<!DOCTYPE html>
<head>
  <meta charset="utf-8" />
  <meta http-equiv="X-UA-Compatible" content="IE=edge,chrome=1" />
  <title>Open LiteSpeed Web Server Users' Manual - Server Security</title>
  <meta name="description" content="Open LiteSpeed Web Server Users' Manual - Server Security." />
  <meta name="viewport" content="width=device-width, initial-scale=1.0" />
  <meta name="robots" content="noindex">
  <link rel="shortcut icon" href="../img/favicon.ico" />
  <link rel="stylesheet" type="text/css" href="../css/hdoc.css">
</head>
<body>
<div class="pagewrapper clearfix"><aside class="sidetree ls-col-1-5">
  <figure>
    <img src="img/ols_logo.svg" alt="openlitespeed logo" width="150px"/>
  </figure>
  <h3 class="ls-text-thin">OpenLiteSpeed Web Server <a href="index.html"> Users' Manual</a></h3>
  <h5 class="ls-text-muted">Version 1.6 &nbsp;&#8212;&nbsp;Rev. 2</h5>
  <hr/>
  <div>
    <ul>
      <li><a href="license.html">License</a></li>
      <li><a href="intro.html">Introduction</a></li>
      <li><a href="install.html">Installation</a></li>
      <li>
        <a href="admin.html">Administration</a>
        <ul class="level2">
          <li><a href="ServerStat_Help.html">Service Manager</a></li>
        </ul>
      </li>
      <li><a href="security.html">Security</a></li>
      <li>
        <a href="config.html">Configuration</a>
        <ul class="level2">
          <li><a href="ServGeneral_Help.html">Server General</a></li>
          <li><a href="ServLog_Help.html">Server Log</a></li>
          <li><a href="ServTuning_Help.html">Server Tuning</a></li>
          <li><span class="current"><a href="ServSecurity_Help.html">Server Security</a></span></li>
          <li><a href="ExtApp_Help.html">External Apps</a></li>
          <ul class="level3">
            <li><a href="External_FCGI.html">Fast CGI App</a></li>
            <li><a href="External_FCGI_Auth.html">Fast CGI Authorizer</a></li>
            <li><a href="External_LSAPI.html">LSAPI App</a></li>
            <li><a href="External_Servlet.html">Servlet Engine</a></li>
            <li><a href="External_WS.html">Web Server</a></li>
            <li><a href="External_PL.html">Piped logger</a></li>
            <li><a href="External_LB.html">Load Balancer</a></li>
          </ul>
          <li><a href="ScriptHandler_Help.html">Script Handler</a></li>
          <li><a href="App_Server_Help.html">App Server Settings</a></li>
          <li><a href="Module_Help.html">Module Configuration</a></li>
          <li><a href="Listeners_General_Help.html">Listener General</a></li>
          <li><a href="Listeners_SSL_Help.html">Listener SSL</a></li>
          <li><a href="Templates_Help.html">Virtual Host Templates</a></li>
          <li><a href="VirtualHosts_Help.html">Virtual Host Basic</a></li>
          <li><a href="VHGeneral_Help.html">Virtual Host General</a></li>
          <li><a href="VHSecurity_Help.html">Virtual Host Security</a></li>
          <li><a href="VHSSL_Help.html">Virtual Host SSL</a></li>
          <li><a href="Rewrite_Help.html">Rewrite</a></li>
          <li><a href="Context_Help.html">Context</a></li>
          <ul class="level3">
            <li><a href="Static_Context.html">Static Context</a></li>
            <li><a href="Java_Web_App_Context.html">Java Web App Context</a></li>
            <li><a href="Servlet_Context.html">Servlet Context</a></li>
            <li><a href="FCGI_Context.html">Fast CGI Context</a></li>
            <li><a href="LSAPI_Context.html">LSAPI Context</a></li>
            <li><a href="Proxy_Context.html">Proxy Context</a></li>
            <li><a href="CGI_Context.html">CGI Context</a></li>
            <li><a href="LB_Context.html">Load Balancer Context</a></li>
            <li><a href="Redirect_Context.html">Redirect Context</a></li>
            <li><a href="App_Server_Context.html">App Server Context</a></li>
            <li><a href="Module_Context.html">Module Handler Context</a></li>
          </ul>
          <li><a href="VHWebSocket_Help.html">Web Socket Proxy</a></li>
        </ul>
      </li>
      <li><a href="webconsole.html">Web Console</a>
        <ul class="level2">
          <li><a href="AdminGeneral_Help.html">Admin Console General</a></li>
          <li><a href="AdminSecurity_Help.html">Admin Console Security</a></li>
          <li><a href="AdminListeners_General_Help.html">Admin Listener General</a></li>
          <li><a href="AdminListeners_SSL_Help.html">Admin Listener SSL</a></li>
        </ul>
      </li>
    </ul>
  </div>
</aside>
<article class="contentwrapper ls-col-3-5 clearfix"><div class="nav-bar ls-spacer-micro-top"><div class="prev">&#171; <a href="ServTuning_Help.html">Server Tuning</a></div><div class="center"><a href="config.html">Configuration</a></div><div class="next"><a href="ExtApp_Help.html">External Apps</a> &#187;</div></div>
<h1>Server Security</h1><h2 id="top">Table of Contents</h2><section class="toc"><section class="toc-row"><header>File Access</header><p>
<a href="#followSymbolLink">Follow Symbolic Link</a> | <a href="#checkSymbolLink">Check Symbolic Link</a> | <a href="#forceStrictOwnership">Force Strict Ownership Checking</a> | <a href="#requiredPermissionMask">Required Permission Mask</a> | <a href="#restrictedPermissionMask">Restricted Permission Mask</a> | <a href="#restrictedScriptPermissionMask">Script Restricted Permission Mask</a> | <a href="#restrictedDirPermissionMask">Script Directory Restricted Permission Mask</a></p></section>
<section class="toc-row"><header><a href="#perClientConnLimit">Per Client Throttling</a></header><p>
<a href="#staticReqPerSec">Static Requests/Second</a> | <a href="#dynReqPerSec">Dynamic Requests/Second</a> | <a href="#outBandwidth">Outbound Bandwidth</a> | <a href="#inBandwidth">Inbound Bandwidth</a> | <a href="#softLimit">Connection Soft Limit</a> | <a href="#hardLimit">Connection Hard Limit</a> | <a href="#blockBadReq">Block Bad Request</a> | <a href="#gracePeriod">Grace Period (sec)</a> | <a href="#banPeriod">Banned Period (sec)</a></p></section>
<section class="toc-row"><header><a href="#cgiResource">CGI Settings</a></header><p>
<a href="#cgidSock">CGI Daemon Socket</a> | <a href="#maxCGIInstances">Max CGI Instances</a> | <a href="#minUID">Minimum UID</a> | <a href="#minGID">Minimum GID</a> | <a href="#forceGID">Force GID</a> | <a href="#umask">umask</a> | <a href="#CGIPriority">CGI Priority</a> | <a href="#CPUSoftLimit">CPU Soft Limit</a> | <a href="#CPUHardLimit">CPU Hard Limit</a> | <a href="#memSoftLimit">Memory Soft Limit</a> | <a href="#memHardLimit">Memory Hard Limit</a> | <a href="#procSoftLimit">Process Soft Limit</a> | <a href="#procHardLimit">Process Hard Limit</a> | <a href="#cgroups">cgroups</a></p></section>
<section class="toc-row"><header><a href="#lsrecaptcha">reCaptcha Protection</a></header><p>
<a href="#enableRecaptcha">Enable reCAPTCHA</a> | <a href="#recaptchaSiteKey">Site Key</a> | <a href="#recaptchaSecretKey">Secret Key</a> | <a href="#recaptchaType">reCAPTCHA Type</a> | <a href="#recaptchaMaxTries">Max Tries</a> | <a href="#recaptchaAllowedRobotHits">Allowed Robot Hits</a> | <a href="#recaptchaBotWhiteList">Bot White List</a> | <a href="#recaptchaRegConnLimit">Connection Limit</a> | <a href="#recaptchaSslConnLimit">SSL Connection Limit</a></p></section>
<section class="toc-row"><header>Access Denied Directories</header><p>
<a href="#accessDenyDir">Access Denied Directories</a></p></section>
<section class="toc-row"><header><a href="#accessControl">Access Control</a></header><p>
<a href="#accessControl_allow">Allowed List</a> | <a href="#accessControl_deny">Denied List</a></p></section>
</section>
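<section><div class="helpitem"><article class="ls-helpitem"><div><header id="followSymbolLink"><h3>Follow Symbolic Link<span class="ls-permlink"><a href="#followSymbolLink"></a></span><span class="top"><a href="#top">&#8657;</a></span></h3></header></div><h4>Description</h4><p>Specifies the server-level default setting for following symbolic links when serving static files.<br/><br/> The choices are <span class="val">Yes</span>, <span class="val">If Owner Match</span> and <span class="val">No</span>.<br/><br/> <span class="val">Yes</span> sets the server to always follow symbolic links. <span class="val">If Owner Match</span> sets the server to follow a symbolic link only if the owner of the link and the owner of the target are the same. <span class="val">No</span> means the server will never follow a symbolic link. This setting can be overridden in the virtual host configuration but cannot be overridden from an .htaccess file.</p> <h4>Syntax</h4><p>Selection</p> <h4>Tips</h4><p>[Performance &amp; Security] For best security, select <span class="val">No</span> or <span class="val">If Owner Match</span>. For best performance, select <span class="val">Yes</span>.</p> <h4>See Also</h4><p class="ls-text-small"><span class="tagl"><a href="#checkSymbolLink">Check Symbolic Link</a></span>.</p> </article> </div>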
<div class="helpitem"><article class="ls-helpitem"><div><header id="checkSymbolLink"><h3>Check Symbolic Link<span class="ls-permlink"><a href="#checkSymbolLink"></a></span><span class="top"><a href="#top">&#8657;</a></span></h3></header></div><h4>Description</h4><p>Specifies whether to check symbolic links against <span class="tagl"><a href="#accessDenyDir">Access Denied Directories</a></span> when <span class="tagl"><a href="#followSymbolLink">Follow Symbolic Link</a></span> is turned on. If the check is enabled, the real path of the resource that a URL refers to is checked against the configured access denied directories. If it is inside an access denied directory, access is denied.</p> <h4>Syntax</h4><p>Boolean</p> <h4>Tips</h4><p>[Performance &amp; Security] For best security, enable this option. For best performance, disable it.</p> <h4>See Also</h4><p class="ls-text-small"><span class="tagl"><a href="#followSymbolLink">Follow Symbolic Link</a></span>, <span class="tagl"><a href="#accessDenyDir">Access Denied Directories</a></span></p> </article> </div>
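<div class="helpitem"><article class="ls-helpitem"><div><header id="forceStrictOwnership"><h3>Force Strict Ownership Checking<span class="ls-permlink"><a href="#forceStrictOwnership"></a></span><span class="top"><a href="#top">&#8657;</a></span></h3></header></div><h4>Description</h4><p>Specifies whether to enforce strict file ownership checking. If enabled, the web server checks whether the owner of the file being served is the same as the owner of the virtual host. If they differ, a 403 Access Denied error is returned. This feature is turned off by default.</p> <h4>Syntax</h4><p>Boolean</p> <h4>Tips</h4><p>[Security] For shared hosting, enable this check for better security.</p> </article> </div>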
<div class="helpitem"><article class="ls-helpitem"><div><header id="requiredPermissionMask"><h3>Required Permission Mask<span class="ls-permlink"><a href="#requiredPermissionMask"></a></span><span class="top"><a href="#top">&#8657;</a></span></h3></header></div><h4>Description</h4><p>Specifies the required permission mask for static files. For example, if only files that are readable by everyone may be served, set the value to <span class="val">0004</span>. See <span class="cmd">man 2 stat</span> for all values.</p> <h4>Syntax</h4><p>Octal number</p> <h4>See Also</h4><p class="ls-text-small"><span class="tagl"><a href="#restrictedPermissionMask">Restricted Permission Mask</a></span>.</p> </article> </div>
<div class="helpitem"><article class="ls-helpitem"><div><header id="restrictedPermissionMask"><h3>Restricted Permission Mask<span class="ls-permlink"><a href="#restrictedPermissionMask"></a></span><span class="top"><a href="#top">&#8657;</a></span></h3></header></div><h4>Description</h4><p>Specifies the restricted permission mask for static files that the server will not serve. For example, to prohibit serving executable files, set the mask to <span class="val">0111</span>.<br/><br/> See <span class="cmd">man 2 stat</span> for all values.</p> <h4>Syntax</h4><p>Octal number</p> <h4>See Also</h4><p class="ls-text-small"><span class="tagl"><a href="#requiredPermissionMask">Required Permission Mask</a></span>.</p> </article> </div>
<div class="helpitem"><article class="ls-helpitem"><div><header id="restrictedScriptPermissionMask"><h3>Script Restricted Permission Mask<span class="ls-permlink"><a href="#restrictedScriptPermissionMask"></a></span><span class="top"><a href="#top">&#8657;</a></span></h3></header></div><h4>Description</h4><p>Specifies the restricted permission mask for script files that the server will not serve. For example, to prohibit serving PHP scripts that are group and world writable, set the mask to <span class="val">022</span>. The default value is <span class="val">000</span>.<br/><br/> See <span class="cmd">man 2 stat</span> for all values.</p> <h4>Syntax</h4><p>Octal number</p> <h4>See Also</h4><p class="ls-text-small"><span class="tagl"><a href="#restrictedDirPermissionMask">Script Directory Restricted Permission Mask</a></span>.</p> </article> </div>
<div class="helpitem"><article class="ls-helpitem"><div><header id="restrictedDirPermissionMask"><h3>Script Directory Restricted Permission Mask<span class="ls-permlink"><a href="#restrictedDirPermissionMask"></a></span><span class="top"><a href="#top">&#8657;</a></span></h3></header></div><h4>Description</h4><p>Specifies the restricted permission mask for parent directories of script files that the server will not serve. For example, to prohibit serving PHP scripts in a directory that is group and world writable, set the mask to <span class="val">022</span>. The default value is <span class="val">000</span>. This option can be used to prevent execution of scripts inside a file upload directory.<br/><br/> See <span class="cmd">man 2 stat</span> for all values.</p> <h4>Syntax</h4><p>Octal number</p> <h4>See Also</h4><p class="ls-text-small"><span class="tagl"><a href="#restrictedScriptPermissionMask">Script Restricted Permission Mask</a></span>.</p> </article> </div>
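<p>The four permission masks above can be checked against a document root before they are turned on. The following is an added example, not code from OpenLiteSpeed: it assumes that every bit of the required mask must be set, that any bit of a restricted mask causes refusal, that only the immediate parent directory of a script is checked, and that <code>.php</code> files are the scripts; the function names and the sample tree are constructed for illustration.</p>

```python
import os
import stat
import tempfile

# Mask values are the examples given in the four mask settings above.
REQUIRED_MASK = 0o004           # static files must be world-readable
RESTRICTED_MASK = 0o111         # static files must not be executable
SCRIPT_RESTRICTED_MASK = 0o022  # scripts must not be group/world writable
DIR_RESTRICTED_MASK = 0o022     # nor may the directory that holds them
SCRIPT_SUFFIXES = (".php",)     # assumption: which files count as scripts


def refusal_reasons(path):
    """Return the mask rules that `path` violates (empty list = servable)."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    reasons = []
    if path.endswith(SCRIPT_SUFFIXES):
        hit = mode & SCRIPT_RESTRICTED_MASK
        if hit:
            reasons.append("script has restricted bits %03o" % hit)
        parent_dir = os.path.dirname(os.path.abspath(path))
        parent_hit = stat.S_IMODE(os.stat(parent_dir).st_mode) & DIR_RESTRICTED_MASK
        if parent_hit:
            reasons.append("parent directory has restricted bits %03o" % parent_hit)
    else:
        if (mode & REQUIRED_MASK) != REQUIRED_MASK:
            reasons.append("missing required bits %04o" % (REQUIRED_MASK & ~mode))
        hit = mode & RESTRICTED_MASK
        if hit:
            reasons.append("static file has restricted bits %04o" % hit)
    return reasons


def audit(docroot):
    """Map each file under docroot that would be refused to its reasons."""
    findings = {}
    for dirpath, _dirs, files in os.walk(docroot):
        for name in files:
            full = os.path.join(dirpath, name)
            reasons = refusal_reasons(full)
            if reasons:
                findings[os.path.relpath(full, docroot)] = reasons
    return findings


def build_sample_tree(root):
    """Create a constructed document root with one file per rule."""
    layout = {
        "index.html": 0o644,   # servable static file
        "secret.txt": 0o640,   # not world-readable
        "tool.bin": 0o755,     # executable static file
        "app.php": 0o644,      # servable script
        "loose.php": 0o666,    # group/world-writable script
        os.path.join("uploads", "uploaded.php"): 0o644,  # script in open dir
    }
    os.mkdir(os.path.join(root, "uploads"))
    for rel, mode in layout.items():
        full = os.path.join(root, rel)
        with open(full, "w") as fh:
            fh.write("constructed sample\n")
        os.chmod(full, mode)  # explicit chmod so the umask does not interfere
    os.chmod(os.path.join(root, "uploads"), 0o777)


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        for rel, reasons in sorted(audit(root).items()):
            print(rel, "->", "; ".join(reasons))
```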
<div class="helpitem"><article class="ls-helpitem"><div><header id="perClientConnLimit"><h3>Per Client Throttling<span class="ls-permlink"><a href="#perClientConnLimit"></a></span><span class="top"><a href="#top">&#8657;</a></span></h3></header></div><h4>Description</h4><p>These connection control settings are based on client IP. These settings help to mitigate DoS (Denial of Service) and DDoS (Distributed Denial of Service) attacks.</p> </article> </div>
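<div class="helpitem"><article class="ls-helpitem"><div><header id="staticReqPerSec"><h3>Static Requests/Second<span class="ls-permlink"><a href="#staticReqPerSec"></a></span><span class="top"><a href="#top">&#8657;</a></span></h3></header></div><h4>Description</h4><p>Specifies the number of requests for static content coming from a single IP address that can be processed in each second, regardless of the number of connections established with that IP.<br/><br/> When this limit is reached, all further requests are tar-pitted until the next second. The request limit for dynamic content is independent of this limit. Per-client request limits can be set at the server or virtual host level. Virtual host-level settings override server-level settings.</p> <h4>Syntax</h4><p>Unsigned integer</p> <h4>Tips</h4><p>[Security] Trusted IPs or sub-networks are not affected.</p> <h4>See Also</h4><p class="ls-text-small"><span class="tagl"><a href="#dynReqPerSec">Dynamic Requests/Second</a></span></p> </article> </div>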
<div class="helpitem"><article class="ls-helpitem"><div><header id="dynReqPerSec"><h3>Dynamic Requests/Second<span class="ls-permlink"><a href="#dynReqPerSec"></a></span><span class="top"><a href="#top">&#8657;</a></span></h3></header></div><h4>Description</h4><p>Specifies the maximum number of requests to dynamically generated content coming from a single IP address that can be processed in each second regardless of the number of connections established. When this limit is reached, all future requests to dynamic content are tar-pitted until the next second.<br/><br/> The request limit for static content is independent of this limit. This per client request limit can be set at server or virtual host level. Virtual host-level settings override server-level settings.</p> <h4>Syntax</h4><p>Unsigned integer</p> <h4>Tips</h4><p><span title="Security" class="ls-icon-security"></span> Trusted IPs or sub-networks are not restrained by this limit.</p> <h4>See Also</h4><p class="ls-text-small"><span class="tagl"><a href="#staticReqPerSec">Static Requests/Second</a></span></p> </article> </div>
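<div class="helpitem"><article class="ls-helpitem"><div><header id="outBandwidth"><h3>Outbound Bandwidth<span class="ls-permlink"><a href="#outBandwidth"></a></span><span class="top"><a href="#top">&#8657;</a></span></h3></header></div><h4>Description</h4><p>Specifies the maximum allowed outgoing throughput to a single IP address, regardless of the number of connections established with that IP. For efficiency, the real bandwidth may end up slightly higher than the setting. Bandwidth is allocated in 4KB units. Set to <span class="val">0</span> to disable the limit. Per-client bandwidth limits (bytes/sec) can be set at the server or virtual host level. Virtual host-level settings override server-level settings.</p> <h4>Syntax</h4><p>Unsigned integer</p> <h4>Tips</h4><p>[Performance] Setting the bandwidth in 8KB units gives better performance.<br/> [Security] Trusted IPs or sub-networks are not affected.</p> <h4>See Also</h4><p class="ls-text-small"><span class="tagl"><a href="#inBandwidth">Inbound Bandwidth</a></span></p> </article> </div>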
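<div class="helpitem"><article class="ls-helpitem"><div><header id="inBandwidth"><h3>Inbound Bandwidth<span class="ls-permlink"><a href="#inBandwidth"></a></span><span class="top"><a href="#top">&#8657;</a></span></h3></header></div><h4>Description</h4><p>Specifies the maximum allowed incoming throughput from a single IP address, regardless of the number of connections established with that IP. For efficiency, the real bandwidth may end up slightly higher than the setting. Bandwidth is allocated in 1KB units. Set to <span class="val">0</span> to disable the limit. Per-client bandwidth limits (bytes/sec) can be set at the server or virtual host level. Virtual host-level settings override server-level settings.</p> <h4>Syntax</h4><p>Unsigned integer</p> <h4>Tips</h4><p>[Security] Trusted IPs or sub-networks are not affected.</p> <h4>See Also</h4><p class="ls-text-small"><span class="tagl"><a href="#outBandwidth">Outbound Bandwidth</a></span></p> </article> </div>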
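<div class="helpitem"><article class="ls-helpitem"><div><header id="softLimit"><h3>Connection Soft Limit<span class="ls-permlink"><a href="#softLimit"></a></span><span class="top"><a href="#top">&#8657;</a></span></h3></header></div><h4>Description</h4><p>Specifies the soft limit of concurrent connections allowed from a single IP. While the number of concurrent connections is below the <span class="tagl"><a href="#hardLimit">Connection Hard Limit</a></span>, this soft limit can be exceeded temporarily during the <span class="tagl"><a href="#gracePeriod">Grace Period (sec)</a></span>, but Keep-Alive connections will be closed as soon as possible until the number of connections is below the soft limit. If the number of connections is still over the soft limit after the <span class="tagl"><a href="#gracePeriod">Grace Period (sec)</a></span>, that IP will be blocked for the <span class="tagl"><a href="#banPeriod">Banned Period (sec)</a></span>.<br/><br/> For example, if a page contains many small images, the browser may try to set up many connections at the same time, especially HTTP/1.0 clients. You should allow those connections for a short period.<br/><br/> HTTP/1.1 clients may also set up multiple connections to speed up downloading, and SSL requires connections separate from non-SSL connections. Make sure the limit is set properly so that normal service is not affected. The recommended limit is between <span class="val">5</span> and <span class="val">10</span>.</p> <h4>Syntax</h4><p>Unsigned integer</p> <h4>Tips</h4><p>[Security] A lower number will enable the server to serve more distinct clients.<br/> [Security] Trusted IPs or sub-networks are not affected.<br/> [Performance] Set a high value when you are running performance tests with a large number of concurrent clients.</p> </article> </div>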
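<div class="helpitem"><article class="ls-helpitem"><div><header id="hardLimit"><h3>Connection Hard Limit<span class="ls-permlink"><a href="#hardLimit"></a></span><span class="top"><a href="#top">&#8657;</a></span></h3></header></div><h4>Description</h4><p>Specifies the hard limit of concurrent connections allowed from a single IP. This limit is always enforced and a client will never be able to exceed it. HTTP/1.0 clients usually try to set up as many connections as they can, because they need to download embedded content at the same time. This limit should be set high enough that HTTP/1.0 clients can still access the site. Use <span class="tagl"><a href="#softLimit">Connection Soft Limit</a></span> to set the desired connection limit.<br/><br/> The recommended limit is between <span class="val">20</span> and <span class="val">50</span>, depending on the content of your web pages and your traffic load.</p> <h4>Syntax</h4><p>Unsigned integer</p> <h4>Tips</h4><p>[Security] A lower number will enable the server to serve more distinct clients.<br/> [Security] Trusted IPs or sub-networks are not affected.<br/> [Performance] Set a high value when you are running benchmark tests with a large number of concurrent clients.</p> </article> </div>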
<div class="helpitem"><article class="ls-helpitem"><div><header id="blockBadReq"><h3>Block Bad Request<span class="ls-permlink"><a href="#blockBadReq"></a></span><span class="top"><a href="#top">&#8657;</a></span></h3></header></div><h4>Description</h4><p>Blocks IPs that keep sending bad HTTP requests for the <span class="tagl"><a href="#banPeriod">Banned Period (sec)</a></span>. The default is <span class="val">Yes</span>. This helps to block botnet attacks that repeatedly send junk requests.</p> <h4>Syntax</h4><p>Boolean</p> </article> </div>
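<div class="helpitem"><article class="ls-helpitem"><div><header id="gracePeriod"><h3>Grace Period (sec)<span class="ls-permlink"><a href="#gracePeriod"></a></span><span class="top"><a href="#top">&#8657;</a></span></h3></header></div><h4>Description</h4><p>Specifies how long new connections can continue to be accepted after the number of connections from one IP goes over the <span class="tagl"><a href="#softLimit">Connection Soft Limit</a></span>. Within this period, new connections will be accepted as long as the total number of connections is still below the <span class="tagl"><a href="#hardLimit">Connection Hard Limit</a></span>. After this period, if the number of connections is still higher than the <span class="tagl"><a href="#softLimit">Connection Soft Limit</a></span>, that IP will be blocked for the <span class="tagl"><a href="#banPeriod">Banned Period (sec)</a></span>.</p> <h4>Syntax</h4><p>Unsigned integer</p> <h4>Tips</h4><p>[Performance &amp; Security] Set this to a value large enough for a complete web page to download, but low enough to guard against deliberate attacks.</p> </article> </div>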
<div class="helpitem"><article class="ls-helpitem"><div><header id="banPeriod"><h3>Banned Period (sec)<span class="ls-permlink"><a href="#banPeriod"></a></span><span class="top"><a href="#top">&#8657;</a></span></h3></header></div><h4>Description</h4><p>Specifies how long new connections from an IP will be rejected if, after the <span class="tagl"><a href="#gracePeriod">Grace Period (sec)</a></span>, the number of connections is still higher than the <span class="tagl"><a href="#softLimit">Connection Soft Limit</a></span>. If IPs are being banned frequently, we suggest that you lengthen the banned period to penalize abuse more strictly.</p> <h4>Syntax</h4><p>Unsigned integer</p> </article> </div>
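<p>To see how Connection Soft Limit, Connection Hard Limit, Grace Period (sec) and Banned Period (sec) interact for one client IP, the following added example models the admission rule as these sections describe it. It is a simplified model written for this page, not OpenLiteSpeed code: limits are evaluated only when a new connection arrives, and the class name, result strings, and the grace and ban values in the scenarios are assumptions.</p>

```python
class ClientThrottle:
    """Admission decisions for new connections from one client IP (model)."""

    def __init__(self, soft, hard, grace, ban):
        self.soft, self.hard = soft, hard    # concurrent connection limits
        self.grace, self.ban = grace, ban    # both in seconds
        self.conns = 0                       # connections currently open
        self.over_since = None               # when the soft limit was first exceeded
        self.banned_until = None             # end of the current ban, if any

    def connect(self, now):
        # An active ban rejects everything until it expires.
        if self.banned_until is not None:
            if now < self.banned_until:
                return "banned"
            self.banned_until = None
        # Still above the soft limit after the grace period: start a ban.
        if self.over_since is not None and now - self.over_since > self.grace:
            self.banned_until = now + self.ban
            return "banned"
        # The hard limit is never exceeded, even inside the grace period.
        if self.conns >= self.hard:
            return "refused-hard-limit"
        self.conns += 1
        if self.conns > self.soft:
            if self.over_since is None:
                self.over_since = now        # the grace period starts here
            return "accepted-over-soft"
        return "accepted"

    def close(self, now):
        if self.conns > 0:
            self.conns -= 1
        # Dropping back to the soft limit or below ends the grace period.
        if self.conns <= self.soft:
            self.over_since = None


def replay(throttle, events):
    """Apply (time, 'open' | 'close') events; return the result of each open."""
    results = []
    for when, action in events:
        if action == "open":
            results.append(throttle.connect(when))
        else:
            throttle.close(when)
    return results


def browser_scenario():
    """A browser bursts to 8 connections, then drops back under the soft limit."""
    t = ClientThrottle(soft=5, hard=20, grace=15, ban=60)
    events = [(0, "open")] * 8 + [(2, "close")] * 4 + [(30, "open")]
    return replay(t, events)


def flood_scenario():
    """A client opens 25 connections and holds them past the grace period."""
    t = ClientThrottle(soft=5, hard=20, grace=15, ban=60)
    events = ([(0, "open")] * 25 + [(20, "open")] + [(30, "close")] * 20
              + [(50, "open"), (81, "open")])
    return replay(t, events)


if __name__ == "__main__":
    print("browser:", browser_scenario())
    print("flood:  ", flood_scenario())
```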
<div class="helpitem"><article class="ls-helpitem"><div><header id="cgiResource"><h3>CGI Settings<span class="ls-permlink"><a href="#cgiResource"></a></span><span class="top"><a href="#top">&#8657;</a></span></h3></header></div><h4>Description</h4><p>The following settings control CGI processes. Memory and process limits also serve as the default for other external applications if limits have not been set explicitly for those applications.</p> </article> </div>
<div class="helpitem"><article class="ls-helpitem"><div><header id="cgidSock"><h3>CGI Daemon Socket<span class="ls-permlink"><a href="#cgidSock"></a></span><span class="top"><a href="#top">&#8657;</a></span></h3></header></div><h4>Description</h4><p>A unique socket address used to communicate with the CGI daemon. For best performance and security, LiteSpeed server uses a standalone CGI daemon to spawn child processes for CGI scripts. The default socket is "uds://$SERVER_ROOT/admin/conf/.cgid.sock". If you need to put it in another location, specify a Unix domain socket here.</p> <h4>Syntax</h4><p>UDS://path</p> <h4>Example</h4><div class="ls-example">For example, UDS://tmp/lshttpd/cgid.sock</div></article> </div>
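<div class="helpitem"><article class="ls-helpitem"><div><header id="maxCGIInstances"><h3>Max CGI Instances<span class="ls-permlink"><a href="#maxCGIInstances"></a></span><span class="top"><a href="#top">&#8657;</a></span></h3></header></div><h4>Description</h4><p>Specifies the maximum number of concurrent CGI processes the server can start. For each request to a CGI script, the server needs to start a standalone CGI process. On a Unix system, the number of concurrent processes is limited. Too many concurrent processes degrade the performance of the whole system and are also one way to carry out a denial-of-service attack. LiteSpeed server pipelines requests to CGI scripts and limits the number of concurrent CGI processes to ensure optimal performance and reliability. The hard limit is <span class="val">2000</span>.</p> <h4>Syntax</h4><p>Unsigned integer</p> <h4>Tips</h4><p>[Security &amp; Performance] A higher number does not necessarily translate to faster performance. In most cases, a lower number gives better performance and security. A higher number only helps when read/write latency during CGI processing is excessive.</p> </article> </div>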
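<div class="helpitem"><article class="ls-helpitem"><div><header id="minUID"><h3>Minimum UID<span class="ls-permlink"><a href="#minUID"></a></span><span class="top"><a href="#top">&#8657;</a></span></h3></header></div><h4>Description</h4><p>Specifies the minimum user ID for external applications. If the user ID is lower than the value specified here, execution of its external scripts will be denied. If the LiteSpeed web server is started by the "root" user, it can run external applications in "suEXEC" mode, as Apache does (it can switch to a user/group ID different from that of the web server).</p> <h4>Syntax</h4><p>Unsigned integer</p> <h4>Tips</h4><p>[Security] Set a value high enough to exclude all system/privileged users.</p> </article> </div>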
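<div class="helpitem"><article class="ls-helpitem"><div><header id="minGID"><h3>Minimum GID<span class="ls-permlink"><a href="#minGID"></a></span><span class="top"><a href="#top">&#8657;</a></span></h3></header></div><h4>Description</h4><p>Specifies the minimum group ID for external applications. If the group ID is lower than the value specified here, execution of its external scripts will be denied. If the LiteSpeed web server is started by the "root" user, it can run external applications in "suEXEC" mode, as Apache does (it can switch to a user/group ID different from that of the web server).</p> <h4>Syntax</h4><p>Unsigned integer</p> <h4>Tips</h4><p>[Security] Set a value high enough to exclude all groups that system users belong to.</p> </article> </div>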
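<div class="helpitem"><article class="ls-helpitem"><div><header id="forceGID"><h3>Force GID<span class="ls-permlink"><a href="#forceGID"></a></span><span class="top"><a href="#top">&#8657;</a></span></h3></header></div><h4>Description</h4><p>Specifies a group ID to be used for all external applications started in suEXEC mode. When set to a non-zero value, all suEXEC external applications (CGI, FastCGI, LSAPI) will use this group ID. This can be used to prevent an external application from accessing files owned by other users.<br/><br/> For example, in a shared hosting environment, LiteSpeed runs as user "www-data", group "www-data". Each document root is owned by a user account, with group "www-data" and permission mode 0750. If Force GID is set to "nogroup" (or any group other than "www-data"), all suEXEC external applications will run as a particular user but in the group "nogroup". These external application processes will still be able to access files owned by that user (because of their user ID), but will have no group permission to access anyone else's files. The server, on the other hand, can still serve files under any user's document root (because of its group ID).</p> <h4>Syntax</h4><p>Unsigned integer</p> <h4>Tips</h4><p>[Security] Set a value high enough to exclude all groups that system users belong to.</p> </article> </div>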
<div class="helpitem"><article class="ls-helpitem"><div><header id="umask"><h3>umask<span class="ls-permlink"><a href="#umask"></a></span><span class="top"><a href="#top">&#8657;</a></span></h3></header></div><h4>Description</h4><p>Sets the default umask for CGI processes. See <span class="cmd">man 2 umask</span> for details. This also serves as the default value for the external application <span class="tagl"><a href="ExtApp_Help.html#extUmask">umask</a></span>.</p> <h4>Syntax</h4><p>Valid values range from [000] to [777].</p> <h4>See Also</h4><p class="ls-text-small">ExtApp <span class="tagl"><a href="ExtApp_Help.html#extUmask">umask</a></span></p> </article> </div>
<div class="helpitem"><article class="ls-helpitem"><div><header id="CGIPriority"><h3>CGI Priority<span class="ls-permlink"><a href="#CGIPriority"></a></span><span class="top"><a href="#top">&#8657;</a></span></h3></header></div><h4>Description</h4><p>Specifies the priority of external application processes. The value ranges from <span class="val">-20</span> to <span class="val">20</span>. A lower number means a higher priority.<br/><br/> A CGI process cannot have a higher priority than the web server. If this priority is set to a lower number than the server's, the server's priority will be used instead.</p> <h4>Syntax</h4><p>Integer</p> <h4>See Also</h4><p class="ls-text-small">Server <span class="tagl"><a href="ServGeneral_Help.html#serverPriority">Priority</a></span></p> </article> </div>
<div class="helpitem"><article class="ls-helpitem"><div><header id="CPUSoftLimit"><h3>CPU Soft Limit<span class="ls-permlink"><a href="#CPUSoftLimit"></a></span><span class="top"><a href="#top">&#8657;</a></span></h3></header></div><h4>Description</h4><p>Specifies the CPU consumption time limit, in seconds, for a CGI process. When the process reaches the soft limit, it will be notified by a signal. If the limit is not set, or is set to <span class="val">0</span>, the operating system's default setting will be used.</p> <h4>Syntax</h4><p>Unsigned integer</p> </article> </div>
<div class="helpitem"><article class="ls-helpitem"><div><header id="CPUHardLimit"><h3>CPU Hard Limit<span class="ls-permlink"><a href="#CPUHardLimit"></a></span><span class="top"><a href="#top">&#8657;</a></span></h3></header></div><h4>Description</h4><p>Specifies the CPU consumption time limit, in seconds, for a CGI process. If the process continues to consume CPU time and reaches the hard limit, it will be force killed. If the limit is not set, or is set to <span class="val">0</span>, the operating system's default setting will be used.</p> <h4>Syntax</h4><p>Unsigned integer</p> </article> </div>
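<div class="helpitem"><article class="ls-helpitem"><div><header id="memSoftLimit"><h3>Memory Soft Limit<span class="ls-permlink"><a href="#memSoftLimit"></a></span><span class="top"><a href="#top">&#8657;</a></span></h3></header></div><h4>Description</h4><p>Specifies the memory consumption limit, in bytes, for an external application process or a program started by the server.<br/><br/> The main purpose of this limit is to prevent excessive memory usage caused by software bugs or deliberate attacks, not to restrict normal usage. Make sure to leave enough memory, otherwise your application may fail and return a 503 error. The limit can be set at the server level or at the individual external application level. If the limit is not set at the individual external application level, the server-level limit will be used.<br/><br/> If the limit is not set at either level, or is set to <span class="val">0</span>, the operating system's default setting will be used.</p> <h4>Syntax</h4><p>Unsigned integer</p> <h4>Tips</h4><p>[Attention] Do not over adjust this limit. This may result in 503 errors if your application needs more memory.</p> </article> </div>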
<div class="helpitem"><article class="ls-helpitem"><div><header id="memHardLimit"><h3>Memory Hard Limit<span class="ls-permlink"><a href="#memHardLimit"></a></span><span class="top"><a href="#top">&#8657;</a></span></h3></header></div><h4>Description</h4><p>Much the same as <span class="tagl"><a href="#memSoftLimit">Memory Soft Limit</a></span>, except that within a user process the soft limit can be raised up to the hard limit. The hard limit can be set at the server level or at the individual external application level. If the limit is not set at the individual external application level, the server-level limit will be used.<br/><br/> If the limit is not set at either level, or is set to <span class="val">0</span>, the operating system's default setting will be used.</p> <h4>Syntax</h4><p>Unsigned integer</p> <h4>Tips</h4><p><span title="Attention" class="ls-icon-attention"></span> Do not over adjust this limit. This may result in 503 errors if your application needs more memory.</p> </article> </div>
<div class="helpitem"><article class="ls-helpitem"><div><header id="procSoftLimit"><h3>Process Soft Limit<span class="ls-permlink"><a href="#procSoftLimit"></a></span><span class="top"><a href="#top">&#8657;</a></span></h3></header></div><h4>Description</h4><p>Limits the total number of processes that can be created by one user. All existing processes are counted against this limit, not just newly started processes. If the limit is set to <span class="val">10</span> and there are more than 10 processes running under one user, the web server will not start any new processes for that user (through suEXEC).<br/><br/> The main purpose of this limit is to guard against "fork bomb" attacks or excessive usage, not to restrict normal usage (if the limit is set too low, it will be ignored by the server). Make sure to leave enough headroom. This can be set at the server level or at the individual external application level. If the limit is not set at the individual external application level, the server-level limit will be used. If the limit is not set at either level, or is set to <span class="val">0</span>, the operating system's default setting will be used.</p> <h4>Syntax</h4><p>Unsigned integer</p> <h4>Tips</h4><p><span title="Information" class="ls-icon-info"></span> PHP scripts can call for forking processes. The main purpose of this limit is as a last line of defense to prevent fork bombs and other attacks caused by PHP processes creating other processes.<br/><br/> Setting this setting too low can severely hurt functionality. The setting will thus be ignored below certain levels.<br/><br/> When <b>Run On Start Up</b> is set to "Yes (Daemon mode)", the actual process limit will be higher than this setting to make sure parent processes are not limited.</p> </article> </div>
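<div class="helpitem"><article class="ls-helpitem"><div><header id="procHardLimit"><h3>Process Hard Limit<span class="ls-permlink"><a href="#procHardLimit"></a></span><span class="top"><a href="#top">&#8657;</a></span></h3></header></div><h4>Description</h4><p>Much the same as <span class="tagl"><a href="#procSoftLimit">Process Soft Limit</a></span>, except that within a user process the soft limit can be raised up to the hard limit. The hard limit can be set at the server level or at the individual external application level. If the limit is not set at the individual external application level, the server-level limit will be used. If the limit is not set at either level, or is set to <span class="val">0</span>, the operating system's default setting will be used.</p> <h4>Syntax</h4><p>Unsigned integer</p> </article> </div>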
<div class="helpitem"><article class="ls-helpitem"><div><header id="cgroups"><h3>cgroups<span class="ls-permlink"><a href="#cgroups"></a></span><span class="top"><a href="#top">&#8657;</a></span></h3></header></div><h4>Description</h4><p>Apply cgroup settings to this CGI process if supported by the current OS. At this time, RedHat/Centos Linux v7.5+ and Ubuntu 18.04+ are supported. The currently executing user will be used to determine which cgroup configuration to apply.<br/><br/> Setting this to <span class="val">Disabled</span> at the Server level will disable this setting server-wide. In all other cases, the Server level setting can be overridden at the Virtual Host level.<br/><br/> Default values:<br/> <b>Server level:</b> Off<br/> <b>VH level:</b> Inherit Server level setting</p> <h4>Syntax</h4><p>Select from drop down list</p> </article> </div>
<div class="helpitem"><article class="ls-helpitem"><div><header id="lsrecaptcha"><h3>reCaptcha Protection<span class="ls-permlink"><a href="#lsrecaptcha"></a></span><span class="top"><a href="#top">&#8657;</a></span></h3></header></div><h4>Description</h4><p>reCaptcha Protection is a service provided as a way to mitigate heavy server load. reCaptcha Protection will activate after one of the below situations is hit. Once active, all requests by NON TRUSTED (as configured) clients will be redirected to a reCAPTCHA validation page. After validation, the client will be redirected to their desired page.<br/><br/> The following situations will activate reCaptcha Protection:<br/> 1. The server or vhost concurrent requests count passes the configured connection limit.<br/> 2. Anti-DDoS is enabled and a client is hitting a URL in a suspicious manner. The client will redirect to reCAPTCHA first instead of getting denied when triggered.<br/> 3. WP Brute Force protection is enabled and action is set to 'Captcha or Drop'. When a brute force attack is detected, the client will redirect to reCAPTCHA first. After max tries is reached, the connection will be dropped, as per the 'drop' option.<br/> 4. A new rewrite rule environment is provided to activate reCAPTCHA via RewriteRules. 'verifycaptcha' can be set to redirect clients to reCAPTCHA. A special value ': deny' can be set to deny the client if it failed too many times. For example, [E=verifycaptcha] will always redirect to reCAPTCHA until verified. [E=verifycaptcha: deny] will redirect to reCAPTCHA until Max Tries is hit, after which the client will be denied.</p> </article> </div>
<div class="helpitem"><article class="ls-helpitem"><div><header id="enableRecaptcha"><h3>Enable reCAPTCHA<span class="ls-permlink"><a href="#enableRecaptcha"></a></span><span class="top"><a href="#top">&#8657;</a></span></h3></header></div><h4>Description</h4><p>Enable the reCaptcha Protection feature at the current level. This setting must be set to <span class="val">Yes</span> at the Server level before the reCaptcha Protection feature can be used.<br/><br/> Default values:<br/> <b>Server-level:</b> Yes<br/> <b>VH-Level:</b> Inherit Server level setting</p> <h4>Syntax</h4><p>Select from radio box</p> </article> </div>
<div class="helpitem"><article class="ls-helpitem"><div><header id="recaptchaSiteKey"><h3>Site Key<span class="ls-permlink"><a href="#recaptchaSiteKey"></a></span><span class="top"><a href="#top">&#8657;</a></span></h3></header></div><h4>Description</h4><p>The site key is the public key provided by Google via its reCAPTCHA service. A default Site Key will be used if not set.</p> </article> </div>
<div class="helpitem"><article class="ls-helpitem"><div><header id="recaptchaSecretKey"><h3>Secret Key<span class="ls-permlink"><a href="#recaptchaSecretKey"></a></span><span class="top"><a href="#top">&#8657;</a></span></h3></header></div><h4>Description</h4><p>The secret key is the private key provided by Google via its reCAPTCHA service. A default Secret Key will be used if not set.</p> </article> </div>
<div class="helpitem"><article class="ls-helpitem"><div><header id="recaptchaType"><h3>reCAPTCHA Type<span class="ls-permlink"><a href="#recaptchaType"></a></span><span class="top"><a href="#top">&#8657;</a></span></h3></header></div><h4>Description</h4><p>Specify the reCAPTCHA type to use with the key pairs. If a key pair has not been provided and this setting is set to <span class="val">Not Set</span>, a default key pair of type <span class="val">Invisible</span> will be used.<br/> <span class="val">Checkbox</span> will display a checkbox reCAPTCHA for the visitor to validate.<br/> <span class="val">Invisible</span> will attempt to validate the reCAPTCHA automatically and if successful, will redirect to the desired page.<br/><br/> Default value is <span class="val">Invisible</span>.</p> <h4>Syntax</h4><p>Select from drop down list</p> </article> </div>
<div class="helpitem"><article class="ls-helpitem"><div><header id="recaptchaMaxTries"><h3>Max Tries<span class="ls-permlink"><a href="#recaptchaMaxTries"></a></span><span class="top"><a href="#top">&#8657;</a></span></h3></header></div><h4>Description</h4><p>Max Tries specifies the maximum number of reCAPTCHA attempts permitted before denying the visitor.<br/><br/> Default value is <span class="val">3</span>.</p> <h4>Syntax</h4><p>Unsigned integer</p> </article> </div>
<div class="helpitem"><article class="ls-helpitem"><div><header id="recaptchaAllowedRobotHits"><h3>Allowed Robot Hits<span class="ls-permlink"><a href="#recaptchaAllowedRobotHits"></a></span><span class="top"><a href="#top">&#8657;</a></span></h3></header></div><h4>Description</h4><p>Number of hits per 10 seconds to allow ‘good bots’ to pass. Bots will still be throttled when the server is under load.<br/><br/> Default value is <span class="val">3</span>.</p> <h4>Syntax</h4><p>无符号整数</p> </article> </div>
<div class="helpitem"><article class="ls-helpitem"><div><header id="recaptchaBotWhiteList"><h3>Bot White List<span class="ls-permlink"><a href="#recaptchaBotWhiteList"></a></span><span class="top"><a href="#top">&#8657;</a></span></h3></header></div><h4>Description</h4><p>List of custom user agents to allow access. Will be subject to the ‘good bots’ limitations, including allowedRobotHits.</p> <h4>Syntax</h4><p>List of user agents, one per line. Regex is supported.</p> </article> </div>
<div class="helpitem"><article class="ls-helpitem"><div><header id="recaptchaRegConnLimit"><h3>Connection Limit<span class="ls-permlink"><a href="#recaptchaRegConnLimit"></a></span><span class="top"><a href="#top">&#8657;</a></span></h3></header></div><h4>Description</h4><p>The number of concurrent connections (SSL &amp; non-SSL) needed to activate reCAPTCHA. reCAPTCHA will be used until concurrent connections drop below this number.<br/><br/> Default value is <span class="val">15000</span>.</p> <h4>Syntax</h4><p>Unsigned integer</p> </article> </div>
<div class="helpitem"><article class="ls-helpitem"><div><header id="recaptchaSslConnLimit"><h3>SSL Connection Limit<span class="ls-permlink"><a href="#recaptchaSslConnLimit"></a></span><span class="top"><a href="#top">&#8657;</a></span></h3></header></div><h4>Description</h4><p>The number of concurrent SSL connections needed to activate reCAPTCHA. reCAPTCHA will be used until concurrent connections drop below this number.<br/><br/> Default value is <span class="val">10000</span>.</p> <h4>Syntax</h4><p>Unsigned integer</p> </article> </div>
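<div class="helpitem"><article class="ls-helpitem"><div><header id="accessDenyDir"><h3>Access Denied Directories<span class="ls-permlink"><a href="#accessDenyDir"></a></span><span class="top"><a href="#top">&#8657;</a></span></h3></header></div><h4>Description</h4><p>Specifies directories to which access should be denied. Add directories that contain sensitive data to this list to prevent accidentally exposing sensitive files to clients. Append a "*" to the path to include all sub-directories. If both <span class="tagl"><a href="#followSymbolLink">Follow Symbolic Link</a></span> and <span class="tagl"><a href="#checkSymbolLink">Check Symbolic Link</a></span> are enabled, symbolic links are also checked against the denied directories.</p> <h4>Syntax</h4><p>Comma-delimited list of directories</p> <h4>Tips</h4><p>[Security] Of critical importance: this setting only prevents serving static files from these directories. It does not prevent exposure through external scripts such as PHP, Ruby, or CGI.</p> </article> </div>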
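<div class="helpitem"><article class="ls-helpitem"><div><header id="accessControl"><h3>Access Control<span class="ls-permlink"><a href="#accessControl"></a></span><span class="top"><a href="#top">&#8657;</a></span></h3></header></div><h4>Description</h4><p>Specifies which sub-networks and/or IP addresses can access the server. This is a server-level setting that affects all virtual hosts. You can also set up access control for each virtual host. Virtual host settings do not override the server settings.<br/><br/> Whether an IP is blocked or allowed is determined by the allowed list and the denied list together. To block a specific IP or sub-network, put <span class="val">*</span> or <span class="val">ALL</span> in the <span class="tagl"><a href="#accessControl_allow">Allowed List</a></span> and list the IPs or sub-networks to block in the <span class="tagl"><a href="#accessControl_deny">Denied List</a></span>. To allow a specific IP or sub-network, put <span class="val">*</span> or <span class="val">ALL</span> in the <span class="tagl"><a href="#accessControl_deny">Denied List</a></span> and list the IPs or sub-networks to allow in the <span class="tagl"><a href="#accessControl_allow">Allowed List</a></span>. Whether a single IP address is allowed or denied depends on the smallest scope that the IP matches.<br/><br/> Trusted IPs or sub-networks can be designated by adding a trailing "T" to their entries in the <span class="tagl"><a href="#accessControl_allow">Allowed List</a></span>. Trusted IPs or sub-networks are not subject to connection/throttling limits. Only server-level access control can set trusted IPs or sub-networks.</p> <h4>Tips</h4><p>[Security] Use this setting for general restrictions that apply to all virtual hosts.</p> </article> </div>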
<div class="helpitem"><article class="ls-helpitem"><div><header id="accessControl_allow"><h3>Allowed List<span class="ls-permlink"><a href="#accessControl_allow"></a></span><span class="top"><a href="#top">&#8657;</a></span></h3></header></div><h4>Description</h4><p>Specifies the list of allowed IP addresses or sub-networks. <span class="val">*</span> or <span class="val">ALL</span> may be used.</p> <h4>Syntax</h4><p>Comma-delimited list of IP addresses or sub-networks. A trailing "T" can be used to indicate a trusted IP or sub-network, such as <span class="val">192.168.1.*T</span>.</p> <h4>Example</h4><div class="ls-example">Sub-networks: <span class="val">192.168.1.0/255.255.255.0</span>, <span class="val">192.168.1.0/24</span>, <span class="val">192.168.1</span> or <span class="val">192.168.1.*</span>. <br/> IPv6 address: <span class="val">::1</span> or <span class="val">[::1]</span> <br/> IPv6 sub-network: <span class="val">3ffe:302:11:2:20f:1fff:fe29:717c/64</span> or  <span class="val">[3ffe:302:11:2:20f:1fff:fe29:717c]/64</span>.</div><h4>Tips</h4><p>[Security] Trusted IPs or sub-networks set at the server level are not subject to connection/throttling limits.</p> </article> </div>
<div class="helpitem"><article class="ls-helpitem"><div><header id="accessControl_deny"><h3>Denied List<span class="ls-permlink"><a href="#accessControl_deny"></a></span><span class="top"><a href="#top">&#8657;</a></span></h3></header></div><h4>Description</h4><p>Specifies the list of IP addresses or sub-networks that are not allowed.</p> <h4>Syntax</h4><p>Comma-delimited list of IP addresses or sub-networks. <span class="val">*</span> or <span class="val">ALL</span> may be used.</p> <h4>Example</h4><div class="ls-example">Sub-networks: <span class="val">192.168.1.0/255.255.255.0</span>, <span class="val">192.168.1.0/24</span>, <span class="val">192.168.1</span> or <span class="val">192.168.1.*</span>. <br/> IPv6 address: <span class="val">::1</span> or <span class="val">[::1]</span> <br/> IPv6 sub-network: <span class="val">3ffe:302:11:2:20f:1fff:fe29:717c/64</span> or  <span class="val">[3ffe:302:11:2:20f:1fff:fe29:717c]/64</span>.</div></article> </div>
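<p>The allow/deny rule described above can be modelled to check a policy before applying it. This is an added example, not OpenLiteSpeed's own code: the function names are hypothetical, and treating an unmatched address or an equal-scope tie as a denial is an assumption of this model, since the manual does not define those cases.</p>

```python
import ipaddress

def parse_entry(entry):
    """Parse one list entry into (network, trusted); network is None for * / ALL."""
    s = entry.strip()
    trusted = s.endswith("T")            # trailing "T" marks a trusted entry
    if trusted:
        s = s[:-1]
    if s in ("*", "ALL"):
        return None, trusted
    s = s.replace("[", "").replace("]", "")   # [::1] and [addr]/64 forms
    if ":" not in s:                     # IPv4: expand 192.168.1 and 192.168.1.*
        addr, _, mask = s.partition("/")
        octets = [o for o in addr.split(".") if o not in ("", "*")]
        mask = mask or str(8 * len(octets))
        s = ".".join(octets + ["0"] * (4 - len(octets))) + "/" + mask
    return ipaddress.ip_network(s, strict=False), trusted

def best_match(client, entries):
    """Most specific entry matching client, as (prefix_len, trusted), or None."""
    best = None
    for entry in filter(str.strip, entries.split(",")):
        net, trusted = parse_entry(entry)
        if net is None:
            scope = -1                   # * / ALL is the widest possible scope
        elif client in net:
            scope = net.prefixlen
        else:
            continue
        if best is None or scope > best[0]:
            best = (scope, trusted)
    return best

def decide(client_ip, allow, deny):
    """Return 'trusted', 'allow' or 'deny' for client_ip under the two lists."""
    client = ipaddress.ip_address(client_ip)
    a, d = best_match(client, allow), best_match(client, deny)
    # Assumptions of this model: no match at all, or an equal-scope tie, denies.
    if a is None or (d is not None and d[0] >= a[0]):
        return "deny"
    return "trusted" if a[1] else "allow"

if __name__ == "__main__":
    # Constructed policy: deny everything except one LAN, with one trusted host.
    allow, deny = "192.168.1.*, 192.168.1.10T, [::1]", "ALL"
    for ip in ("192.168.1.7", "192.168.1.10", "203.0.113.9", "::1"):
        print(ip, decide(ip, allow, deny))
```

<p>Running candidate Allowed List and Denied List values through a model like this shows which entry wins for a given client, including whether a trusted "T" entry is the most specific match and therefore exempt from connection/throttling limits.</p>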
</section>
</article><div  class="ls-col-1-1"><footer class="copyright">Copyright &copy; 2013-2018. <a href="https://www.litespeedtech.com">LiteSpeed Technologies Inc.</a> All rights reserved.</footer>
</div></div>
</body>
</html>