Differences
This shows you the differences between two versions of the page.
| Both sides previous revision Previous revision Next revision | Previous revision | ||
|
litespeed_wiki:config:understanding_403 [2019/06/13 14:07] Lisa Clarke [Incorrect file ownership after migration] Copyediting |
litespeed_wiki:config:understanding_403 [2019/06/13 15:42] (current) Jackson Zhang [Throttling] |
||
|---|---|---|---|
| Line 46: | Line 46: | ||
| To resolve it you need to lower the value. | To resolve it you need to lower the value. | ||
| - | ===== Incorrect file ownership after migration ===== | + | ===== Incorrect File Ownership After Migration ===== |
| - | When migrating or uploading files to a cPanel account, some image files might incorrectly be assigned to ''nobody:nobody'', when they should be ''user:user''. | + | When migrating or uploading files to a cPanel account, some image files might incorrectly be assigned to ''nobody:nobody'', when they should be user:user. |
| - | /home/user1/public_html>ls -ald images/detailed/130/Untitled-1-Recovered_urba-uz.jpg | + | /home/jsmith/public_html>ls -ald images/detailed/130/Untitled-1-Recovered_urba-uz.jpg |
| -rw-rw-rw- 1 nobody nobody 103609 Apr 12 11:21 images/detailed/130/Untitled-1-Recovered_urba-uz.jpg | -rw-rw-rw- 1 nobody nobody 103609 Apr 12 11:21 images/detailed/130/Untitled-1-Recovered_urba-uz.jpg | ||
| - | /home/user1/public_html>ls -ald images/detailed/130 | + | /home/jsmith/public_html>ls -ald images/detailed/130 |
| drwxrwxrwx 2 nobody nobody 36864 Apr 14 15:12 images/detailed/130 | drwxrwxrwx 2 nobody nobody 36864 Apr 14 15:12 images/detailed/130 | ||
| - | /home/user1/public_html>ls -ald images/detailed | + | /home/jsmith/public_html>ls -ald images/detailed |
| - | drwxrwxrwx 51 user1 user1 4096 Apr 11 13:16 images/detailed | + | drwxrwxrwx 51 jsmith jsmith 4096 Apr 11 13:16 images/detailed |
| - | /home/user1/public_html>ls -ald images | + | /home/jsmith/public_html>ls -ald images |
| - | drwxrwxrwx 48 user1 user1 4096 Mar 31 16:30 images | + | drwxrwxrwx 48 jsmith jsmith 4096 Mar 31 16:30 images |
| The **Force Strict Ownership** setting in LSWS Admin specifies whether to enforce strict file ownership checking. If it is enabled, the web server will check if the owner of the file being served is the same as the owner of the virtual host. If it is different, a ''403 Access Denied'' error will be returned. | The **Force Strict Ownership** setting in LSWS Admin specifies whether to enforce strict file ownership checking. If it is enabled, the web server will check if the owner of the file being served is the same as the owner of the virtual host. If it is different, a ''403 Access Denied'' error will be returned. | ||
| - | To fix the problem, either change all files user:group to ''user1:user1'', or disable **Force Strict Ownership** in LSWS Admin. | + | To fix the problem, either change all files user:group to user:user ( in the above example, that would be ''jsmith:jsmith''), or disable **Force Strict Ownership** in LSWS Admin. |
| ===== Mod Security/WAF/fail2ban/CPHulk ===== | ===== Mod Security/WAF/fail2ban/CPHulk ===== | ||
| Depending on what and how many requests you are doing for a particular website, the firewall can block you. In most cases your IP address will be denied in the system firewall (iptables, firewalld etc) and you need to remove your IP address in order to avoid the error. | Depending on what and how many requests you are doing for a particular website, the firewall can block you. In most cases your IP address will be denied in the system firewall (iptables, firewalld etc) and you need to remove your IP address in order to avoid the error. | ||
| Line 66: | Line 66: | ||
| If mod_security rules enabled, it may be triggerred for 403 error. For example: | If mod_security rules enabled, it may be triggerred for 403 error. For example: | ||
| [modsecurity] [Fri Apr 26 10:07:36 2019] [error] [client 111.111.111.111] ModSecurity: Access denied with code 403, [Rule: 'TX:ANOMALY_SCORE' '@ge %{tx.in_example_score_threshold}'] [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 10)"] [severity "CRITICAL"] [tag "application-multi"] [tag "language-multi"][tag "platform-multi"] [tag "attack-generic"] | [modsecurity] [Fri Apr 26 10:07:36 2019] [error] [client 111.111.111.111] ModSecurity: Access denied with code 403, [Rule: 'TX:ANOMALY_SCORE' '@ge %{tx.in_example_score_threshold}'] [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 10)"] [severity "CRITICAL"] [tag "application-multi"] [tag "language-multi"][tag "platform-multi"] [tag "attack-generic"] | ||
| - | ===== Throttling ===== | + | ===== Hit LiteSpeed Per Client Throttling connection limit ===== |
| Similar to the previous case - if you have strict throttling rules and you make too many connections, that can trigger error 403. | Similar to the previous case - if you have strict throttling rules and you make too many connections, that can trigger error 403. | ||
| + | For example, you may use LiteSpeed ''per client throttling'' throttling feature and set ''Connection Soft Limit'' and ''Connection Hard Limit''. If any visitor's IP goes over that connection limit, it will trigger 403 error and show the following in the logs: | ||
| + | [NOTICE] [x.x.x.x] bot detected for vhost [N/A], reason: OverConnSoftLimit, close connection | ||
| + | or | ||
| + | [NOTICE] [x.x.x.x] bot detected for vhost [N/A], reason: OverConnHardLimit, close connection! | ||
| + | ===== Hit reCAPTCHA security feature ===== | ||
| + | If a visitor fails on reCAPTCHA verification, it may trigger 403 error. | ||
| + | |||
| + | ===== Hit LiteSpeed WordPress Protection feature ===== | ||
| + | If a visitor hit LiteSpeed WordPress Protection feature with over limit connections, it may trigger 403 error. | ||
| ===== GeoIP/IP2Loc or Similar Modules ===== | ===== GeoIP/IP2Loc or Similar Modules ===== | ||
| If GeoIP or IP2Loc is allowed, they can block access to files like ''wp-login'' (wp-admin). In this case you need to allow them access in order to avoid the error. | If GeoIP or IP2Loc is allowed, they can block access to files like ''wp-login'' (wp-admin). In this case you need to allow them access in order to avoid the error. | ||