security

Discussion in 'Feedback/Feature Requests' started by Dani, Nov 29, 2005.

  1. Dani

    Dani New Member

    Hi,

    great job with the server. My friend recommended me to change and oh did it perform as the benchmarks say. The load is about 60% lower if not more some times. The speed has increased with about 50% of before 'havent had time to play with the tuning yet'.

    But have a question for the default 404, 403 etc files..

    the line "Powered By LiteSpeed Web Server
    Lite Speed Technologies is not responsible for administration and contents of this web site!" gets added to the bottom. Is there a way to hide the server info for security reasons? "except using cutom 404 error pages which seem to have a bug when using it on the 401 error...
  2. mistwang

    mistwang LiteSpeed Staff

    Thank you for your praise.

    Which error page has problem? 403 or 401?
  3. Dani

    Dani New Member

    sorry for confusing you =) 401 gives error. for example I had a realm check on a statis link but it never reached it. I only got to the custom 401 error instead of being asked for the password. When I removed the 401 it worked without any problems.

    but is it possible to hide the servername like in apache or is this embedded somehow?
  4. mistwang

    mistwang LiteSpeed Staff

    OK, I see.

    That's due to how custom error pages was handled. The information about authentication realm was lost.

    We can't fix it right now, however, there is a work around though, set the customized error page to a URL under your protected context.
  5. jnrey

    jnrey New Member

    Cust Redirect still displays Powered By LiteSpeed Web Server

    For security reasons I would like to hide the name of the Server. I have customized 404 and 503 pages, to no avail; it still displays "Powered By LiteSpeed Web Server Lite Speed Technologies is not responsible for administration and contents of this web site!". Is there any way to hide all this ?

    Many thanks !
  6. brrr

    brrr New Member

    I think the ability to hide the 'Powered by LSWS' etc only comes with the Enterprise version.
  7. jnrey

    jnrey New Member

    Well got the trial enterprise version so far, but did not see it. Can this be confirmed by anyone ?
  8. brrr

    brrr New Member

    Doesn't:
    Configuration > Server > General > General Settings > Server Signature > Hide Full Header

    do it?
  9. mistwang

    mistwang LiteSpeed Staff

    That hide the server signature in the response header.

    jnrey want to use a custom error page for 404, 503 errors. It should work even with earlier release of LSWS.


    Is LSWS used together with Apache configuration file? or everything configured via LSWS web console? Are you sure the file for the custom error pages exist? try access those pages directly, see what do you get.
  10. jnrey

    jnrey New Member

    Have set "Hide Full Header", however it doesn't take, using the default message instead . I am only using LSWS web console - no Apache config files - but it doesn't find the VHOST custom error pages (e.g. error404.html under "Default/html" directory - $VH_ROOT/html/).

    Again, many thanks for your help.
  11. mistwang

    mistwang LiteSpeed Staff

    You need to create the html file for the custom error page first.
  12. jnrey

    jnrey New Member

    That was done.
  13. mistwang

    mistwang LiteSpeed Staff

  14. jnrey

    jnrey New Member

    Hi Mistwang. When addressing it manually, I do get the standard 404 page (Request Page Not Found, This is a customized error page for missing pages.) - but this time without the "Powered By" Footer. Also, it is not my own customized 404 page. When the server displays / forwards to error messages 404, 503 etc., the Footer still does appear.
  15. mistwang

    mistwang LiteSpeed Staff

  16. mistwang

    mistwang LiteSpeed Staff

    Make sure to set the URL like "/my_cusotm_error_page_url" without "http:/".
  17. jnrey

    jnrey New Member

    My custom error pages for the VH are showing up now when I enter them manually (e.g. http://www.mydomain.com/<myerror404.html>), as I adapted and simplified the context and made sure they were under (static: URI "/"). I also have set absolute paths pointing to these urls.

    However, when entering a http://www.mydomain.com/<non-exiting.html>, the server still doesn't forward to http://www.mydomain.com/<myerror404.html> as set under corresponding rule 404, but instead still goes to the standard (404 Not Found ... Powered By LiteSpeed Web Server etc.). I am using neither script nor rewrite rules. Am not using .htaccess, and setting is set to "Hide Full Header".
  18. mistwang

    mistwang LiteSpeed Staff

    What is URL for the 404 error page? is that <myerror404.html>? Does <myerror404.html> exist under the document root? You do not need to add a <myerror404.html> context.
  19. jnrey

    jnrey New Member

    Many thanks Mistwang ! An explicit context like URI "/error404.html" under Doc Root was not even necessary, although this works as well. Rather, one could use the URI "/" under a location like "directory1/", e.g. for a group of static urls like the error ones. What was essential - besides including the context andtesting the manual display or the urls - was to declare urls relative to Doc Root under Customized Error Pages, NOT absolute paths.
  20. trembler

    trembler New Member

    damw dude that is wack :eek:

    [​IMG]

Share This Page