Current File : //usr/local/lsws/docs/security.html
<!DOCTYPE html>
<head>
  <meta charset="utf-8" />
  <meta http-equiv="X-UA-Compatible" content="IE=edge,chrome=1" />
  <title>LiteSpeed Web Server Users' Manual - Security</title>
  <meta name="description" content="LiteSpeed Web Server Users' Manual - Security." />
  <meta name="viewport" content="width=device-width, initial-scale=1.0" />
  <meta name="robots" content="noindex">
  <link rel="shortcut icon" href="img/favicon.ico" />
  <link rel="stylesheet" type="text/css" href="css/hdoc.css">
</head>
<body>
<div class="pagewrapper clearfix"><aside class="sidetree ls-col-1-5">
  <figure>
    <img src="img/lsws_logo.svg" alt="lightspeed web server logo"
         width="100px"/>
  </figure>
  <h2 class="ls-text-thin">
    LiteSpeed Web Server
    <br />
    <span class="current"><a href="index.html">Users' Manual</a></span>
  </h2>
  <h3 class="ls-text-muted">Version 6.3 &nbsp;&#8212;&nbsp;Rev. 0</h3>
  <hr/>
  <div>
    <ul>
      <li><a href="license.html">License Enterprise</a></li>
      <li><a href="intro.html">Introduction</a></li>
      <li><a href="install.html">Installation</a></li>
      <li>
        <a href="admin.html">Administration</a>
        <ul class="menu level2">
          <li><a href="ServerStat_Help.html">Service Manager</a></li>
          <li><a href="Real_Time_Stats_Help.html">Real-Time Stats</a></li>
        </ul>
      </li>
      <li><span class="current"><a href="security.html">Security</a></span></li>
      <li>
        <a href="config.html">Configuration</a>
	    <ul class="level2">
	      <li><a href="ServGeneral_Help.html">Server General</a></li>
          <li><a href="ServLog_Help.html">Server Log</a></li>
	      <li><a href="ServTuning_Help.html">Server Tuning</a></li>
	      <li><a href="ServSecurity_Help.html">Server Security</a></li>
          <li><a href="Cache_Help.html">Page Cache</a></li>
          <li><a href="PageSpeed_Config.html">PageSpeed Config</a></li>
          <li><a href="ExtApp_Help.html">External Apps</a></li>
          <ul class="level3">
            <li><a href="External_FCGI.html">Fast CGI App</a></li>
            <li><a href="External_FCGI_Auth.html">Fast CGI Authorizer</a></li>
            <li><a href="External_LSAPI.html">LSAPI App</a></li>
            <li><a href="External_Servlet.html">Servlet Engine</a></li>
            <li><a href="External_WS.html">Web Server</a></li>
            <li><a href="External_PL.html">Piped logger</a></li>
            <li><a href="External_LB.html">Load Balancer</a></li>
          </ul>
          <li><a href="ScriptHandler_Help.html">Script Handler</a></li>
          <li><a href="PHP_Help.html">PHP</a></li>
          <li><a href="App_Server_Help.html">App Server Settings</a></li>
          <li><a href="Listeners_General_Help.html">Listener General</a></li>
          <li><a href="Listeners_SSL_Help.html">Listener SSL</a></li>
          <li><a href="Templates_Help.html">Virtual Host Templates</a></li>
          <li><a href="VirtualHosts_Help.html">Virtual Host Basic</a></li>
          <li><a href="VHGeneral_Help.html">Virtual Host General</a></li>
          <li><a href="VHSecurity_Help.html">Virtual Host Security</a></li>
          <li><a href="VHSSL_Help.html">Virtual Host SSL</a></li>
          <li>
            <a href="VHPageSpeed_Config.html">Virtual Host PageSpeed Config</a>
          </li>
          <li><a href="Rewrite_Help.html">Rewrite</a></li>
          <li><a href="Context_Help.html">Context</a></li>
          <ul class="level3">
            <li><a href="Static_Context.html">Static Context</a></li>
            <li>
              <a href="Java_Web_App_Context.html">Java Web App Context</a>
            </li>
            <li><a href="Servlet_Context.html">Servlet Context</a></li>
            <li><a href="FCGI_Context.html">Fast CGI Context</a></li>
            <li><a href="LSAPI_Context.html">LSAPI Context</a></li>
            <li><a href="Proxy_Context.html">Proxy Context</a></li>
            <li><a href="CGI_Context.html">CGI Context</a></li>
            <li><a href="LB_Context.html">Load Balancer Context</a></li>
            <li><a href="Redirect_Context.html">Redirect Context</a></li>
            <li><a href="App_Server_Context.html">App Server Context</a></li>
            <li><a href="Rails_Context.html">Rack/Rails Context</a></li>
          </ul>
          <li><a href="VHAddOns_Help.html">Add-ons</a></li>
        </ul>
      </li>
      <li>
        <a href="webconsole.html">Web Console</a>
        <ul class="level2">
          <li><a href="AdminGeneral_Help.html">Admin Console General</a></li>
          <li><a href="AdminSecurity_Help.html">Admin Console Security</a></li>
          <li>
            <a href="AdminListeners_General_Help.html">
              Admin Listener General
            </a>
          </li>
          <li>
            <a href="AdminListeners_SSL_Help.html">Admin Listener SSL</a>
          </li>
        </ul>
      </li>
    </ul>
  </div>
</aside>
<article class="contentwrapper ls-col-3-5 clearfix"><div class="nav-bar ls-spacer-micro-top"><div class="prev">&#171 <a href="admin.html">Administration</a></div><div class="center"><a href="index.html">Home</a></div><div class="next"><a href="config.html">Configuration</a> &#187;</div></div>
<h1>Security</h1>

<p>LiteSpeed Web Server is designed with security as a top consideration. 
LSWS supports SSL, has access control at server and virtual host levels, 
and context-specific realm protection. Besides these standard features, 
LSWS also has the following special security features: </p>

<ol>
	<li><h3>Connection level limits:</h3>
	  <ul>
	    <li> IP-level throttling limits network bandwidth to and from a single IP 
	      address regardless of the number of connections. </li>
	    <li> IP-level connection accounting limits the number of concurrent connections 
	      from a single IP address. You can controll this with the connection 
	      soft limit, connection hard limit, grace 
	      period, and banned period settings in the WebAdmin console. </li>
	  </ul>
	</li>
	<li><h3>Request checking:</h3>
	  	<p> Every HTTP request is vetted by LiteSpeed Web Server. "/." is not allowed in
	    a decoded URL, thus denying accessing hidden files and parent directories.</p>
	    <p>Request size is limited by LiteSpeed Web Server's max request URL length, 
	    max request header length, and max request body length settings. </p>
    </li>
    
    <li><h3>Web Application Firewall:</h3>
  		<p>Request Filtering can be performed on the request header/body to check against possible attack signatures. 
  		This helps defend against XSS attacks and SQL injection attacks, blocking 
     those requests right from the start. </p>
  	</li>
    
	<li><h3>Static file checking:</h3>
  		<p>LiteSpeed Web Server will serve a static file only if the following conditions 
    are satisfied: </p>
	  <ul>
	    <li>The file is readable by everyone.</li>
	    <li>The file is not executable.</li>
	    <li>The file is not in the access denied directory list.</li>
	    <li>The file does not contain symbolic link if symbolic links are not allowed. </li>
	    <li>By default, LiteSpeed Web Server does not index a directory by listing its
	        files, it has to be enabled explicitly.</li>
	  </ul>
	</li>
	<li><h3>External application firewall:</h3>
		<p>LiteSpeed Web Server forwards requests to external applications to process/generate 
dynamic content. Those applications can use a lot of system resources. The performance of the 
whole system will be severely degraded when system resource consumption reaches a certain point 
-- when swapping space has to be used, for example. One way to conduct a DoS attack is to flood 
the web server with concurrent requests to a cumbersome external application.</p>

<p>LiteSpeed Web Server can pipeline requests and control the concurrent level of external 
application use to prevent overconsumption of system resources. LSWS caches requests and only 
forwards completed requests to the external application. This means the external application 
will not be held waiting while the server is receiving the request. LSWS also caches the 
external application's response so that the external application can be released as soon as 
the response is completed and does not have to wait for the client to receive the complete response. 
This way the server can utilize fewer external application instances to serve more concurrent 
requests and achieve higher performance and scalability. LiteSpeed Web Server also uses its 
own virtual memory to cache the request and response body to minimize the usage of system 
memory without sacrificing performance. </p></li>
  <li><h3>CGI resources consumption limit:</h3>
<p>LiteSpeed Web Server restricts the amount of system resources that can be consumed by
 CGI applications. For each request to a CGI script, the web server needs to
 start a standalone CGI process to handle it. On a Unix system, the number of concurrent 
 processes is limited. With the CGI resources consumption limit, you can configure 
 the maximum number of concurrent CGI instances that the web server can launch.  
Excessive concurrent processes will degrade the performance 
of the whole system. (CGI processes are a common weapon for DoS attacks.)
A system process limit can be specified per user in order to control the number
of processes that can be spawned by a CGI application. Each process is further confined by CPU and memory limits.</p>
</li>
  <li><h3>Enhanced CGI/FastCGI security with suEXEC:</h3>
<p>In order to reduce the security risks of a CGI or Fast CGI script, LiteSpeed Web Server can restrict the system resources the CGI script can access by running it in 
"suEXEC" or "chroot jail" mode. "suEXEC" starts the CGI or Fast CGI script with a different user ID from that of the web server. This greatly improves security in
shared hosting environment by preventing one user's CGI script from accessing other users' files.</p>
<p>"chroot jail" starts the CGI script under an assigned alternative
     root directory. The script can not access files beyond this new root directory. 
     With this, you no longer need to worry about confidential system files being 
     exposed by vulnerable scripts.</p>
</li>

<li><h3>Run LSWS in chroot jail [Enterprise Edition Only]:</h3>
  <p> LiteSpeed Web Server can run in a chroot environment (known as a chroot jail). 
    In the chroot environment, the web server and its child processes cannot access 
    files outside of the chroot jail. This protects the system from attacks 
    by malicious code. </p>
</li>
</ol>
</article><div  class="ls-col-1-1"><footer class="copyright">Copyright &copy; 2003-2020. <a href="https://www.litespeedtech.com">LiteSpeed Technologies Inc.</a> All rights reserved.</footer>
</div></div>
</body>
</html>