Difference between revisions of "Litespeed"

From Atomicorp Wiki
m (Does ASL work with LiteSpeed?)
m (Do the modsecurity rules work with Litespeed)
 
(24 intermediate revisions by 2 users not shown)
Line 1: Line 1:
 
== Does ASL work with LiteSpeed?  ==
 
== Does ASL work with LiteSpeed?  ==
  
=== Secure Kernel ===
+
Yes, ASL is supported with LiteSpeed. 
  
ASL works correctly with Litespeed.  However some versions of Litespeed contain a serious vulnerability.  When used with secure kernels, such as the ASL kernel, litespeed will attempt to open a hole in the system that secure kernels will deny.  If you use Litespeed, you may not be able to use a secure kernel, such as the ASL kernel, as Litespeed apparently must operate in this highly unsafe and insecure manner. 
+
== Do the modsecurity rules work with Litespeed ==
  
If you do use the ASL kernel, with Litespeed, and Litespeed does not work please know that this is not something we can resolve.  This is a due to a vulnerability in Litespeed that the kernel is protected the system from. ASL will not allow an application to open a hole that could compromise the entire system. Litespeed unfortunately does this. We highly recommend you report this vulnerability to Litespeed, and that you open a support case with Litespeed. We've reported this hole to them, and hope they will fix it soon.
+
'''Yes, when used with the [https://www.atomicorp.com/wiki/index.php/ASL_WAF#WAF_Tab ASL Transparent WAF (T-WAF)] in front of Litespeed all rules are supported.'''
  
Due to the closed source nature of Litespeed, this is not something we can fix in Litespeed and not something we can change in the kernel (the vulnerability in Litespeed attempts to open a hole in the kernel, which would make the system vulnerable to a root level compromise.  This is not something we can or will allow to occur with the ASL kernel).  As this is a vulnerability in Litespeed, the correct solution is for Litespeed to fix this vulnerability.
+
When using the rules without the ASL Transparent WAF, where the rules are only loaded directly into Litespeed, please see the official Litespeed page for what modsecurity features Litespeed supports:
  
=== WAF ===
+
http://www.litespeedtech.com/support/wiki/doku.php?id=litespeed_wiki:mod_security_compatibility
  
Litespeed, like all HTTP based servers, may be protected through the ASL T-WAF module.  Litespeed will show connections from the local system, by default, when using the T-WAF as all connections will in fact be coming from the server itself.  Litespeed will need to be configured to use the X-Forwarded-From header for the upstream IP address of the client.  Please contact Litespeed for official instructions about how to configure Litespeed to do this.
+
Currently, if you do not use the T-WAF, this means Litespeed does not support the following features:
  
Courtesy instructions for setting up Litespeed to do this are provided on the [[ASL WAF]] page.
+
# Output analysis: This means Litespeed can not inspect the output from the web server.  This means rules like malware detection, malicious shell prevention, brute force protection, data loss protection and other rules that analyze the output from the web server are not supported by Litespeed, unless you use [https://www.atomicorp.com/wiki/index.php/ASL_WAF#WAF_Tab the ASL Transparent WAF (T-WAF) in front of Litespeed].
 +
# XML inspection:  Litespeed has chosen to not support XML inspection, this means XML based attacks are unfortunately not protected on that platform, unless you use [https://www.atomicorp.com/wiki/index.php/ASL_WAF#WAF_Tab the ASL Transparent WAF (T-WAF) in front of Litespeed].
 +
# Multi-part Upload protection:  Litspeed does not support scanning attached files content in multi-part upload.  If you use [https://www.atomicorp.com/wiki/index.php/ASL_WAF#WAF_Tab the ASL Transparent WAF (T-WAF) in front of Litespeed] you will be able to scan attached files in a multi-part upload.
 +
# lua: This is a language that lets us construct advanced rules.  Currently they are used for advanced anti-spam protection and advanced SQLi and XSS injection protection.  Therefore, these types of rules are not supported by Litespeed, unless you use [https://www.atomicorp.com/wiki/index.php/ASL_WAF#WAF_Tab the ASL Transparent WAF (T-WAF) in front of Litespeed].
  
== Do the modsecurity rules work with Litespeed ==
+
== How to configure a local WAF for litespeed  ==
  
When used with [[ASL]] yes.
+
=== ASL V ===
  
If you are not using ASL, then no.  And this is because '''LiteSpeed does not support mod_security'''. LiteSpeed does not provide a modsecurity compatible module. Litespeed provides a proprietary implementation of something like mod_security.  It is not a drop in replacement for modsecurity, it is not complete, it does not work like modsecurity and it only supports an old and incomplete version of the rule language that all modsecurity rules depend on.
+
Step 1) Log into ASL.  
  
Unfortunately, this means that '''LiteSpeed does not support modern modsecurity rules, and Litspeeds modsecurity-like module is therefore not currently compatible with any mod_security rules including ours.'''
+
Step 2) Click on the "ASL" tab.
  
This means that Litespeed will silently ignore rules and rule language it does not understand, so mod_security rules will appear to work with Litespeed. They do not work correctly, even though they may be stopping some attacks we can assure you that the Litespeed modsecurity implementation is incomplete and does not work correctly, and therefore we can not provide support for our rules with Litespeeds module and do not recommend you use their implementation.
+
Step 3) Click on the "WAF Configuration" menu option.  
  
We encourage our LiteSpeed customers to use [[ASL]], which is supported with LiteSpeed. If you do not use ASL you must install an apache or nginx proxy, which both support the actual mod_security rule language, in front of LiteSpeed to use any mod_security rules.
+
Step 4) Click the "Add" button.
  
== How to install the T-WAF ==
+
Step 5) In the "Add New TWAF Setting" window from the "Add protection for ..." drop down, select "Local Web Server"
  
As root, run this command:
+
Step 6) Select the port that litespeed runs on.  Normally this is port 80.
  
yum install asl-waf-module
+
Step 7) Check the SSL box
  
== How to configure the T-WAF for litespeed  ==
+
Enter the file system path to your SSL certificate, and SSL key in the "Path to SSL Certificate" and "Path to SSL Key file" boxes.
 +
 
 +
Step 8) Click Save
 +
 
 +
=== ASL 4 ===
  
 
Step 1) Log into ASL.  
 
Step 1) Log into ASL.  
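Review bot: The added "How to configure a local WAF for litespeed" steps do not carry over the point from the removed WAF paragraph that, with the T-WAF in front, Litespeed shows every connection as coming from the local system until it is configured to take the client address from the forwarded header. Suggest adding a short note after Step 8 that points to the [[ASL WAF]] page for that setup, as the removed text did.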
Line 56: Line 63:
  
 
= Questions =
 
= Questions =
 
== What should I use with Litespeed? ==
 
 
[[ASL]].  ASL supports Litespeed.
 
  
 
== I've loaded the rules into Litespeed, does that mean they work with Litespeed? ==
 
== I've loaded the rules into Litespeed, does that mean they work with Litespeed? ==
  
Litespeed will silently ignore rules and rule language it does not understand, so mod_security rules will appear to work with Litespeed. So unlike the real modsecurity, you wont even get an error if something doesnt work right.
+
Yes, however please see the LSWS official page for what modsecurity features Litespeed supports and does not support.  
 
+
== I've load the rules in Litspeed, and they are blocking attacks, doesnt that mean they work with Litespeed?==
+
  
No. We've done extensive testing with Litespeed, and Litespeed doesnt support the complete rule language and it silently ignores rules and options it doesnt understand.  That means that only some of the rules may be working. And of those, they may not even be working correctly, which means more false positives for you, and it also means the rules that are working may be missing attacks (because they require modsecurity features Litespeed doesnt support), plus all the rules that aren't working you'll never know about and none of those attacks will be stopped.
+
https://www.litespeedtech.com/support/wiki/doku.php/litespeed_wiki:config:mod_security-compatibility
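Review bot: The new answer under "I've loaded the rules into Litespeed, does that mean they work with Litespeed?" opens with an unqualified "Yes" and drops the removed warning that Litespeed silently ignores rules and rule language it does not understand. Suggest qualifying the answer (for example "Yes, for the features Litespeed supports") so it agrees with the four unsupported features this revision lists earlier, and using one compatibility link in both places, since the earlier list points to a different http:// URL.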

Latest revision as of 17:29, 26 July 2022

== Does ASL work with LiteSpeed? ==

Yes, ASL is supported with LiteSpeed.

== Do the modsecurity rules work with Litespeed ==

Yes, when used with the ASL Transparent WAF (T-WAF) in front of Litespeed, all rules are supported.

When using the rules without the ASL Transparent WAF, where the rules are only loaded directly into Litespeed, please see the official Litespeed page for what modsecurity features Litespeed supports:

http://www.litespeedtech.com/support/wiki/doku.php?id=litespeed_wiki:mod_security_compatibility

Currently, if you do not use the T-WAF, Litespeed does not support the following features:

  1. Output analysis: Litespeed cannot inspect the output from the web server. Rules that analyze that output, such as malware detection, malicious shell prevention, brute force protection and data loss protection, are therefore not supported by Litespeed unless you use the ASL Transparent WAF (T-WAF) in front of Litespeed.
  2. XML inspection: Litespeed has chosen not to support XML inspection, so XML-based attacks are unfortunately not protected against on that platform unless you use the ASL Transparent WAF (T-WAF) in front of Litespeed.
  3. Multi-part upload protection: Litespeed does not support scanning the content of files attached in a multi-part upload. If you use the ASL Transparent WAF (T-WAF) in front of Litespeed, you will be able to scan attached files in a multi-part upload.
  4. Lua: This is a language that lets us construct advanced rules. Lua rules are currently used for advanced anti-spam protection and advanced SQLi and XSS injection protection, so these types of rules are not supported by Litespeed unless you use the ASL Transparent WAF (T-WAF) in front of Litespeed.
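To see which rules in a ruleset depend on the four features listed above, the following added example (not Atomicorp or LiteSpeed code) scans ModSecurity v2 rule text and groups rule ids by feature. The token-to-feature mapping is a heuristic assumption, and the sample rules, ids and script path are constructed placeholders.

```python
import re

# Assumed mapping (heuristic, not Atomicorp's or LiteSpeed's list) from the
# four features above to ModSecurity v2 rule-language tokens that need them.
FEATURES = {
    "output analysis": r"phase:(?:4|response)\b|\bRESPONSE_BODY\b",
    "XML inspection": r"\bXML:|requestBodyProcessor=XML|@validate(?:DTD|Schema)\b",
    "multi-part upload": r"\bFILES_TMP_CONTENT\b|@inspectFile\b",
    "lua": r"\bSecRuleScript\b|\.lua\b",
}

# Constructed sample rules; ids and the script path are placeholders.
SAMPLE_RULES = r'''
SecRule ARGS "@rx select.+from" "id:900001,phase:2,deny,status:403"
SecRule RESPONSE_BODY "@contains Index of /" \
    "id:900002,phase:4,deny,msg:'directory listing in output'"
SecRule XML:/* "@rx <!ENTITY" "id:900003,phase:2,deny"
SecRule FILES_TMP_CONTENT "@rx <\?php" "id:900004,phase:2,deny"
SecRuleScript /etc/modsec/antispam.lua "id:900005,phase:2,deny"
'''

def directives(text):
    """Yield rule directives with backslash continuations joined."""
    buf = ""
    for line in (raw.strip() for raw in text.splitlines()):
        if not buf and (not line or line.startswith("#")):
            continue  # blank line or comment outside a continuation
        if line.endswith("\\"):
            buf += line[:-1].rstrip() + " "
            continue
        yield buf + line
        buf = ""

def audit(text):
    """Return {feature: [rule ids]} for rules that depend on a listed feature."""
    report = {name: [] for name in FEATURES}
    for d in directives(text):
        if not d.startswith(("SecRule", "SecAction")):
            continue
        m = re.search(r"\bid:'?(\d+)", d)
        rule_id = m.group(1) if m else "<no id>"
        for name, pattern in FEATURES.items():
            if re.search(pattern, d):
                report[name].append(rule_id)
    return report

if __name__ == "__main__":
    for feature, ids in audit(SAMPLE_RULES).items():
        print(f"{feature}: {', '.join(ids) or 'none'}")
```

Rules reported here are the ones to verify behind the T-WAF rather than loaded directly into Litespeed; a rule absent from the report can still rely on other features the official compatibility page lists.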

== How to configure a local WAF for Litespeed ==

=== ASL V ===

Step 1) Log into ASL.

Step 2) Click on the "ASL" tab.

Step 3) Click on the "WAF Configuration" menu option.

Step 4) Click the "Add" button.

Step 5) In the "Add New TWAF Setting" window, select "Local Web Server" from the "Add protection for ..." drop down.

Step 6) Select the port that Litespeed runs on. Normally this is port 80.

Step 7) Check the SSL box.

Enter the file system paths to your SSL certificate and SSL key in the "Path to SSL Certificate" and "Path to SSL Key file" boxes.

Step 8) Click Save.

=== ASL 4 ===

Step 1) Log into ASL.

Step 2) Click on the "Configuration" tab.

Step 3) Click on the "WAF" tab and select "WAF configuration".

Step 4) Click the "Add" button.

Step 5) Select "Local Web Server" from the "Add protection for" drop down.

Step 6) Select the port that Litespeed runs on. Normally this is port 80.

Step 7) Check the SSL box.

Enter the file system paths to your SSL certificate and SSL key in the "Path to SSL Certificate" and "Path to SSL Key file" boxes.

Step 8) Click Save.

Note: Litespeed does not support the WAF in embedded mode.

= Questions =

== I've loaded the rules into Litespeed, does that mean they work with Litespeed? ==

Yes, however please see the LSWS official page for what modsecurity features Litespeed supports and does not support.

https://www.litespeedtech.com/support/wiki/doku.php/litespeed_wiki:config:mod_security-compatibility
