Server Security

Table of Contents

WordPress Brute Force Attack Protection

Protection Mode | Allowed Login Attempts

Web Application Firewall (WAF)

Enable WAF | Log Level | Default Action | Scan Request Body | Temporary File Path | Temporary File Permissions | Disable .htaccess Override | Enable Security Audit Log | Security Audit Log | Use RE2 regex engine

Web Application Firewall (WAF) Rule Set

Name | Rule Set Action | Enabled | Rules Definition

Per Client Throttling

Static Requests/Second | Dynamic Requests/Second | Outbound Bandwidth (bytes/sec) | Inbound Bandwidth (bytes/sec) | Connection Soft Limit | Connection Hard Limit | Block Bad Request | Grace Period (sec) | Banned Period (sec)

File Access

Follow Symbolic Link | Check Symbolic Link | Force Strict Ownership Checking | Required Permission Mask | Restricted Permission Mask | Script Restricted Permission Mask | Script Directory Restricted Permission Mask

CGI Settings

CGI Daemon Socket | Max CGI Instances | Minimum UID | Minimum GID | Force GID | umask | CGI Priority | CPU Soft Limit (sec) | CPU Hard Limit | Memory Soft Limit (bytes) | Memory Hard Limit (bytes) | Process Soft Limit | Process Hard Limit | cgroups

reCAPTCHA Protection

Enable reCAPTCHA | Site Key | Secret Key | reCAPTCHA Type | Trigger Sensitivity | Max Tries | Verification Expires (secs) | Allowed Robot Hits | Bot White List

Bubblewrap Container

Bubblewrap Container | Bubblewrap Command

Access Denied Directories

Access Denied Directories

Access Control

Allowed List | Denied List

Protection Mode

Description

Specifies the action to be taken when the specified Allowed Login Attempts limit is reached within 5 minutes.

Throttle gradually slows down the server's responses; Drop severs the connection without any reply; Deny returns a 403 response; and CAPTCHA or Drop redirects to a CAPTCHA if reCAPTCHA Protection is enabled and drops the connection otherwise.

WP Login CAPTCHA Full Protection can also be selected. This setting redirects to a CAPTCHA whenever reCAPTCHA Protection is enabled, regardless of the Allowed Login Attempts limit, and falls back to Throttle otherwise.

Default values:
Server level: Throttle
VH level: Inherit Server level setting. If Server level is set to Disable, Throttle will be used.

Syntax

Select from drop down list

Tips

Trusted IPs or sub-networks are not affected.
This feature is enabled by default (Throttle) and does not need any further configuration in the WebAdmin GUI or in Apache configurations.
This setting will override Apache conf WordPressProtect setting for LSWS only. Apache will be unaffected.

This can be set at the Server level and overwritten at the Virtual Host level. If not overridden at the Virtual Host level, this setting can also be overridden in a user's docroot .htaccess file using Apache configuration directive WordPressProtect with value 0 (disabled), 1 (use server level setting), throttle, deny, or drop.

Allowed Login Attempts

Description

Specifies the maximum number of wp-login.php and xmlrpc.php POST attempts allowed by an IP within 5 minutes before the action specified in Protection Mode is taken.

This limit is handled using a quota system in which the remaining attempts for an IP start at the limit. Each POST attempt decreases the remaining attempts by 1, and the remaining attempts recover toward the limit over time. An IP is throttled once its remaining attempts fall to 1/2 of the limit, with throttling increasing as the remaining attempts drop further below that mark. When the remaining attempts reach 0, the action specified in Protection Mode is taken against the IP.

In addition to this, if Enable reCAPTCHA is also enabled, an additional per worker protection will be added. If wp-login.php and xmlrpc.php are visited by the same worker at a rate of 4x the set limit in a 30 second time frame, those URLs will be put into reCAPTCHA mode until the number of visits to these files decreases.

Restarting the server clears all blocked IPs.

Default values:
Server-level: 10
VH-Level: Inherit Server level setting

Syntax

Valid Range: 3 - 1000.

Example

With an Attempt limit of 10, and a Mode of drop:

After the first POST attempt, the quota is decreased to 9.

Quota decreases by 1 for each POST attempt.

After Quota reaches half of the limit (5), the IP will be throttled.

Throttling will get worse with each POST attempt.

Once the quota reaches 0, the connection will be dropped.

Tips

Trusted IPs or sub-networks are not affected.

This setting will override Apache conf WordPressProtect setting for LSWS only. Apache will be unaffected.

This can be set at the Server level and overwritten at the Virtual Host level. If not overridden at the Virtual Host level, this setting can also be overridden in a user's docroot .htaccess file using Apache configuration directive WordPressProtect with integer value between 3 and 1000.
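The quota mechanism described above, as an added example that is not part of LiteSpeed's documentation or code: a small Python model of the per-IP counter, replaying the worked example (limit 10, mode drop). The page does not state the refill rate or how throttling scales, so the model assumes the quota refills evenly over the 5-minute window and that throttle severity grows linearly below the half mark; the IP addresses and the mode names used as identifiers are made up for illustration.

```python
# Added example (not LiteSpeed code): a model of the per-IP login quota.
# Assumed, because the page leaves them open: the quota refills evenly over
# the 5-minute window, throttle severity grows linearly below the half
# mark, and trusted clients are never counted.
from dataclasses import dataclass, field

WINDOW_SECONDS = 300.0  # the 5-minute window named on the page
MODES = ("throttle", "drop", "deny", "captcha_or_drop")


@dataclass
class LoginQuota:
    limit: int = 10                  # Allowed Login Attempts (3-1000)
    mode: str = "throttle"           # Protection Mode
    recaptcha_enabled: bool = False  # Enable reCAPTCHA
    _state: dict = field(default_factory=dict)  # ip -> (remaining, last_post_ts)

    def __post_init__(self):
        if not 3 <= self.limit <= 1000:
            raise ValueError("Allowed Login Attempts must be between 3 and 1000")
        if self.mode not in MODES:
            raise ValueError(f"unknown Protection Mode {self.mode!r}")

    def remaining(self, ip, now):
        """Quota left for ip after crediting the time elapsed since its last POST."""
        rem, last = self._state.get(ip, (float(self.limit), now))
        refill = (now - last) * self.limit / WINDOW_SECONDS  # assumed refill rate
        return min(float(self.limit), rem + refill)

    def post(self, ip, now, trusted=False):
        """Account one POST to wp-login.php or xmlrpc.php from ip at time now.

        Returns ("ok", remaining), ("throttle", severity) with severity in
        (0, 1], or (action, 0.0) once the quota is exhausted.
        """
        if trusted:  # trusted IPs or sub-networks are not affected
            return ("ok", float(self.limit))
        rem = max(0.0, self.remaining(ip, now) - 1.0)
        self._state[ip] = (rem, now)
        half = self.limit / 2.0
        if rem <= 0.0:
            if self.mode == "captcha_or_drop":
                return ("captcha" if self.recaptcha_enabled else "drop", 0.0)
            return (self.mode, 0.0)
        if rem <= half:  # throttling starts at the half mark and worsens below it
            return ("throttle", min(1.0, (half - rem + 1.0) / half))
        return ("ok", rem)

    def reset(self):
        """What a server restart does: every tracked IP is forgotten."""
        self._state.clear()


def walk_through(limit=10, mode="drop", recaptcha_enabled=False, ip="203.0.113.7"):
    """Replay the page's worked example: `limit` POSTs from one IP in one second.

    Returns the list of verdicts and the quota object for further probing."""
    quota = LoginQuota(limit=limit, mode=mode, recaptcha_enabled=recaptcha_enabled)
    verdicts = [quota.post(ip, 0.0)[0] for _ in range(limit)]
    return verdicts, quota
```

With the page's numbers (limit 10), the first four POSTs pass, the fifth through ninth are throttled with increasing severity, and the tenth triggers the configured action; a further POST 300 seconds later finds the quota fully recovered.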

Enable WAF

Description

Specifies whether to enable deep inspection of request content. This feature is equivalent to Apache's mod_security and can be used to detect and block malicious requests by matching them against known signatures.

Syntax

Select from radio box

Log Level

Description

Specifies the level of detail of the Web Application Firewall engine's debug output. This value ranges from 0 - 9: 0 disables logging and 9 produces the most detailed log. The server's and virtual host's error log Log Level must be set to at least INFO for this option to take effect. This is useful when testing request filtering rules.

Syntax

Integer number

See Also

Server Log Level, Virtual Host Log Level

Default Action

Description

Specifies the default actions to take when a rule matches. The default value is deny,log,status:403, which means deny access with status code 403 and log the incident in the error log.

See Also

Rule Set Action

Scan Request Body

Description

Specifies whether to check the body of an HTTP POST request. Default is "No".

Syntax

Select from radio box

Temporary File Path

Description

Temporary directory where files being uploaded to server will be stored while request body parser is working. Default value is /tmp.

Syntax

Absolute path or path starting with $SERVER_ROOT (for Server and VHost levels).

Temporary File Permissions

Description

Global setting determining file permissions used for files stored in the Temporary File Path directory.

Syntax

3-digit octal number. Default value is 666, which makes the temporary files readable and writable by every local user for as long as they exist.

Disable .htaccess Override

Description

Prevents .htaccess files from turning off the mod_security engine. This is a global setting only available at the server level. Default is "No".

Syntax

Select from radio box

Enable Security Audit Log

Description

Specifies whether to enable audit logging and in what format (Native, JSON, or Pretty JSON). This feature is equivalent to Apache's mod_security audit engine.

If this setting is enabled and the Security Audit Log setting is set, detailed request information will be saved.

Syntax

Select from drop down list

See Also

Security Audit Log

Security Audit Log

Description

Specifies the path of the security audit log, which gives more detailed information. This extra information can be useful if, for example, you wish to track the actions of a particular user. Use Enable Security Audit Log to turn on the logging.

Syntax

Filename which can be an absolute path or a relative path to $SERVER_ROOT.

See Also

Enable Security Audit Log

Use RE2 regex engine

Description

Use RE2 when evaluating regular expressions instead of PCRE.

Default value: No

Syntax

Select from radio box

Tips

While PCRE provides more features than RE2, RE2 allows for a defined maximum memory usage and has a more predictable runtime than PCRE making it more suited for use in server applications.
Unlike PCRE, RE2 uses a fixed stack and guarantees that run-time increases linearly (not exponentially) with the size of the input.

Web Application Firewall (WAF) Rule Set

Description

Rules configured here only work for virtual hosts configured with a native LSWS configuration, not for virtual hosts using Apache httpd.conf.

Name

Description

Gives a group of rules a name. For display only.

Syntax

String

Enabled

Description

Specifies whether to enable this rule set. With this option, a rule set can be quickly turned on and off without adding or removing the rule set. Default is "Yes".

Syntax

Select from radio box

Rules Definition

Description

Specifies a list of rules.

If you are using an Apache config file, you have to set up rules in httpd.conf. Rules defined here will have no effect.

Syntax

String. The rule syntax follows that of Apache's mod_security directives; "SecFilter", "SecFilterSelective", and "SecRule" can be used here. You can copy and paste security rules from an Apache configuration file.

For more details about rule syntax, please refer to the Mod Security documentation.

Tips

Rules configured here only work for vhosts configured in native LSWS configuration, not for vhosts from Apache httpd.conf.

Per Client Throttling

Description

These connection-control settings are keyed on client IP. They help to mitigate DoS (Denial of Service) and DDoS (Distributed Denial of Service) attacks.

Static Requests/Second

Description

Specifies the maximum number of requests to static content coming from a single IP address that can be processed in a single second regardless of the number of connections established.

When this limit is reached, all future requests are tar-pitted until the next second. Request limits for dynamically generated content are independent of this limit. Per-client request limits can be set at server- or virtual host-level. Virtual host-level settings override server-level settings.

Syntax

Integer number

Tips

Trusted IPs or sub-networks are not affected.

See Also

Dynamic Requests/Second

Dynamic Requests/Second

Description

Specifies the maximum number of requests to dynamically generated content coming from a single IP address that can be processed in each second regardless of the number of connections established. When this limit is reached, all future requests to dynamic content are tar-pitted until the next second.

The request limit for static content is independent of this limit. This per client request limit can be set at server or virtual host level. Virtual host-level settings override server-level settings.

Syntax

Integer number

Tips

Trusted IPs or sub-networks are not restrained by this limit.

See Also

Static Requests/Second

Outbound Bandwidth (bytes/sec)

Description

The maximum allowed outgoing throughput to a single IP address, regardless of the number of connections established. The real bandwidth may end up being slightly higher than this setting for efficiency reasons. Bandwidth is allocated in 4KB units. Set to 0 to disable throttling. Per-client bandwidth limits (bytes/sec) can be set at the server or virtual host level where virtual host level settings override server level settings.

Syntax

Integer number

Tips

Set the bandwidth in 8KB units for better performance.

Trusted IPs or sub-networks are not affected.

See Also

Inbound Bandwidth (bytes/sec)

Inbound Bandwidth (bytes/sec)

Description

The maximum allowed incoming throughput from a single IP address, regardless of the number of connections established. The real bandwidth may end up being slightly higher than this setting for efficiency reasons. Bandwidth is allocated in 1KB units. Set to 0 to disable throttling. Per-client bandwidth limits (bytes/sec) can be set at the server or virtual host level where virtual host level settings override server level settings.

Syntax

Integer number

Tips

Trusted IPs or sub-networks are not affected.

See Also

Outbound Bandwidth (bytes/sec)

Connection Soft Limit

Description

Specifies the soft limit of concurrent connections allowed from one IP. This soft limit can be exceeded temporarily during Grace Period (sec) as long as the number is below the Connection Hard Limit, but Keep-Alive connections will be closed as soon as possible until the number of connections is lower than the limit. If number of connections is still over the limit after the Grace Period (sec), that IP will be blocked for the Banned Period (sec).

For example, if a page contains many small images, the browser may try to set up many connections at the same time, especially for HTTP/1.0 clients. You would want to allow those connections for a short period.

HTTP/1.1 clients may also set up multiple connections to speed up downloading and SSL requires separate connections from non-SSL connections. Make sure the limit is set properly, as not to adversely affect normal service. The recommended limit is between 5 and 10.

Syntax

Integer number

Tips

A lower number will enable serving more distinct clients.
Trusted IPs or sub-networks are not affected.
Set to a high value when you are performing benchmark tests with a large number of concurrent client machines.

Connection Hard Limit

Description

Specifies the maximum number of allowed concurrent connections from a single IP address. This limit is always enforced and a client will never be able to exceed this limit. HTTP/1.0 clients usually try to set up as many connections as they need to download embedded content at the same time. This limit should be set high enough so that HTTP/1.0 clients can still access the site. Use Connection Soft Limit to set the desired connection limit.

The recommended limit is between 20 and 50 depending on the content of your web page and your traffic load.

Syntax

Integer number

Tips

A lower number will enable serving more distinct clients.
Trusted IPs or sub-networks are not affected.
Set to a high value when you are performing benchmark tests with a large number of concurrent client machines.

Block Bad Request

Description

Block IPs that keep sending badly formatted HTTP requests for the Banned Period (sec). Default is Yes. This helps to block botnets that repeatedly send junk requests.

Syntax

Select from radio box

Grace Period (sec)

Description

Specifies how long new connections can be accepted after the number of connections established from one IP exceeds the Connection Soft Limit. Within this period, new connections are accepted as long as the total stays below the Connection Hard Limit. After this period has elapsed, if the number of connections is still higher than the Connection Soft Limit, the offending IP is blocked for the Banned Period (sec).

Syntax

Integer number

Tips

Set to a proper number big enough for downloading a complete page but low enough to prevent deliberate attacks.

Banned Period (sec)

Description

Specifies how long new connections will be rejected from an IP if, after the Grace Period (sec) has elapsed, the number of connections is still more than the Connection Soft Limit. If IPs are getting banned repeatedly, we suggest that you increase your banned period to stiffen the penalty for abuse.

Syntax

Integer number
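The interaction of Connection Soft Limit, Connection Hard Limit, Grace Period (sec) and Banned Period (sec) described above, as an added example that is not LiteSpeed's own code: a Python model that accepts or rejects each new connection from an IP. The page does not say when the grace check runs or whether a ban tears down existing connections, so the model assumes the check happens when a new connection arrives, that a ban only rejects new connections, and that trusted clients bypass every limit; the limits and addresses in the usage are made up.

```python
# Added example (not LiteSpeed code): a model of the per-IP connection
# accounting under Connection Soft Limit, Connection Hard Limit, Grace
# Period (sec) and Banned Period (sec). Assumed, because the page leaves
# them open: the grace check runs when a new connection arrives, a ban
# only rejects new connections, and trusted clients bypass every limit.
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class ClientState:
    count: int = 0                      # open connections from this IP
    over_since: Optional[float] = None  # when count first exceeded the soft limit
    banned_until: float = 0.0           # reject new connections before this time


@dataclass
class ConnectionLimiter:
    soft_limit: int = 10          # Connection Soft Limit (page recommends 5-10)
    hard_limit: int = 30          # Connection Hard Limit (page recommends 20-50)
    grace_period: float = 15.0    # Grace Period (sec)
    banned_period: float = 300.0  # Banned Period (sec)
    clients: dict = field(default_factory=dict)

    def __post_init__(self):
        if self.soft_limit > self.hard_limit:
            raise ValueError("Connection Soft Limit must not exceed Connection Hard Limit")

    def _client(self, ip):
        return self.clients.setdefault(ip, ClientState())

    def open(self, ip, now, trusted=False):
        """Decide on a new connection from ip at time now.

        Returns "accept", "accept-grace" (over the soft limit but inside the
        grace period), "reject-hard" or "reject-banned".
        """
        if trusted:  # trusted IPs or sub-networks are not affected
            return "accept"
        c = self._client(ip)
        if now < c.banned_until:
            return "reject-banned"
        if c.count >= self.hard_limit:  # the hard limit is always enforced
            return "reject-hard"
        if c.count + 1 > self.soft_limit:
            if c.over_since is None:
                c.over_since = now  # the grace period starts now
            elif now - c.over_since > self.grace_period:
                c.banned_until = now + self.banned_period  # still over: ban the IP
                c.over_since = None
                return "reject-banned"
            c.count += 1
            return "accept-grace"
        c.count += 1
        return "accept"

    def close(self, ip):
        """One connection from ip ended (keep-alive closed early, download done)."""
        c = self._client(ip)
        c.count = max(0, c.count - 1)
        if c.count <= self.soft_limit:
            c.over_since = None  # back under the soft limit: the grace clock resets


def burst(limiter, ip, now, n):
    """Open n connections from ip at the same instant; return the verdicts."""
    return [limiter.open(ip, now) for _ in range(n)]
```

Walking one client through it with soft limit 5, hard limit 8 and a 10 second grace period: five connections are accepted outright, the next three are accepted under grace, the ninth hits the hard limit, and a further connection attempt 11 seconds after the soft limit was first exceeded, with the count still above 5, gets the IP banned.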

File Access

Follow Symbolic Link

Description

Specifies the server-level default setting of following symbolic links when serving static files.

Choices are Yes, If Owner Match and No.

Yes sets the server to always follow symbolic links. If Owner Match sets the server to follow a symbolic link only if the owner of the link and of the target are same. No means the server will never follow a symbolic link. This setting can be overridden in the virtual host configurations but cannot be overridden from an .htaccess file.

Syntax

Select from drop down list

Tips

For best security select No or If Owner Match. For best performance, select Yes.

See Also

Check Symbolic Link.

Check Symbolic Link

Description

Specifies whether to check symbolic links against Access Denied Directories when Follow Symbolic Link is turned on. If enabled, the canonical real path of the resource referred by a URL will be checked against the configurable access denied directories. Access will be denied if it falls inside an access denied directory.

Syntax

Select from radio box

Tips

For best security, enable this option. For best performance, disable it.

See Also

Follow Symbolic Link, Access Denied Directories

Force Strict Ownership Checking

Description

Specifies whether to enforce strict file ownership checking. If it is enabled, the web server will check if the owner of the file being served is the same as the owner of the virtual host. If it is different, a 403 Access Denied Error will be returned. This is turned off by default.

Syntax

Select from radio box

Tips

For shared hosting, enable this check for better security.

Required Permission Mask

Description

Specifies the required permission mask for static files that the server will serve. For example, if only files that are readable by everyone can be served, set the value to 0004. See man 2 stat for all values.

Syntax

octal numbers

See Also

Restricted Permission Mask.

Restricted Permission Mask

Description

Specifies the restricted permission mask for static files that the server will not serve. For example, to prohibit serving files that are executable, set the mask to 0111.

See man 2 stat for all values.

Syntax

octal numbers

See Also

Required Permission Mask.

Script Restricted Permission Mask

Description

Specifies the restricted permission mask for script files that the server will not serve. For example, to prohibit serving PHP scripts that are group and world writable, set the mask to 022. Default value is 000.

See man 2 stat for all values.

Syntax

octal numbers

See Also

Script Directory Restricted Permission Mask.

Script Directory Restricted Permission Mask

Description

Specifies the restricted permission mask of parent directories of script files that the server will not serve. For example, to prohibit serving PHP scripts in a directory that is group and world writable, set the mask to 022. Default value is 000. This option can be used to prevent serving scripts under a directory of uploaded files.

See man 2 stat for all values.

Syntax

octal numbers

See Also

Script Restricted Permission Mask.
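How the four permission masks above (and the Force Strict Ownership Checking option) decide whether a file is served, as an added example that is not LiteSpeed's own code: a Python audit that walks a document root and reports each file the masks would refuse, so the effect of a new mask can be previewed before it is set. The sample tree, its file names, the script suffixes and the rule that only the immediate parent directory is checked are constructed assumptions for this example.

```python
# Added example (not LiteSpeed code): applies the Required, Restricted,
# Script Restricted and Script Directory Restricted permission masks, plus
# the optional strict-ownership check, to a directory tree the way the
# settings above define them. The sample tree, its file names, the script
# suffixes and the immediate-parent rule are constructed for the example.
import os
import shutil
import stat
import tempfile

SCRIPT_SUFFIXES = (".php", ".cgi", ".pl")  # assumed: which files count as scripts


def static_verdict(mode, required=0o004, restricted=0o111):
    """None if a static file with permission bits mode may be served, else
    the name of the mask that refuses it."""
    if mode & required != required:  # every bit of the required mask must be set
        return "required"
    if mode & restricted:  # any bit of the restricted mask refuses the file
        return "restricted"
    return None


def script_verdict(mode, parent_mode, script_restricted=0o000, dir_restricted=0o000):
    """Same for a script: its own bits first, then its parent directory's bits."""
    if mode & script_restricted:
        return "script-restricted"
    if parent_mode & dir_restricted:
        return "script-dir-restricted"
    return None


def audit(docroot, vhost_uid=None, required=0o004, restricted=0o111,
          script_restricted=0o000, dir_restricted=0o000):
    """Map each refused file (path relative to docroot) to the reason.

    vhost_uid, when given, mirrors Force Strict Ownership Checking: a file
    owned by anyone else is refused before the masks are consulted.
    """
    refused = {}
    for dirpath, _dirs, files in os.walk(docroot):
        parent_mode = stat.S_IMODE(os.stat(dirpath).st_mode)
        for name in files:
            path = os.path.join(dirpath, name)
            st = os.stat(path)  # follows symlinks, as Follow Symbolic Link = Yes would
            mode = stat.S_IMODE(st.st_mode)
            if vhost_uid is not None and st.st_uid != vhost_uid:
                reason = "ownership"
            elif name.endswith(SCRIPT_SUFFIXES):
                reason = script_verdict(mode, parent_mode, script_restricted, dir_restricted)
            else:
                reason = static_verdict(mode, required, restricted)
            if reason:
                refused[os.path.relpath(path, docroot)] = reason
    return refused


def build_sample_docroot():
    """Constructed sample tree; returns its path (the caller removes it)."""
    root = tempfile.mkdtemp(prefix="docroot-")
    os.mkdir(os.path.join(root, "uploads"))
    layout = {
        "index.html": 0o644,         # served
        "private.html": 0o640,       # not world-readable: Required mask 0004 refuses
        "tool.html": 0o755,          # execute bits set: Restricted mask 0111 refuses
        "app.php": 0o644,            # served
        "writable.php": 0o666,       # group/world writable: script mask 022 refuses
        "uploads/shell.php": 0o644,  # fine by itself, but uploads/ is 0777
    }
    for rel, mode in layout.items():
        full = os.path.join(root, rel)
        with open(full, "w") as fh:
            fh.write("sample\n")
        os.chmod(full, mode)
    os.chmod(os.path.join(root, "uploads"), 0o777)
    return root


def demo(script_restricted=0o022, dir_restricted=0o022):
    """Audit the sample tree with the masks the page uses as examples."""
    root = build_sample_docroot()
    try:
        return audit(root, script_restricted=script_restricted, dir_restricted=dir_restricted)
    finally:
        shutil.rmtree(root)
```

With the page's example values (0004 required, 0111 restricted, 022 for both script masks) the audit refuses the non-world-readable page, the executable page, the world-writable script and the script sitting in the world-writable uploads directory; with the default script masks of 000 only the two static files are refused, which is exactly the gap the script masks are there to close.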

CGI Settings

Description

The following settings control CGI processes. Memory and process limits also serve as the default for other external applications if limits have not been set explicitly for those applications.

CGI Daemon Socket

Description

A unique socket address used to communicate with the CGI daemon. LiteSpeed server uses a standalone CGI daemon to spawn CGI scripts for best performance and security. If you need to change this location, specify a Unix domain socket here.

Default value: uds://$SERVER_ROOT/admin/lscgid/.cgid.sock

Syntax

UDS://path

Example

UDS://tmp/lshttpd/cgid.sock

Max CGI Instances

Description

Specifies the maximum number of concurrent CGI processes the server can start. For each request to a CGI script, the server needs to start a standalone CGI process. On a Unix system, the number of concurrent processes is limited. Excessive concurrent processes will degrade the performance of the whole system and are one way to perform a DoS attack. LiteSpeed server pipelines requests to CGI scripts and limits concurrent CGI processes to ensure the optimal performance and reliability. The hard limit is 2000.

Syntax

Integer number

Tips

A higher limit does not necessarily translate to faster performance. In most cases, a lower limit gives better performance and security. A higher limit will only help when I/O latency is excessive during CGI processing.

Minimum UID

Description

Specifies the minimum user ID allowed to run external applications when running as a specified user. Execution of an external script with a user ID lower than the value specified here will be denied.

Syntax

Integer number

Tips

Set it high enough to exclude all system/privileged users.

Minimum GID

Description

Specifies the minimum group ID allowed to run external applications when running as a specified group. Execution of an external script with a group ID lower than the value specified here will be denied.

Syntax

Integer number

Tips

Set it high enough to exclude all groups used by system users.

Force GID

Description

Specifies a group ID to be used for all external applications started in suEXEC mode. When set to non-zero value, all suEXEC external applications (CGI/FastCGI/LSAPI) will use this group ID. This can be used to prevent an external application from accessing files owned by other users.

For example, in a shared hosting environment, LiteSpeed runs as user "www-data", group "www-data". Each docroot is owned by a user account, with a group of "www-data" and permission mode 0750. If Force GID is set to "nogroup" (or any group other than 'www-data'), all suEXEC external applications will run as a particular user but in the group "nogroup". These external application processes will still be able to access files owned by that particular user (because of their user ID), but will not have group permission to access anyone else's files. The server, on the other hand, still can serve files under any user's docroot directory (because of its group ID).

Syntax

Integer number

Tips

Set it high enough to exclude all groups used by system users.

umask

Description

Sets default umask for CGI processes. See man 2 umask for details. This also serves as the default value for external applications umask.

Syntax

Octal value in the range 000-777.

See Also

ExtApp umask

CGI Priority

Description

Specifies priority of the external application process. Value ranges from -20 to 20. A lower number means a higher priority.

A CGI process cannot have a higher priority than the web server. If this priority is set to a lower number than the server's, the server's priority will be used for this value.

Syntax

int

See Also

Server Priority

CPU Soft Limit (sec)

Description

Specifies CPU consumption time limit in seconds for a CGI process. When the process reaches the soft limit, it will be notified by a signal. The operating system's default setting will be used if the value is absent or set to 0.

Syntax

Integer number

CPU Hard Limit

Description

Specifies the maximum CPU consumption time limit in seconds for a CGI process. If the process continues to consume CPU time and reaches the hard limit, it is forcibly killed. The operating system's default setting will be used if the value is absent or set to 0.

Syntax

Integer number

Memory Soft Limit (bytes)

Description

Specifies the memory consumption limit in bytes for a CGI process or any other external application started by the server.

The main purpose of this limit is to prevent excessive memory usage caused by software bugs or intentional attacks, not to impose a limit on normal usage. Make sure to leave enough headroom, otherwise your application may fail and a 503 error may be returned. It can be set at the server level or at an individual external application level. The server-level limit will be used if it is not set at the individual application level.

The operating system's default setting will be used if the value is absent at both levels or set to 0.

Syntax

Integer number

Tips

Do not set this limit too low. Doing so may result in 503 errors if your application needs more memory.

Memory Hard Limit (bytes)

Description

Much the same as Memory Soft Limit (bytes), except the soft limit can be raised up to the hard limit from within a user process. The hard limit can be set at server level or at an individual external application level. The server-level limit will be used if it is not set at an individual application level.

The operating system's default will be used if the value is absent at both levels or set to 0.

Syntax

Integer number

Tips

Do not set this limit too low. Doing so may result in 503 errors if your application needs more memory.

Process Soft Limit

Description

Limits the total number of processes that can be created on behalf of a user. All existing processes will be counted against this limit, not just new processes to be started.

The limit can be set at the server level or at an individual external application level. The server-level limit will be used if it is not set at an individual application level. The operating system's default setting will be used if this value is 0 or absent at both levels.

Syntax

Integer number

Tips

To control how many processes LSWS will make for users in mod_suEXEC mode, use the suEXEC Max Conn setting. PHP scripts can call for forking processes and the number of processes needed for normal functioning can be above the suEXEC Max Conn setting. The main purpose of this limit is as a last line of defense to prevent fork bombs and other attacks caused by PHP processes creating other processes.

Setting this too low can severely hurt functionality, so the setting is ignored below certain levels.

When Run On Start Up is set to "Yes (Daemon mode)", the actual process limit will be higher than this setting to make sure parent processes are not limited.

Process Hard Limit

Description

Much the same as Process Soft Limit, except the soft limit can be raised up to the hard limit from within a user process. The hard limit can be set at the server level or at an individual external application level. The server-level limit will be used if it is not set at an individual application level. The operating system's default value will be used if the value is absent at both levels or set to 0.

Syntax

Integer number

cgroups

Description

Apply cgroup settings to this CGI process if supported by the current OS. At this time, RedHat/CentOS Linux v7.5+ and Ubuntu 18.04+ are supported. The currently executing user determines which cgroup configuration is applied.

Setting this to Disabled at the Server level will disable this setting server-wide. In all other cases, the Server level setting can be overridden at the Virtual Host level.

Default values:
Server level: Off
VH level: Inherit Server level setting

Syntax

Select from drop down list

reCAPTCHA Protection

Description

reCAPTCHA Protection is a service provided as a way to mitigate heavy server load. reCAPTCHA Protection activates after one of the situations below is hit. Once active, all requests by non-trusted (as configured) clients are redirected to a reCAPTCHA validation page. After validation, the client is redirected to the page it requested.

The following situations will activate reCAPTCHA Protection:
1. The server or vhost concurrent requests count passes the configured connection limit.
2. Anti-DDoS is enabled and a client is hitting a URL in a suspicious manner. When triggered, the client is redirected to reCAPTCHA first instead of being denied.
3. WordPress Brute Force Attack Protection is enabled and the action is set to 'CAPTCHA or Drop'. When a brute force attack is detected, the client is redirected to reCAPTCHA first. After Max Tries is reached, the connection is dropped, as per the 'drop' option.
4. WordPress Brute Force Attack Protection is enabled and the action is set to 'WP Login CAPTCHA Full Protection'. The client is always redirected to reCAPTCHA first.
5. A rewrite rule environment variable is provided to activate reCAPTCHA via RewriteRules. 'verifycaptcha' can be set to redirect clients to reCAPTCHA. A special value ': deny' can be set to deny the client if it failed too many times. For example, [E=verifycaptcha] will always redirect to reCAPTCHA until verified. [E=verifycaptcha: deny] will redirect to reCAPTCHA until Max Tries is hit, after which the client will be denied.

Enable reCAPTCHA

Description

Enable the reCAPTCHA Protection feature at the current level. This setting must be set to Yes at the Server level before the reCAPTCHA Protection feature can be used.

Default values:
Server-level: No
VH-Level: Inherit Server level setting

Syntax

Select from radio box

Site Key

Description

The site key is the public key provided by Google via its reCAPTCHA service. A default Site Key will be used if not set.

Secret Key

Description

The secret key is the private key provided by Google via its reCAPTCHA service. A default Secret Key will be used if not set.

reCAPTCHA Type

Description

Specify the reCAPTCHA type to use with the key pairs. If a key pair has not been provided and this setting is set to Not Set, a default key pair of type Invisible will be used.
Checkbox will display a checkbox reCAPTCHA for the visitor to validate.
Invisible will attempt to validate the reCAPTCHA automatically and if successful, will redirect to the desired page.

Default value is Invisible.

Syntax

Select from drop down list

Trigger Sensitivity

Description

Automatic reCAPTCHA sensitivity. The higher the value, the more likely reCAPTCHA Protection will be used. A value of 0 is equivalent to "Off" while a value of 100 is equivalent to "Always On".

Default values:
Server level: 0
Virtual Host level: Inherit Server level setting

Syntax

Integer value between 0 and 100.

Max Tries

Description

Max Tries specifies the maximum number of reCAPTCHA attempts permitted before denying the visitor.

Default value is 3.

Syntax

Integer number

Verification Expires (secs)

Description

Sets the expire time of a successful reCAPTCHA submission, after which reCAPTCHA protection will re-trigger for that visitor.

Default value: 86,400 (1 day).

Syntax

Integer value between 30 and 31,536,000 (1 year).

Allowed Robot Hits

Description

Number of hits per 10 seconds to allow ‘good bots’ to pass. Bots will still be throttled when the server is under load.

Default value is 3.

Syntax

Integer number

Bot White List

Description

List of custom user agents to allow access. Will be subject to the ‘good bots’ limitations, including allowedRobotHits.

Syntax

List of user agents, one per line. Regex is supported.

Bubblewrap Container

Description

Set to On if you wish to start CGI processes (including PHP programs) in a bubblewrap sandbox. See https://wiki.archlinux.org/title/Bubblewrap for details on using bubblewrap. Bubblewrap must be installed on your system prior to using this setting.

This setting cannot be turned on at the Virtual Host level if set to "Disabled" at the Server level.

Default values:
Server level: Disabled
VH level: Inherit Server level setting

Syntax

Select from drop down list

Bubblewrap Command

Description

The full bubblewrap use command, including the bubblewrap program itself. More on configuring this command can be found here: https://docs.litespeedtech.com/products/lsws/bubblewrap . If not specified, the default command listed below will be used.

Default value: /bin/bwrap --ro-bind /usr /usr --ro-bind /lib /lib --ro-bind-try /lib64 /lib64 --ro-bind /bin /bin --ro-bind /sbin /sbin --dir /var --dir /tmp --proc /proc --symlink ../tmp var/tmp --dev /dev --ro-bind-try /etc/localtime /etc/localtime --ro-bind-try /etc/ld.so.cache /etc/ld.so.cache --ro-bind-try /etc/resolv.conf /etc/resolv.conf --ro-bind-try /etc/ssl /etc/ssl --ro-bind-try /etc/pki /etc/pki --ro-bind-try /etc/man_db.conf /etc/man_db.conf --ro-bind-try /home/$USER /home/$USER --bind-try /var/lib/mysql/mysql.sock /var/lib/mysql/mysql.sock --bind-try /home/mysql/mysql.sock /home/mysql/mysql.sock --bind-try /tmp/mysql.sock /tmp/mysql.sock --unshare-all --share-net --die-with-parent --dir /run/user/$UID '$PASSWD 65534' '$GROUP 65534'

Access Denied Directories

Description

Specifies directories that should be blocked from access. Add directories that contain sensitive data to this list to prevent accidentally exposing sensitive files to clients. Append a "*" to the path to include all sub-directories. If both Follow Symbolic Link and Check Symbolic Link are enabled, symbolic links will be checked against the denied directories.

Syntax

Comma-delimited list of directories

Tips

Of critical importance: This setting only prevents serving static files from these directories. This does not prevent exposure by external scripts such as PHP/Ruby/CGI.

Access Control

Description

Specifies which sub-networks and/or IP addresses can access the server. At the server level, this setting affects all virtual hosts. You can also set up access control unique to each virtual host at the virtual host level. Virtual host level settings will NOT override server level settings.

Blocking/Allowing an IP is determined by the combination of the allowed list and the denied list. If you want to block only certain IPs or sub-networks, put * or ALL in the Allowed List and list the blocked IPs or sub-networks in the Denied List. If you want to allow only certain IPs or sub-networks, put * or ALL in the Denied List and list the allowed IPs or sub-networks in the Allowed List. The matching entry with the smallest scope (the most specific match, for example a single address over a /24, and a /24 over ALL) determines access for an IP.

Server Level: Trusted IPs or sub-networks must be specified in the Allowed List by adding a trailing "T". Trusted IPs or sub-networks are not affected by connection/throttling limits. Only server level access control can set up trusted IPs/sub-networks.

Tips

Use this at the server level for general restrictions that apply to all virtual hosts.

Allowed List

Description

Specifies the list of IPs or sub-networks allowed. * or ALL are accepted.

Syntax

Comma delimited list of IP addresses or sub-networks. A trailing "T" can be used to indicate a trusted IP or sub-network, such as 192.168.1.*T.

Example

Sub-networks: 192.168.1.0/255.255.255.0, 192.168.1.0/24, 192.168.1, or 192.168.1.*
IPv6 addresses: ::1 or [::1]
IPv6 subnets: 3ffe:302:11:2:20f:1fff:fe29:717c/64 or [3ffe:302:11:2:20f:1fff:fe29:717c]/64

Tips

Trusted IPs or sub-networks set at the server level access control will be excluded from connection/throttling limits.

Denied List

Description

Specifies the list of IPs or sub-networks disallowed.

Syntax

Comma delimited list of IP addresses or sub-networks. * or ALL are accepted.

Example

Sub-networks: 192.168.1.0/255.255.255.0, 192.168.1.0/24, 192.168.1, or 192.168.1.*
IPv6 addresses: ::1 or [::1]
IPv6 subnets: 3ffe:302:11:2:20f:1fff:fe29:717c/64 or [3ffe:302:11:2:20f:1fff:fe29:717c]/64
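As an added example (not LiteSpeed's code) covering the Access Control description and the Allowed List / Denied List syntax above, the script below parses every entry form this page lists (CIDR, dotted netmask, partial prefixes such as 192.168.1 or 192.168.1.*, bare and bracketed IPv6, a trailing T for trusted) and evaluates an address with the documented rule that the smallest-scope matching entry decides. Two details the page does not state are assumptions of this model: an address that matches an allowed and a denied entry of equal scope is denied, and an address that matches no entry at all is denied.

```python
"""Model of Allowed List / Denied List evaluation (added example, not LiteSpeed's code)."""
import ipaddress
from dataclasses import dataclass


@dataclass
class Entry:
    network: object      # an ipaddress network, or None for * / ALL
    trusted: bool        # trailing T (server-level Allowed List only)
    raw: str

    def matches(self, addr):
        if self.network is None:
            return True
        return addr.version == self.network.version and addr in self.network

    def scope(self):
        # Larger value = more specific. * / ALL is the least specific entry possible.
        return -1 if self.network is None else self.network.prefixlen


def parse_entry(raw, allow_trusted=True):
    text = raw.strip()
    trusted = False
    if text.endswith("T"):          # 'T' is not a hex digit, so it is never part of an address
        if not allow_trusted:
            raise ValueError("trusted flag is only valid in the server-level Allowed List: " + raw)
        trusted, text = True, text[:-1].strip()
    if text in ("*", "ALL"):
        return Entry(None, trusted, raw)
    if text.startswith("["):        # [::1] or [3ffe:...]/64
        close = text.index("]")
        text = text[1:close] + text[close + 1:]
    if text.endswith(".*"):         # 192.168.1.* is the same as 192.168.1
        text = text[:-2]
    if "/" not in text and ":" not in text and text.count(".") < 3:
        octets = text.count(".") + 1                  # 192.168.1 -> 192.168.1.0/24
        text = text + ".0" * (4 - octets) + "/" + str(8 * octets)
    # strict=False accepts host bits and dotted netmasks such as 192.168.1.0/255.255.255.0
    return Entry(ipaddress.ip_network(text, strict=False), trusted, raw)


def parse_list(text, allow_trusted=True):
    """Parse the comma-delimited list syntax of the Allowed / Denied List fields."""
    return [parse_entry(e, allow_trusted) for e in text.split(",") if e.strip()]


def evaluate(ip, allowed, denied):
    """Return (verdict, trusted) where verdict is 'allow' or 'deny'.
    The most specific matching entry wins; denied entries are scanned first and a
    candidate only replaces the current best when strictly more specific, so a tie
    goes to deny (assumption). No match at all is treated as deny (assumption)."""
    addr = ipaddress.ip_address(ip)
    best = None   # (scope, verdict, trusted)
    for verdict, entries in (("deny", denied), ("allow", allowed)):
        for entry in entries:
            if entry.matches(addr):
                cand = (entry.scope(), verdict, entry.trusted)
                if best is None or cand[0] > best[0]:
                    best = cand
    if best is None:
        return "deny", False
    return best[1], best[2] and best[1] == "allow"


if __name__ == "__main__":
    # Scenario 1: block only certain networks (ALL allowed, specific ranges denied).
    allowed = parse_list("ALL")
    denied = parse_list("10.0.0.0/8, 192.168.1.*", allow_trusted=False)
    for ip in ("8.8.8.8", "10.1.2.3", "192.168.1.50"):
        print(ip, evaluate(ip, allowed, denied))
    # Scenario 2: allow only certain networks, with one trusted host and one exception.
    allowed = parse_list("192.168.1.0/255.255.255.0, 203.0.113.10T, [::1]")
    denied = parse_list("*, 192.168.1.99", allow_trusted=False)
    for ip in ("192.168.1.5", "192.168.1.99", "203.0.113.10", "::1", "198.51.100.7"):
        print(ip, evaluate(ip, allowed, denied))
```

Scenario 2 shows the scope rule in both directions: 192.168.1.5 is allowed because the /24 in the Allowed List is more specific than the * in the Denied List, while 192.168.1.99 is denied because the single-address entry in the Denied List is more specific than that /24. The trusted flag is returned separately, since it only exempts an address from the connection and throttling limits and does not change the allow/deny decision.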
