disabling features

Discussion in 'Install/Configuration' started by sysadm, Sep 30, 2010.

  1. sysadm

    sysadm Active Member

    How can I disable CGI, RubyOnRails, Python, ServerSideIncludes, mod_frontpage and Perl? I want to do it because of security reasons, but I haven't found it in options.

    I want to disable it permanently, user should not be able to enable these functions in .htaccess.
    Last edited: Sep 30, 2010
  2. mistwang

    mistwang LiteSpeed Staff

    do what you usually do with Apache if you are using LiteSpeed with hosting control panel.
  3. sysadm

    sysadm Active Member

    From LS webpage or forum (I don't remember)
    Will SSI support be included in beta 4?
    reply: Yes, just assign MIME "application/x-httpd-shtml" to suffix

    How can I deny set this by users in .htaccess files?
    Last edited: Oct 1, 2010
  4. mistwang

    mistwang LiteSpeed Staff

    disable MIME assignment in .htaccess with "AllowOverride"
  5. sysadm

    sysadm Active Member

    When I disable it my users will not be able to add parsing html and htm files with PHP.

    How can I disable only SSI? It will be applicable in server configuration (via WebConsole). Is it possible to add this feature in next version of LiteSpeed?
  6. sysadm

    sysadm Active Member

    Using Apache we have total mastery over what it loads.

    For example mod_include is active ONLY IN CASE OF we type this in our httpd.conf:
    LoadModule include_module modules/mod_include.so

    As I understand, Litepeed loads it's mod_include ALWAYS and we haven't any control over it. The same poblem we have with other modules. We don't really need ANY control panel in Litespeed. We can edit raw config files, but we want to decide what features should be loaded or not. That is general security rule: don't need it? Don't install it. Don't risk potential security holes.

    My question is: how to disable mod_include and other unnecessary modules in Litespeed?
    Are there any undocumented configuration directives to achieve this? In Apache it's enough to NOT type 'LoadModule' and this is my reply to question "what you usually do with Apache".
    Last edited: Oct 6, 2010
  7. sysadm

    sysadm Active Member

    any hints?
  8. mistwang

    mistwang LiteSpeed Staff

    For example:

    Options -Includes -ExecCGI

    to stop mod_include and CGI.
  9. sysadm

    sysadm Active Member

    Any user are able to override the above typing in his .htaccess this:
    Options +Includes +ExecCGI

    So my question is:

    How to (permanently!) disable mod_cgi, mod_includes and others without disallowing user to change "options" directive himself (eg: Options +/-Indexes, Options +/-FollowSymlinks, Options +/-SymLinksIfOwnerMatch).

    I'd prefer solution like additional checkbox/radio button (as for frontpage extension) in LS WebConsole.
    Last edited: Oct 11, 2010
  10. mistwang

    mistwang LiteSpeed Staff

    It is not possible with LiteSpeed while using Apache httpd.conf. you have to disallow Options override.
  11. TarkanVeKurdu

    TarkanVeKurdu Member

    Hello Mistwang,

    This is really big security problem for all shared web hosting providers and I think its a missing feature for Apache web servers. If you could provide us an option to nevermind the .htaccess directives for enabling any cgi and put a disable cgi scripts from all web pages option on the litespeed you will make a huge favor for us.

Share This Page