<!DOCTYPE html>
<head>
<meta charset="utf-8" />
<meta http-equiv="X-UA-Compatible"
content="IE=edge,chrome=1" />
<title>LiteSpeed Web Server Users' Manual - Server
Security</title>
<meta name="description" content="LiteSpeed Web Server
Users' Manual - Server Security." />
<meta name="viewport" content="width=device-width,
initial-scale=1.0" />
<meta name="robots" content="noindex">
<link rel="shortcut icon" href="img/favicon.ico"
/>
<link rel="stylesheet" type="text/css"
href="css/hdoc.css">
</head>
<body>
<div class="pagewrapper clearfix"><aside
class="sidetree ls-col-1-5">
<figure>
<img src="img/lsws_logo.svg" alt="LiteSpeed Web
Server logo"
width="100px"/>
</figure>
<h2 class="ls-text-thin">
LiteSpeed Web Server
<br />
<span class="current"><a
href="index.html">Users' Manual</a></span>
</h2>
<h3 class="ls-text-muted">Version 6.3
— Rev. 0</h3>
<hr/>
</aside>
<article class="contentwrapper ls-col-3-5 clearfix">
<h1>Server Security</h1><h2 id="top">Table of
Contents</h2><section class="toc"><section
class="toc-row"><header>Anti-DDoS
Protection</header><p>
<a href="#enableAntiddos">Enable Anti-DDoS
Protection</a> | <a href="#firewallEnable">Enable
Firewall Modifications</a></p></section>
<section class="toc-row"><header>WordPress Brute
Force Attack Protection</header><p>
<a href="#wpProtectAction">Protection Mode</a> |
<a href="#wpProtectLimit">Allowed Login
Attempts</a></p></section>
<section class="toc-row"><header>Web Application
Firewall (WAF)</header><p>
<a href="#enableCensorship">Enable WAF</a> | <a
href="#censorLogLevel">Log Level</a> | <a
href="#defaultAction">Default Action</a> | <a
href="#scanPOST">Scan Request Body</a> | <a
href="#uploadTmpDir">Temporary File Path</a> | <a
href="#uploadTmpFilePermission">Temporary File
Permissions</a> | <a
href="#disableSecHtaccess">Disable .htaccess
Override</a> | <a href="#secAuditLogEngine">Enable
Security Audit Log</a> | <a
href="#secAuditLog">Security Audit Log</a> | <a
href="#useRe2">Use RE2 regex
engine</a></p></section>
<section class="toc-row"><header><a
href="#reqCensorshipRule">Web Application Firewall (WAF) Rule
Set</a></header><p>
<a href="#censorRuleSetName">Name</a> | <a
href="#ruleSetAction">Rule Set Action</a> | <a
href="#censorRuleSetEnabled">Enabled</a> | <a
href="#censorRuleSet">Rules
Definition</a></p></section>
<section class="toc-row"><header><a
href="#perClientConnLimit">Per Client
Throttling</a></header><p>
<a href="#staticReqPerSec">Static Requests/Second</a>
| <a href="#dynReqPerSec">Dynamic Requests/Second</a>
| <a href="#outBandwidth">Outbound Bandwidth
(bytes/sec)</a> | <a href="#inBandwidth">Inbound
Bandwidth (bytes/sec)</a> | <a
href="#softLimit">Connection Soft Limit</a> | <a
href="#hardLimit">Connection Hard Limit</a> | <a
href="#blockBadReq">Block Bad Request</a> | <a
href="#gracePeriod">Grace Period (sec)</a> | <a
href="#banPeriod">Banned Period
(sec)</a></p></section>
<section class="toc-row"><header>File
Access</header><p>
<a href="#followSymbolLink">Follow Symbolic Link</a>
| <a href="#checkSymbolLink">Check Symbolic Link</a>
| <a href="#forceStrictOwnership">Force Strict Ownership
Checking</a> | <a
href="#requiredPermissionMask">Required Permission
Mask</a> | <a
href="#restrictedPermissionMask">Restricted Permission
Mask</a> | <a
href="#restrictedScriptPermissionMask">Script Restricted
Permission Mask</a> | <a
href="#restrictedDirPermissionMask">Script Directory
Restricted Permission Mask</a></p></section>
<section class="toc-row"><header><a
href="#cgiResource">CGI
Settings</a></header><p>
<a href="#cgidSock">CGI Daemon Socket</a> | <a
href="#maxCGIInstances">Max CGI Instances</a> | <a
href="#minUID">Minimum UID</a> | <a
href="#minGID">Minimum GID</a> | <a
href="#forceGID">Force GID</a> | <a
href="#umask">umask</a> | <a
href="#CGIPriority">CGI Priority</a> | <a
href="#CPUSoftLimit">CPU Soft Limit (sec)</a> | <a
href="#CPUHardLimit">CPU Hard Limit</a> | <a
href="#memSoftLimit">Memory Soft Limit (bytes)</a> |
<a href="#memHardLimit">Memory Hard Limit (bytes)</a>
| <a href="#procSoftLimit">Process Soft Limit</a> |
<a href="#procHardLimit">Process Hard Limit</a> |
<a
href="#cgroups">cgroups</a></p></section>
<section class="toc-row"><header><a
href="#lsrecaptcha">reCAPTCHA
Protection</a></header><p>
<a href="#enableRecaptcha">Enable reCAPTCHA</a> |
<a href="#recaptchaSiteKey">Site Key</a> | <a
href="#recaptchaSecretKey">Secret Key</a> | <a
href="#recaptchaType">reCAPTCHA Type</a> | <a
href="#recaptchaSensitivity">Trigger Sensitivity</a> |
<a href="#recaptchaMaxTries">Max Tries</a> | <a
href="#verifyExpires">Verification Expires (secs)</a> |
<a href="#recaptchaAllowedRobotHits">Allowed Robot
Hits</a> | <a href="#recaptchaBotWhiteList">Bot White
List</a></p></section>
<section
class="toc-row"><header>Containers</header><p>
<a href="#bubbleWrap">Bubblewrap Container</a> |
<a href="#bubbleWrapCmd">Bubblewrap Command</a> |
<a href="#namespace">Namespace Container</a> | <a
href="#namespaceConf">Namespace Template
File</a></p></section>
<section class="toc-row"><header>Access Denied
Directories</header><p>
<a href="#accessDenyDir">Access Denied
Directories</a></p></section>
<section class="toc-row"><header><a
href="#accessControl">Access
Control</a></header><p>
<a href="#accessControl_allow">Allowed List</a> |
<a href="#accessControl_deny">Denied
List</a></p></section>
</section>
<section><div class="helpitem"><article
class="ls-helpitem"><div><header
id="enableAntiddos"><h3>Enable Anti-DDoS
Protection<span class="ls-permlink"><a
href="#enableAntiddos"></a></span><span
class="top"><a
href="#top">⇑</a></span></h3></header></div><h4>Description</h4><p>Enables
bot detection and handles detected bots by denying the request or redirecting the
client to reCAPTCHA. If the firewall is enabled, the client IP will be denied
at the firewall level.<br/><br/> Default value is <span
class="val">Yes</span>.</p>
<h4>Syntax</h4><p>Select from radio box</p>
</article> </div>
<div class="helpitem"><article
class="ls-helpitem"><div><header
id="firewallEnable"><h3>Enable Firewall
Modifications<span class="ls-permlink"><a
href="#firewallEnable"></a></span><span
class="top"><a
href="#top">⇑</a></span></h3></header></div><h4>Description</h4><p>Enable
firewall modifications via iptables. iptables must be enabled on this
system for this setting to take effect.<br/><br/> If ipset is
also installed and enabled on this system, it will be used to more
efficiently manage firewall rulesets for iptables.<br/><br/>
Default value is <span
class="val">Yes</span>.</p>
<h4>Syntax</h4><p>Select from radio box</p>
<h4>Tips</h4><p><span title="Performance"
class="ls-icon-performance"></span> ipset should be
installed and enabled on the system to more efficiently manage firewall
rulesets for iptables.</p> </article> </div>
<div class="helpitem"><article
class="ls-helpitem"><div><header
id="wpProtectAction"><h3>Protection Mode<span
class="ls-permlink"><a
href="#wpProtectAction"></a></span><span
class="top"><a
href="#top">⇑</a></span></h3></header></div><h4>Description</h4><p>Specifies
the action to be taken when the specified Allowed Login Attempts limit is
reached within 5 minutes.<br/><br/> <span
class="val">Throttle</span> gradually slows down the
speed of the server response, <span
class="val">Drop</span> severs the connection without
any reply, <span class="val">Deny</span> returns a
403 response, and <span class="val">CAPTCHA or
Drop</span> redirects to a CAPTCHA if reCAPTCHA Protection is enabled
and drops otherwise.<br/><br/> <span
class="val">WP Login CAPTCHA Full Protection</span> can
also be selected. This setting will redirect to a CAPTCHA if reCAPTCHA
Protection is enabled, regardless of the Allowed Login Attempts limit, and falls
back to <span class="val">Throttle</span>
otherwise.<br/><br/> Default values:<br/> <b>Server
level:</b> <span
class="val">Throttle</span><br/> <b>VH
level:</b> Inherit Server level setting. If Server level is set to
<span class="val">Disable</span>, <span
class="val">Throttle</span> will be used.</p>
<h4>Syntax</h4><p>Select from drop down list</p>
<h4>Tips</h4><p><span title="Security"
class="ls-icon-security"></span> Trusted IPs or
sub-networks are not affected.<br/> <span
title="Information"
class="ls-icon-info"></span> This feature is enabled by
default (Throttle) and does not need any further configuration in the
WebAdmin GUI or in Apache configurations.<br/> <span
title="Information"
class="ls-icon-info"></span> This setting will override
Apache conf <span class="val">WordPressProtect</span>
setting for LSWS only. Apache will be unaffected.<br/><br/>
<span title="Information"
class="ls-icon-info"></span> This can be set at the
Server level and overridden at the Virtual Host level. If not overridden
at the Virtual Host level, this setting can also be overridden in a
user's docroot .htaccess file using Apache configuration directive
<span class="val">WordPressProtect</span> with value
<span class="val">0</span> (disabled), <span
class="val">1</span> (use server level setting),
<span class="val">throttle</span>, <span
class="val">deny</span>, or <span
class="val">drop</span>.</p> </article>
</div>
<div class="helpitem"><article
class="ls-helpitem"><div><header
id="wpProtectLimit"><h3>Allowed Login Attempts<span
class="ls-permlink"><a
href="#wpProtectLimit"></a></span><span
class="top"><a
href="#top">⇑</a></span></h3></header></div><h4>Description</h4><p>Specifies
the maximum number of wp-login.php and xmlrpc.php POST attempts allowed by
an IP within 5 minutes before the action specified in <span
class="tagl"><a
href="#wpProtectAction">Protection Mode</a></span>
is taken.<br/><br/> This limit is handled using a quota system
where remaining attempts = limit. Each POST attempt will decrease the
number of remaining attempts by 1, with the number of remaining attempts
increasing back to the set limit over time. An IP will be throttled once
the number of remaining attempts for that IP falls to 1/2 the set limit,
throttling more as the remaining attempts drop further below the 1/2 mark.
When remaining attempts reaches 0, the specified action is taken toward the
IP.<br/><br/> In addition to this, if <span
class="tagl"><a href="#enableRecaptcha">Enable
reCAPTCHA</a></span> is also enabled, additional per-worker
protection will be added. If wp-login.php and xmlrpc.php are visited by the
same worker at a rate of 4x the set limit in a 30 second time frame, those
URLs will be put into reCAPTCHA mode until the number of visits to these
files decreases.<br/><br/> Resetting the server will clear
blocked IPs.<br/><br/> Default values:<br/>
<b>Server-level:</b> <span
class="val">10</span><br/>
<b>VH-Level:</b> Inherit Server level setting</p>
<h4>Syntax</h4><p>Valid Range: 3 - 1000.</p>
<h4>Example</h4><div class="ls-example">With an
Attempt limit of 10, and a Mode of drop:<br/><br/> After the
first POST attempt, the quota is decreased to 9.<br/><br/>
Quota decreases by 1 for each POST attempt.<br/><br/> After
Quota reaches half of the limit (5), the IP will be
throttled.<br/><br/> Throttling will get worse with each POST
attempt.<br/><br/> Once the quota reaches 0, the connection
will be dropped.</div><h4>Tips</h4><p><span
title="Security"
class="ls-icon-security"></span> Trusted IPs or
sub-networks are not affected.<br/><br/> <span
title="Information"
class="ls-icon-info"></span> This setting will override
Apache conf <span class="val">WordPressProtect</span>
setting for LSWS only. Apache will be unaffected.<br/><br/>
<span title="Information"
class="ls-icon-info"></span> This can be set at the
Server level and overridden at the Virtual Host level. If not overridden
at the Virtual Host level, this setting can also be overridden in a
user's docroot .htaccess file using Apache configuration directive
<span class="val">WordPressProtect</span> with
integer value between 3 and 1000.</p> </article> </div>
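<p>The quota described under Allowed Login Attempts, replayed over constructed requests. The Python model below is an added example, not LiteSpeed code: the class and function names, the linear refill rate (the full limit per 5 minutes), the path matching and the absence of a separate block list are assumptions.</p>

```python
import ipaddress
from dataclasses import dataclass

WINDOW_SECONDS = 300  # the manual's 5-minute window
PROTECTED = ("/wp-login.php", "/xmlrpc.php")


@dataclass
class Quota:
    remaining: float   # attempts left for this IP
    last_seen: float   # time of the last counted POST, in seconds


class WpLoginGuard:
    """Per-IP quota for POSTs to wp-login.php / xmlrpc.php (hypothetical model)."""

    def __init__(self, limit=10, action="drop", trusted=()):
        if not 3 <= limit <= 1000:
            raise ValueError("limit must be in the documented range 3 - 1000")
        self.limit = limit
        self.action = action  # what Protection Mode applies once the quota hits 0
        self.trusted = [ipaddress.ip_network(n) for n in trusted]
        self.quotas = {}

    def _trusted(self, ip):
        addr = ipaddress.ip_address(ip)
        return any(addr in net for net in self.trusted)

    def handle(self, now, ip, method, path):
        """Return (verdict, remaining) for one request seen at time `now`."""
        # ASSUMPTION: a request counts when it is a POST whose path (query
        # string stripped) ends in one of the two protected file names.
        counted = method == "POST" and path.split("?", 1)[0].endswith(PROTECTED)
        # Trusted IPs or sub-networks are not affected, per the manual.
        if not counted or self._trusted(ip):
            return ("allow", None)
        q = self.quotas.setdefault(ip, Quota(float(self.limit), now))
        # ASSUMPTION: the manual only says attempts come back "over time";
        # this model refills linearly, the full limit every 5 minutes.
        elapsed = max(0.0, now - q.last_seen)
        refill = elapsed * self.limit / WINDOW_SECONDS
        q.remaining = min(float(self.limit), q.remaining + refill)
        q.last_seen = now
        # Each POST attempt costs one remaining attempt.
        q.remaining = max(0.0, q.remaining - 1)
        if q.remaining == 0:
            # ASSUMPTION: no block list is kept; each attempt is judged
            # from the quota alone.
            return (self.action, q.remaining)
        if q.remaining <= self.limit / 2:
            return ("throttle", q.remaining)
        return ("allow", q.remaining)


def replay(guard, events):
    """Run (time, ip, method, path) tuples through the guard, return verdicts."""
    return [guard.handle(*event)[0] for event in events]


# Constructed sample traffic (documentation address ranges, not real clients).
SAMPLE = (
    [(0, "203.0.113.7", "POST", "/wp-login.php")] * 10
    + [
        (1, "203.0.113.7", "GET", "/wp-login.php"),    # GETs are not counted
        (150, "203.0.113.7", "POST", "/xmlrpc.php"),   # half the quota is back
        (151, "192.0.2.10", "POST", "/wp-login.php"),  # trusted sub-network
    ]
)

if __name__ == "__main__":
    guard = WpLoginGuard(limit=10, action="drop", trusted=["192.0.2.0/24"])
    for event, verdict in zip(SAMPLE, replay(guard, SAMPLE)):
        print(event, "->", verdict)
```

<p>With a limit of 10 and a mode of drop, the first ten POSTs reproduce the manual's own example: throttling starts when the quota reaches 5 and the tenth attempt is dropped.</p>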
<div class="helpitem"><article
class="ls-helpitem"><div><header
id="enableCensorship"><h3>Enable WAF<span
class="ls-permlink"><a
href="#enableCensorship"></a></span><span
class="top"><a
href="#top">⇑</a></span></h3></header></div><h4>Description</h4><p>Specifies
whether to enable request content deep inspection. This feature is
equivalent to Apache's mod_security, which can be used to detect and
block requests with ill intention by matching them to known
signatures.</p> <h4>Syntax</h4><p>Select from radio
box</p> </article> </div>
<div class="helpitem"><article
class="ls-helpitem"><div><header
id="censorLogLevel"><h3>Log Level<span
class="ls-permlink"><a
href="#censorLogLevel"></a></span><span
class="top"><a
href="#top">⇑</a></span></h3></header></div><h4>Description</h4><p>Specifies
the level of detail of the Web Application Firewall engine's debug
output. This value ranges from <span
class="val">0</span> - <span
class="val">9</span>. <span
class="val">0</span> disables logging. <span
class="val">9</span> produces the most detailed log. The
server and virtual host's error log <span
class="tagl"><a
href="ServGeneral_Help.html#log_logLevel">Log
Level</a></span> must be set to at least <span
class="val">INFO</span> for this option to take effect.
This is useful when testing request filtering rules.</p>
<h4>Syntax</h4><p>Integer number</p> <h4>See
Also</h4><p class="ls-text-small">Server <span
class="tagl"><a
href="ServGeneral_Help.html#log_logLevel">Log
Level</a></span>, Virtual Host <span
class="tagl"><a
href="VHGeneral_Help.html#vhlog_logLevel">Log
Level</a></span></p> </article> </div>
<div class="helpitem"><article
class="ls-helpitem"><div><header
id="defaultAction"><h3>Default Action<span
class="ls-permlink"><a
href="#defaultAction"></a></span><span
class="top"><a
href="#top">⇑</a></span></h3></header></div><h4>Description</h4><p>Specifies
the default actions that should be taken when a censoring rule is met.
Default value is <span
class="val">deny,log,status:403</span>, which means to
deny access with status code 403 and log the incident in the error
log.</p> <h4>See Also</h4><p
class="ls-text-small"><span class="tagl"><a
href="#ruleSetAction">Rule Set
Action</a></span></p> </article> </div>
<div class="helpitem"><article
class="ls-helpitem"><div><header
id="scanPOST"><h3>Scan Request Body<span
class="ls-permlink"><a
href="#scanPOST"></a></span><span
class="top"><a
href="#top">⇑</a></span></h3></header></div><h4>Description</h4><p>Specifies
whether to check the body of an HTTP POST request. Default is
"No".</p> <h4>Syntax</h4><p>Select from
radio box</p> </article> </div>
<div class="helpitem"><article
class="ls-helpitem"><div><header
id="uploadTmpDir"><h3>Temporary File Path<span
class="ls-permlink"><a
href="#uploadTmpDir"></a></span><span
class="top"><a
href="#top">⇑</a></span></h3></header></div><h4>Description</h4><p>Temporary
directory where files being uploaded to server will be stored while
request body parser is working. Default value is <span
class="val">/tmp</span>.</p>
<h4>Syntax</h4><p>Absolute path or path starting with
$SERVER_ROOT (for Server and VHost levels).</p> </article>
</div>
<div class="helpitem"><article
class="ls-helpitem"><div><header
id="uploadTmpFilePermission"><h3>Temporary File
Permissions<span class="ls-permlink"><a
href="#uploadTmpFilePermission"></a></span><span
class="top"><a
href="#top">⇑</a></span></h3></header></div><h4>Description</h4><p>Global
setting determining file permissions used for files stored in the
<b>Temporary File Path</b> directory.</p>
<h4>Syntax</h4><p>3-digit octal number. Default value is
666.</p> </article> </div>
<div class="helpitem"><article
class="ls-helpitem"><div><header
id="disableSecHtaccess"><h3>Disable .htaccess
Override<span class="ls-permlink"><a
href="#disableSecHtaccess"></a></span><span
class="top"><a
href="#top">⇑</a></span></h3></header></div><h4>Description</h4><p>Prevents
the mod_security engine from being turned off in .htaccess. This is a global setting only
available at the server level. Default is "No".</p>
<h4>Syntax</h4><p>Select from radio box</p>
</article> </div>
<div class="helpitem"><article
class="ls-helpitem"><div><header
id="secAuditLogEngine"><h3>Enable Security Audit
Log<span class="ls-permlink"><a
href="#secAuditLogEngine"></a></span><span
class="top"><a
href="#top">⇑</a></span></h3></header></div><h4>Description</h4><p>Specifies
whether to enable audit logging and in what format (Native, JSON, or Pretty
JSON). This feature is equivalent to Apache's mod_security audit
engine.<br/><br/> If this setting is enabled and the <span
class="tagl"><a href="#secAuditLog">Security
Audit Log</a></span> setting is set, detailed request
information will be saved.</p>
<h4>Syntax</h4><p>Select from drop down list</p>
<h4>See Also</h4><p
class="ls-text-small"><span class="tagl"><a
href="#secAuditLog">Security Audit
Log</a></span></p> </article> </div>
<div class="helpitem"><article
class="ls-helpitem"><div><header
id="secAuditLog"><h3>Security Audit Log<span
class="ls-permlink"><a
href="#secAuditLog"></a></span><span
class="top"><a
href="#top">⇑</a></span></h3></header></div><h4>Description</h4><p>Specifies
the path of the security audit log, which gives more detailed information.
This extra information can be useful if, for example, you wish to track
the actions of a particular user. Use <span
class="tagl"><a
href="#secAuditLogEngine">Enable Security Audit
Log</a></span> to turn on the logging.</p>
<h4>Syntax</h4><p>Filename which can be an absolute path
or a relative path to $SERVER_ROOT.</p> <h4>See
Also</h4><p class="ls-text-small"><span
class="tagl"><a
href="#secAuditLogEngine">Enable Security Audit
Log</a></span></p> </article> </div>
<div class="helpitem"><article
class="ls-helpitem"><div><header
id="useRe2"><h3>Use RE2 regex engine<span
class="ls-permlink"><a
href="#useRe2"></a></span><span
class="top"><a
href="#top">⇑</a></span></h3></header></div><h4>Description</h4><p>Use
RE2 when evaluating regular expressions instead of
PCRE.<br/><br/> Default value: <span
class="val">No</span></p>
<h4>Syntax</h4><p>Select from radio box</p>
<h4>Tips</h4><p><span title="Information"
class="ls-icon-info"></span> While PCRE provides more
features than RE2, RE2 allows for a defined maximum memory usage and has a
more predictable runtime than PCRE making it more suited for use in server
applications.<br/> <span title="Performance"
class="ls-icon-performance"></span> Unlike PCRE, RE2
uses a fixed stack and guarantees that run-time increases linearly (not
exponentially) with the size of the input.</p> </article>
</div>
<div class="helpitem"><article
class="ls-helpitem"><div><header
id="reqCensorshipRule"><h3>Web Application Firewall
(WAF) Rule Set<span class="ls-permlink"><a
href="#reqCensorshipRule"></a></span><span
class="top"><a
href="#top">⇑</a></span></h3></header></div><h4>Description</h4><p>Rules
configured here only work for virtual hosts configured with a native LSWS
configuration, not for virtual hosts using Apache httpd.conf.</p>
</article> </div>
<div class="helpitem"><article
class="ls-helpitem"><div><header
id="censorRuleSetName"><h3>Name<span
class="ls-permlink"><a
href="#censorRuleSetName"></a></span><span
class="top"><a
href="#top">⇑</a></span></h3></header></div><h4>Description</h4><p>Give
a group of censorship rules a name. For display only.</p>
<h4>Syntax</h4><p>String</p> </article>
</div>
<div class="helpitem"><article
class="ls-helpitem"><div><header
id="ruleSetAction"><h3>Rule Set Action<span
class="ls-permlink"><a
href="#ruleSetAction"></a></span><span
class="top"><a
href="#top">⇑</a></span></h3></header></div><h4>Description</h4><p>Specifies
the actions that should be taken when a censoring rule in current ruleset
is met. If not set, <span class="tagl"><a
href="#defaultAction">Default Action</a></span>
will be used.</p> <h4>Syntax</h4><p>String. This
action string uses the same syntax as Apache's <a href="https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#SecDefaultAction" target="_blank" rel="noopener noreferrer">mod_security SecDefaultAction directive</a>.</p>
</article> </div>
<div class="helpitem"><article
class="ls-helpitem"><div><header
id="censorRuleSetEnabled"><h3>Enabled<span
class="ls-permlink"><a
href="#censorRuleSetEnabled"></a></span><span
class="top"><a
href="#top">⇑</a></span></h3></header></div><h4>Description</h4><p>Specifies
whether to enable this rule set. With this option, a rule set can be
quickly turned on and off without adding or removing the rule set. Default
is "Yes".</p> <h4>Syntax</h4><p>Select
from radio box</p> </article> </div>
<div class="helpitem"><article
class="ls-helpitem"><div><header
id="censorRuleSet"><h3>Rules Definition<span
class="ls-permlink"><a
href="#censorRuleSet"></a></span><span
class="top"><a
href="#top">⇑</a></span></h3></header></div><h4>Description</h4><p>Specifies
a list of censorship rules.<br/><br/> If you are using an
Apache config file, you have to set up rules in httpd.conf. Rules defined
here will have no effect.</p>
<h4>Syntax</h4><p>String. Syntax of censoring rules
follows that of Apache's mod_security directives.
"SecFilter", "SecFilterSelective", and
"SecRule" can be used here. You can copy and paste security
rules from an Apache configuration file.<br/><br/> For more
details about rule syntax, please refer to the <a
href="http://www.modsecurity.org/documentation/index.html"
target="_blank" rel="noopener noreferrer">Mod
Security documentation</a>.</p>
<h4>Tips</h4><p><span title="Information"
class="ls-icon-info"></span> Rules configured here only
work for vhosts configured in native LSWS configuration, not for vhosts
from Apache httpd.conf.</p> </article> </div>
<div class="helpitem"><article
class="ls-helpitem"><div><header
id="perClientConnLimit"><h3>Per Client
Throttling<span class="ls-permlink"><a
href="#perClientConnLimit"></a></span><span
class="top"><a
href="#top">⇑</a></span></h3></header></div><h4>Description</h4><p>These
connection control settings are based on client IP. These settings help
to mitigate DoS (Denial of Service) and DDoS (Distributed Denial of
Service) attacks.</p> </article> </div>
<div class="helpitem"><article
class="ls-helpitem"><div><header
id="staticReqPerSec"><h3>Static Requests/Second<span
class="ls-permlink"><a
href="#staticReqPerSec"></a></span><span
class="top"><a
href="#top">⇑</a></span></h3></header></div><h4>Description</h4><p>Specifies
the maximum number of requests to static content coming from a single IP
address that can be processed in a single second regardless of the number
of connections established.<br/><br/> When this limit is
reached, all future requests are tar-pitted until the next second. Request
limits for dynamically generated content are independent of this limit.
Per-client request limits can be set at server- or virtual host-level.
Virtual host-level settings override server-level settings.</p>
<h4>Syntax</h4><p>Integer number</p>
<h4>Tips</h4><p><span title="Security"
class="ls-icon-security"></span> Trusted IPs or
sub-networks are not affected.</p> <h4>See Also</h4><p
class="ls-text-small"><span class="tagl"><a
href="#dynReqPerSec">Dynamic
Requests/Second</a></span></p> </article>
</div>
<div class="helpitem"><article
class="ls-helpitem"><div><header
id="dynReqPerSec"><h3>Dynamic Requests/Second<span
class="ls-permlink"><a
href="#dynReqPerSec"></a></span><span
class="top"><a
href="#top">⇑</a></span></h3></header></div><h4>Description</h4><p>Specifies
the maximum number of requests to dynamically generated content coming from
a single IP address that can be processed in each second regardless of the
number of connections established. When this limit is reached, all future
requests to dynamic content are tar-pitted until the next
second.<br/><br/> The request limit for static content is
independent of this limit. This per client request limit can be set at
server or virtual host level. Virtual host-level settings override
server-level settings.</p>
<h4>Syntax</h4><p>Integer number</p>
<h4>Tips</h4><p><span title="Security"
class="ls-icon-security"></span> Trusted IPs or
sub-networks are not restrained by this limit.</p> <h4>See
Also</h4><p class="ls-text-small"><span
class="tagl"><a href="#staticReqPerSec">Static
Requests/Second</a></span></p> </article>
</div>
<div class="helpitem"><article
class="ls-helpitem"><div><header
id="outBandwidth"><h3>Outbound Bandwidth
(bytes/sec)<span class="ls-permlink"><a
href="#outBandwidth"></a></span><span
class="top"><a
href="#top">⇑</a></span></h3></header></div><h4>Description</h4><p>The
maximum allowed outgoing throughput to a single IP address, regardless of
the number of connections established. The real bandwidth may end up being
slightly higher than this setting for efficiency reasons. Bandwidth is
allocated in 4KB units. Set to <span
class="val">0</span> to disable throttling. Per-client
bandwidth limits (bytes/sec) can be set at the server or virtual host level
where virtual host level settings override server level settings.</p>
<h4>Syntax</h4><p>Integer number</p>
<h4>Tips</h4><p><span title="Performance"
class="ls-icon-performance"></span> Set the bandwidth in
8KB units for better performance.<br/><br/> <span
title="Security"
class="ls-icon-security"></span> Trusted IPs or
sub-networks are not affected.</p> <h4>See Also</h4><p
class="ls-text-small"><span class="tagl"><a
href="#inBandwidth">Inbound Bandwidth
(bytes/sec)</a></span></p> </article> </div>
<div class="helpitem"><article
class="ls-helpitem"><div><header
id="inBandwidth"><h3>Inbound Bandwidth
(bytes/sec)<span class="ls-permlink"><a
href="#inBandwidth"></a></span><span
class="top"><a
href="#top">⇑</a></span></h3></header></div><h4>Description</h4><p>The
maximum allowed incoming throughput from a single IP address, regardless of
the number of connections established. The real bandwidth may end up being
slightly higher than this setting for efficiency reasons. Bandwidth is
allocated in 1KB units. Set to <span
class="val">0</span> to disable throttling. Per-client
bandwidth limits (bytes/sec) can be set at the server or virtual host level
where virtual host level settings override server level settings.</p>
<h4>Syntax</h4><p>Integer number</p>
<h4>Tips</h4><p><span title="Security"
class="ls-icon-security"></span> Trusted IPs or
sub-networks are not affected.</p> <h4>See Also</h4><p
class="ls-text-small"><span class="tagl"><a
href="#outBandwidth">Outbound Bandwidth
(bytes/sec)</a></span></p> </article> </div>
<div class="helpitem"><article
class="ls-helpitem"><div><header
id="softLimit"><h3>Connection Soft Limit<span
class="ls-permlink"><a
href="#softLimit"></a></span><span
class="top"><a
href="#top">⇑</a></span></h3></header></div><h4>Description</h4><p>Specifies
the soft limit of concurrent connections allowed from one IP. This soft
limit can be exceeded temporarily during <span
class="tagl"><a href="#gracePeriod">Grace
Period (sec)</a></span> as long as the number is below the
<span class="tagl"><a
href="#hardLimit">Connection Hard
Limit</a></span>, but Keep-Alive connections will be closed as
soon as possible until the number of connections is lower than the limit.
If the number of connections is still over the limit after the <span
class="tagl"><a href="#gracePeriod">Grace
Period (sec)</a></span>, that IP will be blocked for the
<span class="tagl"><a
href="#banPeriod">Banned Period
(sec)</a></span>.<br/><br/> For example, if a page
contains many small graphs, the browser may try to set up many connections
at the same time, especially for HTTP/1.0 clients. You would want to allow
those connections for a short period.<br/><br/> HTTP/1.1
clients may also set up multiple connections to speed up downloading and
SSL requires separate connections from non-SSL connections. Make sure the
limit is set properly, so as not to adversely affect normal service. The
recommended limit is between <span
class="val">5</span> and <span
class="val">10</span>.</p>
<h4>Syntax</h4><p>Integer number</p>
<h4>Tips</h4><p><span title="Security"
class="ls-icon-security"></span> A lower number will
enable serving more distinct clients.<br/> <span
title="Security"
class="ls-icon-security"></span> Trusted IPs or
sub-networks are not affected.<br/> <span
title="Performance"
class="ls-icon-performance"></span> Set to a high value
when you are performing benchmark tests with a large number of concurrent
client machines.</p> </article> </div>
<div class="helpitem"><article
class="ls-helpitem"><div><header
id="hardLimit"><h3>Connection Hard Limit<span
class="ls-permlink"><a
href="#hardLimit"></a></span><span
class="top"><a
href="#top">⇑</a></span></h3></header></div><h4>Description</h4><p>Specifies
the maximum number of allowed concurrent connections from a single IP
address. This limit is always enforced and a client will never be able to
exceed this limit. HTTP/1.0 clients usually try to set up as many
connections as they need to download embedded content at the same time.
This limit should be set high enough so that HTTP/1.0 clients can still
access the site. Use <span class="tagl"><a
href="#softLimit">Connection Soft Limit</a></span>
to set the desired connection limit.<br/><br/> The recommended
limit is between <span class="val">20</span> and
<span class="val">50</span> depending on the content
of your web page and your traffic load.</p>
<h4>Syntax</h4><p>Integer number</p>
<h4>Tips</h4><p><span title="Security"
class="ls-icon-security"></span> A lower number will
enable serving more distinct clients.<br/> <span
title="Security"
class="ls-icon-security"></span> Trusted IPs or
sub-networks are not affected.<br/> <span
title="Performance"
class="ls-icon-performance"></span> Set to a high value
when you are performing benchmark tests with a large number of concurrent
client machines.</p> </article> </div>
<div class="helpitem"><article
class="ls-helpitem"><div><header
id="blockBadReq"><h3>Block Bad Request<span
class="ls-permlink"><a
href="#blockBadReq"></a></span><span
class="top"><a
href="#top">⇑</a></span></h3></header></div><h4>Description</h4><p>Block
IPs that keep sending badly-formatted HTTP requests for the <span
class="tagl"><a href="#banPeriod">Banned
Period (sec)</a></span>. Default is <span
class="val">Yes</span>. This helps to block botnet
attacks that repeatedly send junk requests.</p>
<h4>Syntax</h4><p>Select from radio box</p>
</article> </div>
<div class="helpitem"><article
class="ls-helpitem"><div><header
id="gracePeriod"><h3>Grace Period (sec)<span
class="ls-permlink"><a
href="#gracePeriod"></a></span><span
class="top"><a
href="#top">⇑</a></span></h3></header></div><h4>Description</h4><p>Specifies
how long new connections can be accepted after the number of connections
established from one IP is over the <span
class="tagl"><a href="#softLimit">Connection
Soft Limit</a></span>. Within this period, new connections will
be accepted if the total number of connections is still below the <span
class="tagl"><a href="#hardLimit">Connection
Hard Limit</a></span>. After this period has elapsed, if the
number of connections is still higher than the <span
class="tagl"><a href="#softLimit">Connection
Soft Limit</a></span>, then the offending IP will be blocked
for the <span class="tagl"><a
href="#banPeriod">Banned Period
(sec)</a></span>.</p>
<h4>Syntax</h4><p>Integer number</p>
<h4>Tips</h4><p><span title="Performance"
class="ls-icon-performance"></span><span
title="Security"
class="ls-icon-security"></span> Set to a proper number
big enough for downloading a complete page but low enough to prevent
deliberate attacks.</p> </article> </div>
<div class="helpitem"><article
class="ls-helpitem"><div><header
id="banPeriod"><h3>Banned Period (sec)<span
class="ls-permlink"><a
href="#banPeriod"></a></span><span
class="top"><a
href="#top">⇑</a></span></h3></header></div><h4>Description</h4><p>Specifies
how long new connections will be rejected from an IP if, after the <span
class="tagl"><a href="#gracePeriod">Grace
Period (sec)</a></span> has elapsed, the number of connections
is still more than the <span class="tagl"><a
href="#softLimit">Connection Soft
Limit</a></span>. If IPs are getting banned repeatedly, we
suggest that you increase your banned period to stiffen the penalty for
abuse.</p> <h4>Syntax</h4><p>Integer
number</p> </article> </div>
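<p>How the four settings above interact, as an added Python model that is not LiteSpeed's own code. The limit values, addresses and event times are constructed; the model assumes the grace period is evaluated when a new connection arrives, and it does not model the closing of Keep-Alive connections.</p>

```python
"""Simplified model of the per-IP connection limits (illustration only)."""
from dataclasses import dataclass, field

ACCEPT, HARD_LIMIT, BANNED = "accept", "reject: hard limit", "reject: banned"


@dataclass
class PerIpThrottle:
    soft_limit: int        # Connection Soft Limit
    hard_limit: int        # Connection Hard Limit
    grace_period: float    # Grace Period (sec)
    banned_period: float   # Banned Period (sec)
    open_conns: dict = field(default_factory=dict)    # ip -> open connections
    over_since: dict = field(default_factory=dict)    # ip -> time soft limit was first exceeded
    banned_until: dict = field(default_factory=dict)  # ip -> time the ban ends

    def connect(self, ip, now):
        """Return the decision for a new connection from `ip` at time `now`."""
        if now < self.banned_until.get(ip, 0.0):
            return BANNED
        started = self.over_since.get(ip)
        if started is not None and now - started > self.grace_period:
            # Grace period elapsed while still above the soft limit: ban the IP.
            self.banned_until[ip] = now + self.banned_period
            del self.over_since[ip]
            return BANNED
        count = self.open_conns.get(ip, 0)
        if count >= self.hard_limit:
            return HARD_LIMIT                      # the hard limit is never exceeded
        self.open_conns[ip] = count + 1
        if count + 1 > self.soft_limit:
            self.over_since.setdefault(ip, now)    # the grace period starts here
        return ACCEPT

    def close(self, ip):
        """Record that one connection from `ip` was closed."""
        count = max(self.open_conns.get(ip, 0) - 1, 0)
        self.open_conns[ip] = count
        if count <= self.soft_limit:
            self.over_since.pop(ip, None)          # back at or under the soft limit


def replay(throttle, ip, events):
    """Feed (time, "open" | "close") events for one IP; return the open decisions."""
    decisions = []
    for now, action in events:
        if action == "open":
            decisions.append(throttle.connect(ip, now))
        else:
            throttle.close(ip)
    return decisions


def demo():
    """Constructed traffic from three documentation-range addresses."""
    throttle = PerIpThrottle(soft_limit=5, hard_limit=20, grace_period=15, banned_period=60)
    traffic = {
        # Burst of 8 connections that drops back under the soft limit within 2 s.
        "browser": ("198.51.100.10", [(0, "open")] * 8 + [(2, "close")] * 4 + [(20, "open")]),
        # Holds 12 connections open and keeps asking for more.
        "hoarder": ("203.0.113.7", [(0, "open")] * 12 + [(t, "open") for t in (10, 16, 30, 77)]),
        # Tries to open 25 connections at once.
        "flood": ("192.0.2.99", [(0, "open")] * 25),
    }
    return {name: replay(throttle, ip, events) for name, (ip, events) in traffic.items()}


if __name__ == "__main__":
    for name, decisions in demo().items():
        print(name, decisions)
```

<p>The browser-style burst is never penalised, the client that stays above the soft limit past the grace period is banned until the banned period ends, and the flood stops at the hard limit immediately.</p>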
<div class="helpitem"><article
class="ls-helpitem"><div><header
id="followSymbolLink"><h3>Follow Symbolic Link<span
class="ls-permlink"><a
href="#followSymbolLink"></a></span><span
class="top"><a
href="#top">⇑</a></span></h3></header></div><h4>Description</h4><p>Specifies
the server-level default setting of following symbolic links when serving
static files.<br/><br/> Choices are <span
class="val">Yes</span>, <span
class="val">If Owner Match</span> and <span
class="val">No</span>.<br/><br/> <span
class="val">Yes</span> sets the server to always follow
symbolic links. <span class="val">If Owner
Match</span> sets the server to follow a symbolic link only if the
owner of the link and of the target are the same. <span
class="val">No</span> means the server will never follow
a symbolic link. This setting can be overridden in the virtual host
configurations but cannot be overridden from an .htaccess file.</p>
<h4>Syntax</h4><p>Select from drop down list</p>
<h4>Tips</h4><p><span title="Performance"
class="ls-icon-performance"></span><span
title="Security"
class="ls-icon-security"></span> For best security
select <span class="val">No</span> or <span
class="val">If Owner Match</span>. For best performance,
select <span class="val">Yes</span>.</p>
<h4>See Also</h4><p
class="ls-text-small"><span class="tagl"><a
href="#checkSymbolLink">Check Symbolic
Link</a></span>.</p> </article> </div>
<div class="helpitem"><article
class="ls-helpitem"><div><header
id="checkSymbolLink"><h3>Check Symbolic Link<span
class="ls-permlink"><a
href="#checkSymbolLink"></a></span><span
class="top"><a
href="#top">⇑</a></span></h3></header></div><h4>Description</h4><p>Specifies
whether to check symbolic links against <span
class="tagl"><a href="#accessDenyDir">Access
Denied Directories</a></span> when <span
class="tagl"><a
href="#followSymbolLink">Follow Symbolic
Link</a></span> is turned on. If enabled, the canonical real
path of the resource referred to by a URL will be checked against the
configurable access denied directories. Access will be denied if it falls
inside an access denied directory.</p>
<h4>Syntax</h4><p>Select from radio box</p>
<h4>Tips</h4><p><span title="Performance"
class="ls-icon-performance"></span><span
title="Security"
class="ls-icon-security"></span> For best security,
enable this option. For best performance, disable it.</p>
<h4>See Also</h4><p
class="ls-text-small"><span class="tagl"><a
href="#followSymbolLink">Follow Symbolic
Link</a></span>, <span class="tagl"><a
href="#accessDenyDir">Access Denied
Directories</a></span></p> </article> </div>
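<p>The two symbolic link settings above, as an added Python model that is not LiteSpeed's own code. The directory layout and file names are constructed, the function names are hypothetical, and the <code>target_uid</code> hook exists only so that a target owned by another user can be simulated without root.</p>

```python
"""Model of the Follow Symbolic Link / Check Symbolic Link decisions (illustration only)."""
import os
import tempfile


def _inside(path, directory):
    """True if the canonical `path` is `directory` or lies below it."""
    return os.path.commonpath([path, directory]) == directory


def decide(docroot, rel_path, follow, check_symlink, denied_dirs,
           target_uid=lambda p: os.stat(p).st_uid):
    """Return "serve" or a "deny: ..." reason for docroot/rel_path.

    follow is "Yes", "If Owner Match" or "No"; denied_dirs models the
    Access Denied Directories list.
    """
    full = os.path.join(docroot, rel_path)
    if not os.path.exists(full):                 # also catches dangling links
        return "deny: not found"
    current = docroot
    for part in rel_path.split("/"):
        current = os.path.join(current, part)
        if not os.path.islink(current):
            continue
        if follow == "No":
            return "deny: symbolic link"
        if follow == "If Owner Match" and os.lstat(current).st_uid != target_uid(current):
            return "deny: link and target owners differ"
    if check_symlink:
        # Compare the canonical real path, not the URL path, with the denied list.
        real = os.path.realpath(full)
        if any(_inside(real, os.path.realpath(d)) for d in denied_dirs):
            return "deny: access denied directory"
    return "serve"


def demo():
    """Build a constructed docroot with one harmless and one leaking link."""
    with tempfile.TemporaryDirectory() as tmp:
        docroot, secret = os.path.join(tmp, "docroot"), os.path.join(tmp, "secret")
        os.mkdir(docroot)
        os.mkdir(secret)
        for path in (os.path.join(docroot, "index.html"), os.path.join(secret, "keys.txt")):
            with open(path, "w") as handle:
                handle.write("constructed sample\n")
        os.symlink(os.path.join(docroot, "index.html"), os.path.join(docroot, "alias.html"))
        os.symlink(os.path.join(secret, "keys.txt"), os.path.join(docroot, "leak.txt"))
        denied = [secret]

        def other_owner(path):
            # Stub: pretend the link target belongs to a different user.
            return os.lstat(path).st_uid + 1

        return {
            "plain file / No": decide(docroot, "index.html", "No", True, denied),
            "alias / No": decide(docroot, "alias.html", "No", True, denied),
            "alias / If Owner Match": decide(docroot, "alias.html", "If Owner Match", True, denied),
            "alias / other owner": decide(docroot, "alias.html", "If Owner Match", True, denied,
                                          target_uid=other_owner),
            "leak / Yes, unchecked": decide(docroot, "leak.txt", "Yes", False, denied),
            "leak / If Owner Match, unchecked": decide(docroot, "leak.txt", "If Owner Match",
                                                       False, denied),
            "leak / Yes, checked": decide(docroot, "leak.txt", "Yes", True, denied),
        }


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case:35} {verdict}")
```

<p>A link whose owner also owns the target passes <span class="val">If Owner Match</span>, so only the canonical path check stops the link into the denied directory.</p>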
<div class="helpitem"><article
class="ls-helpitem"><div><header
id="forceStrictOwnership"><h3>Force Strict Ownership
Checking<span class="ls-permlink"><a
href="#forceStrictOwnership"></a></span><span
class="top"><a
href="#top">⇑</a></span></h3></header></div><h4>Description</h4><p>Specifies
whether to enforce strict file ownership checking. If it is enabled, the
web server will check if the owner of the file being served is the same as
the owner of the virtual host. If it is different, a 403 Access Denied
Error will be returned. This is turned off by default.</p>
<h4>Syntax</h4><p>Select from radio box</p>
<h4>Tips</h4><p><span title="Security"
class="ls-icon-security"></span> For shared hosting,
enable this check for better security.</p> </article>
</div>
<div class="helpitem"><article
class="ls-helpitem"><div><header
id="requiredPermissionMask"><h3>Required Permission
Mask<span class="ls-permlink"><a
href="#requiredPermissionMask"></a></span><span
class="top"><a
href="#top">⇑</a></span></h3></header></div><h4>Description</h4><p>Specifies
the required permission mask for static files that the server will serve.
For example, if only files that are readable by everyone can be served, set
the value to <span class="val">0004</span>. See
<span class="cmd">man 2 stat</span> for all
values.</p> <h4>Syntax</h4><p>octal
numbers</p> <h4>See Also</h4><p
class="ls-text-small"><span class="tagl"><a
href="#restrictedPermissionMask">Restricted Permission
Mask</a></span>.</p> </article> </div>
<div class="helpitem"><article
class="ls-helpitem"><div><header
id="restrictedPermissionMask"><h3>Restricted Permission
Mask<span class="ls-permlink"><a
href="#restrictedPermissionMask"></a></span><span
class="top"><a
href="#top">⇑</a></span></h3></header></div><h4>Description</h4><p>Specifies
the restricted permission mask for static files that the server will not
serve. For example, to prohibit serving files that are executable, set the
mask to <span
class="val">0111</span>.<br/><br/> See
<span class="cmd">man 2 stat</span> for all
values.</p> <h4>Syntax</h4><p>octal
numbers</p> <h4>See Also</h4><p
class="ls-text-small"><span class="tagl"><a
href="#requiredPermissionMask">Required Permission
Mask</a></span>.</p> </article> </div>
<div class="helpitem"><article
class="ls-helpitem"><div><header
id="restrictedScriptPermissionMask"><h3>Script
Restricted Permission Mask<span class="ls-permlink"><a
href="#restrictedScriptPermissionMask"></a></span><span
class="top"><a
href="#top">⇑</a></span></h3></header></div><h4>Description</h4><p>Specifies
the restricted permission mask for script files that the server will not
serve. For example, to prohibit serving PHP scripts that are group and
world writable, set the mask to <span
class="val">022</span>. Default value is <span
class="val">000</span>.<br/><br/> See
<span class="cmd">man 2 stat</span> for all
values.</p> <h4>Syntax</h4><p>octal
numbers</p> <h4>See Also</h4><p
class="ls-text-small"><span class="tagl"><a
href="#restrictedDirPermissionMask">Script Directory
Restricted Permission Mask</a></span>.</p>
</article> </div>
<div class="helpitem"><article
class="ls-helpitem"><div><header
id="restrictedDirPermissionMask"><h3>Script Directory
Restricted Permission Mask<span class="ls-permlink"><a
href="#restrictedDirPermissionMask"></a></span><span
class="top"><a
href="#top">⇑</a></span></h3></header></div><h4>Description</h4><p>Specifies
the restricted permission mask of parent directories of script files that
the server will not serve. For example, to prohibit serving PHP scripts in
a directory that is group and world writable, set the mask to <span
class="val">022</span>. Default value is <span
class="val">000</span>. This option can be used to
prevent serving scripts under a directory of uploaded
files.<br/><br/> See <span class="cmd">man 2
stat</span> for all values.</p>
<h4>Syntax</h4><p>octal numbers</p> <h4>See
Also</h4><p class="ls-text-small"><span
class="tagl"><a
href="#restrictedScriptPermissionMask">Script Restricted
Permission Mask</a></span>.</p> </article>
</div>
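<p>The four permission masks above applied to a constructed docroot, as an added Python model that is not LiteSpeed's own code. It assumes that every bit of the required mask must be set, that any set bit of a restricted mask blocks the file, and that the directory mask is checked on each directory from the script up to the docroot; file names and modes are constructed.</p>

```python
"""Model of the four permission-mask checks (illustration only)."""
import os
import stat
import tempfile


def _perms(path):
    """Permission bits of `path` as reported by stat(2)."""
    return stat.S_IMODE(os.stat(path).st_mode)


def static_verdict(path, required_mask, restricted_mask):
    """Required Permission Mask and Restricted Permission Mask for static files."""
    perms = _perms(path)
    if (perms & required_mask) != required_mask:
        return "deny: required bits missing"
    if perms & restricted_mask:
        return "deny: restricted bits set"
    return "serve"


def script_verdict(path, docroot, script_mask, dir_mask):
    """Script Restricted and Script Directory Restricted Permission Masks."""
    if _perms(path) & script_mask:
        return "deny: script has restricted bits"
    directory = os.path.dirname(path)
    while True:
        if _perms(directory) & dir_mask:
            return "deny: directory has restricted bits"
        parent = os.path.dirname(directory)
        if directory == docroot or parent == directory:   # reached docroot or "/"
            return "serve"
        directory = parent


def _make(path, mode, is_dir=False):
    """Create a file or directory and set its mode explicitly (ignores umask)."""
    if is_dir:
        os.mkdir(path)
    else:
        open(path, "w").close()
    os.chmod(path, mode)
    return path


def demo(required=0o004, restricted=0o111, script=0o022, script_dir=0o022):
    """Evaluate constructed files against the example masks given in the text."""
    with tempfile.TemporaryDirectory() as tmp:
        docroot = _make(os.path.join(tmp, "docroot"), 0o755, is_dir=True)
        _make(os.path.join(docroot, "app"), 0o755, is_dir=True)
        _make(os.path.join(docroot, "uploads"), 0o777, is_dir=True)   # upload area
        static_files = {"page.html": 0o644, "private.txt": 0o600, "tool.sh": 0o755}
        scripts = {"app/index.php": 0o644, "app/loose.php": 0o666,
                   "uploads/avatar.php": 0o644}
        verdicts = {}
        for name, mode in static_files.items():
            path = _make(os.path.join(docroot, name), mode)
            verdicts[name] = static_verdict(path, required, restricted)
        for name, mode in scripts.items():
            path = _make(os.path.join(docroot, name), mode)
            verdicts[name] = script_verdict(path, docroot, script, script_dir)
        return verdicts


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:20} {verdict}")
```

<p>The script under <code>uploads/</code> has safe permissions itself and is refused only because its directory is group and world writable, which is the uploaded-files case the directory mask is meant for.</p>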
<div class="helpitem"><article
class="ls-helpitem"><div><header
id="cgiResource"><h3>CGI Settings<span
class="ls-permlink"><a
href="#cgiResource"></a></span><span
class="top"><a
href="#top">⇑</a></span></h3></header></div><h4>Description</h4><p>The
following settings control CGI processes. Memory and process limits also
serve as the default for other external applications if limits have not
been set explicitly for those applications.</p> </article>
</div>
<div class="helpitem"><article
class="ls-helpitem"><div><header
id="cgidSock"><h3>CGI Daemon Socket<span
class="ls-permlink"><a
href="#cgidSock"></a></span><span
class="top"><a
href="#top">⇑</a></span></h3></header></div><h4>Description</h4><p>A
unique socket address used to communicate with the CGI daemon. LiteSpeed
server uses a standalone CGI daemon to spawn CGI scripts for best
performance and security. If you need to change this location, specify a
Unix domain socket here.<br/><br/> Default value: <span
class="val">uds://$SERVER_ROOT/admin/lscgid/.cgid.sock</span></p>
<h4>Syntax</h4><p>UDS://path</p>
<h4>Example</h4><div
class="ls-example">UDS://tmp/lshttpd/cgid.sock</div></article>
</div>
<div class="helpitem"><article
class="ls-helpitem"><div><header
id="maxCGIInstances"><h3>Max CGI Instances<span
class="ls-permlink"><a
href="#maxCGIInstances"></a></span><span
class="top"><a
href="#top">⇑</a></span></h3></header></div><h4>Description</h4><p>Specifies
the maximum number of concurrent CGI processes the server can start. For
each request to a CGI script, the server needs to start a standalone CGI
process. On a Unix system, the number of concurrent processes is limited.
Excessive concurrent processes will degrade the performance of the whole
system and are one way to perform a DoS attack. LiteSpeed server pipelines
requests to CGI scripts and limits concurrent CGI processes to ensure the
optimal performance and reliability. The hard limit is <span
class="val">2000</span>.</p>
<h4>Syntax</h4><p>Integer number</p>
<h4>Tips</h4><p><span title="Security"
class="ls-icon-security"></span><span
title="Performance"
class="ls-icon-performance"></span> A higher limit does
not necessarily translate to faster performance. In most cases, a lower
limit gives better performance and security. A higher limit will only help
when I/O latency is excessive during CGI processing.</p>
</article> </div>
<div class="helpitem"><article
class="ls-helpitem"><div><header
id="minUID"><h3>Minimum UID<span
class="ls-permlink"><a
href="#minUID"></a></span><span
class="top"><a
href="#top">⇑</a></span></h3></header></div><h4>Description</h4><p>Specifies
the minimum user ID allowed to run external applications when running as a
specified user. Execution of an external script with a user ID lower than
the value specified here will be denied.</p>
<h4>Syntax</h4><p>Integer number</p>
<h4>Tips</h4><p><span title="Security"
class="ls-icon-security"></span> Set it high enough to
exclude all system/privileged users.</p> </article>
</div>
<div class="helpitem"><article
class="ls-helpitem"><div><header
id="minGID"><h3>Minimum GID<span
class="ls-permlink"><a
href="#minGID"></a></span><span
class="top"><a
href="#top">⇑</a></span></h3></header></div><h4>Description</h4><p>Specifies
the minimum group ID allowed to run external applications when running as a
specified group. Execution of an external script with a group ID lower than
the value specified here will be denied.</p>
<h4>Syntax</h4><p>Integer number</p>
<h4>Tips</h4><p><span title="Security"
class="ls-icon-security"></span> Set it high enough to
exclude all groups used by system users.</p> </article>
</div>
<div class="helpitem"><article
class="ls-helpitem"><div><header
id="forceGID"><h3>Force GID<span
class="ls-permlink"><a
href="#forceGID"></a></span><span
class="top"><a
href="#top">⇑</a></span></h3></header></div><h4>Description</h4><p>Specifies
a group ID to be used for all external applications started in suEXEC mode.
When set to a non-zero value, all suEXEC external applications
(CGI/FastCGI/LSAPI) will use this group ID. This can be used to prevent an
external application from accessing files owned by other
users.<br/><br/> For example, in a shared hosting environment,
LiteSpeed runs as user "www-data", group "www-data".
Each docroot is owned by a user account, with a group of
"www-data" and permission mode 0750. If Force GID is set to
"nogroup" (or any group other than "www-data"), all
suEXEC external applications will run as a particular user but in the group
"nogroup". These external application processes will still be
able to access files owned by that particular user (because of their user
ID), but will not have group permission to access anyone else's files.
The server, on the other hand, still can serve files under any user's
docroot directory (because of its group ID).</p>
<h4>Syntax</h4><p>Integer number</p>
<h4>Tips</h4><p><span title="Security"
class="ls-icon-security"></span> Set it high enough to
exclude all groups used by system users.</p> </article>
</div>
<div class="helpitem"><article
class="ls-helpitem"><div><header
id="umask"><h3>umask<span
class="ls-permlink"><a
href="#umask"></a></span><span
class="top"><a
href="#top">⇑</a></span></h3></header></div><h4>Description</h4><p>Sets
default umask for CGI processes. See <span class="cmd"> man
2 umask </span> for details. This also serves as the default value
for external applications <span class="tagl"><a
href="ExtApp_Help.html#extUmask">umask</a></span>.</p>
<h4>Syntax</h4><p>value valid range
[000]-[777].</p> <h4>See Also</h4><p
class="ls-text-small">ExtApp <span
class="tagl"><a
href="ExtApp_Help.html#extUmask">umask</a></span></p>
</article> </div>
<div class="helpitem"><article
class="ls-helpitem"><div><header
id="CGIPriority"><h3>CGI Priority<span
class="ls-permlink"><a
href="#CGIPriority"></a></span><span
class="top"><a
href="#top">⇑</a></span></h3></header></div><h4>Description</h4><p>Specifies
priority of the external application process. Value ranges from <span
class="val">-20</span> to <span
class="val">20</span>. A lower number means a higher
priority.<br/><br/> A CGI process cannot have a higher priority
than the web server. If this priority is set to a lower number than the
server's, the server's priority will be used for this
value.</p> <h4>Syntax</h4><p>int</p>
<h4>See Also</h4><p
class="ls-text-small">Server <span
class="tagl"><a
href="ServGeneral_Help.html#serverPriority">Priority</a></span></p>
</article> </div>
<div class="helpitem"><article
class="ls-helpitem"><div><header
id="CPUSoftLimit"><h3>CPU Soft Limit (sec)<span
class="ls-permlink"><a
href="#CPUSoftLimit"></a></span><span
class="top"><a
href="#top">⇑</a></span></h3></header></div><h4>Description</h4><p>Specifies
CPU consumption time limit in seconds for a CGI process. When the process
reaches the soft limit, it will be notified by a signal. The operating
system's default setting will be used if the value is absent or set to
<span class="val">0</span>.</p>
<h4>Syntax</h4><p>Integer number</p>
</article> </div>
<div class="helpitem"><article
class="ls-helpitem"><div><header
id="CPUHardLimit"><h3>CPU Hard Limit<span
class="ls-permlink"><a
href="#CPUHardLimit"></a></span><span
class="top"><a
href="#top">⇑</a></span></h3></header></div><h4>Description</h4><p>Specifies
maximum CPU consumption time limit in seconds for a CGI process. If the
process continues to consume CPU time and reaches the hard limit, the process
will be forcibly killed. The operating system's default setting will be
used if the value is absent or set to <span
class="val">0</span>.</p>
<h4>Syntax</h4><p>Integer number</p>
</article> </div>
<div class="helpitem"><article
class="ls-helpitem"><div><header
id="memSoftLimit"><h3>Memory Soft Limit (bytes)<span
class="ls-permlink"><a
href="#memSoftLimit"></a></span><span
class="top"><a
href="#top">⇑</a></span></h3></header></div><h4>Description</h4><p>Specifies
the memory consumption limit in bytes for an external application process
or an external application started by the server.<br/><br/> The
main purpose of this limit is to prevent excessive memory usage because of
software bugs or intentional attacks, not to impose a limit on normal
usage. Make sure to leave enough headroom; otherwise, your application may
fail and a 503 error may be returned. It can be set at the server level or
at an individual external application level. The server-level limit will be
used if it is not set at the individual application
level.<br/><br/> The operating system's default setting
will be used if the value is absent at both levels or set to <span
class="val">0</span>.</p>
<h4>Syntax</h4><p>Integer number</p>
<h4>Tips</h4><p><span title="Attention"
class="ls-icon-attention"></span> Do not over adjust
this limit. This may result in 503 errors if your application needs more
memory.</p> </article> </div>
<div class="helpitem"><article
class="ls-helpitem"><div><header
id="memHardLimit"><h3>Memory Hard Limit (bytes)<span
class="ls-permlink"><a
href="#memHardLimit"></a></span><span
class="top"><a
href="#top">⇑</a></span></h3></header></div><h4>Description</h4><p>Much
the same as <span class="tagl"><a
href="#memSoftLimit">Memory Soft Limit
(bytes)</a></span>, except the soft limit can be raised up to
the hard limit from within a user process. The hard limit can be set at
server level or at an individual external application level. The
server-level limit will be used if it is not set at an individual
application level.<br/><br/> The operating system's
default will be used if the value is absent at both levels or set to
<span class="val">0</span>.</p>
<h4>Syntax</h4><p>Integer number</p>
<h4>Tips</h4><p><span title="Attention"
class="ls-icon-attention"></span> Do not over adjust
this limit. This may result in 503 errors if your application needs more
memory.</p> </article> </div>
<div class="helpitem"><article
class="ls-helpitem"><div><header
id="procSoftLimit"><h3>Process Soft Limit<span
class="ls-permlink"><a
href="#procSoftLimit"></a></span><span
class="top"><a
href="#top">⇑</a></span></h3></header></div><h4>Description</h4><p>Limits
the total number of processes that can be created on behalf of a user. All
existing processes will be counted against this limit, not just new
processes to be started.<br/><br/> The limit can be set at the
server level or at an individual external application level. The
server-level limit will be used if it is not set at an individual
application level. The operating system's default setting will be used
if this value is 0 or absent at both levels.</p>
<h4>Syntax</h4><p>Integer number</p>
<h4>Tips</h4><p><span title="Information"
class="ls-icon-info"></span> To control how many
processes LSWS will make for users in mod_suEXEC mode, use the suEXEC Max
Conn setting. PHP scripts can call for forking processes and the number of
processes needed for normal functioning can be above the suEXEC Max Conn
setting. The main purpose of this limit is as a last line of defense to
prevent fork bombs and other attacks caused by PHP processes creating other
processes.<br/><br/> Setting this value too low can severely
hurt functionality. The setting will thus be ignored below certain
levels.<br/><br/> When <b>Run On Start Up</b> is
set to "Yes (Daemon mode)", the actual process limit will be
higher than this setting to make sure parent processes are not
limited.</p> </article> </div>
<div class="helpitem"><article
class="ls-helpitem"><div><header
id="procHardLimit"><h3>Process Hard Limit<span
class="ls-permlink"><a
href="#procHardLimit"></a></span><span
class="top"><a
href="#top">⇑</a></span></h3></header></div><h4>Description</h4><p>Much
the same as <span class="tagl"><a
href="#procSoftLimit">Process Soft
Limit</a></span>, except the soft limit can be raised up to the
hard limit from within a user process. The hard limit can be set at the
server level or at an individual external application level. The
server-level limit will be used if it is not set at an individual
application level. The operating system's default value will be used
if the value is absent at both levels or set to <span
class="val">0</span>.</p>
<h4>Syntax</h4><p>Integer number</p>
</article> </div>
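<p>The soft and hard limit behaviour described for the CPU and process limits above, shown from inside a child process. This is an added Python example for Linux, not LiteSpeed's own code, and it assumes the settings correspond to the POSIX resource limits <code>RLIMIT_CPU</code> and <code>RLIMIT_NPROC</code>; the limit values are constructed and the run burns about two seconds of CPU.</p>

```python
"""Soft vs. hard resource limits as seen by a child process (illustration only, Linux)."""
import subprocess
import sys

# Code executed in the child; the parent process keeps its own limits.
CHILD = r'''
import resource, signal

# Process limit: choose a hard limit this process may set, start with a lower soft limit.
_, cur_hard = resource.getrlimit(resource.RLIMIT_NPROC)
hard = 256 if cur_hard == resource.RLIM_INFINITY or cur_hard > 256 else cur_hard
resource.setrlimit(resource.RLIMIT_NPROC, (hard // 2, hard))
resource.setrlimit(resource.RLIMIT_NPROC, (hard, hard))    # soft raised up to hard: allowed
print("soft raised to hard", flush=True)
try:
    resource.setrlimit(resource.RLIMIT_NPROC, (hard + 1, hard))
except ValueError:
    print("soft above hard refused", flush=True)

# CPU limit: 1 s soft (notification by SIGXCPU), 2 s hard (the kernel sends SIGKILL).
signal.signal(signal.SIGXCPU,
              lambda signum, frame: print("SIGXCPU at soft limit", flush=True))
resource.setrlimit(resource.RLIMIT_CPU, (1, 2))
while True:      # burn CPU until the kernel ends the process
    pass
'''


def run_limited_child(timeout=30):
    """Run the child and return (lines it printed, its return code)."""
    proc = subprocess.run([sys.executable, "-c", CHILD],
                          capture_output=True, text=True, timeout=timeout)
    return proc.stdout.splitlines(), proc.returncode


if __name__ == "__main__":
    lines, code = run_limited_child()
    print(lines, "return code:", code)
```

<p>A negative return code is the number of the signal that ended the child, so <code>-9</code> means it was killed by SIGKILL at the hard limit.</p>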
<div class="helpitem"><article
class="ls-helpitem"><div><header
id="cgroups"><h3>cgroups<span
class="ls-permlink"><a
href="#cgroups"></a></span><span
class="top"><a
href="#top">⇑</a></span></h3></header></div><h4>Description</h4><p>A
Linux kernel feature that limits, accounts for, and isolates the resource
usage (CPU, memory, disk I/O, network, etc.) of a collection of processes.
You must be running cgroups v2, which is determined by the existence of the
file <span
class="val">/sys/fs/cgroup/cgroup.controllers</span>.<br/><br/>
Setting this to <span class="val">Disabled</span> at
the Server level will disable this setting server-wide. In all other cases,
the Server level setting can be overridden at the Virtual Host
level.<br/><br/> Default values:<br/> <b>Server
level:</b> Off<br/> <b>VH level:</b> Inherit Server
level setting</p> <h4>Syntax</h4><p>Select from
drop down list</p> </article> </div>
<div class="helpitem"><article
class="ls-helpitem"><div><header
id="lsrecaptcha"><h3>reCAPTCHA Protection<span
class="ls-permlink"><a
href="#lsrecaptcha"></a></span><span
class="top"><a
href="#top">⇑</a></span></h3></header></div><h4>Description</h4><p>reCAPTCHA
Protection is a service provided as a way to mitigate heavy server load.
reCAPTCHA Protection will activate after one of the below situations is
hit. Once active, all requests by non-trusted (as configured) clients will
be redirected to a reCAPTCHA validation page. After validation, the client
will be redirected to their desired page.<br/><br/> The
following situations will activate reCAPTCHA Protection:<br/> 1. The
server or vhost concurrent requests count passes the configured connection
limit.<br/> 2. Anti-DDoS is enabled and a client is hitting a URL in
a suspicious manner. The client will redirect to reCAPTCHA first instead of
getting denied when triggered.<br/> 3. WordPress Brute Force Attack
Protection is enabled and action is set to 'CAPTCHA or Drop'. When a
brute force attack is detected, the client will redirect to reCAPTCHA
first. After max tries is reached, the connection will be dropped, as per
the ‘drop’ option.<br/> 4. WordPress Brute Force Attack
Protection is enabled and action is set to 'WP Login CAPTCHA Full
Protection'. The client will always redirect to reCAPTCHA
first.<br/> 5. A new rewrite rule environment is provided to activate
reCAPTCHA via RewriteRules. 'verifycaptcha' can be set to
redirect clients to reCAPTCHA. A special value ': deny' can be
set to deny the client if it failed too many times. For example,
[E=verifycaptcha] will always redirect to reCAPTCHA until verified.
[E=verifycaptcha: deny] will redirect to reCAPTCHA until Max Tries is hit,
after which the client will be denied.</p> </article>
</div>
<div class="helpitem"><article
class="ls-helpitem"><div><header
id="enableRecaptcha"><h3>Enable reCAPTCHA<span
class="ls-permlink"><a
href="#enableRecaptcha"></a></span><span
class="top"><a
href="#top">⇑</a></span></h3></header></div><h4>Description</h4><p>Enable
the reCAPTCHA Protection feature at the current level. This setting must be
set to <span class="val">Yes</span> at the Server
level before the reCAPTCHA Protection feature can be
used.<br/><br/> Default values:<br/>
<b>Server-level:</b> <span
class="val">No</span><br/>
<b>VH-Level:</b> Inherit Server level setting</p>
<h4>Syntax</h4><p>Select from radio box</p>
</article> </div>
<div class="helpitem"><article
class="ls-helpitem"><div><header
id="recaptchaSiteKey"><h3>Site Key<span
class="ls-permlink"><a
href="#recaptchaSiteKey"></a></span><span
class="top"><a
href="#top">⇑</a></span></h3></header></div><h4>Description</h4><p>The
site key is the public key provided by Google via its reCAPTCHA service. A
default Site Key will be used if not set.</p> </article>
</div>
<div class="helpitem"><article
class="ls-helpitem"><div><header
id="recaptchaSecretKey"><h3>Secret Key<span
class="ls-permlink"><a
href="#recaptchaSecretKey"></a></span><span
class="top"><a
href="#top">⇑</a></span></h3></header></div><h4>Description</h4><p>The
secret key is the private key provided by Google via its reCAPTCHA service.
A default Secret Key will be used if not set.</p> </article>
</div>
<div class="helpitem"><article
class="ls-helpitem"><div><header
id="recaptchaType"><h3>reCAPTCHA Type<span
class="ls-permlink"><a
href="#recaptchaType"></a></span><span
class="top"><a
href="#top">⇑</a></span></h3></header></div><h4>Description</h4><p>Specify
the reCAPTCHA type to use with the key pairs.<br/> If a key pair has
not been provided and this setting is set to <span
class="val">Not Set</span>, a default key pair of type
<span class="val">Invisible</span> will be
used.<br/><br/> <span
class="val">Checkbox</span> will display a checkbox
reCAPTCHA for the visitor to validate.<br/><br/> <span
class="val">Invisible</span> will attempt to validate
the reCAPTCHA automatically and if successful, will redirect to the desired
page.<br/><br/> <span
class="val">hCaptcha</span> can be used to support
reCAPTCHA provider <a href="https://www.hcaptcha.com"
target="_blank" rel="noopener
noreferrer">hCaptcha</a>.<br/><br/> Default value
is <span class="val">Invisible</span>.</p>
<h4>Syntax</h4><p>Select from drop down list</p>
</article> </div>
<div class="helpitem"><article
class="ls-helpitem"><div><header
id="recaptchaSensitivity"><h3>Trigger
Sensitivity<span class="ls-permlink"><a
href="#recaptchaSensitivity"></a></span><span
class="top"><a
href="#top">⇑</a></span></h3></header></div><h4>Description</h4><p>Automatic
reCAPTCHA sensitivity. The higher the value, the more likely reCAPTCHA
Protection will be used. A value of <span
class="val">0</span> is equivalent to "Off"
while a value of <span class="val">100</span> is
equivalent to "Always On".<br/><br/> Default
values:<br/> <b>Server level:</b> 0<br/>
<b>Virtual Host level:</b> Inherit Server level
setting</p> <h4>Syntax</h4><p>Integer value between
0 and 100.</p> </article> </div>
<div class="helpitem"><article
class="ls-helpitem"><div><header
id="recaptchaMaxTries"><h3>Max Tries<span
class="ls-permlink"><a
href="#recaptchaMaxTries"></a></span><span
class="top"><a
href="#top">⇑</a></span></h3></header></div><h4>Description</h4><p>Max
Tries specifies the maximum number of reCAPTCHA attempts permitted before
denying the visitor.<br/><br/> Default value is <span
class="val">3</span>.</p>
<h4>Syntax</h4><p>Integer number</p>
</article> </div>
<div class="helpitem"><article
class="ls-helpitem"><div><header
id="verifyExpires"><h3>Verification Expires
(secs)<span class="ls-permlink"><a
href="#verifyExpires"></a></span><span
class="top"><a
href="#top">⇑</a></span></h3></header></div><h4>Description</h4><p>Sets
the expire time of a successful reCAPTCHA submission, after which reCAPTCHA
protection will re-trigger for that visitor.<br/><br/> Default
value: <span class="val">86,400</span> (1
day).</p> <h4>Syntax</h4><p>Integer value between
30 and 31,536,000 (1 year).</p> </article> </div>
<div class="helpitem"><article
class="ls-helpitem"><div><header
id="recaptchaAllowedRobotHits"><h3>Allowed Robot
Hits<span class="ls-permlink"><a
href="#recaptchaAllowedRobotHits"></a></span><span
class="top"><a
href="#top">⇑</a></span></h3></header></div><h4>Description</h4><p>Number
of hits per 10 seconds to allow ‘good bots’ to pass. Bots will still be
throttled when the server is under load.<br/><br/> Default
value is <span class="val">3</span>.</p>
<h4>Syntax</h4><p>Integer number</p>
</article> </div>
<div class="helpitem"><article
class="ls-helpitem"><div><header
id="recaptchaBotWhiteList"><h3>Bot White List<span
class="ls-permlink"><a
href="#recaptchaBotWhiteList"></a></span><span
class="top"><a
href="#top">⇑</a></span></h3></header></div><h4>Description</h4><p>List
of custom user agents to allow access. Will be subject to the ‘good
bots’ limitations, including allowedRobotHits.</p>
<h4>Syntax</h4><p>List of user agents, one per line.
Regex is supported.</p> </article> </div>
<div class="helpitem"><article
class="ls-helpitem"><div><header
id="bubbleWrap"><h3>Bubblewrap Container<span
class="ls-permlink"><a
href="#bubbleWrap"></a></span><span
class="top"><a
href="#top">⇑</a></span></h3></header></div><h4>Description</h4><p>Set
to <span class="val">Enabled</span> if you wish to
start CGI processes (including PHP programs) in a bubblewrap sandbox. See
<a href="https://wiki.archlinux.org/title/Bubblewrap"
target="_blank" rel="noopener noreferrer">https://wiki.archlinux.org/title/Bubblewrap</a> for details on using
bubblewrap. Bubblewrap must be installed on your system prior to using this
setting.<br/><br/> This setting cannot be turned on at the
Virtual Host level if set to "Disabled" at the Server
level.<br/><br/> Default values:<br/> <b>Server
level:</b> Disabled<br/> <b>VH level:</b> Inherit
Server level setting</p> <h4>Syntax</h4><p>Select
from drop down list</p> </article> </div>
<div class="helpitem"><article
class="ls-helpitem"><div><header
id="bubbleWrapCmd"><h3>Bubblewrap Command<span
class="ls-permlink"><a
href="#bubbleWrapCmd"></a></span><span
class="top"><a
href="#top">⇑</a></span></h3></header></div><h4>Description</h4><p>The
full bubblewrap command to use, including the bubblewrap program itself. More
on configuring this command can be found here: <a
href="https://docs.litespeedtech.com/products/lsws/bubblewrap"
target="_blank" rel="noopener noreferrer">https://docs.litespeedtech.com/products/lsws/bubblewrap</a>. If not
specified, the default command listed below will be
used.<br/><br/> Default value: <span
class="cmd">/bin/bwrap --ro-bind /usr /usr --ro-bind /lib /lib
--ro-bind-try /lib64 /lib64 --ro-bind /bin /bin --ro-bind /sbin /sbin --dir
/var --dir /tmp --proc /proc --symlink ../tmp var/tmp --dev /dev
--ro-bind-try /etc/localtime /etc/localtime --ro-bind-try /etc/ld.so.cache
/etc/ld.so.cache --ro-bind-try /etc/resolv.conf /etc/resolv.conf
--ro-bind-try /etc/ssl /etc/ssl --ro-bind-try /etc/pki /etc/pki
--ro-bind-try /etc/man_db.conf /etc/man_db.conf --ro-bind-try /home/$USER
/home/$USER --bind-try /var/lib/mysql/mysql.sock /var/lib/mysql/mysql.sock
--bind-try /home/mysql/mysql.sock /home/mysql/mysql.sock --bind-try
/tmp/mysql.sock /tmp/mysql.sock --unshare-all --share-net
--die-with-parent --dir /run/user/$UID '$PASSWD 65534' '$GROUP
65534'</span></p> </article> </div>
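<p>Before changing the Bubblewrap Command, it helps to see which host paths the sandboxed process can write to and whether it keeps network access. The following is an added example, not LiteSpeed's code: <code>audit_bwrap</code>, <code>ARITY</code> and <code>WRITABLE</code> are hypothetical names, and the option table covers only the bwrap options that appear in the default value above.</p>

```python
import shlex

# Default value from the entry above; the typographic quotes are written as
# plain single quotes so that shlex can tokenize the two placeholder arguments.
DEFAULT_CMD = (
    "/bin/bwrap --ro-bind /usr /usr --ro-bind /lib /lib --ro-bind-try /lib64 /lib64 "
    "--ro-bind /bin /bin --ro-bind /sbin /sbin --dir /var --dir /tmp --proc /proc "
    "--symlink ../tmp var/tmp --dev /dev --ro-bind-try /etc/localtime /etc/localtime "
    "--ro-bind-try /etc/ld.so.cache /etc/ld.so.cache "
    "--ro-bind-try /etc/resolv.conf /etc/resolv.conf --ro-bind-try /etc/ssl /etc/ssl "
    "--ro-bind-try /etc/pki /etc/pki --ro-bind-try /etc/man_db.conf /etc/man_db.conf "
    "--ro-bind-try /home/$USER /home/$USER "
    "--bind-try /var/lib/mysql/mysql.sock /var/lib/mysql/mysql.sock "
    "--bind-try /home/mysql/mysql.sock /home/mysql/mysql.sock "
    "--bind-try /tmp/mysql.sock /tmp/mysql.sock --unshare-all --share-net "
    "--die-with-parent --dir /run/user/$UID '$PASSWD 65534' '$GROUP 65534'"
)

# Number of operands each bwrap option used on this page consumes.
ARITY = {"--ro-bind": 2, "--ro-bind-try": 2, "--bind": 2, "--bind-try": 2,
         "--symlink": 2, "--dir": 1, "--proc": 1, "--dev": 1,
         "--unshare-all": 0, "--share-net": 0, "--die-with-parent": 0}
WRITABLE = {"--bind", "--bind-try"}   # host path mounted read-write


def audit_bwrap(cmd):
    """Summarize what a bwrap command exposes to the sandboxed process."""
    args = shlex.split(cmd)
    report = {"writable": [], "readonly": [], "flags": set(), "other": []}
    i = 1                                   # args[0] is the bwrap binary itself
    while i < len(args):
        opt, n = args[i], ARITY.get(args[i])
        if n is None:                       # LiteSpeed placeholders or unknown options
            report["other"].append(opt)
            n = 0
        operands = args[i + 1:i + 1 + n]
        if len(operands) != n:              # command was truncated mid-option
            raise ValueError(f"{opt} expects {n} operand(s)")
        if opt in WRITABLE:
            report["writable"].append(operands[0])
        elif opt.startswith("--ro-bind"):
            report["readonly"].append(operands[0])
        elif opt in ARITY and n == 0:
            report["flags"].add(opt)
        i += 1 + n
    # --unshare-all also drops the network namespace unless --share-net re-adds it.
    report["network_shared"] = ("--unshare-all" not in report["flags"]
                                or "--share-net" in report["flags"])
    return report
```

<p>Run against the default value, the only writable host paths are the three MySQL sockets, and the <code>other</code> list holds the two LiteSpeed placeholders for manual review.</p>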
<div class="helpitem"><article
class="ls-helpitem"><div><header
id="namespace"><h3>Namespace Container<span
class="ls-permlink"><a
href="#namespace"></a></span><span
class="top"><a
href="#top">⇑</a></span></h3></header></div><h4>Description</h4><p>Set
to <span class="val">Enabled</span> if you wish to
start CGI processes (including PHP programs) in a namespace container
sandbox. Only used when <span class="tagl"><a
href="ServSecurity_Help.html#bubbleWrap">Bubblewrap
Container</a></span> is set to <span
class="val">Disabled</span>.<br/><br/> When
not <span class="val">Disabled</span> at the Server
level, this setting's value can be overridden at the Virtual Host
level.<br/><br/> Default values:<br/> <b>Server
level:</b> <span
class="val">Disabled</span><br/> <b>Virtual
Host Level:</b> Inherit Server level setting</p>
<h4>Syntax</h4><p>Select from drop down list</p>
</article> </div>
<div class="helpitem"><article
class="ls-helpitem"><div><header
id="namespaceConf"><h3>Namespace Template File<span
class="ls-permlink"><a
href="#namespaceConf"></a></span><span
class="top"><a
href="#top">⇑</a></span></h3></header></div><h4>Description</h4><p>Path
to an existing configuration file containing a list of directories to be
mounted along with the methods used to mount them. When <span
class="tagl"><a
href="ServSecurity_Help.html#namespace">Namespace
Container</a></span> is set to <span
class="val">Enabled</span> and this value is not set,
the following secure default configuration settings will be
used:<br/><br/> <span class="val">
/tmp,tmp<br/> /usr,ro-bind<br/> /lib,ro-bind<br/>
/lib64,ro-bind-try<br/> /bin,ro-bind<br/>
/sbin,ro-bind<br/> /var,dir<br/>
/var/www,ro-bind-try<br/> /proc,proc<br/> ../tmp
var/tmp,symlink<br/> /dev,dev<br/>
/etc/localtime,ro-bind-try<br/>
/etc/ld.so.cache,ro-bind-try<br/>
/etc/resolv.conf,ro-bind-try<br/> /etc/ssl,ro-bind-try<br/>
/etc/pki,ro-bind-try<br/> /etc/man_db.conf,ro-bind-try<br/>
/usr/local/bin/msmtp /etc/alternatives/mta,ro-bind-try<br/>
/usr/local/bin/msmtp /usr/sbin/exim,ro-bind-try<br/>
$HOMEDIR,bind-try<br/> /var/lib/mysql/mysql.sock,bind-try<br/>
/home/mysql/mysql.sock,bind-try<br/>
/tmp/mysql.sock,bind-try<br/>
/run/mysqld/mysqld.sock,bind-try<br/>
/var/run/mysqld.sock,bind-try<br/> /run/user/$UID,dir<br/>
$PASSWD<br/> $GROUP<br/> /etc/exim.jail/$USER.conf
$HOMEDIR/.msmtprc,copy-try<br/> /etc/php.ini,ro-bind-try<br/>
/etc/php-fpm.conf,ro-bind-try<br/>
/etc/php-fpm.d,ro-bind-try<br/> /var/run,ro-bind-try<br/>
/var/lib,ro-bind-try </span></p>
<h4>Syntax</h4><p>An absolute path or a relative path to
$SERVER_ROOT.</p> </article> </div>
<div class="helpitem"><article
class="ls-helpitem"><div><header
id="accessDenyDir"><h3>Access Denied Directories<span
class="ls-permlink"><a
href="#accessDenyDir"></a></span><span
class="top"><a
href="#top">⇑</a></span></h3></header></div><h4>Description</h4><p>Specifies
directories that should be blocked from access. Add directories that
contain sensitive data to this list to prevent accidentally exposing
sensitive files to clients. Append a "*" to the path to include
all sub-directories. If both <span class="tagl"><a
href="#followSymbolLink">Follow Symbolic
Link</a></span> and <span class="tagl"><a
href="#checkSymbolLink">Check Symbolic
Link</a></span> are enabled, symbolic links will be checked
against the denied directories.</p>
<h4>Syntax</h4><p>Comma-delimited list of
directories</p> <h4>Tips</h4><p><span
title="Security"
class="ls-icon-security"></span> Of critical importance:
This setting only prevents serving static files from these directories.
This does not prevent exposure by external scripts such as
PHP/Ruby/CGI.</p> </article> </div>
<div class="helpitem"><article
class="ls-helpitem"><div><header
id="accessControl"><h3>Access Control<span
class="ls-permlink"><a
href="#accessControl"></a></span><span
class="top"><a
href="#top">⇑</a></span></h3></header></div><h4>Description</h4><p>Specifies
which sub-networks and/or IP addresses can access the server. At the server
level, this setting will affect all virtual hosts. You can also set up
access control unique to each virtual host at the virtual host level.
Virtual host level settings will NOT override server level
settings.<br/><br/> Blocking/Allowing an IP is determined by
the combination of the allowed list and the denied list. If you want to
block only certain IPs or sub-networks, put <span
class="val">*</span> or <span
class="val">ALL</span> in the <span
class="tagl"><a
href="#accessControl_allow">Allowed
List</a></span> and list the blocked IPs or sub-networks in the
<span class="tagl"><a
href="#accessControl_deny">Denied List</a></span>.
If you want to allow only certain IPs or sub-networks, put <span
class="val">*</span> or <span
class="val">ALL</span> in the <span
class="tagl"><a
href="#accessControl_deny">Denied List</a></span>
and list the allowed IPs or sub-networks in the <span
class="tagl"><a
href="#accessControl_allow">Allowed
List</a></span>. The matching entry with the smallest scope (the most specific match)
for an IP will be used to determine access.<br/><br/>
<b>Server Level:</b> Trusted IPs or sub-networks must be
specified in the <span class="tagl"><a
href="#accessControl_allow">Allowed
List</a></span> by adding a trailing "T". Trusted IPs
or sub-networks are not affected by connection/throttling limits. Only
server level access control can set up trusted IPs/sub-networks.</p>
<h4>Tips</h4><p><span title="Security"
class="ls-icon-security"></span> Use this at the server
level for general restrictions that apply to all virtual hosts.</p>
</article> </div>
<div class="helpitem"><article
class="ls-helpitem"><div><header
id="accessControl_allow"><h3>Allowed List<span
class="ls-permlink"><a
href="#accessControl_allow"></a></span><span
class="top"><a
href="#top">⇑</a></span></h3></header></div><h4>Description</h4><p>Specifies
the list of IPs or sub-networks allowed. <span
class="val">*</span> or <span
class="val">ALL</span> are accepted.</p>
<h4>Syntax</h4><p>Comma-delimited list of IP addresses or
sub-networks. A trailing "T" can be used to indicate a trusted IP
or sub-network, such as <span
class="val">192.168.1.*T</span>.</p>
<h4>Example</h4><div
class="ls-example"><b>Sub-networks:</b>
192.168.1.0/255.255.255.0, 192.168.1.0/24, 192.168.1, or
192.168.1.*<br/> <b>IPv6 addresses:</b> ::1 or
[::1]<br/> <b>IPv6 subnets:</b>
3ffe:302:11:2:20f:1fff:fe29:717c/64 or
[3ffe:302:11:2:20f:1fff:fe29:717c]/64</div><h4>Tips</h4><p><span
title="Security"
class="ls-icon-security"></span> Trusted IPs or
sub-networks set at the server level access control will be excluded from
connection/throttling limits.</p> </article> </div>
<div class="helpitem"><article
class="ls-helpitem"><div><header
id="accessControl_deny"><h3>Denied List<span
class="ls-permlink"><a
href="#accessControl_deny"></a></span><span
class="top"><a
href="#top">⇑</a></span></h3></header></div><h4>Description</h4><p>Specifies
the list of IPs or sub-networks disallowed.</p>
<h4>Syntax</h4><p>Comma-delimited list of IP addresses or
sub-networks. <span class="val">*</span> or <span
class="val">ALL</span> are accepted.</p>
<h4>Example</h4><div
class="ls-example"><b>Sub-networks:</b>
192.168.1.0/255.255.255.0, 192.168.1.0/24, 192.168.1, or
192.168.1.*<br/> <b>IPv6 addresses:</b> ::1 or
[::1]<br/> <b>IPv6 subnets:</b>
3ffe:302:11:2:20f:1fff:fe29:717c/64 or
[3ffe:302:11:2:20f:1fff:fe29:717c]/64</div></article>
</div>
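<p>The smallest-scope rule from the Access Control entry can be checked offline against a proposed Allowed List and Denied List before they are saved. This is an added example, not LiteSpeed's implementation: the function names are hypothetical, it accepts the entry forms shown in the examples above, and two behaviours the page does not define are assumptions here (an equal-scope tie resolves to deny, and an address matched by neither list is reported as "unmatched").</p>

```python
import ipaddress


def parse_entry(text):
    """Return (network, trusted); network is None for the '*' / 'ALL' wildcard."""
    text = text.strip()
    trusted = text.endswith("T")             # trailing "T" marks a trusted entry
    text = text.rstrip("T").replace("[", "").replace("]", "")
    if text in ("*", "ALL"):
        return None, trusted
    if ":" not in text and "/" not in text:  # IPv4 forms 192.168.1, 192.168.1.*, 192.168.1.7
        octets = [o for o in text.split(".") if o != "*"]
        text = ".".join(octets + ["0"] * (4 - len(octets))) + f"/{8 * len(octets)}"
    return ipaddress.ip_network(text, strict=False), trusted


def best_match(ip, entries):
    """Most specific entry in a comma-delimited list that covers ip, or None."""
    best = None
    for raw in filter(None, (e.strip() for e in entries.split(","))):
        net, trusted = parse_entry(raw)
        if net is None:
            scope = -1                       # wildcard: widest possible scope
        elif net.version == ip.version and ip in net:
            scope = net.prefixlen
        else:
            continue
        if best is None or scope > best[0]:
            best = (scope, raw, trusted)
    return best


def decide(ip_text, allowed, denied):
    """Return (decision, matching entry, trusted) for one client address."""
    ip = ipaddress.ip_address(ip_text)
    a, d = best_match(ip, allowed), best_match(ip, denied)
    if a is None and d is None:
        return ("unmatched", None, False)    # the page does not define this case
    if d is None or (a is not None and a[0] > d[0]):
        return ("allow", a[1], a[2])
    return ("deny", d[1], False)             # ties resolve to deny (assumption)


if __name__ == "__main__":
    # Constructed lists: allow everything, deny one /24, re-allow one trusted host in it.
    for ip in ("192.168.1.10", "192.168.1.11", "10.0.0.1"):
        print(ip, decide(ip, "ALL, 192.168.1.10T", "192.168.1.0/255.255.255.0"))
```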
</section>
</article><div class="ls-col-1-1"><footer
class="copyright">Copyright © 2003-2020. <a
href="https://www.litespeedtech.com">LiteSpeed Technologies
Inc.</a> All rights reserved.</footer>
</div></div>
</body>
</html>