Difference between revisions of "Litespeed"

From Atomicorp Wiki
(Created page with '== Does ASL work with LiteSpeed? == Partially, but the Web Application Firewall does not. LiteSpeed has a proprietary implementation of mod_security, the Web Application Firewa…')
 
m (Do the modsecurity rules work with Litespeed)
 
(46 intermediate revisions by 2 users not shown)
Line 1: Line 1:
 
== Does ASL work with LiteSpeed?  ==
 
== Does ASL work with LiteSpeed?  ==
  
Partially, but the Web Application Firewall does not. LiteSpeed has a proprietary implementation of mod_security, the Web Application Firewall (WAF) module we use in Apache.  
+
Yes, ASL is supported with LiteSpeed.
  
Litespeeds implementation is is not a drop in replacement for the real mod_security module.  Unfortunately, it does not support the full rule set or rule language.  It is also not documented so we have have had no luck determining what it does support.  We can say that it is not compatible with modern mod_security rules.
+
== Do the modsecurity rules work with Litespeed ==
  
To currently support LiteSpeed we would have to significantly weaken the rules, and they would also be much slower with LiteSpeed. This is actually not because LiteSpeed is slower than Apache (Litespeed claims the opposite), but because the LiteSpeed WAF module does not support the new rule language in mod_security that allows us to design in massive performance enhancements.  
+
'''Yes, when used with the [https://www.atomicorp.com/wiki/index.php/ASL_WAF#WAF_Tab ASL Transparent WAF (T-WAF)] in front of Litespeed all rules are supported.'''
  
If you want to use LiteSpeed, you will either have to forgo web application protection, or you will need to install an apache proxy in front of LiteSpeed to use our WAF protection.
+
When using the rules without the ASL Transparent WAF, where the rules are only loaded directly into Litespeed, please see the official Litespeed page for what modsecurity features Litespeed supports:
  
We do encourage you to encourage LiteSpeed to support the full mod_security rule language, and also to document their implementation - as well as to reply to our emailsWe would really like to be able to support it!
+
http://www.litespeedtech.com/support/wiki/doku.php?id=litespeed_wiki:mod_security_compatibility
 +
 
 +
Currently, if you do not use the T-WAF, this means Litespeed does not support the following features:
 +
 
 +
# Output analysis: This means Litespeed can not inspect the output from the web server.  This means rules like malware detection, malicious shell prevention, brute force protection, data loss protection and other rules that analyze the output from the web server are not supported by Litespeed, unless you use [https://www.atomicorp.com/wiki/index.php/ASL_WAF#WAF_Tab the ASL Transparent WAF (T-WAF) in front of Litespeed].
 +
# XML inspection:  Litespeed has chosen to not support XML inspection, this means XML based attacks are unfortunately not protected on that platform, unless you use [https://www.atomicorp.com/wiki/index.php/ASL_WAF#WAF_Tab the ASL Transparent WAF (T-WAF) in front of Litespeed].
 +
# Multi-part Upload protection:  Litspeed does not support scanning attached files content in multi-part upload.  If you use [https://www.atomicorp.com/wiki/index.php/ASL_WAF#WAF_Tab the ASL Transparent WAF (T-WAF) in front of Litespeed] you will be able to scan attached files in a multi-part upload.
 +
# lua: This is a language that lets us construct advanced rules.  Currently they are used for advanced anti-spam protection and advanced SQLi and XSS injection protection.  Therefore, these types of rules are not supported by Litespeed, unless you use [https://www.atomicorp.com/wiki/index.php/ASL_WAF#WAF_Tab the ASL Transparent WAF (T-WAF) in front of Litespeed].
 +
 
 +
== How to configure a local WAF for litespeed  ==
 +
 
 +
=== ASL V ===
 +
 
 +
Step 1) Log into ASL.
 +
 
 +
Step 2) Click on the "ASL" tab. 
 +
 
 +
Step 3) Click on the "WAF Configuration" menu option.
 +
 
 +
Step 4) Click the "Add" button.
 +
 
 +
Step 5) In the "Add New TWAF Setting" window from the "Add protection for ..." drop down, select "Local Web Server"
 +
 
 +
Step 6) Select the port that litespeed runs on.  Normally this is port 80.
 +
 
 +
Step 7) Check the SSL box
 +
 
 +
Enter the file system path to your SSL certificate, and SSL key in the "Path to SSL Certificate" and "Path to SSL Key file" boxes.
 +
 
 +
Step 8) Click Save
 +
 
 +
=== ASL 4 ===
 +
 
 +
Step 1) Log into ASL.
 +
 
 +
Step 2) Click on the "Configuration" tab.   
 +
 
 +
Step 3) Click on the "WAF" tab and select "WAF configuration".
 +
 
 +
Step 4) Click the "Add" button.
 +
 
 +
Step 5) Select "Local Web Server" from the "Add protection for" drop down.
 +
 
 +
Step 6) Select the port that litespeed runs on.  Normally this is port 80.
 +
 
 +
Step 7) Check the SSL box
 +
 
 +
Enter the file system path to your SSL certificate, and SSL key in the "Path to SSL Certificate" and "Path to SSL Key file" boxes.
 +
 
 +
Step 8) Click Save
 +
 
 +
Note:  Litespeed does not support the WAF in embedded mode.
 +
 
 +
= Questions =
 +
 
 +
== I've loaded the rules into Litespeed, does that mean they work with Litespeed? ==
 +
 
 +
Yes, however please see the LSWS official page for what modsecurity features Litespeed supports and does not support.
 +
 
 +
https://www.litespeedtech.com/support/wiki/doku.php/litespeed_wiki:config:mod_security-compatibility
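Review bot: the added text sends readers to the Litespeed mod_security compatibility page through two different URLs, the http:// doku.php?id=litespeed_wiki:mod_security_compatibility link under "Do the modsecurity rules work with Litespeed" and the https:// .../litespeed_wiki:config:mod_security-compatibility link under "Questions"; use one link in both places so readers check the same feature list. In both step lists, Step 6 says the port is normally 80 while Step 7 says to check the SSL box, and the certificate and key path instruction after it has no step number; say whether the SSL box applies only when the protected port serves HTTPS, and fold the path entry into Step 7. "Litspeed" in the multi-part upload item is a typo.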

Latest revision as of 16:29, 26 July 2022

Does ASL work with LiteSpeed?

Yes, ASL is supported with LiteSpeed.

Do the modsecurity rules work with Litespeed

Yes, when used with the ASL Transparent WAF (T-WAF) in front of Litespeed all rules are supported.

When using the rules without the ASL Transparent WAF, where the rules are only loaded directly into Litespeed, please see the official Litespeed page for what modsecurity features Litespeed supports:

http://www.litespeedtech.com/support/wiki/doku.php?id=litespeed_wiki:mod_security_compatibility

Currently, if you do not use the T-WAF, Litespeed does not support the following features:

  1. Output analysis: Litespeed cannot inspect the output from the web server. Rules such as malware detection, malicious shell prevention, brute force protection, data loss protection and other rules that analyze the output from the web server are therefore not supported by Litespeed, unless you use the ASL Transparent WAF (T-WAF) in front of Litespeed.
  2. XML inspection: Litespeed has chosen not to support XML inspection. This means XML-based attacks are unfortunately not protected against on that platform, unless you use the ASL Transparent WAF (T-WAF) in front of Litespeed.
  3. Multi-part upload protection: Litespeed does not support scanning the content of attached files in a multi-part upload. If you use the ASL Transparent WAF (T-WAF) in front of Litespeed, you will be able to scan attached files in a multi-part upload.
  4. Lua: This is a language that lets us construct advanced rules. Currently Lua rules are used for advanced anti-spam protection and advanced SQLi and XSS injection protection. These types of rules are therefore not supported by Litespeed, unless you use the ASL Transparent WAF (T-WAF) in front of Litespeed.
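
To see which rules in a file fall into these four categories before loading it directly into Litespeed, the following added example (not Atomicorp or Litespeed code) scans ModSecurity rule text for directives that typically rely on each feature. The marker patterns, rule ids and file paths in the sample are assumptions made for illustration.

```python
import re

# Heuristic markers (an assumption of this example, not Litespeed's documented
# behaviour) for the four feature classes listed above.
MARKERS = {
    "output analysis": re.compile(r"phase:(?:4|response)\b|\bRESPONSE_BODY\b"),
    "XML inspection": re.compile(r"\bXML:|requestBodyProcessor=XML|@validate(?:Schema|DTD)"),
    "multi-part upload": re.compile(r"\bFILES_TMP(?:NAMES|_CONTENT)\b|@inspectFile"),
    "lua": re.compile(r"^SecRuleScript\b|\.lua\b"),
}

# Constructed sample rules (not from the ASL rule set).
SAMPLE = r'''
# local test rules
SecRule REQUEST_URI "@contains /admin" "id:900001,phase:1,deny,status:403"
SecRule RESPONSE_BODY "@contains uid=0(root)" \
    "id:900002,phase:4,deny,msg:'command output in response'"
SecRule XML:/* "@rx <!ENTITY" "id:900003,phase:2,deny"
SecRule FILES_TMPNAMES "@inspectFile /usr/local/bin/scan.lua" \
    "id:900004,phase:2,deny"
SecRuleScript /etc/modsec/antispam.lua "id:900005,phase:2,deny"
'''

def logical_rules(text):
    """Yield (first_line_no, directive), joining backslash continuations."""
    buf, start = "", 0
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not buf:
            if not line or line.startswith("#"):
                continue
            start = no
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        yield start, buf + line
        buf = ""

def audit(text):
    """Return (line, rule id, feature classes) for rules that need the T-WAF."""
    findings = []
    for no, rule in logical_rules(text):
        hits = [name for name, rx in MARKERS.items() if rx.search(rule)]
        rid = re.search(r"\bid:'?(\d+)", rule)
        if rule.startswith("SecRule") and hits:
            findings.append((no, rid.group(1) if rid else None, hits))
    return findings

if __name__ == "__main__":
    for no, rid, hits in audit(SAMPLE):
        print(f"line {no} id {rid}: depends on {', '.join(hits)}")
```

A rule reported here may load without error yet provide no protection unless the T-WAF sits in front of Litespeed, so treat each finding as a coverage gap to verify against the Litespeed compatibility page.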

How to configure a local WAF for litespeed

ASL V

Step 1) Log into ASL.

Step 2) Click on the "ASL" tab.

Step 3) Click on the "WAF Configuration" menu option.

Step 4) Click the "Add" button.

Step 5) In the "Add New TWAF Setting" window from the "Add protection for ..." drop down, select "Local Web Server"

Step 6) Select the port that litespeed runs on. Normally this is port 80.

Step 7) Check the SSL box

Enter the file system path to your SSL certificate, and SSL key in the "Path to SSL Certificate" and "Path to SSL Key file" boxes.

Step 8) Click Save

ASL 4

Step 1) Log into ASL.

Step 2) Click on the "Configuration" tab.

Step 3) Click on the "WAF" tab and select "WAF configuration".

Step 4) Click the "Add" button.

Step 5) Select "Local Web Server" from the "Add protection for" drop down.

Step 6) Select the port that litespeed runs on. Normally this is port 80.

Step 7) Check the SSL box

Enter the file system path to your SSL certificate, and SSL key in the "Path to SSL Certificate" and "Path to SSL Key file" boxes.

Step 8) Click Save

Note: Litespeed does not support the WAF in embedded mode.

Questions

I've loaded the rules into Litespeed, does that mean they work with Litespeed?

Yes, however please see the LSWS official page for what modsecurity features Litespeed supports and does not support.

https://www.litespeedtech.com/support/wiki/doku.php/litespeed_wiki:config:mod_security-compatibility
