LiteSpeed Web Server User's Manual

Security

LiteSpeed Web server is designed with security as top consideration in mind.
It supports SSL; has Access Control at server and virtual host level; has Realm protection for context. Besides those standard features, it also has the following special security features.

Connection level limits:

IP level throttling: Limits network bandwidth to and from a single IP address regardless of the number of connections.
IP level connection accounting: Limits the number of concurrent connections from a single IP address. It is controlled by Connection Soft Limit, Connection Hard Limit, Grace Period and Banned Period.

Request checking:

Every HTTP request is strictly checked by LiteSpeed web server.
"/." is not allowed in a decoded URL, this will deny accessing hidden files and parent directories.
Request size is limited by Max Request URL Length, Max Request Header Length and Max Request Body Length.

Request filtering:

Request header and body can be checked against signatures of possible attacks like XSS attack or SQL injection attackes, and block those requests in the first place.

Static file checking:

LiteSpeed web server will serve a static file only if the following conditions are satisfied:

the file is readable by everyone.
the file is not executable.
The file is not in the Access Denied Directory list
does not contain symbolic link if symbolic link is not allowed.
By default, LiteSpeed web server does not index a directory by listing its files, it has to be enabled explicitly.

External application firewall:

LiteSpeed Web server forwards requests to external applications such as CGI, Fast CGI and Servlet engine to process/generate dynamic content. Usually each request requires one instance of the external application. Those applications may use a lot of system resources, and the performance of the whole system will be severely degraded when system resource consumption reaches certain point, for example, when swapping space has to be used. DoS attack can be conducted by flooding the web server with concurrent requests to an external application that consumes a lot of system resources.

LiteSpeed web server can pipeline requests and control the concurrent level of external applications to prevent over consumption of system resources. It only forwards completed request to external application and caches the response. Thus external application will be immediately available to process next request without waiting for the response completely received by the client. In this way, the server can utilize fewer instances of external applications to serve more concurrent requests and will achieve higher performance and scalability as well. LiteSpeed web server uses its own virtual memory to cache the request and response body to minimize the usage of system memory without sacrificing performance.

CGI Resources Consumption Limit

LiteSpeed web server restricts system resources that can be consumed by CGI applications. For each request to a CGI script, the web server needs to start a standalone CGI process to handle it. On a Unix system number of concurrent processes is limited, excessive concurrent processes will degrade the performance of the whole system and it could become a target of DoS attack. Maximum number of concurrent CGI instances that the web server can launch can be configured. In order to control the number of processes that can be spawned by CGI application itself, system process limit can be specified per user. Each process is further confined by CPU and memory limits.

Enhanced CGI/FastCGI security with suEXEC and chroot

In order to reduce security risks of a CGI or Fast CGI script, LiteSpeed web server can restrict the system resources the CGI script can access by running it in "suEXEC" and "chroot jail" mode. "suEXEC" is to have a CGI or Fast CGI script started with a different user ID from that of web server, which greatly improves security of shared hosting environment by preventing one user's CGI script from accessing other users' files.
"chroot jail" is to have a CGI script started under an assigned alternative root directory, the script can not access files beyond the new root directory. With it, you no longer need to worry about confidential system files being exposed by vulnerable scripts.

Chroot [Enterprise Edition Only]:

LiteSpeed web server can run in chroot environment (known as a chroot jail). In chroot environment, the web server and its children processes cannot access file system outside of the chroot jail. This protects system from attacks of malicious code.