Spade
Mini Shell
<!DOCTYPE html>
<head>
<meta charset="utf-8" />
<meta http-equiv="X-UA-Compatible"
content="IE=edge,chrome=1" />
<title>LiteSpeed Web Server Users' Manual -
Security</title>
<meta name="description" content="LiteSpeed Web Server
Users' Manual - Security." />
<meta name="viewport" content="width=device-width,
initial-scale=1.0" />
<meta name="robots" content="noindex">
<link rel="shortcut icon" href="img/favicon.ico"
/>
<link rel="stylesheet" type="text/css"
href="css/hdoc.css">
</head>
<body>
<div class="pagewrapper clearfix"><aside
class="sidetree ls-col-1-5">
<figure>
<img src="img/lsws_logo.svg" alt="lightspeed web
server logo"
width="100px"/>
</figure>
<h2 class="ls-text-thin">
LiteSpeed Web Server
<br />
<span class="current"><a
href="index.html">Users' Manual</a></span>
</h2>
<h3 class="ls-text-muted">Version 6.3
— Rev. 0</h3>
<hr/>
<div>
<ul>
<li><a href="license.html">License
Enterprise</a></li>
<li><a
href="intro.html">Introduction</a></li>
<li><a
href="install.html">Installation</a></li>
<li>
<a href="admin.html">Administration</a>
<ul class="menu level2">
<li><a href="ServerStat_Help.html">Service
Manager</a></li>
<li><a
href="Real_Time_Stats_Help.html">Real-Time
Stats</a></li>
</ul>
</li>
<li><span class="current"><a
href="security.html">Security</a></span></li>
<li>
<a href="config.html">Configuration</a>
<ul class="level2">
<li><a href="ServGeneral_Help.html">Server
General</a></li>
<li><a href="ServLog_Help.html">Server
Log</a></li>
<li><a href="ServTuning_Help.html">Server
Tuning</a></li>
<li><a href="ServSecurity_Help.html">Server
Security</a></li>
<li><a href="Cache_Help.html">Page
Cache</a></li>
<li><a
href="PageSpeed_Config.html">PageSpeed
Config</a></li>
<li><a href="ExtApp_Help.html">External
Apps</a></li>
<ul class="level3">
<li><a href="External_FCGI.html">Fast CGI
App</a></li>
<li><a
href="External_FCGI_Auth.html">Fast CGI
Authorizer</a></li>
<li><a href="External_LSAPI.html">LSAPI
App</a></li>
<li><a
href="External_Servlet.html">Servlet
Engine</a></li>
<li><a href="External_WS.html">Web
Server</a></li>
<li><a href="External_PL.html">Piped
logger</a></li>
<li><a href="External_LB.html">Load
Balancer</a></li>
</ul>
<li><a
href="ScriptHandler_Help.html">Script
Handler</a></li>
<li><a
href="PHP_Help.html">PHP</a></li>
<li><a href="App_Server_Help.html">App
Server Settings</a></li>
<li><a
href="Listeners_General_Help.html">Listener
General</a></li>
<li><a
href="Listeners_SSL_Help.html">Listener
SSL</a></li>
<li><a href="Templates_Help.html">Virtual
Host Templates</a></li>
<li><a
href="VirtualHosts_Help.html">Virtual Host
Basic</a></li>
<li><a href="VHGeneral_Help.html">Virtual
Host General</a></li>
<li><a href="VHSecurity_Help.html">Virtual
Host Security</a></li>
<li><a href="VHSSL_Help.html">Virtual Host
SSL</a></li>
<li>
<a href="VHPageSpeed_Config.html">Virtual Host
PageSpeed Config</a>
</li>
<li><a
href="Rewrite_Help.html">Rewrite</a></li>
<li><a
href="Context_Help.html">Context</a></li>
<ul class="level3">
<li><a href="Static_Context.html">Static
Context</a></li>
<li>
<a href="Java_Web_App_Context.html">Java Web
App Context</a>
</li>
<li><a
href="Servlet_Context.html">Servlet
Context</a></li>
<li><a href="FCGI_Context.html">Fast CGI
Context</a></li>
<li><a href="LSAPI_Context.html">LSAPI
Context</a></li>
<li><a href="Proxy_Context.html">Proxy
Context</a></li>
<li><a href="CGI_Context.html">CGI
Context</a></li>
<li><a href="LB_Context.html">Load
Balancer Context</a></li>
<li><a
href="Redirect_Context.html">Redirect
Context</a></li>
<li><a href="App_Server_Context.html">App
Server Context</a></li>
<li><a
href="Rails_Context.html">Rack/Rails
Context</a></li>
</ul>
<li><a
href="VHAddOns_Help.html">Add-ons</a></li>
</ul>
</li>
<li>
<a href="webconsole.html">Web Console</a>
<ul class="level2">
<li><a href="AdminGeneral_Help.html">Admin
Console General</a></li>
<li><a href="AdminSecurity_Help.html">Admin
Console Security</a></li>
<li>
<a href="AdminListeners_General_Help.html">
Admin Listener General
</a>
</li>
<li>
<a href="AdminListeners_SSL_Help.html">Admin
Listener SSL</a>
</li>
</ul>
</li>
</ul>
</div>
</aside>
<article class="contentwrapper ls-col-3-5 clearfix"><div
class="nav-bar ls-spacer-micro-top"><div
class="prev">« <a
href="admin.html">Administration</a></div><div
class="center"><a
href="index.html">Home</a></div><div
class="next"><a
href="config.html">Configuration</a>
»</div></div>
<h1>Security</h1>
<p>LiteSpeed Web Server is designed with security as a top
consideration.
LSWS supports SSL, has access control at server and virtual host levels,
and context-specific realm protection. Besides these standard features,
LSWS also has the following special security features: </p>
<ol>
<li><h3>Connection level limits:</h3>
<ul>
<li> IP-level throttling limits network bandwidth to and from a
single IP
address regardless of the number of connections. </li>
<li> IP-level connection accounting limits the number of
concurrent connections
from a single IP address. You can controll this with the connection
soft limit, connection hard limit, grace
period, and banned period settings in the WebAdmin console.
</li>
</ul>
</li>
<li><h3>Request checking:</h3>
<p> Every HTTP request is vetted by LiteSpeed Web Server.
"/." is not allowed in
a decoded URL, thus denying accessing hidden files and parent
directories.</p>
<p>Request size is limited by LiteSpeed Web Server's max
request URL length,
max request header length, and max request body length settings.
</p>
</li>
<li><h3>Web Application Firewall:</h3>
<p>Request Filtering can be performed on the request header/body
to check against possible attack signatures.
This helps defend against XSS attacks and SQL injection attacks,
blocking
those requests right from the start. </p>
</li>
<li><h3>Static file checking:</h3>
<p>LiteSpeed Web Server will serve a static file only if the
following conditions
are satisfied: </p>
<ul>
<li>The file is readable by everyone.</li>
<li>The file is not executable.</li>
<li>The file is not in the access denied directory
list.</li>
<li>The file does not contain symbolic link if symbolic links
are not allowed. </li>
<li>By default, LiteSpeed Web Server does not index a directory
by listing its
files, it has to be enabled explicitly.</li>
</ul>
</li>
<li><h3>External application firewall:</h3>
<p>LiteSpeed Web Server forwards requests to external applications
to process/generate
dynamic content. Those applications can use a lot of system resources. The
performance of the
whole system will be severely degraded when system resource consumption
reaches a certain point
-- when swapping space has to be used, for example. One way to conduct a
DoS attack is to flood
the web server with concurrent requests to a cumbersome
external application.</p>
<p>LiteSpeed Web Server can pipeline requests and control the
concurrent level of external
application use to prevent overconsumption of system resources. LSWS
caches requests and only
forwards completed requests to the external application. This means the
external application
will not be held waiting while the server is receiving the request. LSWS
also caches the
external application's response so that the external application can
be released as soon as
the response is completed and does not have to wait for the client to
receive the complete response.
This way the server can utilize fewer external application instances to
serve more concurrent
requests and achieve higher performance and scalability. LiteSpeed Web
Server also uses its
own virtual memory to cache the request and response body to minimize the
usage of system
memory without sacrificing performance. </p></li>
<li><h3>CGI resources consumption limit:</h3>
<p>LiteSpeed Web Server restricts the amount of system resources that
can be consumed by
CGI applications. For each request to a CGI script, the web server needs
to
start a standalone CGI process to handle it. On a Unix system, the number
of concurrent
processes is limited. With the CGI resources consumption limit, you can
configure
the maximum number of concurrent CGI instances that the web server can
launch.
Excessive concurrent processes will degrade the performance
of the whole system. (CGI processes are a common weapon for DoS attacks.)
A system process limit can be specified per user in order to control the
number
of processes that can be spawned by a CGI application. Each process is
further confined by CPU and memory limits.</p>
</li>
<li><h3>Enhanced CGI/FastCGI security with suEXEC:</h3>
<p>In order to reduce the security risks of a CGI or Fast CGI script,
LiteSpeed Web Server can restrict the system resources the CGI script can
access by running it in
"suEXEC" or "chroot jail" mode. "suEXEC"
starts the CGI or Fast CGI script with a different user ID from that of the
web server. This greatly improves security in
shared hosting environment by preventing one user's CGI script from
accessing other users' files.</p>
<p>"chroot jail" starts the CGI script under an assigned
alternative
root directory. The script can not access files beyond this new root
directory.
With this, you no longer need to worry about confidential system files
being
exposed by vulnerable scripts.</p>
</li>
<li><h3>Run LSWS in chroot jail [Enterprise Edition
Only]:</h3>
<p> LiteSpeed Web Server can run in a chroot environment (known as
a chroot jail).
In the chroot environment, the web server and its child processes
cannot access
files outside of the chroot jail. This protects the system from attacks
by malicious code. </p>
</li>
</ol>
</article><div class="ls-col-1-1"><footer
class="copyright">Copyright © 2003-2020. <a
href="https://www.litespeedtech.com">LiteSpeed Technologies
Inc.</a> All rights reserved.</footer>
</div></div>
</body>
</html>