LiteSpeed Web server is designed with security as top consideration in mind.
It supports SSL
; has Access Control
at server and virtual host level; has Realm
protection for context. Besides those standard features, it also has the following special security features.
- Connection level limits:
- IP level throttling: Limits network bandwidth to and from a single IP
address regardless of the number of connections.
- IP level connection accounting: Limits the number of concurrent connections
from a single IP address. It is controlled by Connection
Soft Limit, Connection Hard Limit, Grace
Period and Banned Period.
Every HTTP request is strictly checked by LiteSpeed web server.
"/." is not allowed in a decoded URL, this will deny accessing hidden files
and parent directories.
Request size is limited by Max Request URL Length,
Max Request Header Length and Max
Request Body Length.
Request header and body can be checked against signatures of possible attacks
like XSS attack or SQL injection attackes, and block those requests in the first place.
Static file checking:
LiteSpeed web server will serve a static file only if the following conditions
External application firewall:
- the file is readable by everyone.
- the file is not executable.
- The file is not in the Access Denied Directory
- does not contain symbolic link if symbolic link is not allowed.
- By default, LiteSpeed web server does not index a directory by listing its files, it has to be enabled explicitly.
LiteSpeed Web server forwards requests to external applications such as
CGI, Fast CGI and Servlet engine to process/generate dynamic content. Usually
each request requires one instance of the external application. Those applications
may use a lot of system resources, and the performance of the whole system
will be severely degraded when system resource consumption reaches certain
point, for example, when swapping space has to be used. DoS attack can be
conducted by flooding the web server with concurrent requests to an external
application that consumes a lot of system resources.
LiteSpeed web server can pipeline requests and control the concurrent level
of external applications to prevent over consumption of system resources.
It only forwards completed request to external application and caches the
response. Thus external application will be immediately available to process
next request without waiting for the response completely received by the client.
In this way, the server can utilize fewer instances of external applications
to serve more concurrent requests and will achieve higher performance and
scalability as well. LiteSpeed web server uses its own virtual memory to cache
the request and response body to minimize the usage of system memory without
CGI Resources Consumption Limit
LiteSpeed web server restricts system resources that can be consumed by
CGI applications. For each request to a CGI script, the web server needs to
start a standalone CGI process to handle it. On a Unix system number of concurrent
processes is limited, excessive concurrent processes will degrade the performance
of the whole system and it could become a target of DoS attack. Maximum number
of concurrent CGI instances that the web server can launch can be configured.
In order to control the number of processes that can be spawned by CGI application
itself, system process limit can be specified per user. Each process is further
confined by CPU and memory limits.
Enhanced CGI/FastCGI security with suEXEC and chroot
In order to reduce security risks of a CGI or Fast CGI script, LiteSpeed web server
can restrict the system resources the CGI script can access by running it in "suEXEC" and
"chroot jail" mode. "suEXEC" is to have a CGI or Fast CGI script started with a different
user ID from that of web server, which greatly improves security of shared hosting environment
by preventing one user's CGI script from accessing other users' files.
Chroot [Enterprise Edition Only]:
"chroot jail" is to have a CGI script started under an assigned alternative
root directory, the script can not access files beyond the new root directory.
With it, you no longer need to worry about confidential system files being
exposed by vulnerable scripts.
LiteSpeed web server can run in chroot environment (known as a chroot jail).
In chroot environment, the web server and its children processes cannot access
file system outside of the chroot jail. This protects system from attacks
of malicious code.