Tuning

Temporary/Swap Directories

RAM disk

RAM Disk Path can be customized via WebAdmin Console under Configuration > Server > Tuning > RAM Disk Path. By default, /dev/shm/lsws is used. if /dev/shm is too small, you can create a dedicated tmpfs partition for that.

SWAP directory

Swap Directory is used to store big request bodies and dynamically generated responses, to reduce the system memory usage. It is different than an OS swap partition.

By default, it is set to /tmp/lshttpd/swap. If /tmp partition does not have enough space, or runs out of disk space, it could affect server stability.

You can move it to a partition on a fast disk, like an SSD. Or, if the server has enoguh free memory, create a RAM disk (tmpfs partition) for it.

Static File GZIP Cache Directory

Static Cache Directory is used to store compressed versions of static files, including both GZIP-compressed and Brotli-compressed versions. By default, it uses Swap Directory, but can be changed to its own directory. If the partition holding the directory runs out of space, it could affect server stability. We recommend using an SSD-backed partition with enough free disk space for that.

SSL/TLS tuning

Enable TLS v1.3

cPanel only enable TLS 1.2. TLS 1.3 is not enabled by default. In WHM, navigate to Service Configuration > Apache Configuration > Global Configuration.

Set SSL/TLS Protocls to ALL -SSLv3 -TLSv1 -TLSv1.1.

Save and restart LSWS.

Customize SSL Ciphers

In WHM, navigate to Service Configuration > Apache Configuration > Global Configuration.

Set SSL Cipher Suite to the cipher you want to use.

Save and restart LSWS.

Note

The default value usually is a good choice. Changing to a bad cipher value may break the SSL handshake, and cause a broken site for some old browsers.

Warning

LiteSpeed uses BoringSSL. Support for the following cipher has been removed in BoringSSL:

DHE-RSA-AES128-GCM-SHA256
DHE-RSA-AES256-GCM-SHA384

This may impact the handshake with Internet Explorer 11 on Windows 8.1. If you really care about that, you may have to enable a weaker AES_CBC cipher or switch to an ECC certificate. For a weaker cipher, you can use:

ECDHE-RSA-AES128-SHA
ECDHE-RSA-AES256-SHA

Note

If you want to use ciphers with an ECDSA handshake, like:

ECDHE-ECDSA-AES256-GCM-SHA384
ECDHE-ECDSA-AES128-GCM-SHA256

An SSL certificate signed with an RSA private key does not work. An ECC certificate is required. Please search the internet to find out how to obtain an ECC certificate.

Harden Server Security

Disable PHP Override

You can disable the PHP override in .htaccess with LiteSpeed Web Server.

php_value and php_flag can be used in Apache configuration or .htaccess to override php.ini settings. However, they are only supported by Apache's mod_php handler, which is deprecated in most of the control panel systems, having been replaced by php-fpm, fastcgi or lsphp. As a result, if you place php_value or php_flag in .htaccess, Apache should return an error.

You could see any one of the following errors:

500 internal server error

503 Invalid command 'php_flag', perhaps misspelled or defined by a module not included in the server configuration.
The following error can be found in the domain error log in Domains > example.com > Logs:
/var/www/vhosts/example.com/httpdocs/.htaccess: Invalid command 'php_value', perhaps misspelled or defined by a module not included in the server configuration

/var/www/vhosts/example.com/httpdocs/.htaccess: Invalid command 'php_flag', perhaps misspelled or defined by a module not included in the server configuration

/var/www/vhosts/example.com/httpdocs/.htaccess: RewriteRule: bad flag delimiters

/var/www/vhosts/example.com/public_html/.htaccess: Invalid command 'suPHP_ConfigPath', perhaps misspelled or defined by a module not included in the server configuration.

LiteSpeed Web Server uses lsphp, which supports php_value and php_flag usage in .htaccess. You can use these and LSWS will not return a 500 error. LSWS is more tolerant than Apache of these PHP overrides.

In some cases, you may want to disable such PHP overrides in .htaccess for LiteSpeed as well. To achieve this, add

<IfModule LiteSpeed>
  DisablePhpOverride htaccess
</IfModule>

to /etc/apache2/conf.d/includes/pre_main_global.conf.

Disable CGI Scripts and Disallow .htaccess Override

To disable CGI scripts such as .cgi .pl etc, You need to turn off CGI with Apache configuration like

Options -ExecCGI

For control panel users, you may need to modify related template to make the change permanent.

Also, you need to disable user from override "ExecCGI" option, with our DisableCgiOverride option. Add

<IfModule LiteSpeed>
  DisableCgiOverride On
</IfModule>

to /etc/apache2/conf.d/includes/pre_main_global.conf.

For more information, please read Closing the Loopholes.

A symlink race attack is often used against shared hosting servers. It allows a malicious user to serve files that belong to other users by creating a symbolic link to those files. It is often used to access config.php files that belong to other users.

LSWS Force Strict Ownership

The Force Strict Ownership setting in LSWS Admin specifies whether to enforce strict file ownership checking. If it is enabled, the web server will check if the owner of the file being served is the same as the owner of the virtual host. If it is different, a 403 Access Denied error will be returned.

It protects LSWS from serving a bad symlink directly, however it won't protect PHP/CGI scripts from following a symlink.

CloudLinux Kernel Patch

To stop PHP/CGI script from executing unwanted symlink traversal, you can use CloudLinux's free kernel patch for symlink protection.

Disable mod_userdir

On cPanel, there is an Apache mod_userdir tweak, which you can use to disable/enable mod_userdir for Apache. When you are running Apache, mod_userdir is not compatible with the following modules/handlers and is actually disabled when mod_passenger, mod_ruid, mod_itk, PHP-FPM, or the CGI handler is used.

Sometimes, when you disable mod_userdir on Apache, it seems to still be working with LSWS. Here's how you correctly disable mod_userdir for LSWS on cPanel:

vi /etc/apache2/conf/httpd.conf

In server-level configuration, add the following:

<IfModule userdir_module>
  UserDir public_html
  <IfModule ruid2_module>
    UserDir disabled
  </IfModule>
  <IfModule mpm_itk.c>
    UserDir disabled
  </IfModule>
  <IfModule mod_passenger.c>
    UserDir disabled
  </IfModule>
</IfModule>

In vhost-level configuration, add the following:

<IfModule userdir_module>
 <IfModule !mpm_itk.c>
  <IfModule !ruid2_module>
  <IfModule !mod_passenger.c>
    UserDir disabled
    UserDir enabled check10cache
  </IfModule>
 </IfModule>
 </IfModule>
</IfModule>

Apache may use itk, ruid2 and/or mod_passenger. In any of these cases, mod_userdir is disabled on Apache. LSWS does not use config for ruid2, itk and mod_passenger, hence only the following directive is applied, which actually enables mod_userdir.

UserDir public_html

To fix this, you can add UserDir disabled to pre_virtualhost_global.conf:

vi /etc/apache2/conf.d/includes/pre_virtualhost_global.conf

<IfModule LiteSpeed>
UserDir disabled
</IfModule>

and then add userdir to the list of Apache modules to ignore in LSWS configuration:

Navigate to LSWS WebAdmin > Configuration > Server > General > Using Apache Configuration File and add userdir to Ignore Apache Modules.

Restart LSWS after the configuration change.

service lsws restart

Virtual-Host-Level Limiting

Bandwidth Throttling

LiteSpeed Web Server version 5.0 introduces virtual-host-level bandwidth throttling. Virtual-host-level bandwidth throttling allows you to customize the total bandwidth a virtual host can consume.

VhostBandwidthLimit

The VhostBandwidthLimit directive controls the amount of bandwidth allotted to a virtual host regardless of the number of concurrent visitors. It can only be set at the virtual host level in the Apache configuration file or through Apache-style config in native LSWS configuration.

Syntax:

VhostBandwidthLimit [Speed in bytes/s]

It takes 1 parameter:

  • Speed indicates the total speed available to the virtual host. If Speed is less than 4097, there is no limit.

Example: To limit a virtual host to use 1000KB bandwidth maximum. Add the following configuration through a virtual-host-level include file:

<IfModule LiteSpeed>
  VhostBandwidthLimit 1024000
</IfModule>

Per-Client-Level Bandwidth Throttling

LSWS's implementation of this bandwidth throttling follows syntax similar to that used by Apache's mod_bw. Bandwidth throttling directives can only be placed in a virtual host configuration file, not an .htaccess file.

BandWidth

The BandWidth directive controls the amount of bandwidth allotted to specific users.

Syntax:

BandWidth [Origin] [Speed in bytes/s]

It takes 2 parameters:

  • Origin is the origin of the connections. It can be a single IP address, a set of IP addresses, a network mask, or all.
  • Speed indicates the total speed available to the Origin. If Speed is 0, there is no limit.

MinBandWidth

LSWS only supports one use of MinBandWidth: MinBandWidth all -1. When used in conjunction with the BandWidth directive (as above), this specifies the top speed for all clients.

Syntax:

BandWidth all [Speed in bytes/s]
MinBandWidth all -1

LargeFileLimit

The LargeFileLimit directive allows you to throttle the bandwidth that certain large files use.

Syntax:

LargeFileLimit [Type] [Minimum Size in kilobytes] [Speed in bytes/s]

It takes three parameters:

  • Type is the suffix of files to be throttled. * can be used to designate all files.
  • Minimum Size tells the server the size of files to be throttled.
  • Speed indicates the maximum speed at which these files can be served.

MaxConnPerClient

The MaxConnPerClient directive allows you to configure the maximum concurrent connections from one IP.

Syntax:

MaxConnPerClient <limit_for_connections>
  • limit_for_connections set the connection limit.

Examples

BandWidth all 102400

The above setting would limit the total bandwidth allowed to this virtual host to 100KB/s

BandWidth all 50000
MinBandWidth all -1
LargeFileLimit .avi 500 10240

The above settings limit each client to 50KB/s with no maximum total bandwidth. .avi files of 500KB or greater, though, are limited to 10KB/s.

Virtual Host Static/Dynamic Request Limit

A new feature as of LSWS 5.4.7 is a static/dynamic request-per-second limit for Apache virtual hosts. DynReqPerSec and StaticReqPerSec may be used in Apache virtual host configuration. They work the same way as Native static/dynamic request per second.


Last update: May 1, 2020