How to setup Litespeed LSWS for a shared environment?

Discussion in 'General' started by grniyce, Mar 27, 2009.

  1. grniyce

    grniyce New Member

    Here is php.ini showing functions disabled:
    [​IMG]

    Here is suhosin section added in php.ini:
    [​IMG]

    ...and here is the /usr/local/lsws/conf/httpd_config.xml:
    Code:
    <?xml version="1.0" encoding="UTF-8"?>
    <httpServerConfig>
      <serverName>server.legithost.net</serverName>
      <user>nobody</user>
      <group>nobody</group>
      <priority>-19</priority>
      <chrootPath>/</chrootPath>
      <enableChroot>0</enableChroot>
      <inMemBufSize>60M</inMemBufSize>
      <swappingDir>/tmp/lshttpd/swap</swappingDir>
      <autoRestart>1</autoRestart>
      <autoFix503>1</autoFix503>
      <loadApacheConf>1</loadApacheConf>
      <autoReloadApacheConf>2</autoReloadApacheConf>
      <apacheBinPath>/usr/local/apache/bin/httpd</apacheBinPath>
      <apacheConfFile>/usr/local/apache/conf/httpd.conf</apacheConfFile>
      <apachePortOffset>0</apachePortOffset>
      <apacheIpOffset>0</apacheIpOffset>
      <apacheHandledContent></apacheHandledContent>
      <phpSuExec>1</phpSuExec>
      <phpSuExecMaxConn>10</phpSuExecMaxConn>
      <apacheEnableFP>1</apacheEnableFP>
      <mime>$SERVER_ROOT/conf/mime.properties</mime>
      <disableInitLogRotation>1</disableInitLogRotation>
      <showVersionNumber>0</showVersionNumber>
      <enableIpGeo></enableIpGeo>
      <useIpInProxyHeader></useIpInProxyHeader>
      <autoUpdateInterval>86400</autoUpdateInterval>
      <autoUpdateDownloadPkg>1</autoUpdateDownloadPkg>
      <adminEmails>grniyce@gmail.com</adminEmails>
      <adminRoot>$SERVER_ROOT/admin/</adminRoot>
      <logging>
        <log>
          <fileName>/usr/local/apache/logs/error_log</fileName>
          <logLevel>DEBUG</logLevel>
          <debugLevel>0</debugLevel>
          <rollingSize>2000M</rollingSize>
          <enableStderrLog>0</enableStderrLog>
        </log>
        <accessLog>
          <fileName>$SERVER_ROOT/logs/access.log</fileName>
          <rollingSize>2000M</rollingSize>
          <keepDays>30</keepDays>
          <compressArchive>0</compressArchive>
        </accessLog>
      </logging>
      <indexFiles>index.html, index.php, index.php5, index.htm</indexFiles>
      <autoIndex></autoIndex>
      <autoIndexURI></autoIndexURI>
      <htAccess>
        <allowOverride>31</allowOverride>
        <accessFileName>.htaccess</accessFileName>
      </htAccess>
      <expires>
        <enableExpires>1</enableExpires>
        <expiresByType>image/*=A604800, text/css=A604800, application/x-javascript=A604800</expiresByType>
      </expires>
      <tuning>
        <maxConnections>650</maxConnections>
        <maxSSLConnections>50</maxSSLConnections>
        <connTimeout>60</connTimeout>
        <maxKeepAliveReq>90</maxKeepAliveReq>
        <smartKeepAlive>1</smartKeepAlive>
        <keepAliveTimeout>3</keepAliveTimeout>
        <sndBufSize>0</sndBufSize>
        <rcvBufSize>0</rcvBufSize>
        <eventDispatcher>best</eventDispatcher>
        <maxCachedFileSize>4096</maxCachedFileSize>
        <totalInMemCacheSize>20M</totalInMemCacheSize>
        <maxMMapFileSize>256K</maxMMapFileSize>
        <totalMMapCacheSize>40M</totalMMapCacheSize>
        <useSendfile>1</useSendfile>
        <etagNoInode>1</etagNoInode>
        <SSLCryptoDevice>null</SSLCryptoDevice>
        <maxReqURLLen>8192</maxReqURLLen>
        <maxReqHeaderSize>16380</maxReqHeaderSize>
        <maxReqBodySize>10M</maxReqBodySize>
        <maxDynRespHeaderSize>4K</maxDynRespHeaderSize>
        <maxDynRespSize>10M</maxDynRespSize>
        <enableGzipCompress>1</enableGzipCompress>
        <enableDynGzipCompress>1</enableDynGzipCompress>
        <gzipCompressLevel>1</gzipCompressLevel>
        <compressibleTypes>text/*, application/x-javascript, application/xml</compressibleTypes>
        <gzipAutoUpdateStatic>1</gzipAutoUpdateStatic>
        <gzipCacheDir></gzipCacheDir>
        <gzipStaticCompressLevel>1</gzipStaticCompressLevel>
        <gzipMaxFileSize>1M</gzipMaxFileSize>
        <gzipMinFileSize>300</gzipMinFileSize>
      </tuning>
      <security>
        <fileAccessControl>
          <followSymbolLink>1</followSymbolLink>
          <checkSymbolLink>0</checkSymbolLink>
          <requiredPermissionMask>000</requiredPermissionMask>
          <restrictedPermissionMask>000</restrictedPermissionMask>
        </fileAccessControl>
        <perClientConnLimit>
          <staticReqPerSec>25</staticReqPerSec>
          <dynReqPerSec>10</dynReqPerSec>
          <outBandwidth>0</outBandwidth>
          <inBandwidth>0</inBandwidth>
          <softLimit>400</softLimit>
          <hardLimit>500</hardLimit>
          <gracePeriod>15</gracePeriod>
          <banPeriod>300</banPeriod>
        </perClientConnLimit>
        <CGIRLimit>
          <maxCGIInstances>20</maxCGIInstances>
          <minUID>11</minUID>
          <minGID>10</minGID>
          <priority>0</priority>
          <CPUSoftLimit>60</CPUSoftLimit>
          <CPUHardLimit>120</CPUHardLimit>
          <memSoftLimit>250M</memSoftLimit>
          <memHardLimit>300M</memHardLimit>
          <procSoftLimit>400</procSoftLimit>
          <procHardLimit>450</procHardLimit>
        </CGIRLimit>
        <censorshipControl>
          <enableCensorship>1</enableCensorship>
          <logLevel>1</logLevel>
          <defaultAction>deny,log,status:403</defaultAction>
          <scanPOST>1</scanPOST>
        </censorshipControl>
        <accessDenyDir>
          <dir>/</dir>
          <dir>/etc/*</dir>
          <dir>/dev/*</dir>
          <dir>$SERVER_ROOT/conf/*</dir>
          <dir>$SERVER_ROOT/admin/conf/*</dir>
        </accessDenyDir>
        <accessControl>
          <allow>ALL</allow>
          <deny></deny>
        </accessControl>
      </security>
      <extProcessorList>
        <extProcessor>
          <type>lsapi</type>
          <name>lsphp5</name>
          <address>uds://tmp/lshttpd/lsphp5.sock</address>
          <note></note>
          <maxConns>35</maxConns>
          <env>PHP_LSAPI_MAX_REQUESTS=500</env>
          <env>PHP_LSAPI_CHILDREN=35</env>
          <initTimeout>60</initTimeout>
          <retryTimeout>0</retryTimeout>
          <persistConn>1</persistConn>
          <pcKeepAliveTimeout></pcKeepAliveTimeout>
          <respBuffer>0</respBuffer>
          <autoStart>1</autoStart>
          <path>$SERVER_ROOT/fcgi-bin/lsphp5</path>
          <backlog>100</backlog>
          <instances>1</instances>
          <runOnStartUp></runOnStartUp>
          <extMaxIdleTime></extMaxIdleTime>
          <priority>0</priority>
          <memSoftLimit>450M</memSoftLimit>
          <memHardLimit>500M</memHardLimit>
          <procSoftLimit>200</procSoftLimit>
          <procHardLimit>200</procHardLimit>
        </extProcessor>
        <extProcessor>
          <type>lsapi</type>
          <name>lsphp4</name>
          <address>uds://tmp/lshttpd/lsphp4.sock</address>
          <note></note>
          <maxConns>35</maxConns>
          <env>PHP_LSAPI_MAX_REQUESTS=500</env>
          <env>PHP_LSAPI_CHILDREN=35</env>
          <initTimeout>60</initTimeout>
          <retryTimeout>0</retryTimeout>
          <persistConn>1</persistConn>
          <pcKeepAliveTimeout></pcKeepAliveTimeout>
          <respBuffer>0</respBuffer>
          <autoStart>1</autoStart>
          <path>$SERVER_ROOT/fcgi-bin/lsphp4</path>
          <backlog>100</backlog>
          <instances>1</instances>
          <runOnStartUp></runOnStartUp>
          <extMaxIdleTime></extMaxIdleTime>
          <priority>0</priority>
          <memSoftLimit>450M</memSoftLimit>
          <memHardLimit>500M</memHardLimit>
          <procSoftLimit>200</procSoftLimit>
          <procHardLimit>200</procHardLimit>
        </extProcessor>
        <extProcessor>
          <type>proxy</type>
          <name>127.0.0.1:2082</name>
          <address>127.0.0.1:2082</address>
          <note>for cPanel backend</note>
          <maxConns>100</maxConns>
          <pcKeepAliveTimeout>0</pcKeepAliveTimeout>
          <initTimeout>60</initTimeout>
          <retryTimeout>0</retryTimeout>
          <respBuffer>0</respBuffer>
        </extProcessor>
        <extProcessor>
          <type>proxy</type>
          <name>127.0.0.1:2095</name>
          <address>127.0.0.1:2095</address>
          <note>for webmail backend</note>
          <maxConns>100</maxConns>
          <pcKeepAliveTimeout>0</pcKeepAliveTimeout>
          <initTimeout>60</initTimeout>
          <retryTimeout>0</retryTimeout>
          <respBuffer>0</respBuffer>
        </extProcessor>
        <extProcessor>
          <type>proxy</type>
          <name>127.0.0.1:2086</name>
          <address>127.0.0.1:2086</address>
          <note>for WHM backend</note>
          <maxConns>100</maxConns>
          <pcKeepAliveTimeout>0</pcKeepAliveTimeout>
          <initTimeout>60</initTimeout>
          <retryTimeout>0</retryTimeout>
          <respBuffer>0</respBuffer>
        </extProcessor>
        <extProcessor>
          <type>proxy</type>
          <name>127.0.0.1:2077</name>
          <address>127.0.0.1:2077</address>
          <note>for webdisk backend</note>
          <maxConns>100</maxConns>
          <pcKeepAliveTimeout>0</pcKeepAliveTimeout>
          <initTimeout>60</initTimeout>
          <retryTimeout>0</retryTimeout>
          <respBuffer>0</respBuffer>
        </extProcessor>
      </extProcessorList>
      <scriptHandlerList>
        <scriptHandler>
          <suffix>php</suffix>
          <type>lsapi</type>
          <handler>lsphp5</handler>
        </scriptHandler>
        <scriptHandler>
          <suffix>php4</suffix>
          <type>lsapi</type>
          <handler>lsphp4</handler>
        </scriptHandler>
        <scriptHandler>
          <suffix>php5</suffix>
          <type>lsapi</type>
          <handler>lsphp5</handler>
          <note></note>
        </scriptHandler>
      </scriptHandlerList>
      <railsDefaults>
        <rubyBin></rubyBin>
        <railsEnv>1</railsEnv>
        <maxConns>5</maxConns>
        <env>LSAPI_MAX_REQS=1000</env>
        <env>LSAPI_MAX_IDLE=60</env>
        <initTimeout>60</initTimeout>
        <retryTimeout>0</retryTimeout>
        <pcKeepAliveTimeout>60</pcKeepAliveTimeout>
        <respBuffer>0</respBuffer>
        <backlog>50</backlog>
        <runOnStartUp>1</runOnStartUp>
        <extMaxIdleTime>300</extMaxIdleTime>
        <priority>3</priority>
        <memSoftLimit>450M</memSoftLimit>
        <memHardLimit>500M</memHardLimit>
        <procSoftLimit>200</procSoftLimit>
        <procHardLimit>300</procHardLimit>
      </railsDefaults>
    </httpServerConfig>
    
    Last edited: Apr 25, 2009
  2. DraCoola

    DraCoola Member

    Perhaps you should add the mod_sec rules first? Or have they been missing?
    The path for mod_sec was /usr/local/apache/conf/

    Btw some of C99 have successfully made themselves "disappear" from ClamAV.
    ClamAV cannot recognize that special C99 as a trojan/virus.
    So ClamAV will be unused in that case.

    Mod_Sec is only the first gate, with its rules.
    If PHP shells sometimes get through it, the last defense is phpSuexec (Suphp is better) and php disable_functions.
    And of course suhosin.

    The most important thing is how to prevent that script from reading/writing all files and directories on our servers.
    It can be done with php_disable functions and PHP privilege per user.
    Are you sure that the php.ini being used (disable_functions edited) is the right php.ini for all web users?
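
An added example, not part of the thread and not LiteSpeed tooling: a small Python audit of the settings in the posted httpd_config.xml that decide whether one account's PHP can reach another account's files (phpSuExec, symlink handling, minUID/minGID). The value meanings (phpSuExec 0 = off; followSymbolLink 1 = always follow, 2 = only if owner matches) and the 500 id boundary are assumptions to confirm against your LSWS version's documentation.

```python
import xml.etree.ElementTree as ET

# Constructed sample: only the isolation-related settings from the posted config.
SAMPLE = """<httpServerConfig>
  <user>nobody</user>
  <phpSuExec>1</phpSuExec>
  <security>
    <fileAccessControl>
      <followSymbolLink>1</followSymbolLink>
      <checkSymbolLink>0</checkSymbolLink>
    </fileAccessControl>
    <CGIRLimit><minUID>11</minUID><minGID>10</minGID></CGIRLimit>
  </security>
</httpServerConfig>"""


def setting(root, path):
    """Return the stripped text of an element, or '' if absent or empty."""
    node = root.find(path)
    return (node.text or "").strip() if node is not None else ""


def audit(xml_text, first_customer_id=500):
    """Return (setting, reason) pairs for values that weaken per-user isolation.

    Assumed value meanings: phpSuExec 0 = off; followSymbolLink 1 = always,
    2 = only if owner matches. first_customer_id is an assumed boundary.
    """
    root = ET.fromstring(xml_text)
    findings = []
    if setting(root, "phpSuExec") in ("", "0"):
        findings.append(("phpSuExec", "PHP runs as server user %r for every site"
                         % setting(root, "user")))
    fac = "security/fileAccessControl/"
    if setting(root, fac + "followSymbolLink") == "1":
        findings.append(("followSymbolLink", "symlinks followed regardless of owner"))
    if setting(root, fac + "checkSymbolLink") != "1":
        findings.append(("checkSymbolLink", "symlink targets not checked against accessDenyDir"))
    for name in ("minUID", "minGID"):
        value = setting(root, "security/CGIRLimit/" + name)
        if value.isdigit() and int(value) < first_customer_id:
            findings.append((name, "suEXEC allowed for system ids >= " + value))
    return findings


if __name__ == "__main__":
    for name, reason in audit(SAMPLE):
        print("%-17s %s" % (name, reason))
```
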
  3. grniyce

    grniyce New Member

    Both the php.ini's are identical, so I am positive all the disable functions are effective now.
    Last edited: Jun 23, 2009
  4. grniyce

    grniyce New Member

    As an update, everything is working beautifully and I thank everyone that has contributed to this thread!
    Last edited: Jun 23, 2009
  5. auser

    auser Super Moderator

    I'd like to download 1 of the scripts, to try on my local box, see if LSWS can stop it, or how to stop it. Can you tell the location of the scripts site, and point out 1 which looks most troublesome? This will break down big issues into smaller ones, and help resolve them finally.
  6. grniyce

    grniyce New Member

    NOTE: VERY IMPORTANT THAT THE BELOW SITE IS TO BE USED BY INDIVIDUALS WHO KNOW EXACTLY WHAT THEY ARE DOING IN EFFORT(S) TO TEST THE SECURITY OF YOUR SERVER. REALIZE THAT LEAVING -ANY- OF THESE SHELLS CAN PLACE YOUR SERVER AT SEVERE RISK IF YOU DO NOT KNOW WHAT YOU ARE DOING!

    common phpshells are available here: www.shellci.biz
  7. nixell

    nixell New Member

    If PHP functions are disabled, WHMCS or other scripts still can't run?
  8. grniyce

    grniyce New Member

    Yes, WHMCS works fine with the php functions mentioned disabled. Most if not 99% of the time you will run into ini_set errors (not on whmcs but on various other scripts). If you simply edit out the ini_set from the configuration files or have someone knowledgeable do it you won't run into any errors.

    To directly answer your question, "you will have no issues running whmcs and most other scripts with all of the above recommendations".

    My server runs vBulletin, IPB, PHPbb, WHMSonic, WHMCS, Shoutcast, and many other scripts without any flaws.
  9. Nokki

    Nokki New Member

    thanks for the guide
  10. onisoc

    onisoc New Member

    I'm using cPanel and Apache for shared server hosting. I'm planning to transfer to LSWS + cPanel, but I have some questions:
    1. .htaccess: is LSWS compatible with cPanel users?
    2. I have some configs in httpd.conf like:
    for anti phpshell, cgishell effect symlink.
    May I use it with LSWS?

    I hope you can advise me smt.
  11. NiteWave

    NiteWave Administrator

    1. LSWS is compatible with Apache .htaccess.

    2. The example directives are from Apache too. Yes, LSWS is compatible with them.

    Since you're running trial LSWS, it should be easier for you to verify these directives one by one, to see if they work as expected, as in Apache. If not, please report to us.
  12. prandah

    prandah Member

    Hello,
    I have several questions.
    As far as I know, cPanel uses the nobody group,
    but Kloxo uses the apache default group.
    So can I install LSWS under the apache group?
  13. jamdwade

    jamdwade New Member

    Thanks for this information. I appreciate it a lot.
  14. mrbiki

    mrbiki New Member

    go support team
  15. grniyce

    grniyce New Member

    Wow, just checking in. I'm excited to load up LiteSpeed on a new cluster I'm having implemented for my site worldtruth.org. Right now I'm running the 15 day enterprise trial until the setup is ready in a couple days, then I'm purchasing the whole shebang. I know people keep saying to run nginx + php-fpm and apc, but I'm here to testify that LiteSpeed + APC ---> DESTROYS nginx. I don't care what their benchmarks are.

    I don't know how they're testing it, or what they're running, but if you want an all around super fast, secure, compatible webserver with easy interface, and exceptional customization options even for the novice user; LITESPEED is the "ONLY CHOICE"

    Viva LiteSpeed 2013!
  16. remas100

    remas100 New Member

    ut still curious on how to enable the pure phpsuexec on this LS-cPanel.
    Because I think the security of LS will be totally null if any user can still walk around to other users' territories.

    It is just the same as php-DSO (nobody), where the username means nothing to PHP security.
