Tuning¶
PHP suEXEC Max Conn¶
PHP suEXEC Max Conn specifies the maximum number of concurrent PHP processes that can be created by LSWS for each user when running PHP scripts in suEXEC mode. The default setting is 10
. Generally this should be a good enough limit for the shared hosting environment, since you may not want too many processes running for each account on a server with many accounts. However, if you do have a need to allow more PHP processes for each account, you can adjust the value from 10
to a higher number, such as 40
, or 100
.
If you see something like this in stderr.log
:
[STDERR] Reached max children process limit: 10, extra: 3, current: 13, please increase LSAPI_CHILDREN
try to increase LSAPI_CHILDREN.
In a control panel environment, you would change the PHP suEXEC Max Conn setting, found under Configuration > Server > General > Using Apache Configuration File, not the LSAPI_CHILDREN setting in External Apps.
If you want to explore additional ways to override PHP suEXEC Max Conn settings through the Apache configuration, either from the server level or the virtual host level, please see the Advanced PHP Configuration documentation.
Temporary/Swap Directories¶
RAM disk¶
RAM Disk Path can be customized via WebAdmin Console under Configuration > Server > Tuning > RAM Disk Path. By default, /dev/shm/lsws
is used. if /dev/shm is too small, you can create a dedicated tmpfs partition for that.
SWAP directory¶
Swap Directory is used to store big request bodies and dynamically generated responses, to reduce the system memory usage. It is different than an OS swap partition.
By default, it is set to /tmp/lshttpd/swap
. If /tmp
partition does not have enough space, or runs out of disk space, it could affect server stability.
You can move it to a partition on a fast disk, like an SSD. Or, if the server has enoguh free memory, create a RAM disk (tmpfs partition) for it.
Static File GZIP Cache Directory¶
Static Cache Directory is used to store compressed versions of static files, including both GZIP-compressed and Brotli-compressed versions. By default, it uses Swap Directory, but can be changed to its own directory. If the partition holding the directory runs out of space, it could affect server stability. We recommend using an SSD-backed partition with enough free disk space for that.
SSL/TLS tuning¶
Enable TLS v1.3¶
By default, cPanel enables TLS 1.2 but not TLS 1.3.
To enable TLS 1.3 in WHM, navigate to Service Configuration > Apache Configuration > Global Configuration, and set SSL/TLS Protocols to ALL -SSLv3 -TLSv1 -TLSv1.1
.
Save and restart LSWS.
Tip
When you set SSL/TLS Protocols to ALL -SSLv3 -TLSv1 -TLSv1.1
you are really saying, "use all available protocols, except SSLv3, TLSv1, and TLSv1.1." This will automatically allow new protocols to be enabled. If you would prefer to be explicit about it, you can set SSL/TLS Protocols to just the ones you know you want to use. For example: SSLProtocol TLSv1.2 TLSv1.3
, but when new protocols are introduced, you will need to remember to update this setting to enable them.
Note
SSLv2 is obsolete and a security risk. It is not supported by LSWS and therefore it is not necessary to explicitly exclude it from the list of enabled protocols. However SSLv2 is still supported by Apache. If there is a chance that you may switch temporarily to Apache at any time, you should set SSL/TLS Protocols to ALL -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
and ensure that Apache never enables SSLv2.
Customize SSL Ciphers¶
In WHM, navigate to Service Configuration > Apache Configuration > Global Configuration.
Set SSL Cipher Suite to the cipher you want to use.
Save and restart LSWS.
Notes
- The default value usually is a good choice. Changing to a bad cipher value may break the SSL handshake, and cause a broken site for some old browsers.
- Cipher suites for TLSv1.3 are not changeable. This is because BoringSSL is used for HTTP/3, and it does not have an API available to modify the cipher suits.
- If you want to use ciphers with an ECDSA handshake, like: An SSL certificate signed with an RSA private key does not work. An ECC certificate is required. Starting from LSWS v5.4.9, LiteSpeed's WHM/cPanel Plugin can generate ECC Certificates. Please see our ECC Certificate Quick Start Guide to learn how to generate ECC Certificates and how to enable multi certificates on LiteSpeed.
ECDHE-ECDSA-AES256-GCM-SHA384 ECDHE-ECDSA-AES128-GCM-SHA256
Warning
LiteSpeed uses BoringSSL. Support for the following cipher has been removed in BoringSSL:
DHE-RSA-AES128-GCM-SHA256
DHE-RSA-AES256-GCM-SHA384
ECDHE-RSA-AES128-SHA
ECDHE-RSA-AES256-SHA
AES128-SHA256
AES256-SHA256
ECDHE-ECDSA-AES128-SHA256
ECDHE-ECDSA-AES256-SHA384
ECDHE-RSA-AES128-SHA256
ECDHE-RSA-AES256-SHA384
Harden Server Security¶
Disable PHP Override¶
You can disable the PHP override in .htaccess
with LiteSpeed Web Server.
php_value
and php_flag
can be used in Apache configuration or .htaccess
to override php.ini
settings. However, they are only supported by Apache's mod_php
handler, which is deprecated in most of the control panel systems, having been replaced by php-fpm, fastcgi or lsphp. As a result, if you place php_value
or php_flag
in .htaccess, Apache should return an error.
You could see any one of the following errors:
500 internal server error
503 Invalid command 'php_flag', perhaps misspelled or defined by a module not included in the server configuration.
The following error can be found in the domain error log in Domains > example.com > Logs:
/var/www/vhosts/example.com/httpdocs/.htaccess: Invalid command 'php_value', perhaps misspelled or defined by a module not included in the server configuration
/var/www/vhosts/example.com/httpdocs/.htaccess: Invalid command 'php_flag', perhaps misspelled or defined by a module not included in the server configuration
/var/www/vhosts/example.com/httpdocs/.htaccess: RewriteRule: bad flag delimiters
/var/www/vhosts/example.com/public_html/.htaccess: Invalid command 'suPHP_ConfigPath', perhaps misspelled or defined by a module not included in the server configuration.
LiteSpeed Web Server uses lsphp, which supports php_value
and php_flag
usage in .htaccess. You can use these and LSWS will not return a 500 error. LSWS is more tolerant than Apache of these PHP overrides.
In some cases, you may want to disable such PHP overrides in .htaccess for LiteSpeed as well. To achieve this, add
<IfModule LiteSpeed>
DisablePhpOverride htaccess
</IfModule>
to /etc/apache2/conf.d/includes/pre_main_global.conf
.
Disable CGI Scripts and Disallow .htaccess Override¶
To disable CGI scripts such as .cgi
, .pl
, etc, You need to turn off CGI within the Apache configuration, like so:
Options -ExecCGI
For control panel users, you may need to modify the related template to make the change permanent.
You must also prevent users from overriding the ExecCGI option. Do so with the DisableCgiOverride option by adding the following to /etc/apache2/conf.d/includes/pre_main_global.conf
:
<IfModule LiteSpeed>
DisableCgiOverride On
</IfModule>
When DisableCgiOverride is ON
, it will impossible to add new CGI scripts through .htaccess
. If you need to add a new CGI script handler, you have to do it in the virtual host config file, like this:
Options -Indexes +ExecCGI
AddHandler cgi-script .pl
For more information, please read Closing the Loopholes.
Symlink Attack Prevention¶
A symlink race attack is often used against shared hosting servers. It allows a malicious user to serve files that belong to other users by creating a symbolic link to those files. It is often used to access config.php files that belong to other users.
LSWS Force Strict Ownership¶
The Force Strict Ownership setting in LSWS Admin specifies whether to enforce strict file ownership checking. If it is enabled, the web server will check if the owner of the file being served is the same as the owner of the virtual host. If it is different, a 403 Access Denied
error will be returned.
It protects LSWS from serving a bad symlink directly, however it won't protect PHP/CGI scripts from following a symlink.
CloudLinux Kernel Patch¶
To stop PHP/CGI script from executing unwanted symlink traversal, you can use CloudLinux's free kernel patch for symlink protection.
Disable mod_userdir¶
On cPanel, there is an Apache mod_userdir tweak, which you can use to disable/enable mod_userdir
for Apache. When you are running Apache, mod_userdir
is not compatible with the following modules/handlers and is actually disabled when mod_passenger
, mod_ruid
, mod_itk
, PHP-FPM
, or the CGI handler is used.
Sometimes, when you disable mod_userdir
on Apache, it seems to still be working with LSWS. Here's how you correctly disable mod_userdir for LSWS on cPanel:
vi /etc/apache2/conf/httpd.conf
In server-level configuration, add the following:
<IfModule userdir_module>
UserDir public_html
<IfModule ruid2_module>
UserDir disabled
</IfModule>
<IfModule mpm_itk.c>
UserDir disabled
</IfModule>
<IfModule mod_passenger.c>
UserDir disabled
</IfModule>
</IfModule>
In vhost-level configuration, add the following:
<IfModule userdir_module>
<IfModule !mpm_itk.c>
<IfModule !ruid2_module>
<IfModule !mod_passenger.c>
UserDir disabled
UserDir enabled check10cache
</IfModule>
</IfModule>
</IfModule>
</IfModule>
Apache may use itk
, ruid2
and/or mod_passenger
. In any of these cases, mod_userdir
is disabled on Apache. LSWS does not use config for ruid2
, itk
and mod_passenger
, hence only the following directive is applied, which actually enables mod_userdir
.
UserDir public_html
To fix this, you can add UserDir disabled
to pre_virtualhost_global.conf
:
vi /etc/apache2/conf.d/includes/pre_virtualhost_global.conf
<IfModule LiteSpeed>
UserDir disabled
</IfModule>
and then add userdir
to the list of Apache modules to ignore in LSWS configuration:
Navigate to LSWS WebAdmin > Configuration > Server > General > Using Apache Configuration File and add userdir
to Ignore Apache Modules.
Restart LSWS after the configuration change.
service lsws restart
Virtual-Host-Level Limiting¶
Bandwidth Throttling¶
LiteSpeed Web Server version 5.0 introduces virtual-host-level bandwidth throttling. Virtual-host-level bandwidth throttling allows you to customize the total bandwidth a virtual host can consume.
You can globally set default virtual-host-level parameters within this Apache configuration file: /etc/apache2/conf.d/includes/pre_virtualhost_global.conf
Or, you can configure settings for a specific virtual host in a file that looks like this: /etc/apache2/conf.d/userdata/ssl/2_4/$USER/example.com/throttling.conf
VhostBandwidthLimit¶
The VhostBandwidthLimit
directive controls the amount of bandwidth allotted to a virtual host regardless of the number of concurrent visitors. It can only be set at the virtual host level in the Apache configuration file or through Apache-style config in native LSWS configuration.
Syntax:
VhostBandwidthLimit [Speed in bytes/s]
It takes 1 parameter:
Speed
indicates the total speed available to the virtual host. IfSpeed
is less than4097
, there is no limit.
Example: To limit a virtual host to use 1000KB bandwidth maximum. Add the following configuration through a virtual-host-level include file:
<IfModule LiteSpeed>
VhostBandwidthLimit 1024000
</IfModule>
Per-Client-Level Bandwidth Throttling¶
LSWS's implementation of this bandwidth throttling follows syntax similar to that used by Apache's mod_bw. Bandwidth throttling directives can only be placed in a virtual host configuration file, not an .htaccess file.
BandWidth¶
The BandWidth
directive controls the amount of bandwidth allotted to specific users.
Syntax:
BandWidth [Origin] [Speed in bytes/s]
It takes 2 parameters:
Origin
is the origin of the connections. It can be a single IP address, a set of IP addresses, a network mask, orall
.Speed
indicates the total speed available to theOrigin
. IfSpeed
is0
, there is no limit.
MinBandWidth¶
LSWS only supports one use of MinBandWidth: MinBandWidth all -1
. When used in conjunction with the BandWidth directive (as above), this specifies the top speed for all clients.
Syntax:
BandWidth all [Speed in bytes/s]
MinBandWidth all -1
LargeFileLimit¶
The LargeFileLimit directive allows you to throttle the bandwidth that certain large files use.
Syntax:
LargeFileLimit [Type] [Minimum Size in kilobytes] [Speed in bytes/s]
It takes three parameters:
Type
is the suffix of files to be throttled.*
can be used to designate all files.Minimum Size
tells the server the size of files to be throttled.Speed
indicates the maximum speed at which these files can be served.
MaxConnPerClient¶
The MaxConnPerClient directive allows you to configure the maximum concurrent connections from one IP.
Syntax:
MaxConnPerClient <limit_for_connections>
limit_for_connections
set the connection limit.
Examples¶
BandWidth all 102400
The above setting would limit the total bandwidth allowed to this virtual host to 100KB/s
BandWidth all 50000
MinBandWidth all -1
LargeFileLimit .avi 500 10240
The above settings limit each client to 50KB/s with no maximum total bandwidth. .avi
files of 500KB or greater, though, are limited to 10KB/s.
Virtual Host Static/Dynamic Request Limit¶
A new feature as of LSWS 5.4.7 is a static/dynamic request-per-second limit for Apache virtual hosts. DynReqPerSec and StaticReqPerSec may be used in Apache virtual host configuration. They work the same way as Native static/dynamic request per second.