Support

sysadm · #1 09-30-2010, 04:20 AM

How can I disable CGI, RubyOnRails, Python, ServerSideIncludes, mod_frontpage and Perl? I want to do it because of security reasons, but I haven't found it in options.

I want to disable it permanently, user should not be able to enable these functions in .htaccess.

mistwang · #2 09-30-2010, 06:50 PM

do what you usually do with Apache if you are using LiteSpeed with hosting control panel.

sysadm · #3 10-01-2010, 04:47 AM

From LS webpage or forum (I don't remember)
Will SSI support be included in beta 4?
reply: Yes, just assign MIME "application/x-httpd-shtml" to suffix
"shtml"

How can I deny set this by users in .htaccess files?

mistwang · #4 10-01-2010, 08:30 AM

disable MIME assignment in .htaccess with "AllowOverride"

sysadm · #5 10-01-2010, 09:10 AM

When I disable it my users will not be able to add parsing html and htm files with PHP.

How can I disable only SSI? It will be applicable in server configuration (via WebConsole). Is it possible to add this feature in next version of LiteSpeed?

sysadm · #6 10-06-2010, 02:11 AM

Using Apache we have total mastery over what it loads.

For example mod_include is active ONLY IN CASE OF we type this in our httpd.conf:
LoadModule include_module modules/mod_include.so

As I understand, Litepeed loads it's mod_include ALWAYS and we haven't any control over it. The same poblem we have with other modules. We don't really need ANY control panel in Litespeed. We can edit raw config files, but we want to decide what features should be loaded or not. That is general security rule: don't need it? Don't install it. Don't risk potential security holes.

My question is: how to disable mod_include and other unnecessary modules in Litespeed?
Are there any undocumented configuration directives to achieve this? In Apache it's enough to NOT type 'LoadModule' and this is my reply to question "what you usually do with Apache".

sysadm · #7 10-09-2010, 04:48 PM

any hints?

mistwang · #8 10-09-2010, 06:21 PM

For example:

Options -Includes -ExecCGI

to stop mod_include and CGI.

sysadm · #9 10-11-2010, 07:19 AM

Quote:

Originally Posted by mistwang

For example:

Options -Includes -ExecCGI

to stop mod_include and CGI.

Any user are able to override the above typing in his .htaccess this:
Options +Includes +ExecCGI

So my question is:
How to (permanently!) disable mod_cgi, mod_includes and others without disallowing user to change "options" directive himself (eg: Options +/-Indexes, Options +/-FollowSymlinks, Options +/-SymLinksIfOwnerMatch).

I'd prefer solution like additional checkbox/radio button (as for frontpage extension) in LS WebConsole.

mistwang · #10 10-11-2010, 10:02 AM

It is not possible with LiteSpeed while using Apache httpd.conf. you have to disallow Options override.