSpeed Users' Manual - Virtual Host Security</title> <meta name="description" content="OpenLiteSpeed Users' Manual - Virtual Host Security." /> <meta name="viewport" content="width=device-width, initial-scale=1.0" /> <meta name="robots" content="noindex"> <link rel="shortcut icon" href="img/favicon.ico" /> <link rel="stylesheet" type="text/css" href="css/hdoc.css"> </head> <body> <div class="pagewrapper clearfix"><aside class="sidetree ls-col-1-5"> <figure> <img src="img/ols_logo.svg" alt="openlitespeed logo" width="150px"/> </figure> <h2 class="ls-text-thin"> OpenLiteSpeed Web Server <a href="index.html"> Users' Manual</a> </h2> <h3 class="ls-text-muted">Version 1.8  — Rev. 9</h3> <hr/> <div> <ul> <li><a href="license.html">License</a></li> <li><a href="intro.html">Introduction</a></li> <li><a href="install.html">Installation</a></li> <li> <a href="admin.html">Administration</a> <ul class="level2"> <li><a href="ServerStat_Help.html">Service Manager</a></li> <li><a href="Real_Time_Stats_Help.html">Real-Time Stats</a></li> </ul> </li> <li><a href="security.html">Security</a></li> <li> <a href="config.html">Configuration</a> <ul class="level2"> <li><a href="ServGeneral_Help.html">Server General</a></li> <li><a href="ServLog_Help.html">Server Log</a></li> <li><a href="ServTuning_Help.html">Server Tuning</a></li> <li><a href="ServSecurity_Help.html">Server Security</a></li> <li><a href="ExtApp_Help.html">External Apps</a></li> <ul class="level3"> <li><a href="External_FCGI.html">Fast CGI App</a></li> <li><a href="External_FCGI_Auth.html">Fast CGI Authorizer</a></li> <li><a href="External_LSAPI.html">LSAPI App</a></li> <li><a href="External_Servlet.html">Servlet Engine</a></li> <li><a href="External_WS.html">Web Server</a></li> <li><a href="External_PL.html">Piped logger</a></li> <li><a href="External_LB.html">Load Balancer</a></li> </ul> <li><a href="ScriptHandler_Help.html">Script Handler</a></li> <li><a href="App_Server_Help.html">App Server Settings</a></li> <li><a href="Module_Help.html">Module Configuration</a></li> <li><a href="Listeners_General_Help.html">Listener General</a></li> <li><a href="Listeners_SSL_Help.html">Listener SSL</a></li> <li><a href="Templates_Help.html">Virtual Host Templates</a></li> <li><a href="VirtualHosts_Help.html">Virtual Host Basic</a></li> <li><a href="VHGeneral_Help.html">Virtual Host General</a></li> <li><span class="current"><a href="VHSecurity_Help.html">Virtual Host Security</a></span></li> <li><a href="VHSSL_Help.html">Virtual Host SSL</a></li> <li><a href="Rewrite_Help.html">Rewrite</a></li> <li><a href="Context_Help.html">Context</a></li> <ul class="level3"> <li><a href="Static_Context.html">Static Context</a></li> <li> <a href="Java_Web_App_Context.html">Java Web App Context</a> </li> <li><a href="Servlet_Context.html">Servlet Context</a></li> <li><a href="FCGI_Context.html">Fast CGI Context</a></li> <li><a href="LSAPI_Context.html">LSAPI Context</a></li> <li><a href="Proxy_Context.html">Proxy Context</a></li> <li><a href="CGI_Context.html">CGI Context</a></li> <li><a href="LB_Context.html">Load Balancer Context</a></li> <li><a href="Redirect_Context.html">Redirect Context</a></li> <li><a href="App_Server_Context.html">App Server Context</a></li> <li><a href="Module_Context.html">Module Handler Context</a></li> </ul> <li><a href="VHWebSocket_Help.html">Web Socket Proxy</a></li> </ul> </li> <li><a href="webconsole.html">Web Console</a> <ul class="level2"> <li><a href="AdminGeneral_Help.html">Admin Console General</a></li> <li><a href="AdminSecurity_Help.html">Admin Console Security</a></li> <li> <a href="AdminListeners_General_Help.html"> Admin Listener General </a> </li> <li> <a href="AdminListeners_SSL_Help.html">Admin Listener SSL</a> </li> </ul> </li> </ul> </div> </aside> <article class="contentwrapper ls-col-3-5 clearfix"><div class="nav-bar ls-spacer-micro-top"><div class="prev">&#171 <a href="VHGeneral_Help.html">Virtual Host General</a></div><div class="center"><a href="config.html">Configuration</a></div><div class="next"><a href="VHSSL_Help.html">Virtual Host SSL</a> »</div></div> <h1>Virtual Host Security</h1><h2 id="top">Table of Contents</h2><section class="toc"><section class="toc-row"><header><a href="#VHlsrecaptcha">reCAPTCHA Protection</a></header><p> <a href="#enableRecaptcha">Enable reCAPTCHA</a> \| <a href="#recaptchaSiteKey">Site Key</a> \| <a href="#recaptchaSecretKey">Secret Key</a> \| <a href="#recaptchaType">reCAPTCHA Type</a> \| <a href="#recaptchaMaxTries">Max Tries</a> \| <a href="#recaptchaVhReqLimit">Concurrent Request Limit</a></p></section> <section class="toc-row"><header>Containers</header><p> <a href="#bubbleWrap">Bubblewrap Container</a> \| <a href="#namespace">Namespace Container</a> \| <a href="#namespaceConfVhAdd">Additional Namespace Template File</a></p></section> <section class="toc-row"><header><a href="#accessControl">Access Control</a></header><p> <a href="#accessControl_allow">Allowed List</a> \| <a href="#accessControl_deny">Denied List</a></p></section> <section class="toc-row"><header><a href="#realms">Authorization Realms</a></header><p> <a href="#realmName">Realm Name</a> \| <a href="#userDBLocation">User DB Location</a> \| <a href="#userDBMaxCacheSize">User DB Max Cache Size</a> \| <a href="#userDBCacheTimeout">User DB Cache Timeout (secs)</a> \| <a href="#GroupDBLocation">Group DB Location</a> \| <a href="#groupDBMaxCacheSize">Group DB Max Cache Size</a> \| <a href="#groupDBCacheTimeout">Group DB Cache Timeout (secs)</a></p></section> </section> <section><div class="helpitem"><article class="ls-helpitem"><div><header id="VHlsrecaptcha"><h3>reCAPTCHA Protection<span class="ls-permlink"><a href="#VHlsrecaptcha"></a></span><span class="top"><a href="#top">⇑</a></span></h3></header></div><h4>Description</h4><p>reCAPTCHA Protection is a service provided as a way to mitigate heavy server load. reCAPTCHA Protection will activate after one of the below situations is hit. Once active, all requests by NON TRUSTED(as configured) clients will be redirected to a reCAPTCHA validation page. After validation, the client will be redirected to their desired page.<br/><br/> The following situations will activate reCAPTCHA Protection:<br/> 1. The server or vhost concurrent requests count passes the configured connection limit.<br/> 2. Anti-DDoS is enabled and a client is hitting a url in a suspicious manner. The client will redirect to reCAPTCHA first instead of getting denied when triggered.<br/> 3. A new rewrite rule environment is provided to activate reCAPTCHA via RewriteRules. 'verifycaptcha' can be set to redirect clients to reCAPTCHA. A special value ': deny' can be set to deny the client if it failed too many times. For example, [E=verifycaptcha] will always redirect to reCAPTCHA until verified. [E=verifycaptcha: deny] will redirect to reCAPTCHA until Max Tries is hit, after which the client will be denied.</p> </article> </div> <div class="helpitem"><article class="ls-helpitem"><div><header id="enableRecaptcha"><h3>Enable reCAPTCHA<span class="ls-permlink"><a href="#enableRecaptcha"></a></span><span class="top"><a href="#top">⇑</a></span></h3></header></div><h4>Description</h4><p>Enable the reCAPTCHA Protection feature at the current level. This setting must be set to <span class="val">Yes</span> at the Server level before the reCAPTCHA Protection feature can be used.<br/><br/> Default values:<br/> <b>Server-level:</b> <span class="val">Yes</span><br/> <b>VH-Level:</b> Inherit Server level setting</p> <h4>Syntax</h4><p>Select from radio box</p> </article> </div> <div class="helpitem"><article class="ls-helpitem"><div><header id="recaptchaSiteKey"><h3>Site Key<span class="ls-permlink"><a href="#recaptchaSiteKey"></a></span><span class="top"><a href="#top">⇑</a></span></h3></header></div><h4>Description</h4><p>The site key is the public key provided by Google via its reCAPTCHA service. A default Site Key will be used if not set.</p> </article> </div> <div class="helpitem"><article class="ls-helpitem"><div><header id="recaptchaSecretKey"><h3>Secret Key<span class="ls-permlink"><a href="#recaptchaSecretKey"></a></span><span class="top"><a href="#top">⇑</a></span></h3></header></div><h4>Description</h4><p>The secret key is the private key provided by Google via its reCAPTCHA service. A default Secret Key will be used if not set.</p> </article> </div> <div class="helpitem"><article class="ls-helpitem"><div><header id="recaptchaType"><h3>reCAPTCHA Type<span class="ls-permlink"><a href="#recaptchaType"></a></span><span class="top"><a href="#top">⇑</a></span></h3></header></div><h4>Description</h4><p>Specify the reCAPTCHA type to use with the key pairs.<br/> If a key pair has not been provided and this setting is set to <span class="val">Not Set</span>, a default key pair of type <span class="val">Invisible</span> will be used.<br/><br/> <span class="val">Checkbox</span> will display a checkbox reCAPTCHA for the visitor to validate.<br/><br/> <span class="val">Invisible</span> will attempt to validate the reCAPTCHA automatically and if successful, will redirect to the desired page.<br/><br/> <span class="val">hCaptcha</span> can be used to support reCAPTCHA provider <a href="https://www.hcaptcha.com" target="_blank" rel="noopener noreferrer">hCaptcha</a>.<br/><br/> Default value is <span class="val">Invisible</span>.</p> <h4>Syntax</h4><p>Select from drop down list</p> </article> </div> <div class="helpitem"><article class="ls-helpitem"><div><header id="recaptchaMaxTries"><h3>Max Tries<span class="ls-permlink"><a href="#recaptchaMaxTries"></a></span><span class="top"><a href="#top">⇑</a></span></h3></header></div><h4>Description</h4><p>Max Tries specifies the maximum number of reCAPTCHA attempts permitted before denying the visitor.<br/><br/> Default value is <span class="val">3</span>.</p> <h4>Syntax</h4><p>Integer number</p> </article> </div> <div class="helpitem"><article class="ls-helpitem"><div><header id="recaptchaVhReqLimit"><h3>Concurrent Request Limit<span class="ls-permlink"><a href="#recaptchaVhReqLimit"></a></span><span class="top"><a href="#top">⇑</a></span></h3></header></div><h4>Description</h4><p>The number of concurrent requests needed to activate reCAPTCHA. reCAPTCHA will be used until concurrent requests drop below this number.<br/><br/> Default value is <span class="val">15000</span>.</p> <h4>Syntax</h4><p>Integer number</p> </article> </div> <div class="helpitem"><article class="ls-helpitem"><div><header id="bubbleWrap"><h3>Bubblewrap Container<span class="ls-permlink"><a href="#bubbleWrap"></a></span><span class="top"><a href="#top">⇑</a></span></h3></header></div><h4>Description</h4><p>Set to <span class="val">Enabled</span> if you wish to start CGI processes (including PHP programs) in a bubblewrap sandbox. See <a href=" https://wiki.archlinux.org/title/Bubblewrap " target="_blank" rel="noopener noreferrer"> https://wiki.archlinux.org/title/Bubblewrap </a> for details on using bubblewrap. Bubblewrap must be installed on your system prior to using this setting.<br/><br/> This setting cannot be turned on at the Virtual Host level if set to "Disabled" at the Server level.<br/><br/> Default values:<br/> <b>Server level:</b> Disabled<br/> <b>VH level:</b> Inherit Server level setting</p> <h4>Syntax</h4><p>Select from drop down list</p> </article> </div> <div class="helpitem"><article class="ls-helpitem"><div><header id="namespace"><h3>Namespace Container<span class="ls-permlink"><a href="#namespace"></a></span><span class="top"><a href="#top">⇑</a></span></h3></header></div><h4>Description</h4><p>Set to <span class="val">Enabled</span> if you wish to start CGI processes (including PHP programs) in a namespace container sandbox. Only used when <span class="tagl"><a href="ServSecurity_Help.html#bubbleWrap">Bubblewrap Container</a></span> is set to <span class="val">Disabled</span>.<br/><br/> When not <span class="val">Disabled</span> at the Server level, this settings value can be overridden at the Virtual Host level.<br/><br/> Default values:<br/> <b>Server level:</b> <span class="val">Disabled</span><br/> <b>Virtual Host Level:</b> Inherit Server level setting</p> <h4>Syntax</h4><p>Select from drop down list</p> </article> </div> <div class="helpitem"><article class="ls-helpitem"><div><header id="namespaceConfVhAdd"><h3>Additional Namespace Template File<span class="ls-permlink"><a href="#namespaceConfVhAdd"></a></span><span class="top"><a href="#top">⇑</a></span></h3></header></div><h4>Description</h4><p>Path to an existing configuration file containing a list of directories to be mounted along with the methods used to mount them. If <span class="tagl"><a href="ServSecurity_Help.html#namespaceConf">Namespace Template File</a></span> is also set at the Server level, both files will be used.</p> <h4>Syntax</h4><p>A path which can be absolute, relative to $SERVER_ROOT, or relative to $VH_ROOT.</p> </article> </div> <div class="helpitem"><article class="ls-helpitem"><div><header id="accessControl"><h3>Access Control<span class="ls-permlink"><a href="#accessControl"></a></span><span class="top"><a href="#top">⇑</a></span></h3></header></div><h4>Description</h4><p>Specifies what sub networks and/or IP addresses can access the server. At the server level, this setting will affect all virtual hosts. You can also set up access control unique to each virtual host at the virtual host level. Virtual host level settings will NOT override server level settings.<br/><br/> Blocking/Allowing an IP is determined by the combination of the allowed list and the denied list. If you want to block only certain IPs or sub-networks, put <span class="val"></span> or <span class="val">ALL</span> in the <span class="tagl"><a href="#accessControl_allow">Allowed List</a></span> and list the blocked IPs or sub-networks in the <span class="tagl"><a href="#accessControl_deny">Denied List</a></span>. If you want to allow only certain IPs or sub-networks, put <span class="val"></span> or <span class="val">ALL</span> in the <span class="tagl"><a href="#accessControl_deny">Denied List</a></span> and list the allowed IPs or sub-networks in the <span class="tagl"><a href="#accessControl_allow">Allowed List</a></span>. The setting of the smallest scope that fits for an IP will be used to determine access.<br/><br/> <b>Server Level:</b> Trusted IPs or sub-networks must be specified in the <span class="tagl"><a href="#accessControl_allow">Allowed List</a></span> by adding a trailing "T". Trusted IPs or sub-networks are not affected by connection/throttling limits. Only server level access control can set up trusted IPs/sub-networks.</p> <h4>Tips</h4><p><span title="Security" class="ls-icon-security"></span> Use this at the server level for general restrictions that apply to all virtual hosts.</p> </article> </div> <div class="helpitem"><article class="ls-helpitem"><div><header id="accessControl_allow"><h3>Allowed List<span class="ls-permlink"><a href="#accessControl_allow"></a></span><span class="top"><a href="#top">⇑</a></span></h3></header></div><h4>Description</h4><p>Specifies the list of IPs or sub-networks allowed. <span class="val"></span> or <span class="val">ALL</span> are accepted.</p> <h4>Syntax</h4><p>Comma delimited list of IP addresses or sub-networks. A trailing "T" can be used to indicate a trusted IP or sub-network, such as <span class="val">192.168.1.T</span>.</p> <h4>Example</h4><div class="ls-example"><b>Sub-networks:</b> 192.168.1.0/255.255.255.0, 192.168.1.0/24, 192.168.1, or 192.168.1.<br/> <b>IPv6 addresses:</b> ::1 or [::1]<br/> <b>IPv6 subnets:</b> 3ffe:302:11:2:20f:1fff:fe29:717c/64 or [3ffe:302:11:2:20f:1fff:fe29:717c]/64</div><h4>Tips</h4><p><span title="Security" class="ls-icon-security"></span> Trusted IPs or sub-networks set at the server level access control will be excluded from connection/throttling limits.</p> </article> </div> <div class="helpitem"><article class="ls-helpitem"><div><header id="accessControl_deny"><h3>Denied List<span class="ls-permlink"><a href="#accessControl_deny"></a></span><span class="top"><a href="#top">⇑</a></span></h3></header></div><h4>Description</h4><p>Specifies the list of IPs or sub-networks disallowed.</p> <h4>Syntax</h4><p>Comma delimited list of IP addresses or sub-networks. <span class="val"></span> or <span class="val">ALL</span> are accepted.</p> <h4>Example</h4><div class="ls-example"><b>Sub-networks:</b> 192.168.1.0/255.255.255.0, 192.168.1.0/24, 192.168.1, or 192.168.1.*<br/> <b>IPv6 addresses:</b> ::1 or [::1]<br/> <b>IPv6 subnets:</b> 3ffe:302:11:2:20f:1fff:fe29:717c/64 or [3ffe:302:11:2:20f:1fff:fe29:717c]/64</div></article> </div> <div class="helpitem"><article class="ls-helpitem"><div><header id="realms"><h3>Authorization Realms<span class="ls-permlink"><a href="#realms"></a></span><span class="top"><a href="#top">⇑</a></span></h3></header></div><h4>Description</h4><p>Lists all authorization realms for this virtual host. Authorization realms are used to block unauthorized users from accessing protected web pages. A realm is a user directory containing usernames and passwords with optional group classifications. Authorization is performed at context level. Since different contexts can share the same realm (user database), so realms are defined separately from the contexts that use them. You can refer to a realm by these names in context configuration.</p> </article> </div> <div class="helpitem"><article class="ls-helpitem"><div><header id="realmName"><h3>Realm Name<span class="ls-permlink"><a href="#realmName"></a></span><span class="top"><a href="#top">⇑</a></span></h3></header></div><h4>Description</h4><p>Specifies a unique name for the authorization realm.</p> </article> </div> <div class="helpitem"><article class="ls-helpitem"><div><header id="userDBLocation"><h3>User DB Location<span class="ls-permlink"><a href="#userDBLocation"></a></span><span class="top"><a href="#top">⇑</a></span></h3></header></div><h4>Description</h4><p>Specifies the location of the user database. It is recommended that the database be stored under the $SERVER_ROOT/conf/vhosts/$VH_NAME/ directory.<br/><br/> For DB type <span class="val">Password File</span>, it is the path to the flat file containing user/password definitions. You can edit this file through the WebAdmin console by clicking on the filename.<br/><br/> Each line of the user file contains a username followed by a colon, followed by a crypt() encrypted password, optionally followed by a colon and group names that user belongs to. Group names are delimitated by commas. If group information is specified in the user database, then the group database will not be checked.<br/><br/> Example:<blockquote><code>john:HZ.U8kgjnMOHo:admin,user</code></blockquote></p> <h4>Syntax</h4><p>Path to user DB file.</p> <h4>See Also</h4><p class="ls-text-small"><span class="tagl"><a href="#GroupDBLocation">Group DB Location</a></span>, <span class="tagl"><a href="#userDB_attrPasswd">Password Attribute</a></span>, <span class="tagl"><a href="#userDB_attrMemberOf">Member-of Attribute</a></span></p> </article> </div> <div class="helpitem"><article class="ls-helpitem"><div><header id="userDBMaxCacheSize"><h3>User DB Max Cache Size<span class="ls-permlink"><a href="#userDBMaxCacheSize"></a></span><span class="top"><a href="#top">⇑</a></span></h3></header></div><h4>Description</h4><p>Specifies the maximum cache size of the user database. Recently accessed user authentication data will be cached in memory to provide maximum performance.</p> <h4>Syntax</h4><p>Integer number</p> <h4>Tips</h4><p><span title="Performance" class="ls-icon-performance"></span> As a larger cache will consume more memory, a higher value may or may not provide better performance. Set it to an appropriate size according to your user database size and site usage.</p> </article> </div> <div class="helpitem"><article class="ls-helpitem"><div><header id="userDBCacheTimeout"><h3>User DB Cache Timeout (secs)<span class="ls-permlink"><a href="#userDBCacheTimeout"></a></span><span class="top"><a href="#top">⇑</a></span></h3></header></div><h4>Description</h4><p>Specifies how often the backend user database will be checked for changes. Every entry in the cache has a timestamp. When cached data is older than the specified timeout, the backend database will be checked for changes. If there is no change, the timestamp will be reset to the current time, otherwise the new data will be loaded. Sevrer reload and graceful restart will clear the cache immediately.</p> <h4>Syntax</h4><p>Integer number</p> <h4>Tips</h4><p><span title="Performance" class="ls-icon-performance"></span> If the backend database does not change very often, set a longer timeout for better performance.</p> </article> </div> <div class="helpitem"><article class="ls-helpitem"><div><header id="GroupDBLocation"><h3>Group DB Location<span class="ls-permlink"><a href="#GroupDBLocation"></a></span><span class="top"><a href="#top">⇑</a></span></h3></header></div><h4>Description</h4><p>Specifies the location of the group database. It is recommended that the database be stored under the $SERVER_ROOT/conf/vhosts/$VH_NAME/ directory.<br/><br/> Group information can be set either in the user database or in this standalone group DB. For user authentication, the user DB will be checked first. If the user DB also contains group information, then the group DB will not be checked.<br/><br/> For the DB type <span class="val">Password File</span>, the group DB location should be the path to the flat file containing group definitions. You can edit this file through the WebAdmin console by clicking on the filename.<br/><br/> Each line of a group file should contain a groupname followed by a colon, followed by space delimited group of usernames. Example:<br/> <blockquote><code>testgroup: user1 user2 user3</code></blockquote></p> <h4>Syntax</h4><p>Filename which can be an absolute path or a relative path to $SERVER_ROOT, $VH_ROOT.</p> <h4>See Also</h4><p class="ls-text-small"><span class="tagl"><a href="#userDBLocation">User DB Location</a></span>, Context <span class="tagl"><a href="Context_Help.html#required">Require (Authorized Users/Groups)</a></span>, <span class="tagl"><a href="#groupDB_attrGroupMember">Group Member Attribute</a></span></p> </article> </div> <div class="helpitem"><article class="ls-helpitem"><div><header id="groupDBMaxCacheSize"><h3>Group DB Max Cache Size<span class="ls-permlink"><a href="#groupDBMaxCacheSize"></a></span><span class="top"><a href="#top">⇑</a></span></h3></header></div><h4>Description</h4><p>Specifies the maximum cache size of the group database.</p> <h4>Syntax</h4><p>Integer number</p> <h4>Tips</h4><p><span title="Performance" class="ls-icon-performance"></span> As a larger cache will consume more memory, a higher value may or may not provide better performance. Set it to an appropriate size according to your user database size and site usage.</p> <h4>See Also</h4><p class="ls-text-small"><span class="tagl"><a href="#userDBMaxCacheSize">User DB Max Cache Size</a></span></p> </article> </div> <div class="helpitem"><article class="ls-helpitem"><div><header id="groupDBCacheTimeout"><h3>Group DB Cache Timeout (secs)<span class="ls-permlink"><a href="#groupDBCacheTimeout"></a></span><span class="top"><a href="#top">⇑</a></span></h3></header></div><h4>Description</h4><p>Specifies how often the backend group database will be checked for changes. For more detail please refer to <span class="tagl"><a href="#userDBCacheTimeout">User DB Cache Timeout (secs)</a></span>.</p> <h4>Syntax</h4><p>Integer number</p> <h4>See Also</h4><p class="ls-text-small"><span class="tagl"><a href="#userDBCacheTimeout">User DB Cache Timeout (secs)</a></span></p> </article> </div> </section> </article><div class="ls-col-1-1"><footer class="copyright">Copyright © 2013-2020. <a href="https://www.litespeedtech.com">LiteSpeed Technologies Inc.</a> All rights reserved.</footer> </div></div> </body> </html>

| ver. 1.4 | Github | . | PHP 8.2.28 | Generation time: 0.02 | proxy | phpinfo | Settings