mod_security Compatibility

We try to keep LSWS compatible with the latest mod_security 2.5(and above) and gotroot rules. LSWS supports most of these rules and attempts not to miss any really important features/rules used in the real world. We also keep updating support based on our user feedback.

However, because of the complexity and always updating nature of these security rules, it is not possible to be 100% compatible with Apache at any one time. This wiki will address the most current compatibility status.

Supported Features List (Not Comprehensive)

  • @rbl - real time block list. (since 5.1)
  • @fileinspect - scan attached files. (since 5.1)
  • Scan request header/body.
  • Scan response header.
  • Audit logging
    • LSWS currently only supports the serial mode for audit logging. Since LiteSpeed is event driven, not like Apache that can have multiple processes and could change UID.

Not Yet Support Features

  • Scan response body.
  • PDF functions.
  • lua.
  • Parsing XML.

Not Yet Support syntax

  • SecRemoteRules

Reasons/Concerns not support them

  • The feature is not often used.
  • The feature may slow down LiteSpeed considerably due to our single-thread event driven architecture.
  • Requests to static files bypass mod_security scanning as they are unlikely to cause any real security issues.
 
litespeed_wiki/config/mod_security-compatibility.txt · Last modified: 2017/07/25 13:32 by Eric Leu