<!DOCTYPE html>
<head>
<meta charset="utf-8" />
<meta http-equiv="X-UA-Compatible"
content="IE=edge,chrome=1" />
<title>LiteSpeed Web Server Users' Manual - Virtual Host
Security</title>
<meta name="description" content="LiteSpeed Web Server
Users' Manual - Virtual Host Security." />
<meta name="viewport" content="width=device-width,
initial-scale=1.0" />
<meta name="robots" content="noindex">
<link rel="shortcut icon" href="img/favicon.ico"
/>
<link rel="stylesheet" type="text/css"
href="css/hdoc.css">
</head>
<body>
<div class="pagewrapper clearfix"><aside
class="sidetree ls-col-1-5">
<figure>
<img src="img/lsws_logo.svg" alt="LiteSpeed web
server logo"
width="100px"/>
</figure>
<h2 class="ls-text-thin">
LiteSpeed Web Server
<br />
<span class="current"><a
href="index.html">Users' Manual</a></span>
</h2>
<h3 class="ls-text-muted">Version 6.3
— Rev. 0</h3>
<hr/>
</aside>
<article class="contentwrapper ls-col-3-5 clearfix">
<h1>Virtual Host Security</h1><h2
id="top">Table of Contents</h2><section
class="toc"><section
class="toc-row"><header>WordPress Brute Force Attack
Protection</header><p>
<a href="#wpProtectAction">Protection Mode</a> |
<a href="#wpProtectLimit">Allowed Login
Attempts</a></p></section>
<section class="toc-row"><header>Web Application
Firewall (WAF)</header><p>
<a href="#enableCensorship">Enable WAF</a> | <a
href="#censorLogLevel">Log Level</a> | <a
href="#defaultAction">Default Action</a> | <a
href="#scanPOST">Scan Request
Body</a></p></section>
<section class="toc-row"><header><a
href="#reqCensorshipRule">Web Application Firewall (WAF) Rule
Set</a></header><p>
<a href="#censorRuleSetName">Name</a> | <a
href="#ruleSetAction">Rule Set Action</a> | <a
href="#censorRuleSetEnabled">Enabled</a> | <a
href="#censorRuleSet">Rules
Definition</a></p></section>
<section class="toc-row"><header><a
href="#VHlsrecaptcha">reCAPTCHA
Protection</a></header><p>
<a href="#recaptchaSensitivity">Trigger
Sensitivity</a></p></section>
<section
class="toc-row"><header>Containers</header><p>
<a href="#bubbleWrap">Bubblewrap Container</a> |
<a href="#namespace">Namespace Container</a> | <a
href="#namespaceConfVhAdd">Additional Namespace Template
File</a></p></section>
<section class="toc-row"><header><a
href="#vhHotlink">Hotlink
Protection</a></header><p>
<a href="#enableHotlinkCtrl">Enable Hotlink
Protection</a> | <a href="#suffixes">Suffix</a>
| <a href="#redirectUri">Redirect URL</a> | <a
href="#allowDirectAccess">Allow Direct Access</a> |
<a href="#onlySelf">Only Self Reference</a> | <a
href="#allowedHosts">Allowed Domains</a> | <a
href="#matchedHosts">REGEX Matched
Domains</a></p></section>
<section class="toc-row"><header><a
href="#accessControl">Access
Control</a></header><p>
<a href="#accessControl_allow">Allowed List</a> |
<a href="#accessControl_deny">Denied
List</a></p></section>
<section class="toc-row"><header><a
href="#realms">Authorization
Realms</a></header><p>
<a href="#realmName">Realm Name</a> | <a
href="#realmType">DB Type</a> | <a
href="#userDBLocation">User DB Location</a> | <a
href="#userDB_attrPasswd">Password Attribute</a> | <a
href="#userDB_attrMemberOf">Member-of Attribute</a> |
<a href="#userDBMaxCacheSize">User DB Max Cache
Size</a> | <a href="#userDBCacheTimeout">User DB
Cache Timeout (secs)</a> | <a
href="#GroupDBLocation">Group DB Location</a> | <a
href="#groupDB_attrGroupMember">Group Member
Attribute</a> | <a href="#groupDBMaxCacheSize">Group
DB Max Cache Size</a> | <a
href="#groupDBCacheTimeout">Group DB Cache Timeout
(secs)</a> | <a href="#LDAPBindDN">LDAP Bind
DN</a> | <a href="#LDAPBindPasswd">LDAP Bind
Password</a></p></section>
</section>
<section><div class="helpitem"><article
class="ls-helpitem"><div><header
id="wpProtectAction"><h3>Protection Mode<span
class="ls-permlink"><a
href="#wpProtectAction"></a></span><span
class="top"><a
href="#top">⇑</a></span></h3></header></div><h4>Description</h4><p>Specifies
the action to be taken when the specified Allowed Login Attempts limit is
reached within 5 minutes.<br/><br/> <span
class="val">Throttle</span> gradually slows down the
speed of the server response, <span
class="val">Drop</span> severs the connection without
any reply, <span class="val">Deny</span> returns a
403 response, and <span class="val">CAPTCHA or
Drop</span> redirects to a CAPTCHA if reCAPTCHA Protection is enabled
and drops otherwise.<br/><br/> <span
class="val">WP Login CAPTCHA Full Protection</span> can
also be selected. This setting will redirect to a CAPTCHA if reCAPTCHA
Protection is enabled, regardless of the Allowed Login Attempts limit, and falls
back to <span class="val">Throttle</span>
otherwise.<br/><br/> Default values:<br/> <b>Server
level:</b> <span
class="val">Throttle</span><br/> <b>VH
level:</b> Inherit Server level setting. If Server level is set to
<span class="val">Disable</span>, <span
class="val">Throttle</span> will be used.</p>
<h4>Syntax</h4><p>Select from drop down list</p>
<h4>Tips</h4><p><span title="Security"
class="ls-icon-security"></span> Trusted IPs or
sub-networks are not affected.<br/> <span
title="Information"
class="ls-icon-info"></span> This feature is enabled by
default (Throttle) and does not need any further configuration in the
WebAdmin GUI or in Apache configurations.<br/> <span
title="Information"
class="ls-icon-info"></span> This setting will override
Apache conf <span class="val">WordPressProtect</span>
setting for LSWS only. Apache will be unaffected.<br/><br/>
<span title="Information"
class="ls-icon-info"></span> This can be set at the
Server level and overwritten at the Virtual Host level. If not overridden
at the Virtual Host level, this setting can also be overridden in a
user's docroot .htaccess file using Apache configuration directive
<span class="val">WordPressProtect</span> with value
<span class="val">0</span> (disabled), <span
class="val">1</span> (use server level setting),
<span class="val">throttle</span>, <span
class="val">deny</span>, or <span
class="val">drop</span>.</p> </article>
</div>
<div class="helpitem"><article
class="ls-helpitem"><div><header
id="wpProtectLimit"><h3>Allowed Login Attempts<span
class="ls-permlink"><a
href="#wpProtectLimit"></a></span><span
class="top"><a
href="#top">⇑</a></span></h3></header></div><h4>Description</h4><p>Specifies
the maximum number of wp-login.php and xmlrpc.php POST attempts allowed by
an IP within 5 minutes before the action specified in <span
class="tagl"><a
href="#wpProtectAction">Protection Mode</a></span>
is taken.<br/><br/> This limit is handled using a quota system
where the number of remaining attempts starts equal to the limit. Each POST attempt will decrease the
number of remaining attempts by 1, with the number of remaining attempts
increasing back to the set limit over time. An IP will be throttled once
the number of remaining attempts for that IP falls to 1/2 the set limit,
throttling more as the remaining attempts drop further below the 1/2 mark.
When the remaining attempts reach 0, the specified action is taken toward the
IP.<br/><br/> In addition to this, if <span
class="tagl"><a href="#enableRecaptcha">Enable
reCAPTCHA</a></span> is also enabled, an additional per worker
protection will be added. If wp-login.php and xmlrpc.php are visited by the
same worker at a rate of 4x the set limit in a 30 second time frame, those
URLs will be put into reCAPTCHA mode until the number of visits to these
files decreases.<br/><br/> Resetting the server will clear
blocked IPs.<br/><br/> Default values:<br/>
<b>Server-level:</b> <span
class="val">10</span><br/>
<b>VH-Level:</b> Inherit Server level setting</p>
<h4>Syntax</h4><p>Valid Range: 3 - 1000.</p>
<h4>Example</h4><div class="ls-example">With an
Attempt limit of 10, and a Mode of drop:<br/><br/> After the
first POST attempt, the quota is decreased to 9.<br/><br/>
Quota decreases by 1 for each POST attempt.<br/><br/> After
Quota reaches half of the limit (5), the IP will be
throttled.<br/><br/> Throttling will get worse with each POST
attempt.<br/><br/> Once the quota reaches 0, the connection
will be dropped.</div><h4>Tips</h4><p><span
title="Security"
class="ls-icon-security"></span> Trusted IPs or
sub-networks are not affected.<br/><br/> <span
title="Information"
class="ls-icon-info"></span> This setting will override
Apache conf <span class="val">WordPressProtect</span>
setting for LSWS only. Apache will be unaffected.<br/><br/>
<span title="Information"
class="ls-icon-info"></span> This can be set at the
Server level and overwritten at the Virtual Host level. If not overridden
at the Virtual Host level, this setting can also be overridden in a
user's docroot .htaccess file using Apache configuration directive
<span class="val">WordPressProtect</span> with
integer value between 3 and 1000.</p> </article> </div>
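<p>The quota behaviour described under Allowed Login Attempts, as an added Python model (not LiteSpeed code). The class and function names are hypothetical, and the linear refill of the full limit over 5 minutes is an assumption, since the text only says the quota recovers "over time".</p>

```python
# Added model of the login-attempt quota; not taken from LiteSpeed source.
from dataclasses import dataclass, field

WINDOW_SECS = 300  # the 5-minute window named in the text


@dataclass
class LoginQuota:
    limit: int = 10      # Allowed Login Attempts (valid range 3 - 1000)
    mode: str = "drop"   # Protection Mode applied once the quota is used up
    remaining: float = field(init=False, default=0.0)
    last_seen: float = field(init=False, default=0.0)

    def __post_init__(self):
        if not 3 <= self.limit <= 1000:
            raise ValueError("Allowed Login Attempts must be between 3 and 1000")
        self.remaining = float(self.limit)

    def refill(self, now):
        # ASSUMPTION: the quota regains `limit` attempts per 5 minutes, linearly.
        elapsed = max(0.0, now - self.last_seen)
        gained = elapsed * self.limit / WINDOW_SECS
        self.remaining = min(float(self.limit), self.remaining + gained)
        self.last_seen = now

    def post(self, now):
        """Record one wp-login.php / xmlrpc.php POST at time `now` (seconds)."""
        self.refill(now)
        if self.remaining >= 1:
            self.remaining -= 1
        if self.remaining < 1:
            return self.mode        # quota exhausted: Protection Mode applies
        if self.remaining <= self.limit / 2:
            return "throttle"       # at or below half of the limit
        return "allow"


def simulate(times, limit=10, mode="drop"):
    """Outcome of each POST from one untrusted IP at the given timestamps."""
    quota = LoginQuota(limit=limit, mode=mode)
    return [quota.post(t) for t in times]


if __name__ == "__main__":
    # Constructed input: 11 POSTs in a burst, then one after 150 s and one after 450 s.
    burst = [0] * 11 + [150, 450]
    for n, outcome in enumerate(simulate(burst), start=1):
        print(n, outcome)
```

<p>With the page's example values (limit 10, mode drop), the fifth POST in a burst is the first to be throttled and the tenth is the first to be dropped.</p>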
<div class="helpitem"><article
class="ls-helpitem"><div><header
id="enableCensorship"><h3>Enable WAF<span
class="ls-permlink"><a
href="#enableCensorship"></a></span><span
class="top"><a
href="#top">⇑</a></span></h3></header></div><h4>Description</h4><p>Specifies
whether to enable request content deep inspection. This feature is
equivalent to Apache's mod_security, which can be used to detect and
block malicious requests by matching them against known
signatures.</p> <h4>Syntax</h4><p>Select from radio
box</p> </article> </div>
<div class="helpitem"><article
class="ls-helpitem"><div><header
id="censorLogLevel"><h3>Log Level<span
class="ls-permlink"><a
href="#censorLogLevel"></a></span><span
class="top"><a
href="#top">⇑</a></span></h3></header></div><h4>Description</h4><p>Specifies
the level of detail of the Web Application Firewall engine's debug
output. This value ranges from <span
class="val">0</span> - <span
class="val">9</span>. <span
class="val">0</span> disables logging. <span
class="val">9</span> produces the most detailed log. The
server and virtual host's error log <span
class="tagl"><a
href="ServGeneral_Help.html#log_logLevel">Log
Level</a></span> must be set to at least <span
class="val">INFO</span> for this option to take effect.
This is useful when testing request filtering rules.</p>
<h4>Syntax</h4><p>Integer number</p> <h4>See
Also</h4><p class="ls-text-small">Server <span
class="tagl"><a
href="ServGeneral_Help.html#log_logLevel">Log
Level</a></span>, Virtual Host <span
class="tagl"><a
href="VHGeneral_Help.html#vhlog_logLevel">Log
Level</a></span></p> </article> </div>
<div class="helpitem"><article
class="ls-helpitem"><div><header
id="defaultAction"><h3>Default Action<span
class="ls-permlink"><a
href="#defaultAction"></a></span><span
class="top"><a
href="#top">⇑</a></span></h3></header></div><h4>Description</h4><p>Specifies
the default actions that should be taken when a censoring rule is met.
Default value is <span
class="val">deny,log,status:403</span>, which means to
deny access with status code 403 and log the incident in the error
log.</p> <h4>See Also</h4><p
class="ls-text-small"><span class="tagl"><a
href="#ruleSetAction">Rule Set
Action</a></span></p> </article> </div>
<div class="helpitem"><article
class="ls-helpitem"><div><header
id="scanPOST"><h3>Scan Request Body<span
class="ls-permlink"><a
href="#scanPOST"></a></span><span
class="top"><a
href="#top">⇑</a></span></h3></header></div><h4>Description</h4><p>Specifies
whether to check the body of an HTTP POST request. Default is
"No".</p> <h4>Syntax</h4><p>Select from
radio box</p> </article> </div>
<div class="helpitem"><article
class="ls-helpitem"><div><header
id="reqCensorshipRule"><h3>Web Application Firewall
(WAF) Rule Set<span class="ls-permlink"><a
href="#reqCensorshipRule"></a></span><span
class="top"><a
href="#top">⇑</a></span></h3></header></div><h4>Description</h4><p>Rules
configured here only work for virtual hosts configured with a native LSWS
configuration, not for virtual hosts using Apache httpd.conf.</p>
</article> </div>
<div class="helpitem"><article
class="ls-helpitem"><div><header
id="censorRuleSetName"><h3>Name<span
class="ls-permlink"><a
href="#censorRuleSetName"></a></span><span
class="top"><a
href="#top">⇑</a></span></h3></header></div><h4>Description</h4><p>Give
a group of censorship rules a name. For display only.</p>
<h4>Syntax</h4><p>String</p> </article>
</div>
<div class="helpitem"><article
class="ls-helpitem"><div><header
id="ruleSetAction"><h3>Rule Set Action<span
class="ls-permlink"><a
href="#ruleSetAction"></a></span><span
class="top"><a
href="#top">⇑</a></span></h3></header></div><h4>Description</h4><p>Specifies
the actions that should be taken when a censoring rule in current ruleset
is met. If not set, <span class="tagl"><a
href="#defaultAction">Default Action</a></span>
will be used.</p> <h4>Syntax</h4><p>String. This
action string uses the same syntax as Apache's <a href="https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#SecDefaultAction"
target="_blank" rel="noopener noreferrer">mod_security SecDefaultAction directive</a>.</p>
</article> </div>
<div class="helpitem"><article
class="ls-helpitem"><div><header
id="censorRuleSetEnabled"><h3>Enabled<span
class="ls-permlink"><a
href="#censorRuleSetEnabled"></a></span><span
class="top"><a
href="#top">⇑</a></span></h3></header></div><h4>Description</h4><p>Specifies
whether to enable this rule set. With this option, a rule set can be
quickly turned on and off without adding or removing the rule set. Default
is "Yes".</p> <h4>Syntax</h4><p>Select
from radio box</p> </article> </div>
<div class="helpitem"><article
class="ls-helpitem"><div><header
id="censorRuleSet"><h3>Rules Definition<span
class="ls-permlink"><a
href="#censorRuleSet"></a></span><span
class="top"><a
href="#top">⇑</a></span></h3></header></div><h4>Description</h4><p>Specifies
a list of censorship rules.<br/><br/> If you are using an
Apache config file, you have to set up rules in httpd.conf. Rules defined
here will have no effect.</p>
<h4>Syntax</h4><p>String. Syntax of censoring rules
follows that of Apache's mod_security directives.
"SecFilter", "SecFilterSelective", and
"SecRule" can be used here. You can copy and paste security
rules from an Apache configuration file.<br/><br/> For more
details about rule syntax, please refer to the <a
href="http://www.modsecurity.org/documentation/index.html"
target="_blank" rel="noopener noreferrer">Mod
Security documentation</a>.</p>
<h4>Tips</h4><p><span title="Information"
class="ls-icon-info"></span> Rules configured here only
work for vhosts configured in native LSWS configuration, not for vhosts
from Apache httpd.conf.</p> </article> </div>
<div class="helpitem"><article
class="ls-helpitem"><div><header
id="VHlsrecaptcha"><h3>reCAPTCHA Protection<span
class="ls-permlink"><a
href="#VHlsrecaptcha"></a></span><span
class="top"><a
href="#top">⇑</a></span></h3></header></div><h4>Description</h4><p>reCAPTCHA
Protection is a service provided as a way to mitigate heavy server load.
reCAPTCHA Protection will activate when one of the situations below
occurs. Once active, all requests by non-trusted (as configured) clients will
be redirected to a reCAPTCHA validation page. After validation, the client
will be redirected to their desired page.<br/><br/> The
following situations will activate reCAPTCHA Protection:<br/> 1. The
server or vhost concurrent requests count passes the configured connection
limit.<br/> 2. Anti-DDoS is enabled and a client is hitting a URL in
a suspicious manner. When triggered, the client will be redirected to reCAPTCHA first instead of
being denied.<br/> 3. WordPress Brute Force Attack
Protection is enabled and the action is set to 'CAPTCHA or Drop'. When a
brute force attack is detected, the client will be redirected to reCAPTCHA
first. After max tries is reached, the connection will be dropped, as per
the 'drop' option.<br/> 4. WordPress Brute Force Attack
Protection is enabled and the action is set to 'WP Login CAPTCHA Full
Protection'. The client will always be redirected to reCAPTCHA
first.<br/> 5. A new rewrite rule environment variable is provided to activate
reCAPTCHA via RewriteRules. 'verifycaptcha' can be set to
redirect clients to reCAPTCHA. A special value ': deny' can be
set to deny the client if it fails too many times. For example,
[E=verifycaptcha] will always redirect to reCAPTCHA until verified.
[E=verifycaptcha: deny] will redirect to reCAPTCHA until Max Tries is hit,
after which the client will be denied.</p> </article>
</div>
<div class="helpitem"><article
class="ls-helpitem"><div><header
id="recaptchaSensitivity"><h3>Trigger
Sensitivity<span class="ls-permlink"><a
href="#recaptchaSensitivity"></a></span><span
class="top"><a
href="#top">⇑</a></span></h3></header></div><h4>Description</h4><p>Automatic
reCAPTCHA sensitivity. The higher the value, the more likely reCAPTCHA
Protection will be used. A value of <span
class="val">0</span> is equivalent to "Off"
while a value of <span class="val">100</span> is
equivalent to "Always On".<br/><br/> Default
values:<br/> <b>Server level:</b> 0<br/>
<b>Virtual Host level:</b> Inherit Server level
setting</p> <h4>Syntax</h4><p>Integer value between
0 and 100.</p> </article> </div>
<div class="helpitem"><article
class="ls-helpitem"><div><header
id="bubbleWrap"><h3>Bubblewrap Container<span
class="ls-permlink"><a
href="#bubbleWrap"></a></span><span
class="top"><a
href="#top">⇑</a></span></h3></header></div><h4>Description</h4><p>Set
to <span class="val">Enabled</span> if you wish to
start CGI processes (including PHP programs) in a bubblewrap sandbox. See
<a href="https://wiki.archlinux.org/title/Bubblewrap"
target="_blank" rel="noopener noreferrer">https://wiki.archlinux.org/title/Bubblewrap</a> for details on using
bubblewrap. Bubblewrap must be installed on your system prior to using this
setting.<br/><br/> This setting cannot be turned on at the
Virtual Host level if set to "Disabled" at the Server
level.<br/><br/> Default values:<br/> <b>Server
level:</b> Disabled<br/> <b>VH level:</b> Inherit
Server level setting</p> <h4>Syntax</h4><p>Select
from drop down list</p> </article> </div>
<div class="helpitem"><article
class="ls-helpitem"><div><header
id="namespace"><h3>Namespace Container<span
class="ls-permlink"><a
href="#namespace"></a></span><span
class="top"><a
href="#top">⇑</a></span></h3></header></div><h4>Description</h4><p>Set
to <span class="val">Enabled</span> if you wish to
start CGI processes (including PHP programs) in a namespace container
sandbox. Only used when <span class="tagl"><a
href="ServSecurity_Help.html#bubbleWrap">Bubblewrap
Container</a></span> is set to <span
class="val">Disabled</span>.<br/><br/> When
not <span class="val">Disabled</span> at the Server
level, this setting's value can be overridden at the Virtual Host
level.<br/><br/> Default values:<br/> <b>Server
level:</b> <span
class="val">Disabled</span><br/> <b>Virtual
Host Level:</b> Inherit Server level setting</p>
<h4>Syntax</h4><p>Select from drop down list</p>
</article> </div>
<div class="helpitem"><article
class="ls-helpitem"><div><header
id="namespaceConfVhAdd"><h3>Additional Namespace
Template File<span class="ls-permlink"><a
href="#namespaceConfVhAdd"></a></span><span
class="top"><a
href="#top">⇑</a></span></h3></header></div><h4>Description</h4><p>Path
to an existing configuration file containing a list of directories to be
mounted along with the methods used to mount them. If <span
class="tagl"><a
href="ServSecurity_Help.html#namespaceConf">Namespace Template
File</a></span> is also set at the Server level, both files
will be used.</p> <h4>Syntax</h4><p>A path which
can be absolute, relative to $SERVER_ROOT, or relative to
$VH_ROOT.</p> </article> </div>
<div class="helpitem"><article
class="ls-helpitem"><div><header
id="vhHotlink"><h3>Hotlink Protection<span
class="ls-permlink"><a
href="#vhHotlink"></a></span><span
class="top"><a
href="#top">⇑</a></span></h3></header></div><h4>Description</h4><p>Hotlinks
are requests made from an external website to files on your own website,
often referred to as "leeching". This practice introduces
additional bandwidth usage that you should not be responsible
for.<br/><br/> LiteSpeed web server can prevent others from
hotlinking to content on your web site by checking the Referer header
within an HTTP request. If the Referer header does not match your website,
the request will be denied.</p> </article> </div>
<div class="helpitem"><article
class="ls-helpitem"><div><header
id="enableHotlinkCtrl"><h3>Enable Hotlink
Protection<span class="ls-permlink"><a
href="#enableHotlinkCtrl"></a></span><span
class="top"><a
href="#top">⇑</a></span></h3></header></div><h4>Description</h4><p>Specifies
whether to activate hotlink protection.</p>
<h4>Syntax</h4><p>Select from radio box</p>
</article> </div>
<div class="helpitem"><article
class="ls-helpitem"><div><header
id="suffixes"><h3>Suffix<span
class="ls-permlink"><a
href="#suffixes"></a></span><span
class="top"><a
href="#top">⇑</a></span></h3></header></div><h4>Description</h4><p>Specifies
what kinds of files will be protected from hotlinking by listing file
suffixes.</p> <h4>Syntax</h4><p>Comma delimited
list. "." is prohibited</p> </article> </div>
<div class="helpitem"><article
class="ls-helpitem"><div><header
id="redirectUri"><h3>Redirect URL<span
class="ls-permlink"><a
href="#redirectUri"></a></span><span
class="top"><a
href="#top">⇑</a></span></h3></header></div><h4>Description</h4><p>Specifies
a URL that a user will be redirected to when a hotlinking action is
detected. You can redirect users to an image or page saying hotlinking is
not allowed. If it is not specified, <span class="val">403
Forbidden</span> will be returned.</p>
<h4>Syntax</h4><p>Absolute URL</p> </article>
</div>
<div class="helpitem"><article
class="ls-helpitem"><div><header
id="allowDirectAccess"><h3>Allow Direct Access<span
class="ls-permlink"><a
href="#allowDirectAccess"></a></span><span
class="top"><a
href="#top">⇑</a></span></h3></header></div><h4>Description</h4><p>Specifies
whether to allow direct access without a referrer. A referrer header
identifies the web page that linked to the current page. There is no
"referrer" header in HTTP requests when a user types in an
address directly in the address box or uses a feature like "save
target link as".</p> <h4>Syntax</h4><p>Select
from radio box</p> </article> </div>
<div class="helpitem"><article
class="ls-helpitem"><div><header
id="onlySelf"><h3>Only Self Reference<span
class="ls-permlink"><a
href="#onlySelf"></a></span><span
class="top"><a
href="#top">⇑</a></span></h3></header></div><h4>Description</h4><p>Specifies
whether to only allow references from the current web site itself. When set
to <span class="val">Yes</span>, <span
class="tagl"><a href="#allowedHosts">Allowed
Domains</a></span> has no effect and no other web site can link
to protected files. This can be convenient if you wish to park multiple
domain names on the current web site.</p>
<h4>Syntax</h4><p>Select from radio box</p>
</article> </div>
<div class="helpitem"><article
class="ls-helpitem"><div><header
id="allowedHosts"><h3>Allowed Domains<span
class="ls-permlink"><a
href="#allowedHosts"></a></span><span
class="top"><a
href="#top">⇑</a></span></h3></header></div><h4>Description</h4><p>Specifies
which web sites can link to protected content.</p>
<h4>Syntax</h4><p>Comma delimited list of domain
names.</p> </article> </div>
<div class="helpitem"><article
class="ls-helpitem"><div><header
id="matchedHosts"><h3>REGEX Matched Domains<span
class="ls-permlink"><a
href="#matchedHosts"></a></span><span
class="top"><a
href="#top">⇑</a></span></h3></header></div><h4>Description</h4><p>Specifies
web sites that can link to protected content, expressed as regular expressions. The
regular expression will match the domain name only and not the full
URL.</p> <h4>Syntax</h4><p>Regular
expressions</p> <h4>Example</h4><div
class="ls-example">^.*\.mydomain\.com$</div></article>
</div>
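<p>How the hotlink settings above combine for one request, as an added Python model (not LiteSpeed code). The function name, the config keys and the sample hosts are hypothetical. The order of the checks, exact case-insensitive matching for Allowed Domains, and search semantics for the regular expression are assumptions.</p>

```python
# Added model of the Hotlink Protection settings; not taken from LiteSpeed source.
import re
from urllib.parse import urlsplit

# Constructed sample configuration using the settings documented above.
SAMPLE_CFG = {
    "suffixes": "gif, jpeg, jpg, png",            # Suffix
    "allow_direct": True,                         # Allow Direct Access
    "only_self": False,                           # Only Self Reference
    "allowed_domains": "partner.example",         # Allowed Domains
    "matched_domains": r"^.*\.mydomain\.com$",    # REGEX Matched Domains (page example)
    "redirect_url": "",                           # Redirect URL (empty: 403 Forbidden)
}


def split_list(value):
    """Parse a comma delimited setting into a set of lowercase items."""
    return {item.strip().lower() for item in value.split(",") if item.strip()}


def hotlink_decision(path, referer, site_host, cfg):
    """Return ("serve", None), ("deny", 403) or ("redirect", url)."""
    filename = path.rsplit("/", 1)[-1]
    suffix = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if suffix not in split_list(cfg.get("suffixes", "")):
        return ("serve", None)                    # file type is not protected

    url = cfg.get("redirect_url")
    blocked = ("redirect", url) if url else ("deny", 403)

    if not referer:                               # typed URL, "save target link as"
        return ("serve", None) if cfg.get("allow_direct") else blocked

    # Only the host part of the Referer is compared, never the full URL.
    ref_host = (urlsplit(referer).hostname or "").lower()
    if ref_host == site_host.lower():
        return ("serve", None)                    # reference from the site itself
    if cfg.get("only_self"):
        return blocked                            # Allowed Domains has no effect
    if ref_host in split_list(cfg.get("allowed_domains", "")):
        return ("serve", None)
    pattern = cfg.get("matched_domains")
    if pattern and re.search(pattern, ref_host):
        return ("serve", None)
    return blocked


if __name__ == "__main__":
    site = "www.example.com"
    for ref in (None, "https://www.example.com/page", "https://cdn.mydomain.com/x",
                "https://mydomain.com/", "https://mydomain.com.other.example/x"):
        print(ref, hotlink_decision("/img/a.png", ref, site, SAMPLE_CFG))
```

<p>The page's example pattern is anchored at both ends, so a host that merely contains <code>mydomain.com</code> is rejected; it also requires a subdomain, so the bare <code>mydomain.com</code> needs its own entry in Allowed Domains.</p>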
<div class="helpitem"><article
class="ls-helpitem"><div><header
id="accessControl"><h3>Access Control<span
class="ls-permlink"><a
href="#accessControl"></a></span><span
class="top"><a
href="#top">⇑</a></span></h3></header></div><h4>Description</h4><p>Specifies
what sub networks and/or IP addresses can access the server. At the server
level, this setting will affect all virtual hosts. You can also set up
access control unique to each virtual host at the virtual host level.
Virtual host level settings will NOT override server level
settings.<br/><br/> Blocking/Allowing an IP is determined by
the combination of the allowed list and the denied list. If you want to
block only certain IPs or sub-networks, put <span
class="val">*</span> or <span
class="val">ALL</span> in the <span
class="tagl"><a
href="#accessControl_allow">Allowed
List</a></span> and list the blocked IPs or sub-networks in the
<span class="tagl"><a
href="#accessControl_deny">Denied List</a></span>.
If you want to allow only certain IPs or sub-networks, put <span
class="val">*</span> or <span
class="val">ALL</span> in the <span
class="tagl"><a
href="#accessControl_deny">Denied List</a></span>
and list the allowed IPs or sub-networks in the <span
class="tagl"><a
href="#accessControl_allow">Allowed
List</a></span>. The setting of the smallest scope that fits
for an IP will be used to determine access.<br/><br/>
<b>Server Level:</b> Trusted IPs or sub-networks must be
specified in the <span class="tagl"><a
href="#accessControl_allow">Allowed
List</a></span> by adding a trailing "T". Trusted IPs
or sub-networks are not affected by connection/throttling limits. Only
server level access control can set up trusted IPs/sub-networks.</p>
<h4>Tips</h4><p><span title="Security"
class="ls-icon-security"></span> Use this at the server
level for general restrictions that apply to all virtual hosts.</p>
</article> </div>
<div class="helpitem"><article
class="ls-helpitem"><div><header
id="accessControl_allow"><h3>Allowed List<span
class="ls-permlink"><a
href="#accessControl_allow"></a></span><span
class="top"><a
href="#top">⇑</a></span></h3></header></div><h4>Description</h4><p>Specifies
the list of IPs or sub-networks allowed. <span
class="val">*</span> or <span
class="val">ALL</span> are accepted.</p>
<h4>Syntax</h4><p>Comma delimited list of IP addresses or
sub-networks. A trailing "T" can be used to indicate a trusted IP
or sub-network, such as <span
class="val">192.168.1.*T</span>.</p>
<h4>Example</h4><div
class="ls-example"><b>Sub-networks:</b>
192.168.1.0/255.255.255.0, 192.168.1.0/24, 192.168.1, or
192.168.1.*<br/> <b>IPv6 addresses:</b> ::1 or
[::1]<br/> <b>IPv6 subnets:</b>
3ffe:302:11:2:20f:1fff:fe29:717c/64 or
[3ffe:302:11:2:20f:1fff:fe29:717c]/64</div><h4>Tips</h4><p><span
title="Security"
class="ls-icon-security"></span> Trusted IPs or
sub-networks set at the server level access control will be excluded from
connection/throttling limits.</p> </article> </div>
<div class="helpitem"><article
class="ls-helpitem"><div><header
id="accessControl_deny"><h3>Denied List<span
class="ls-permlink"><a
href="#accessControl_deny"></a></span><span
class="top"><a
href="#top">⇑</a></span></h3></header></div><h4>Description</h4><p>Specifies
the list of IPs or sub-networks disallowed.</p>
<h4>Syntax</h4><p>Comma delimited list of IP addresses or
sub-networks. <span class="val">*</span> or <span
class="val">ALL</span> are accepted.</p>
<h4>Example</h4><div
class="ls-example"><b>Sub-networks:</b>
192.168.1.0/255.255.255.0, 192.168.1.0/24, 192.168.1, or
192.168.1.*<br/> <b>IPv6 addresses:</b> ::1 or
[::1]<br/> <b>IPv6 subnets:</b>
3ffe:302:11:2:20f:1fff:fe29:717c/64 or
[3ffe:302:11:2:20f:1fff:fe29:717c]/64</div></article>
</div>
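<p>An added Python example (not LiteSpeed code) that parses the Allowed List and Denied List entry forms shown above and applies the "smallest scope that fits" rule to one client IP. The function names and sample lists are hypothetical. Resolving an equal-scope tie as deny and reporting an IP that matches neither list as "no-match" are assumptions, since the page does not define either case.</p>

```python
# Added example: resolve one client IP against an Allowed List / Denied List pair.
import ipaddress

ALL_SCOPE = -1  # "*" / "ALL" is treated as broader than any prefix length

# Constructed sample lists using the entry forms documented above.
SAMPLE_ALLOWED = "ALL, 192.168.1.10T"
SAMPLE_DENIED = ("192.168.1.*, 172.16.5, 10.1.0.0/255.255.0.0, "
                 "[3ffe:302:11:2:20f:1fff:fe29:717c]/64")


def parse_entry(entry):
    """Return (network, trusted) for one entry; network is None for * / ALL."""
    text = entry.strip()
    trusted = text.endswith("T")            # trailing "T" marks a trusted entry
    if trusted:
        text = text[:-1]
    if text.upper() in ("*", "ALL"):
        return None, trusted
    text = text.replace("[", "").replace("]", "")   # [::1] and [addr]/64 forms
    if ":" not in text and "/" not in text:
        # IPv4 shorthand: "192.168.1" and "192.168.1.*" both mean 192.168.1.0/24.
        octets = [o for o in text.split(".") if o not in ("*", "")]
        if len(octets) < 4:
            padded = ".".join(octets + ["0"] * (4 - len(octets)))
            text = "%s/%d" % (padded, 8 * len(octets))
    # strict=False accepts entries with host bits set, such as the IPv6 /64 example.
    return ipaddress.ip_network(text, strict=False), trusted


def best_match(addr, entries):
    """Most specific entry containing addr as (scope, entry, trusted), or None."""
    best = None
    for raw in entries.split(","):
        if not raw.strip():
            continue
        net, trusted = parse_entry(raw)
        if net is None:
            scope = ALL_SCOPE
        elif net.version == addr.version and addr in net:
            scope = net.prefixlen
        else:
            continue
        if best is None or scope > best[0]:
            best = (scope, raw.strip(), trusted)
    return best


def resolve(ip, allowed, denied):
    """Return (verdict, deciding entry); verdict is allow, trusted, deny or no-match."""
    addr = ipaddress.ip_address(ip)
    allow = best_match(addr, allowed)
    deny = best_match(addr, denied)
    if allow is None and deny is None:
        return ("no-match", None)
    # ASSUMPTION: when both lists match at the same scope, deny wins.
    if allow is not None and (deny is None or allow[0] > deny[0]):
        return ("trusted" if allow[2] else "allow", allow[1])
    return ("deny", deny[1])


if __name__ == "__main__":
    for ip in ("192.168.1.10", "192.168.1.77", "172.16.5.200",
               "203.0.113.9", "3ffe:302:11:2::1", "::1"):
        print(ip, resolve(ip, SAMPLE_ALLOWED, SAMPLE_DENIED))
```

<p>Running a proposed pair of lists through a check like this before saving it shows which entry decides for a given address, for example that a trusted single host still wins inside a denied /24.</p>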
<div class="helpitem"><article
class="ls-helpitem"><div><header
id="realms"><h3>Authorization Realms<span
class="ls-permlink"><a
href="#realms"></a></span><span
class="top"><a
href="#top">⇑</a></span></h3></header></div><h4>Description</h4><p>Lists
all authorization realms for this virtual host. Authorization realms are
used to block unauthorized users from accessing protected web pages. A
realm is a user directory containing usernames and passwords with optional
group classifications. Authorization is performed at the context level.
Because different contexts can share the same realm (user database), realms
are defined separately from the contexts that use them. You can refer to a
realm by these names in a context's configuration.</p>
</article> </div>
<div class="helpitem"><article
class="ls-helpitem"><div><header
id="realmName"><h3>Realm Name<span
class="ls-permlink"><a
href="#realmName"></a></span><span
class="top"><a
href="#top">⇑</a></span></h3></header></div><h4>Description</h4><p>Specifies
a unique name for the authorization realm.</p> </article>
</div>
<div class="helpitem"><article
class="ls-helpitem"><div><header
id="realmType"><h3>DB Type<span
class="ls-permlink"><a
href="#realmType"></a></span><span
class="top"><a
href="#top">⇑</a></span></h3></header></div><h4>Description</h4><p>Specifies
how user/group data is stored for an authorization realm. Currently,
user/group data can be stored in flat files or on an LDAP server.</p>
<h4>Syntax</h4><p>Select from drop down list</p>
</article> </div>
<div class="helpitem"><article
class="ls-helpitem"><div><header
id="userDBLocation"><h3>User DB Location<span
class="ls-permlink"><a
href="#userDBLocation"></a></span><span
class="top"><a
href="#top">⇑</a></span></h3></header></div><h4>Description</h4><p>Specifies
the location of the user database. For DB type <span
class="val">Password File</span>, it is the path to the
flat file containing user/password definitions. You can edit this file
through the WebAdmin console by clicking on the
filename.<br/><br/> Each line of the user file contains a
username followed by a colon, followed by a crypt() encrypted password,
optionally followed by a colon and the names of the groups that user belongs to. Group
names are delimited by commas. If group information is specified in the
user database, then the group database will not be
checked.<br/><br/>
Example:<blockquote><code>john:HZ.U8kgjnMOHo:admin,user</code></blockquote><br/><br/>
For DB type <span class="val">LDAP</span>, it is the
LDAP URL to query for the user information. For each valid user, the
authentication data stored in the LDAP server should contain at least the
user id and user password. One and only one record should be returned in
the LDAP search request based on the URL and username received in the HTTP
Authentication header. "$k" must be specified in the filter part
of the URL and it will be replaced with the username. The user password
attribute must be returned in the query result. The attribute name of the
user password is specified by <span class="tagl"><a
href="#userDB_attrPasswd">Password
Attribute</a></span>. Group information can be optionally
specified by the <span class="tagl"><a
href="#userDB_attrMemberOf">Member-of
Attribute</a></span>.<br/><br/> Example: At
minimum, a user can be defined in LDAP with object classes: uidObject,
simpleSecurityObject and organizationalRole. The following URL could be
used:<br/><br/>
<blockquote><code>ldap://localhost/ou=UserDB,dc=example,dc=com???(&(objectClass=*)(uid=$k))</code></blockquote></p>
<h4>Syntax</h4><p>Path to user DB file or LDAP URL (RFC
2255).</p> <h4>Tips</h4><p><span
title="Security"
class="ls-icon-security"></span> It is recommended to
store user password files outside of the document tree. If a user password
file has to be placed inside the document tree, simply name it with a leading
".ht" like <span class="val">.htuser</span>
to prevent it being served as a static file. LiteSpeed Web Server does not
serve files prefixed with ".ht".</p> <h4>See
Also</h4><p class="ls-text-small"><span
class="tagl"><a href="#GroupDBLocation">Group
DB Location</a></span>, <span
class="tagl"><a
href="#userDB_attrPasswd">Password
Attribute</a></span>, <span class="tagl"><a
href="#userDB_attrMemberOf">Member-of
Attribute</a></span></p> </article> </div>
<div class="helpitem"><article
class="ls-helpitem"><div><header
id="userDB_attrPasswd"><h3>Password Attribute<span
class="ls-permlink"><a
href="#userDB_attrPasswd"></a></span><span
class="top"><a
href="#top">⇑</a></span></h3></header></div><h4>Description</h4><p>Specifies
the name of the password attribute for a user record stored in an LDAP
server. The default value is <span
class="val">userPassword</span>.</p>
<h4>Syntax</h4><p>string</p> </article>
</div>
<div class="helpitem"><article
class="ls-helpitem"><div><header
id="userDB_attrMemberOf"><h3>Member-of Attribute<span
class="ls-permlink"><a
href="#userDB_attrMemberOf"></a></span><span
class="top"><a
href="#top">⇑</a></span></h3></header></div><h4>Description</h4><p>Specifies
the name of the "Member-of" attribute for a user record stored in
an LDAP server. The default value is <span
class="val">memberOf</span>. The "Member-of"
attribute can be used to specify the group name that the user belongs
to.</p> <h4>Syntax</h4><p>string</p>
</article> </div>
<div class="helpitem"><article
class="ls-helpitem"><div><header
id="userDBMaxCacheSize"><h3>User DB Max Cache
Size<span class="ls-permlink"><a
href="#userDBMaxCacheSize"></a></span><span
class="top"><a
href="#top">⇑</a></span></h3></header></div><h4>Description</h4><p>Specifies
the maximum cache size of the user database. Recently accessed user
authentication data will be cached in memory to provide maximum
performance.</p> <h4>Syntax</h4><p>Integer
number</p> <h4>Tips</h4><p><span
title="Performance"
class="ls-icon-performance"></span> As a larger cache
will consume more memory, a higher value may or may not provide better
performance. Set it to an appropriate size according to your user database
size and site usage.</p> </article> </div>
<div class="helpitem"><article
class="ls-helpitem"><div><header
id="userDBCacheTimeout"><h3>User DB Cache Timeout
(secs)<span class="ls-permlink"><a
href="#userDBCacheTimeout"></a></span><span
class="top"><a
href="#top">⇑</a></span></h3></header></div><h4>Description</h4><p>Specifies
how often the backend user database will be checked for changes. Every
entry in the cache has a timestamp. When cached data is older than the
specified timeout, the backend database will be checked for changes. If
there is no change, the timestamp will be reset to the current time,
otherwise the new data will be loaded. Server reload and graceful restart
will clear the cache immediately.</p>
<h4>Syntax</h4><p>Integer number</p>
<h4>Tips</h4><p><span title="Performance"
class="ls-icon-performance"></span> If the backend
database does not change very often, set a longer timeout for better
performance.</p> </article> </div>
<div class="helpitem"><article
class="ls-helpitem"><div><header
id="GroupDBLocation"><h3>Group DB Location<span
class="ls-permlink"><a
href="#GroupDBLocation"></a></span><span
class="top"><a
href="#top">⇑</a></span></h3></header></div><h4>Description</h4><p>Specifies
the location of the group database.<br/><br/> Group information
can be set either in the user database or in this standalone group DB. For
user authentication, the user DB will be checked first. If the user DB also
contains group information, then the group DB will not be
checked.<br/><br/> For the DB type <span
class="val">Password File</span>, the group DB location
should be the path to the flat file containing group definitions. You can
edit this file through the WebAdmin console by clicking on the
filename.<br/><br/> Each line of a group file should contain a
group name followed by a colon, followed by a space-delimited list of
usernames. Example:<br/> <blockquote><code>testgroup:
user1 user2 user3</code></blockquote><br/><br/> For
the DB type <span class="val">LDAP</span>, the group
DB location should be the LDAP URL to query for group information. For each
valid group, one and only one record should be returned in the LDAP search
request based on this URL and the group name specified in <span
class="tagl"><a
href="Redirect_Context.html#required">Require (Authorized
Users/Groups)</a></span>. "$k" must be specified in
the filter part of the URL and it will be replaced with the group name. The
name of the attribute that specifies members in this group is specified by
the <span class="tagl"><a
href="#groupDB_attrGroupMember">Group Member
Attribute</a></span>.<br/><br/> Example: If
objectClass posixGroup is being used to store group information, the
following URL could be used:<br/>
<blockquote><code>ldap://localhost/ou=GroupDB,dc=example,dc=com???(&(objectClass=*)(cn=$k))</code></blockquote></p>
<h4>Syntax</h4><p>Filename which can be an absolute path
or a relative path to $SERVER_ROOT, $VH_ROOT.</p>
<h4>Tips</h4><p><span title="Security"
class="ls-icon-security"></span> It is recommended to
store a group file outside the document tree. If it has to be placed inside
the document tree, simply name it with a leading ".ht" like <span
class="val">.htgroup</span>, to prevent the file being
served as a static file. LiteSpeed Web Server does not serve files prefixed
with ".ht".</p> <h4>See Also</h4><p
class="ls-text-small"><span class="tagl"><a
href="#userDBLocation">User DB
Location</a></span>, Context <span
class="tagl"><a
href="Context_Help.html#required">Require (Authorized
Users/Groups)</a></span>, <span
class="tagl"><a
href="#groupDB_attrGroupMember">Group Member
Attribute</a></span></p> </article> </div>
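<p>An added example (not LiteSpeed's own code) that parses the flat files described under User DB Location and Group DB Location, resolves a user's groups, and audits where the file is stored and which hash format it holds. The /srv/vh paths, the second user entry and the staff group are constructed, and applying the "user DB first" rule per user is an assumption.</p>

```python
import os

def parse_user_db(text):
    """Parse user:hash[:group1,group2] lines into {user: (hash, [groups])}."""
    users = {}
    for n, line in enumerate(text.splitlines(), 1):
        parts = line.strip().split(":")
        if parts == [""]:
            continue                      # blank line
        if len(parts) not in (2, 3) or not parts[0] or not parts[1]:
            raise ValueError(f"user DB line {n}: expected user:hash[:groups]")
        names = parts[2].split(",") if len(parts) == 3 else []
        users[parts[0]] = (parts[1], [g.strip() for g in names if g.strip()])
    return users

def parse_group_db(text):
    """Parse 'group: user1 user2' lines into {group: {members}}."""
    groups = {}
    for line in text.splitlines():
        if line.strip():
            name, _, members = line.partition(":")
            groups[name.strip()] = set(members.split())
    return groups

def groups_of(user, users, groups):
    """Assumption: groups in the user DB win; the group DB is the fallback."""
    inline = users[user][1]
    return sorted(inline or (g for g, m in groups.items() if user in m))

def audit(path, doc_root, users):
    """Flag a servable file location and traditional DES crypt() hashes."""
    findings = []
    path, doc_root = os.path.abspath(path), os.path.abspath(doc_root)
    inside = os.path.commonpath([path, doc_root]) == doc_root
    if inside and not os.path.basename(path).startswith(".ht"):
        findings.append(f"{path}: inside the document tree without a leading .ht")
    for user, (pw_hash, _) in users.items():
        # 13 characters with no "$" prefix is DES crypt, which only uses the
        # first 8 characters of the password.
        if len(pw_hash) == 13 and not pw_hash.startswith("$"):
            findings.append(f"{user}: traditional DES crypt() hash")
    return findings

# First line of each sample is the manual's example; the rest is constructed.
USER_DB = "john:HZ.U8kgjnMOHo:admin,user\nuser1:$6$constructedsalt$constructedhash\n"
GROUP_DB = "testgroup: user1 user2 user3\nstaff: john user1\n"
USERS, GROUPS = parse_user_db(USER_DB), parse_group_db(GROUP_DB)
```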
<div class="helpitem"><article
class="ls-helpitem"><div><header
id="groupDB_attrGroupMember"><h3>Group Member
Attribute<span class="ls-permlink"><a
href="#groupDB_attrGroupMember"></a></span><span
class="top"><a
href="#top">⇑</a></span></h3></header></div><h4>Description</h4><p>Specifies
the name of the "Member" attribute for a group record stored in
an LDAP server. The default value is <span
class="val">memberUid</span>.</p>
<h4>Syntax</h4><p>string</p> </article>
</div>
<div class="helpitem"><article
class="ls-helpitem"><div><header
id="groupDBMaxCacheSize"><h3>Group DB Max Cache
Size<span class="ls-permlink"><a
href="#groupDBMaxCacheSize"></a></span><span
class="top"><a
href="#top">⇑</a></span></h3></header></div><h4>Description</h4><p>Specifies
the maximum cache size of the group database.</p>
<h4>Syntax</h4><p>Integer number</p>
<h4>Tips</h4><p><span title="Performance"
class="ls-icon-performance"></span> As a larger cache
will consume more memory, a higher value may or may not provide better
performance. Set it to an appropriate size according to your user database
size and site usage.</p> <h4>See Also</h4><p
class="ls-text-small"><span class="tagl"><a
href="#userDBMaxCacheSize">User DB Max Cache
Size</a></span></p> </article> </div>
<div class="helpitem"><article
class="ls-helpitem"><div><header
id="groupDBCacheTimeout"><h3>Group DB Cache Timeout
(secs)<span class="ls-permlink"><a
href="#groupDBCacheTimeout"></a></span><span
class="top"><a
href="#top">⇑</a></span></h3></header></div><h4>Description</h4><p>Specifies
how often the backend group database will be checked for changes. For more
detail please refer to <span class="tagl"><a
href="#userDBCacheTimeout">User DB Cache Timeout
(secs)</a></span>.</p>
<h4>Syntax</h4><p>Integer number</p> <h4>See
Also</h4><p class="ls-text-small"><span
class="tagl"><a
href="#userDBCacheTimeout">User DB Cache Timeout
(secs)</a></span></p> </article> </div>
<div class="helpitem"><article
class="ls-helpitem"><div><header
id="LDAPBindDN"><h3>LDAP Bind DN<span
class="ls-permlink"><a
href="#LDAPBindDN"></a></span><span
class="top"><a
href="#top">⇑</a></span></h3></header></div><h4>Description</h4><p>Specifies
a DN used to bind to the server. If the LDAP server requires
authentication, a bind DN and password must be specified. If not specified,
anonymous bind will be used.</p>
<h4>Syntax</h4><p>string</p> <h4>See
Also</h4><p class="ls-text-small"><span
class="tagl"><a href="#LDAPBindPasswd">LDAP
Bind Password</a></span></p> </article>
</div>
<div class="helpitem"><article
class="ls-helpitem"><div><header
id="LDAPBindPasswd"><h3>LDAP Bind Password<span
class="ls-permlink"><a
href="#LDAPBindPasswd"></a></span><span
class="top"><a
href="#top">⇑</a></span></h3></header></div><h4>Description</h4><p>Specifies
a password used to bind to the server. If the LDAP server requires
authentication, a bind DN and password must be specified.</p>
<h4>Syntax</h4><p>string</p> <h4>See
Also</h4><p class="ls-text-small"><span
class="tagl"><a href="#LDAPBindDN">LDAP Bind
DN</a></span></p> </article> </div>
</section>
</article><div class="ls-col-1-1"><footer
class="copyright">Copyright © 2003-2020. <a
href="https://www.litespeedtech.com">LiteSpeed Technologies
Inc.</a> All rights reserved.</footer>
</div></div>
</body>
</html>