disabling features

sysadm

#1
How can I disable CGI, RubyOnRails, Python, ServerSideIncludes, mod_frontpage and Perl? I want to do it for security reasons, but I haven't found it in the options.

I want to disable it permanently; users should not be able to enable these functions in .htaccess.

sysadm

#3
From the LS webpage or forum (I don't remember):
Will SSI support be included in beta 4?
reply: Yes, just assign MIME "application/x-httpd-shtml" to suffix "shtml"

How can I prevent users from setting this in .htaccess files?

sysadm

#5
When I disable it, my users will not be able to add parsing of html and htm files with PHP.

How can I disable only SSI? It will be applicable in the server configuration (via WebConsole). Is it possible to add this feature in the next version of LiteSpeed?

sysadm

#6
Using Apache we have total mastery over what it loads.

For example, mod_include is active ONLY IN CASE we type this in our httpd.conf:
LoadModule include_module modules/mod_include.so

As I understand, LiteSpeed loads its mod_include ALWAYS and we haven't any control over it. We have the same problem with other modules. We don't really need ANY control panel in LiteSpeed. We can edit raw config files, but we want to decide what features should be loaded or not. That is a general security rule: don't need it? Don't install it. Don't risk potential security holes.

My question is: how to disable mod_include and other unnecessary modules in LiteSpeed?
Are there any undocumented configuration directives to achieve this? In Apache it's enough to NOT type 'LoadModule' and this is my reply to the question "what you usually do with Apache".

sysadm

#9
For example:

Options -Includes -ExecCGI

to stop mod_include and CGI.
Any user is able to override the above by typing this in his .htaccess:
Options +Includes +ExecCGI


So my question is:

How to (permanently!) disable mod_cgi, mod_include and others without disallowing the user to change the "Options" directive himself (e.g. Options +/-Indexes, Options +/-FollowSymlinks, Options +/-SymLinksIfOwnerMatch)?

I'd prefer a solution like an additional checkbox/radio button (as for the FrontPage extension) in the LS WebConsole.
#11
Hello Mistwang,

This is a really big security problem for all shared web hosting providers and I think it's a missing feature for Apache web servers. If you could provide us an option to never mind the .htaccess directives for enabling any CGI and put a "disable CGI scripts from all web pages" option in LiteSpeed, you will do us a huge favor.
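An added example, not part of the thread and not LiteSpeed or Apache code: a small Python audit that flags .htaccess lines which turn SSI or CGI back on, covering the `Options +Includes +ExecCGI` override and the `application/x-httpd-shtml` MIME mapping quoted in the posts above. The function name `audit_htaccess` and the sample file are constructed for illustration, and the handler and filter directives it checks (AddHandler, SetHandler, AddOutputFilter, SetOutputFilter) are standard Apache directives that go beyond what the posts mention.

```python
# Option names that turn on SSI or CGI execution in Apache-style config.
RISKY_OPTIONS = {"includes", "includesnoexec", "execcgi", "all"}
# Handler, filter and MIME names that route files to SSI or CGI processing.
RISKY_MAPPINGS = {"cgi-script", "server-parsed", "includes",
                  "application/x-httpd-shtml"}
MAPPING_DIRECTIVES = {"addhandler", "sethandler", "addtype",
                      "addoutputfilter", "setoutputfilter"}

# Constructed sample .htaccess content (not taken from any real site).
SAMPLE = """\
# constructed sample .htaccess
Options -Indexes +FollowSymLinks
Options +Includes +ExecCGI
AddType application/x-httpd-shtml shtml
Options -Includes -ExecCGI
AddHandler cgi-script .cgi
"""


def audit_htaccess(text):
    """Return (line_number, reason) for each line that re-enables SSI or CGI."""
    findings = []
    for number, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank line or comment
        directive, *args = line.split()
        directive = directive.lower()
        if directive == "options":
            # An option with "+" or no sign switches it on; "-" switches it off.
            enabled = [a for a in args
                       if not a.startswith("-")
                       and a.lstrip("+").lower() in RISKY_OPTIONS]
            if enabled:
                findings.append((number, "Options enables " + ",".join(enabled)))
        elif directive in MAPPING_DIRECTIVES:
            hits = [a for a in args if a.lower() in RISKY_MAPPINGS]
            if hits:
                findings.append((number, directive + " maps " + ",".join(hits)))
    return findings


if __name__ == "__main__":
    for number, reason in audit_htaccess(SAMPLE):
        print(f"line {number}: {reason}")
```

Run over each user's document root (for example from a nightly job), it reports overrides without taking away the users' ability to set harmless options such as Indexes or FollowSymLinks.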