PHP suEXEC Max Conn¶
PHP suEXEC Max Conn specifies the maximum number of concurrent PHP processes that can be created by LSWS for each user when running PHP scripts in suEXEC mode. The default setting is
10. Generally this should be a good enough limit for the shared hosting environment, since you may not want too many processes running for each account on a server with many accounts. However, if you do have a need to allow more PHP processes for each account, you can adjust the value from
10 to a higher number, such as
If you see something like this in
[STDERR] Reached max children process limit: 10, extra: 3, current: 13, please increase LSAPI_CHILDREN
try to increase LSAPI_CHILDREN.
In a control panel environment, you would change the PHP suEXEC Max Conn setting, found under Configuration > Server > General > Using Apache Configuration File, not the LSAPI_CHILDREN setting in External Apps.
If you want to explore additional ways to override PHP suEXEC Max Conn settings through the Apache configuration, either from the server level or the virtual host level, please see the Advanced PHP Configuration documentation.
RAM Disk Path can be customized via WebAdmin Console under Configuration > Server > Tuning > RAM Disk Path. By default,
/dev/shm/lsws is used. if /dev/shm is too small, you can create a dedicated tmpfs partition for that.
Swap Directory is used to store big request bodies and dynamically generated responses, to reduce the system memory usage. It is different than an OS swap partition.
By default, it is set to
/tmp partition does not have enough space, or runs out of disk space, it could affect server stability.
You can move it to a partition on a fast disk, like an SSD. Or, if the server has enoguh free memory, create a RAM disk (tmpfs partition) for it.
Static File GZIP Cache Directory¶
Static Cache Directory is used to store compressed versions of static files, including both GZIP-compressed and Brotli-compressed versions. By default, it uses Swap Directory, but can be changed to its own directory. If the partition holding the directory runs out of space, it could affect server stability. We recommend using an SSD-backed partition with enough free disk space for that.
Enable TLS v1.3¶
By default, cPanel enables TLS 1.2 but not TLS 1.3.
To enable TLS 1.3 in WHM, navigate to Service Configuration > Apache Configuration > Global Configuration, and set SSL/TLS Protocols to
ALL -SSLv3 -TLSv1 -TLSv1.1.
Save and restart LSWS.
When you set SSL/TLS Protocols to
ALL -SSLv3 -TLSv1 -TLSv1.1 you are really saying, "use all available protocols, except SSLv3, TLSv1, and TLSv1.1." This will automatically allow new protocols to be enabled. If you would prefer to be explicit about it, you can set SSL/TLS Protocols to just the ones you know you want to use. For example:
SSLProtocol TLSv1.2 TLSv1.3, but when new protocols are introduced, you will need to remember to update this setting to enable them.
SSLv2 is obsolete and a security risk. It is not supported by LSWS and therefore it is not necessary to explicitly exclude it from the list of enabled protocols. However SSLv2 is still supported by Apache. If there is a chance that you may switch temporarily to Apache at any time, you should set SSL/TLS Protocols to
ALL -SSLv2 -SSLv3 -TLSv1 -TLSv1.1 and ensure that Apache never enables SSLv2.
Customize SSL Ciphers¶
In WHM, navigate to Service Configuration > Apache Configuration > Global Configuration.
Set SSL Cipher Suite to the cipher you want to use.
Save and restart LSWS.
- The default value usually is a good choice. Changing to a bad cipher value may break the SSL handshake, and cause a broken site for some old browsers.
- Cipher suites for TLSv1.3 are not changeable. This is because BoringSSL is used for HTTP/3, and it does not have an API available to modify the cipher suits.
- If you want to use ciphers with an ECDSA handshake, like: An SSL certificate signed with an RSA private key does not work. An ECC certificate is required. Starting from LSWS v5.4.9, LiteSpeed's WHM/cPanel Plugin can generate ECC Certificates. Please see our ECC Certificate Quick Start Guide to learn how to generate ECC Certificates and how to enable multi certificates on LiteSpeed.
LiteSpeed uses BoringSSL. Support for the following cipher has been removed in BoringSSL:
AES128-SHA256 AES256-SHA256 ECDHE-ECDSA-AES128-SHA256 ECDHE-ECDSA-AES256-SHA384 ECDHE-RSA-AES128-SHA256 ECDHE-RSA-AES256-SHA384
Harden Server Security¶
Disable PHP Override¶
You can disable the PHP override in
.htaccess with LiteSpeed Web Server.
php_flag can be used in Apache configuration or
.htaccess to override
php.ini settings. However, they are only supported by Apache's
mod_php handler, which is deprecated in most of the control panel systems, having been replaced by php-fpm, fastcgi or lsphp. As a result, if you place
php_flag in .htaccess, Apache should return an error.
You could see any one of the following errors:
500 internal server error 503 Invalid command 'php_flag', perhaps misspelled or defined by a module not included in the server configuration. The following error can be found in the domain error log in Domains > example.com > Logs: /var/www/vhosts/example.com/httpdocs/.htaccess: Invalid command 'php_value', perhaps misspelled or defined by a module not included in the server configuration /var/www/vhosts/example.com/httpdocs/.htaccess: Invalid command 'php_flag', perhaps misspelled or defined by a module not included in the server configuration /var/www/vhosts/example.com/httpdocs/.htaccess: RewriteRule: bad flag delimiters /var/www/vhosts/example.com/public_html/.htaccess: Invalid command 'suPHP_ConfigPath', perhaps misspelled or defined by a module not included in the server configuration.
LiteSpeed Web Server uses lsphp, which supports
php_flag usage in .htaccess. You can use these and LSWS will not return a 500 error. LSWS is more tolerant than Apache of these PHP overrides.
In some cases, you may want to disable such PHP overrides in .htaccess for LiteSpeed as well. To achieve this, add
<IfModule LiteSpeed> DisablePhpOverride htaccess </IfModule>
Disable CGI Scripts and Disallow .htaccess Override¶
To disable CGI scripts such as
.pl, etc, You need to turn off CGI within the Apache configuration, like so:
For control panel users, you may need to modify the related template to make the change permanent.
You must also prevent users from overriding the ExecCGI option. Do so with the DisableCgiOverride option by adding the following to
<IfModule LiteSpeed> DisableCgiOverride On </IfModule>
When DisableCgiOverride is
ON, it will impossible to add new CGI scripts through
.htaccess. If you need to add a new CGI script handler, you have to do it in the virtual host config file, like this:
Options -Indexes +ExecCGI AddHandler cgi-script .pl
For more information, please read Closing the Loopholes.
Symlink Attack Prevention¶
A symlink race attack is often used against shared hosting servers. It allows a malicious user to serve files that belong to other users by creating a symbolic link to those files. It is often used to access config.php files that belong to other users.
LSWS Force Strict Ownership¶
The Force Strict Ownership setting in LSWS Admin specifies whether to enforce strict file ownership checking. If it is enabled, the web server will check if the owner of the file being served is the same as the owner of the virtual host. If it is different, a
403 Access Denied error will be returned.
It protects LSWS from serving a bad symlink directly, however it won't protect PHP/CGI scripts from following a symlink.
CloudLinux Kernel Patch¶
To stop PHP/CGI script from executing unwanted symlink traversal, you can use CloudLinux's free kernel patch for symlink protection.
On cPanel, there is an Apache mod_userdir tweak, which you can use to disable/enable
mod_userdir for Apache. When you are running Apache,
mod_userdir is not compatible with the following modules/handlers and is actually disabled when
PHP-FPM, or the CGI handler is used.
Sometimes, when you disable
mod_userdir on Apache, it seems to still be working with LSWS. Here's how you correctly disable mod_userdir for LSWS on cPanel:
In server-level configuration, add the following:
<IfModule userdir_module> UserDir public_html <IfModule ruid2_module> UserDir disabled </IfModule> <IfModule mpm_itk.c> UserDir disabled </IfModule> <IfModule mod_passenger.c> UserDir disabled </IfModule> </IfModule>
In vhost-level configuration, add the following:
<IfModule userdir_module> <IfModule !mpm_itk.c> <IfModule !ruid2_module> <IfModule !mod_passenger.c> UserDir disabled UserDir enabled check10cache </IfModule> </IfModule> </IfModule> </IfModule>
Apache may use
mod_passenger. In any of these cases,
mod_userdir is disabled on Apache. LSWS does not use config for
mod_passenger, hence only the following directive is applied, which actually enables
To fix this, you can add
UserDir disabled to
<IfModule LiteSpeed> UserDir disabled </IfModule>
and then add
userdir to the list of Apache modules to ignore in LSWS configuration:
Navigate to LSWS WebAdmin > Configuration > Server > General > Using Apache Configuration File and add
userdir to Ignore Apache Modules.
Restart LSWS after the configuration change.
service lsws restart
LiteSpeed Web Server version 5.0 introduces virtual-host-level bandwidth throttling. Virtual-host-level bandwidth throttling allows you to customize the total bandwidth a virtual host can consume.
You can globally set default virtual-host-level parameters within this Apache configuration file:
Or, you can configure settings for a specific virtual host in a file that looks like this:
VhostBandwidthLimit directive controls the amount of bandwidth allotted to a virtual host regardless of the number of concurrent visitors. It can only be set at the virtual host level in the Apache configuration file or through Apache-style config in native LSWS configuration.
VhostBandwidthLimit [Speed in bytes/s]
It takes 1 parameter:
Speedindicates the total speed available to the virtual host. If
Speedis less than
4097, there is no limit.
Example: To limit a virtual host to use 1000KB bandwidth maximum. Add the following configuration through a virtual-host-level include file:
<IfModule LiteSpeed> VhostBandwidthLimit 1024000 </IfModule>
Per-Client-Level Bandwidth Throttling¶
LSWS's implementation of this bandwidth throttling follows syntax similar to that used by Apache's mod_bw. Bandwidth throttling directives can only be placed in a virtual host configuration file, not an .htaccess file.
BandWidth directive controls the amount of bandwidth allotted to specific users.
BandWidth [Origin] [Speed in bytes/s]
It takes 2 parameters:
Originis the origin of the connections. It can be a single IP address, a set of IP addresses, a network mask, or
Speedindicates the total speed available to the
0, there is no limit.
LSWS only supports one use of MinBandWidth:
MinBandWidth all -1. When used in conjunction with the BandWidth directive (as above), this specifies the top speed for all clients.
BandWidth all [Speed in bytes/s] MinBandWidth all -1
The LargeFileLimit directive allows you to throttle the bandwidth that certain large files use.
LargeFileLimit [Type] [Minimum Size in kilobytes] [Speed in bytes/s]
It takes three parameters:
Typeis the suffix of files to be throttled.
*can be used to designate all files.
Minimum Sizetells the server the size of files to be throttled.
Speedindicates the maximum speed at which these files can be served.
The MaxConnPerClient directive allows you to configure the maximum concurrent connections from one IP.
limit_for_connectionsset the connection limit.
BandWidth all 102400
The above setting would limit the total bandwidth allowed to this virtual host to 100KB/s
BandWidth all 50000 MinBandWidth all -1 LargeFileLimit .avi 500 10240
The above settings limit each client to 50KB/s with no maximum total bandwidth.
.avi files of 500KB or greater, though, are limited to 10KB/s.
Virtual Host Static/Dynamic Request Limit¶
A new feature as of LSWS 5.4.7 is a static/dynamic request-per-second limit for Apache virtual hosts. DynReqPerSec and StaticReqPerSec may be used in Apache virtual host configuration. They work the same way as Native static/dynamic request per second.