LiteSpeed Web Server Users' Manual

Version 5.1 Rev. 1

Virtual Host Security

Table of Contents

Hotlink Protection

Enable Hotlink Protection | Suffix | Redirect URL | Allow Direct Access | Only Self Reference | Allowed Domains | REGEX Matched Domains | 

Access Control

Allowed List | Denied List | 

Authorization Realms

Realm Name | DB Type | User DB Location | Password Attribute | Member-of Attribute | User DB Max Cache Size | User DB Cache Timeout (secs) | Group DB Location | Group Member Attribute | Group DB Max Cache Size | Group DB Cache Timeout (secs) | LDAP Bind DN | LDAP Bind Password | 

Hotlink ProtectionGo to top
Description: Hotlinks are requests made from an external website to files on your own website often referred to as "leeching". This practice introduces additional bandwidth usage that you should not be responsible for.

LiteSpeed web server can prevent others from hotlinking to content on your web site by checking the Referer header within a HTTP request. If the Referer header does not match your website, the request will be denied.
Enable Hotlink ProtectionGo to top
Description: Specifies whether to activate hotlink protection.
Syntax: Select from radio box
SuffixGo to top
Description: Specifies what kinds of files will be protected from hotlinking by listing file suffixes.
Syntax: Comma delimited list. "." is prohibited
Redirect URLGo to top
Description: Specifies a URL that a user will be redirected to when a hotlinking action is detected. You can redirect users to an image or page saying hotlinking is not allowed. If it is not specified, 403 Forbidden will be returned.
Syntax: Absolute URL
Allow Direct AccessGo to top
Description: Specifies whether to allow direct access without a referer. A referer header identifies the webpage that linked to the current page. There is no "referer" header in HTTP requests when a user types in an address directly in the address box or uses a feature like "save target link as".
Syntax: Select from radio box
Only Self ReferenceGo to top
Description: Specifies whether to only allow references from the current web site itself. When set to Yes, Allowed Domains has no effect and no other web site can link to protected files. This can be convenient if you wish to park multiple domain names on the current web site.
Syntax: Select from radio box
Allowed DomainsGo to top
Description: Specifies which web sites can link to protected content.
Syntax: Comma delimited list of domain names.
REGEX Matched DomainsGo to top
Description: Specifies web sites that can link to protected content in regular expressions. The regular expression will match the domain name only and not the full URL.
Syntax: Regular expressions
Example: ^.*\.mydomain\.com$
Access ControlGo to top
Description: Specifies what sub networks and/or IP addresses can access the server. At the server-level, this setting will affect all virtual hosts. You can also set up access control unique to each virtual host at the virtual host-level. Virtual host settings will NOT override server settings.

Whether to block/allow an IP is determined by the combination of the allowed list and the denied list. If you want to block only certain IPs or sub-networks, put * or ALL in the Allowed List and list the blocked IPs or sub-networks in the Denied List. If you want to only allow certain IPs or sub-networks, put * or ALL in the Denied List and list the allowed IPs or sub-networks in the Allowed List. The setting of the smallest scope that fits for an IP will be used to determine whether to block or allow that IP.

Server-level: Trusted IPs or sub-networks must be specified in the Allowed List by adding a trailing "T". Trusted IPs or sub-networks are not affected by connection/throttling limits. Only server-level access control can set up trusted IPs/sub-networks.
Tips: [Security] Use this at the server-level for general restrictions that apply to all virtual hosts.
Allowed ListGo to top
Description: Specifies the list of IPs or sub-networks allowed. * or ALL are accepted.
Syntax: Comma delimited list of IP addresses or sub-networks. A trailing "T" can be used to indicate a trusted IP or sub-network, such as 192.168.1.*T.
Example: Sub-networks: 192.168.1.0/255.255.255.0, 192.168.1.0/24, 192.168.1 or 192.168.1.*.
IPv6 addresses: ::1 or [::1]
IPv6 subnets: 3ffe:302:11:2:20f:1fff:fe29:717c/64 or [3ffe:302:11:2:20f:1fff:fe29:717c]/64.
Tips: [Security] Trusted IPs or sub-networks set at the server-level access control will be excluded from connection/throttling limits.
Denied ListGo to top
Description: Specifies the list of IPs or sub-networks disallowed.
Syntax: Comma delimited list of IP addresses or sub-networks. * or ALL are accepted.
Example: Sub-networks: 192.168.1.0/255.255.255.0, 192.168.1.0/24, 192.168.1 or 192.168.1.*.
IPv6 addresses: ::1 or [::1]
IPv6 subnets: 3ffe:302:11:2:20f:1fff:fe29:717c/64 or [3ffe:302:11:2:20f:1fff:fe29:717c]/64.
Authorization RealmsGo to top
Description: Lists all authorization realms for this virtual host. Authorization realms are used to block unauthorized users from accessing protected web pages. A realm is a user directory containing usernames and passwords with optional group classifications. Authorization is performed at context level. Since different contexts can share the same realm (user database), so realms are defined separately from the contexts that use them. You can refer to a realm by these names in context configuration.
Realm NameGo to top
Description: Specifies a unique name for the authorization realm.
DB TypeGo to top
Description: Specifies how user/group data is stored for an authorization realm. Currently, user/group data can be stored in flat files or on a LDAP server.
Syntax: Select from drop down list
User DB LocationGo to top
Description: Specifies the location of the user database. For DB type Password File, it is the path to the flat file containing user/password definitions. You can edit this file through the WebAdmin console by clicking on the file name.

Each line of the user file contains a username followed by a colon, followed by a crypt() encrypted password, optionally followed by a colon and group names that user belongs to. Group names are delimitated by commas. If group information is specified in the user database, then the group database will not be checked.

Example:
john:HZ.U8kgjnMOHo:admin,user


For DB type LDAP, it is the LDAP URL to query for the user information. For each valid user, the authentication data stored in the LDAP server should contain at least the user id and user password. One and only one record should be returned in the LDAP search request based on the this URL and username received in the HTTP Authentication header. "$k" must be specified in the filter part of the URL and it will be replaced with the username. The user password attribute must be returned in the query result. The attribute name of the user password is specified by Password Attribute. Group information can be optionally specified by Member-of Attribute.

Example: At minimum, a user can be defined in LDAP with object classes: uidObject, simpleSecurityObject and organizationalRole. The following URL could be used:

ldap://localhost/ou=UserDB,dc=example,dc=com???(&(objectClass=*)(uid=$k))
Syntax: Path to the user DB file or LDAP URL (RFC 2255).
Tips: [Security] It is recommended to store user password files outside of the document tree. If a user password file has to be placed inside document tree, simply name it with a leading ".ht" like .htuser to prevent it being served as a static file. LiteSpeed Web Server does not serve files prefixed with ".ht".
See Also: Group DB Location, Password Attribute, Member-of Attribute
Password AttributeGo to top
Description: Specifies the name of the password attribute for a user record stored in an LDAP server. The default value is userPassword.
Syntax: string
Member-of AttributeGo to top
Description: Specifies the name of the "Member-of" attribute for a user record stored in an LDAP server. The default value is memberOf. The "Member-of" attribute can be used to specify the group name that the user belongs to.
Syntax: string
User DB Max Cache SizeGo to top
Description: Specifies the maximum cache size of the user database. Recently accessed user authentication data will be cached in memory to provide maximum performance.
Syntax: Integer number
Tips: [Performance] As a larger cache will consume more memory, a higher value may or may not provide better performance. Set it to an appropriate size according to your user database size and site usage.
User DB Cache Timeout (secs)Go to top
Description: Specifies how often the backend user database will be checked for changes. Every entry in the cache has a timestamp. When cached data is older than the specified timeout, the backend database will be checked for changes. If there is no change, the timestamp will be reset to the current time, otherwise the new data will be loaded. Sevrer reload and graceful restart will clear the cache immediately.
Syntax: Integer number
Tips: [Performance] If the backend database does not change very often, set a longer timeout for better performance.
Group DB LocationGo to top
Description: Specifies the location of the group database.
Group information can be set either in the user database or in this standalone group DB. For user authentication, the user DB will be checked first. If the user DB also contains group information, then the group DB will not be checked.

For the DB type Password File, the group DB location should be the path to the flat file containing group definitions. You can edit this file through the WebAdmin console by clicking on the file name.

Each line of a group file should contain a groupname followed by a colon, followed by space delimited group of usernames. Example:
testgroup: user1 user2 user3


For the DB type LDAP, the group DB location should be the LDAP URL to query for group information. For each valid group, one and only one record should be returned in the LDAP search request based on this URL and the group name specified in Require (Authorized Users/Groups). "$k" must be specified in the filter part of the URL and it will be replaced with the group name. The name of the attribute that specifies members in this group is specified by Group Member Attribute.

Example: If objectClass posixGroup is being used to store group information. The following URL could be used:
ldap://localhost/ou=GroupDB,dc=example,dc=com???(&(objectClass=*)(cn=$k))
Syntax: File name which can be absolute, relative to $SERVER_ROOT, or relative to $VH_ROOT.
Tips: [Security] It is recommended to store a group file outside the document tree. If it has to be placed inside document tree, simply name it with a leading ".ht" like .htgroup, to prevent the file being served as a static file. LiteSpeed Web Server does not serve files prefixed with ".ht".
See Also: User DB Location, Context Require (Authorized Users/Groups), Group Member Attribute
Group Member AttributeGo to top
Description: Specifies the name of the "Member" attribute for a group record stored in an LDAP server. The default value is memberUid.
Syntax: string
Group DB Max Cache SizeGo to top
Description: Specifies the maximum cache size of the group database.
Syntax: Integer number
Tips: [Performance] As a larger cache will consume more memory, a higher value may or may not provide better performance. Set it to an appropriate size according to your user database size and site usage.
See Also: User DB Max Cache Size
Group DB Cache Timeout (secs)Go to top
Description: Specifies how often the backend group database will be checked for changes. For more detail please refer to User DB Cache Timeout (secs).
Syntax: Integer number
See Also: User DB Cache Timeout (secs)
LDAP Bind DNGo to top
Description: Specifies a DN used to bind to the server. If the LDAP server requires authentication, a bind DN and password must be specified. If not specified, anonymous bind will be used.
Syntax: string
See Also: LDAP Bind Password
LDAP Bind PasswordGo to top
Description: Specifies a password used to bind to the server. If the LDAP Server requires authentication, a bind DN and password must be specified.
Syntax: string
See Also: LDAP Bind DN