security

Dani

Well-Known Member
#1
Hi,

great job with the server. My friend recommended me to change and oh did it perform as the benchmarks say. The load is about 60% lower if not more some times. The speed has increased with about 50% of before 'havent had time to play with the tuning yet'.

But have a question for the default 404, 403 etc files..

the line "Powered By LiteSpeed Web Server
Lite Speed Technologies is not responsible for administration and contents of this web site!" gets added to the bottom. Is there a way to hide the server info for security reasons? "except using cutom 404 error pages which seem to have a bug when using it on the 401 error...
 

Dani

Well-Known Member
#3
sorry for confusing you =) 401 gives error. for example I had a realm check on a statis link but it never reached it. I only got to the custom 401 error instead of being asked for the password. When I removed the 401 it worked without any problems.

but is it possible to hide the servername like in apache or is this embedded somehow?
 

mistwang

LiteSpeed Staff
#4
OK, I see.

That's due to how custom error pages was handled. The information about authentication realm was lost.

We can't fix it right now, however, there is a work around though, set the customized error page to a URL under your protected context.
 
#5
Cust Redirect still displays Powered By LiteSpeed Web Server

For security reasons I would like to hide the name of the Server. I have customized 404 and 503 pages, to no avail; it still displays "Powered By LiteSpeed Web Server Lite Speed Technologies is not responsible for administration and contents of this web site!". Is there any way to hide all this ?

Many thanks !
 

mistwang

LiteSpeed Staff
#9
Doesn't:
Configuration > Server > General > General Settings > Server Signature > Hide Full Header

do it?
That hide the server signature in the response header.

jnrey want to use a custom error page for 404, 503 errors. It should work even with earlier release of LSWS.


Is LSWS used together with Apache configuration file? or everything configured via LSWS web console? Are you sure the file for the custom error pages exist? try access those pages directly, see what do you get.
 
#10
Have set "Hide Full Header", however it doesn't take, using the default message instead . I am only using LSWS web console - no Apache config files - but it doesn't find the VHOST custom error pages (e.g. error404.html under "Default/html" directory - $VH_ROOT/html/).

Again, many thanks for your help.
 
#14
Hi Mistwang. When addressing it manually, I do get the standard 404 page (Request Page Not Found, This is a customized error page for missing pages.) - but this time without the "Powered By" Footer. Also, it is not my own customized 404 page. When the server displays / forwards to error messages 404, 503 etc., the Footer still does appear.
 
#17
My custom error pages for the VH are showing up now when I enter them manually (e.g. http://www.mydomain.com/<myerror404.html>), as I adapted and simplified the context and made sure they were under (static: URI "/"). I also have set absolute paths pointing to these urls.

However, when entering a http://www.mydomain.com/<non-exiting.html>, the server still doesn't forward to http://www.mydomain.com/<myerror404.html> as set under corresponding rule 404, but instead still goes to the standard (404 Not Found ... Powered By LiteSpeed Web Server etc.). I am using neither script nor rewrite rules. Am not using .htaccess, and setting is set to "Hide Full Header".
 

mistwang

LiteSpeed Staff
#18
What is URL for the 404 error page? is that <myerror404.html>? Does <myerror404.html> exist under the document root? You do not need to add a <myerror404.html> context.
 
#19
Many thanks Mistwang ! An explicit context like URI "/error404.html" under Doc Root was not even necessary, although this works as well. Rather, one could use the URI "/" under a location like "directory1/", e.g. for a group of static urls like the error ones. What was essential - besides including the context andtesting the manual display or the urls - was to declare urls relative to Doc Root under Customized Error Pages, NOT absolute paths.
 
Top