Litespeed Security

LiteSpeed web server is designed with security in mind. With chroot jail, IP level bandwidth throttling, connection accounting, strict HTTP request checking, and URL context filtering, DoS effects are minimized and the application backend is properly fenced away from the HTTP request layer, greatly reducing vulnerability.

• Access Control at server, virtual host and directory (context) level
• IP level throttling (Bandwidth and Request Rate)
• Comprehensive IP level connection accounting
• Hotlink protection
• Strict HTTP request checking
• Comprehensive protection for static files

(D)DoS Protection

Not only does LiteSpeed offer built-in denial of service attack protection, but you can quickly identify the site that is the target of such an attack via the real-time statistics available in the LiteSpeed console.

External Application Firewall

LiteSpeed Web server forwards requests to external applications such as CGI, Fast CGI and Servlet engine to process/generate dynamic content. Usually each request requires one instance of the external application. Those applications may use a lot of system resources, and the performance of the whole system will be severely degraded when system resource consumption reaches a certain point, for example, when swapping space has been used. DoS attacks can be conducted by flooding the web server with concurrent requests to an external application that consumes a lot of system resources. LiteSpeed web server pipelines requests and controls the concurrency level of external applications to prevent server overloading. It only forwards completed requests to external applications and caches the response. Thus external applications will be immediately available to process the next request without waiting for the response to be completely received by the client. In this way, the server can utilize fewer instances of external applications to serve more concurrent requests and will achieve higher performance and scalability. LiteSpeed web server uses its own virtual memory to cache the request and response body to minimize the usage of system memory without sacrificing performance.

CGI Resources Consumption Limit

LiteSpeed web server limits system resources consumption for CGI applications in two ways and effectively fends off "fork bomb" attacks.

• Maximum number of concurrent CGI process is limited.
• For each request to a CGI script, the web server needs to start a standalone CGI process to handle it. On a Unix system the number of concurrent processes is limited, excessive concurrent processes will degrade the performance of the whole system and it could become the target of a DoS attack. Maximum number of concurrent CGI instances is configurable.
• Maximum system resource consumption for each CGI process is limited, includes: number of concurrent children process spawned, memory usage and CPU time.

File system protection

LiteSpeed web server will serve a static file only if the following conditions are satisfied:

• ".ht*" and ".svn*" are not allowed in a decoded URL, this will deny accessing some important hidden files and directories.
• the file permission must contain configured required permission bits.
• the file permission must not contain any configured restricted permission bits.
• the file is not in the Access Denied Directory list
• does not contain symbolic links if symbolic linking is not allowed.