File: //usr/local/lsws/docs/zh-CN/VHSecurity_Help.html
<!DOCTYPE html>
<head>
<meta charset="utf-8" />
<meta http-equiv="X-UA-Compatible" content="IE=edge,chrome=1" />
<title>Open LiteSpeed Web Server Users' Manual - Virtual Host Security</title>
<meta name="description" content="Open LiteSpeed Web Server Users' Manual - Virtual Host Security." />
<meta name="viewport" content="width=device-width, initial-scale=1.0" />
<meta name="robots" content="noindex">
<link rel="shortcut icon" href="../img/favicon.ico" />
<link rel="stylesheet" type="text/css" href="../css/hdoc.css">
</head>
<body>
<div class="pagewrapper clearfix"><aside class="sidetree ls-col-1-5">
<figure>
<img src="img/ols_logo.svg" alt="openlitespeed logo" width="150px"/>
</figure>
<h3 class="ls-text-thin">OpenLiteSpeed Web Server <a href="index.html"> Users' Manual</a></h3>
<h5 class="ls-text-muted">Version 1.6 — Rev. 2</h5>
<hr/>
<div>
<ul>
<li><a href="license.html">License</a></li>
<li><a href="intro.html">Introduction</a></li>
<li><a href="install.html">Installation</a></li>
<li>
<a href="admin.html">Administration</a>
<ul class="level2">
<li><a href="ServerStat_Help.html">Service Manager</a></li>
</ul>
</li>
<li><a href="security.html">Security</a></li>
<li>
<a href="config.html">Configuration</a>
<ul class="level2">
<li><a href="ServGeneral_Help.html">Server General</a></li>
<li><a href="ServLog_Help.html">Server Log</a></li>
<li><a href="ServTuning_Help.html">Server Tuning</a></li>
<li><a href="ServSecurity_Help.html">Server Security</a></li>
<li><a href="ExtApp_Help.html">External Apps</a></li>
<ul class="level3">
<li><a href="External_FCGI.html">Fast CGI App</a></li>
<li><a href="External_FCGI_Auth.html">Fast CGI Authorizer</a></li>
<li><a href="External_LSAPI.html">LSAPI App</a></li>
<li><a href="External_Servlet.html">Servlet Engine</a></li>
<li><a href="External_WS.html">Web Server</a></li>
<li><a href="External_PL.html">Piped logger</a></li>
<li><a href="External_LB.html">Load Balancer</a></li>
</ul>
<li><a href="ScriptHandler_Help.html">Script Handler</a></li>
<li><a href="App_Server_Help.html">App Server Settings</a></li>
<li><a href="Module_Help.html">Module Configuration</a></li>
<li><a href="Listeners_General_Help.html">Listener General</a></li>
<li><a href="Listeners_SSL_Help.html">Listener SSL</a></li>
<li><a href="Templates_Help.html">Virtual Host Templates</a></li>
<li><a href="VirtualHosts_Help.html">Virtual Host Basic</a></li>
<li><a href="VHGeneral_Help.html">Virtual Host General</a></li>
<li><span class="current"><a href="VHSecurity_Help.html">Virtual Host Security</a></span></li>
<li><a href="VHSSL_Help.html">Virtual Host SSL</a></li>
<li><a href="Rewrite_Help.html">Rewrite</a></li>
<li><a href="Context_Help.html">Context</a></li>
<ul class="level3">
<li><a href="Static_Context.html">Static Context</a></li>
<li><a href="Java_Web_App_Context.html">Java Web App Context</a></li>
<li><a href="Servlet_Context.html">Servlet Context</a></li>
<li><a href="FCGI_Context.html">Fast CGI Context</a></li>
<li><a href="LSAPI_Context.html">LSAPI Context</a></li>
<li><a href="Proxy_Context.html">Proxy Context</a></li>
<li><a href="CGI_Context.html">CGI Context</a></li>
<li><a href="LB_Context.html">Load Balancer Context</a></li>
<li><a href="Redirect_Context.html">Redirect Context</a></li>
<li><a href="App_Server_Context.html">App Server Context</a></li>
<li><a href="Module_Context.html">Module Handler Context</a></li>
</ul>
<li><a href="VHWebSocket_Help.html">Web Socket Proxy</a></li>
</ul>
</li>
<li><a href="webconsole.html">Web Console</a>
<ul class="level2">
<li><a href="AdminGeneral_Help.html">Admin Console General</a></li>
<li><a href="AdminSecurity_Help.html">Admin Console Security</a></li>
<li><a href="AdminListeners_General_Help.html">Admin Listener General</a></li>
<li><a href="AdminListeners_SSL_Help.html">Admin Listener SSL</a></li>
</ul>
</li>
</ul>
</div>
</aside>
<article class="contentwrapper ls-col-3-5 clearfix"><div class="nav-bar ls-spacer-micro-top"><div class="prev">« <a href="VHGeneral_Help.html">Virtual Host General</a></div><div class="center"><a href="config.html">Configuration</a></div><div class="next"><a href="VHSSL_Help.html">Virtual Host SSL</a> »</div></div>
<h1>Virtual Host Security</h1><h2 id="top">Table of Contents</h2><section class="toc"><section class="toc-row"><header><a href="#VHlsrecaptcha">reCaptcha Protection</a></header><p>
<a href="#enableRecaptcha">Enable reCAPTCHA</a> | <a href="#recaptchaSiteKey">Site Key</a> | <a href="#recaptchaSecretKey">Secret Key</a> | <a href="#recaptchaType">reCAPTCHA Type</a> | <a href="#recaptchaMaxTries">Max Tries</a> | <a href="#recaptchaVhReqLimit">Concurrent Request Limit</a></p></section>
<section class="toc-row"><header><a href="#accessControl">登入限制</a></header><p>
<a href="#accessControl_allow">允许列表</a> | <a href="#accessControl_deny">拒绝列表</a></p></section>
<section class="toc-row"><header><a href="#realms">Realms授权</a></header><p>
<a href="#realmName">Realm名称</a> | <a href="#userDBLocation">用户数据库地址</a> | <a href="#userDBMaxCacheSize">用户数据库最大缓存大小</a> | <a href="#userDBCacheTimeout">用户数据库缓存超时</a> | <a href="#GroupDBLocation">Group DB Location</a> | <a href="#groupDBMaxCacheSize">组数据库最大缓存大小</a> | <a href="#groupDBCacheTimeout">Group DB Cache Timeout (secs)</a></p></section>
</section>
<section><div class="helpitem"><article class="ls-helpitem"><div><header id="VHlsrecaptcha"><h3>reCaptcha Protection<span class="ls-permlink"><a href="#VHlsrecaptcha"></a></span><span class="top"><a href="#top">⇑</a></span></h3></header></div><h4>Description</h4><p>reCaptcha Protection is a service provided as a way to mitigate heavy server load. reCaptcha Protection will activate after one of the below situations is hit. Once active, all requests by NON TRUSTED(as configured) clients will be redirected to a reCAPTCHA validation page. After validation, the client will be redirected to their desired page.<br/><br/> The following situations will activate reCaptcha Protection:<br/> 1. The server or vhost concurrent requests count passes the configured connection limit.<br/> 2. Anti-DDoS is enabled and a client is hitting a url in a suspicious manner. The client will redirect to reCAPTCHA first instead of getting denied when triggered.<br/> 3. WP Brute Force protection is enabled and action is set to 'Captcha or Drop’. When a brute force attack is detected, the client will redirect to reCAPTCHA first. After max tries is reached, the connection will be dropped, as per the ‘drop’ option.<br/> 4. A new rewrite rule environment is provided to activate reCAPTCHA via RewriteRules. 'verifycaptcha' can be set to redirect clients to reCAPTCHA. A special value ': deny' can be set to deny the client if it failed too many times. For example, [E=verifycaptcha] will always redirect to reCAPTCHA until verified. [E=verifycaptcha: deny] will redirect to reCAPTCHA until Max Tries is hit, after which the client will be denied.</p> </article> </div>
<div class="helpitem"><article class="ls-helpitem"><div><header id="enableRecaptcha"><h3>Enable reCAPTCHA<span class="ls-permlink"><a href="#enableRecaptcha"></a></span><span class="top"><a href="#top">⇑</a></span></h3></header></div><h4>Description</h4><p>Enable the reCaptcha Protection feature at the current level. This setting must be set to <span class="val">Yes</span> at the Server level before the reCaptcha Protection feature can be used.<br/><br/> Default values:<br/> <b>Server-level:</b> Yes<br/> <b>VH-Level:</b> Inherit Server level setting</p> <h4>Syntax</h4><p>Select from radio box</p> </article> </div>
<div class="helpitem"><article class="ls-helpitem"><div><header id="recaptchaSiteKey"><h3>Site Key<span class="ls-permlink"><a href="#recaptchaSiteKey"></a></span><span class="top"><a href="#top">⇑</a></span></h3></header></div><h4>Description</h4><p>The site key is the public key provided by Google via its reCAPTCHA service. A default Site Key will be used if not set.</p> </article> </div>
<div class="helpitem"><article class="ls-helpitem"><div><header id="recaptchaSecretKey"><h3>Secret Key<span class="ls-permlink"><a href="#recaptchaSecretKey"></a></span><span class="top"><a href="#top">⇑</a></span></h3></header></div><h4>Description</h4><p>The secret key is the private key provided by Google via its reCAPTCHA service. A default Secret Key will be used if not set.</p> </article> </div>
<div class="helpitem"><article class="ls-helpitem"><div><header id="recaptchaType"><h3>reCAPTCHA Type<span class="ls-permlink"><a href="#recaptchaType"></a></span><span class="top"><a href="#top">⇑</a></span></h3></header></div><h4>Description</h4><p>Specify the reCAPTCHA type to use with the key pairs. If a key pair has not been provided and this setting is set to <span class="val">Not Set</span>, a default key pair of type <span class="val">Invisible</span> will be used.<br/> <span class="val">Checkbox</span> will display a checkbox reCAPTCHA for the visitor to validate.<br/> <span class="val">Invisible</span> will attempt to validate the reCAPTCHA automatically and if successful, will redirect to the desired page.<br/><br/> Default value is <span class="val">Invisible</span>.</p> <h4>Syntax</h4><p>Select from drop down list</p> </article> </div>
<div class="helpitem"><article class="ls-helpitem"><div><header id="recaptchaMaxTries"><h3>Max Tries<span class="ls-permlink"><a href="#recaptchaMaxTries"></a></span><span class="top"><a href="#top">⇑</a></span></h3></header></div><h4>Description</h4><p>Max Tries specifies the maximum number of reCAPTCHA attempts permitted before denying the visitor.<br/><br/> Default value is <span class="val">3</span>.</p> <h4>Syntax</h4><p>无符号整数</p> </article> </div>
<div class="helpitem"><article class="ls-helpitem"><div><header id="recaptchaVhReqLimit"><h3>Concurrent Request Limit<span class="ls-permlink"><a href="#recaptchaVhReqLimit"></a></span><span class="top"><a href="#top">⇑</a></span></h3></header></div><h4>Description</h4><p>The number of concurrent requests needed to activate reCAPTCHA. reCAPTCHA will be used until concurrent requests drop below this number.<br/><br/> Default value is <span class="val">15000</span>.</p> <h4>Syntax</h4><p>无符号整数</p> </article> </div>
<div class="helpitem"><article class="ls-helpitem"><div><header id="accessControl"><h3>登入限制<span class="ls-permlink"><a href="#accessControl"></a></span><span class="top"><a href="#top">⇑</a></span></h3></header></div><h4>Description</h4><p>指定哪些子网络和/或IP地址可以访问该服务器。 这是影响所有的虚拟主机的服务器级别设置。您还可以为每个虚拟主机设置登入限制。虚拟主机的设置不会覆盖服务器设置。<br/><br/> 是否阻止/允许一个IP是由允许列表与阻止列表共同决定。 如果你想阻止某个特定IP或子网,请在<span class="tagl"><a href="#accessControl_allow">允许列表</a></span>中写入<span class="val">*</span> 或 <span class="val">ALL</span>,并在<span class="tagl"><a href="#accessControl_deny">拒绝列表</a></span>中写入需要阻止的IP或子网。 如果你想允许某个特定的IP或子网,请在<span class="tagl"><a href="#accessControl_deny">拒绝列表</a></span>中写入<span class="val">*</span> 或 <span class="val">ALL</span>,并在<span class="tagl"><a href="#accessControl_allow">允许列表</a></span>中写入需要允许的IP或子网。 单个IP地址是被允许访问还是禁止访问取决于该IP符合的最小限制范围。<br/><br/> 信任的IP或子网络可以在<span class="tagl"><a href="#accessControl_allow">允许列表</a></span>列表中添加后缀“T”来指定。受信任的IP或子网不受连接数/流量限制。 只有服务器级别的登入限制才可以设置受信任的IP或子网。</p> <h4>Tips</h4><p>[安全建议] 用此项设置适用于所有虚拟主机的常规限制。</p> </article> </div>
<div class="helpitem"><article class="ls-helpitem"><div><header id="accessControl_allow"><h3>允许列表<span class="ls-permlink"><a href="#accessControl_allow"></a></span><span class="top"><a href="#top">⇑</a></span></h3></header></div><h4>Description</h4><p>指定允许的IP地址或子网的列表。 可以使用{VAL}*</span>或{VAL}ALL</span>。</p> <h4>Syntax</h4><p>逗号分隔的IP地址或子网列表。 结尾加上“T”可以用来表示一个受信任的IP或子网,如{VAL}192.168.1.*T</span>。</p> <h4>Example</h4><div class="ls-example">子网: <span class="val">192.168.1.0/255.255.255.0</span>, <span class="val">192.168.1.0/24</span>, <span class="val">192.168.1</span> 或 <span class="val">192.168.1.*</span>. <br/> IPv6 地址: <span class="val">::1</span> 或 <span class="val">[::1]</span> <br/> IPv6 子网: <span class="val">3ffe:302:11:2:20f:1fff:fe29:717c/64</span> 或 <span class="val">[3ffe:302:11:2:20f:1fff:fe29:717c]/64</span>.</div><h4>Tips</h4><p>[安全建议] 在服务器级别设置的受信任的IP或子网不受连接/节流限制。</p> </article> </div>
<div class="helpitem"><article class="ls-helpitem"><div><header id="accessControl_deny"><h3>拒绝列表<span class="ls-permlink"><a href="#accessControl_deny"></a></span><span class="top"><a href="#top">⇑</a></span></h3></header></div><h4>Description</h4><p>指定不允许的IP地址或子网的列表。</p> <h4>Syntax</h4><p>逗号分隔的IP地址或子网列表。 可以使用{VAL}*</span>或{VAL}ALL</span>。</p> <h4>Example</h4><div class="ls-example">子网: <span class="val">192.168.1.0/255.255.255.0</span>, <span class="val">192.168.1.0/24</span>, <span class="val">192.168.1</span> 或 <span class="val">192.168.1.*</span>. <br/> IPv6 地址: <span class="val">::1</span> 或 <span class="val">[::1]</span> <br/> IPv6 子网: <span class="val">3ffe:302:11:2:20f:1fff:fe29:717c/64</span> 或 <span class="val">[3ffe:302:11:2:20f:1fff:fe29:717c]/64</span>.</div></article> </div>
<div class="helpitem"><article class="ls-helpitem"><div><header id="realms"><h3>Realms授权<span class="ls-permlink"><a href="#realms"></a></span><span class="top"><a href="#top">⇑</a></span></h3></header></div><h4>Description</h4><p>列出这个虚拟主机的所有Realm。 Realm授权可以阻止未授权用户访问受保护的网页。 Realm是一个用户名录,其中包含了用户名、密码、分组(可选)。授权是在context级别执行的。不同的context可以共享相同的Realm(用户数据库),所以Realm是与调用它的context分开定义的。你可以通过context配置中的名称识别Realm。</p> </article> </div>
<div class="helpitem"><article class="ls-helpitem"><div><header id="realmName"><h3>Realm名称<span class="ls-permlink"><a href="#realmName"></a></span><span class="top"><a href="#top">⇑</a></span></h3></header></div><h4>Description</h4><p>为Realm授权指定唯一的名称。</p> <h4>Syntax</h4><p>文本</p> </article> </div>
<div class="helpitem"><article class="ls-helpitem"><div><header id="userDBLocation"><h3>用户数据库地址<span class="ls-permlink"><a href="#userDBLocation"></a></span><span class="top"><a href="#top">⇑</a></span></h3></header></div><h4>Description</h4><p>指定用户数据库的地址。 对于类型为<span class="val">Password File</span>的数据库,应设置为包含用户名/密码的展平文件的路径。 您可以在WebAdmin控制台中点击文件名来进行修改。<br/><br/> 用户文件的每一行包含一个用户名,后面加上冒号,在跟上加密的密码,后面可选择添加冒号和用户所属组名。 多个组名通过逗号分隔。如果组信息在用户数据库中指定,那么组数据库将不被检查。<br/><br/> 例如: <blockquote><code>john:HZ.U8kgjnMOHo:admin,user</code></blockquote><br/><br/> 对于类型为<span class="val">LDAP</span>的数据库,应该设置用于查询用户信息的LDAP URL。对于每个有效的用户,存储在LDAP服务器中的认证数据 应至少包含用户ID和用户密码。当根据HTTP认证报头中的信息通过指定URL进行LDAP查询请求时,应当有且仅有一个记录被返回。"$k"必须在URL中的过滤部分指定并且将用用户名来替代。用户密码属性名必须在查询中返回。用户密码属性名由<span class="tagl"><a href="#userDB_attrPasswd">密码属性名</a></span>指定。组信息可以使用<span class="tagl"><a href="#userDB_attrMemberOf">Member-of 属性</a></span>来指定(可选)。<br/><br/> 例如: 用户至少要在LDAP中通过以下对象类定义:uidObject, simpleSecurityObject和organizationalRole。可以使用如下URL:<br/> <blockquote><code>ldap://localhost/ou=UserDB,dc=example,dc=com???(&(objectClass=*)(uid=$k))</code></blockquote></p> <h4>Syntax</h4><p>到用户数据库文件的路径或LDAP URL(RFC 2255)。</p> <h4>Tips</h4><p>[安全建议] 建议在文档树以外保存用户密码文件。 如果用户密码文件被放置在文档树以内,只需要使用".ht"作为文件名开头, 如<span class="val">.htuser</span>,来防止被当做静态文件输出。LiteSpeed Web服务器不输出前缀为“.ht”的文件。</p> <h4>See Also</h4><p class="ls-text-small"><span class="tagl"><a href="#GroupDBLocation">Group DB Location</a></span>, <span class="tagl"><a href="#userDB_attrPasswd">密码属性名</a></span>, <span class="tagl"><a href="#userDB_attrMemberOf">Member-of 属性</a></span></p> </article> </div>
<div class="helpitem"><article class="ls-helpitem"><div><header id="userDBMaxCacheSize"><h3>用户数据库最大缓存大小<span class="ls-permlink"><a href="#userDBMaxCacheSize"></a></span><span class="top"><a href="#top">⇑</a></span></h3></header></div><h4>Description</h4><p>指定用户数据库的最大缓存大小。 最近访问的用户认证信息会被缓存在内存中以提供最佳性能。</p> <h4>Syntax</h4><p>无符号整数</p> <h4>Tips</h4><p>[性能建议] 由于更大的缓存会消耗更多的内存,更高的值可能会也可能不会提供更好的性能。 请根据您的用户数据库大小和网站使用情况来设定一个合适的大小。</p> </article> </div>
<div class="helpitem"><article class="ls-helpitem"><div><header id="userDBCacheTimeout"><h3>用户数据库缓存超时<span class="ls-permlink"><a href="#userDBCacheTimeout"></a></span><span class="top"><a href="#top">⇑</a></span></h3></header></div><h4>Description</h4><p>指定多久检查一次后端用户数据库变更。 在缓存中每个条目都有一个时间戳。 当缓存日期超过指定的超时时间时,将检查后端数据库是否有变化。 如果没有,时间戳将被重置为当前时间,否则会将新的数据载入。 服务器重载和平滑重启会立即清除缓存。</p> <h4>Syntax</h4><p>单元</p> <h4>Tips</h4><p>[性能建议] 如果后端数据库不经常发生变更,设置较长的缓存时间来获得更好的性能。</p> </article> </div>
<div class="helpitem"><article class="ls-helpitem"><div><header id="GroupDBLocation"><h3>Group DB Location<span class="ls-permlink"><a href="#GroupDBLocation"></a></span><span class="top"><a href="#top">⇑</a></span></h3></header></div><h4>Description</h4><p>指定组数据库的位置。<br/> 组信息可以在用户数据库或在这个独立的组数据库中设置。 用于用户验证时,将首先检查用户数据库。 如果用户数据库同样包含组信息,组数据库将不被检查。<br/> 对于类型为<span class="val">Password File</span>的数据库, 组数据库地址应当是到达包含有组定义的平面文件的路径。 你可以在WebAmin控制台中点击文件名来修改这个设置。<br/> 每一行组文件应当包含一个组名, 组名后面跟一个冒号,并在冒号后面使用空格来分割组中的用户名。 例如: <blockquote><code>testgroup: user1 user2 user3</code></blockquote><br/><br/> 对于类型为<span class="val">LDAP</span>的数据库, 组数据库地址应当是查询组信息的LDAP URL地址。 对于每一个有效的组, 基于同一URL地址和同一在<span class="tagl"><a href="Context_Help.html#required">Require(授权的用户/组)</a></span>中指明的组名进行的LDAP查询请求,应当有且仅有一个记录返回。 "$k"中指定的组名称必须在URL的过滤部分指定并用组名称代替。在组中指定成员的属性名称需在<span class="tagl"><a href="#groupDB_attrGroupMember">组成员属性名</a></span>中指定。<br/><br/><br/> 例如: 如果objectClass posixGroup被用来存储组信息。可以使用以下的地址:<br/> <blockquote><code>ldap: //localhost/ou=GroupDB,dc=example,dc=com???(&(objectClass=*)(cn=$k))</code></blockquote></p> <h4>Syntax</h4><p>文件3</p> <h4>Tips</h4><p>[安全建议] 建议把组文件保存到站点目录外。 如果必须将组文件放置在站点目录内,只需要用".ht"开头命名,如<span class="val">.htgroup</span>,来防止文件被当做静态文件而输出。LiteSpeed网页服务器不会输出前缀是".ht"的文件。</p> <h4>See Also</h4><p class="ls-text-small"><span class="tagl"><a href="#userDBLocation">用户数据库地址</a></span>, Context <span class="tagl"><a href="Context_Help.html#required">Require(授权的用户/组)</a></span>, <span class="tagl"><a href="#groupDB_attrGroupMember">组成员属性名</a></span></p> </article> </div>
<div class="helpitem"><article class="ls-helpitem"><div><header id="groupDBMaxCacheSize"><h3>组数据库最大缓存大小<span class="ls-permlink"><a href="#groupDBMaxCacheSize"></a></span><span class="top"><a href="#top">⇑</a></span></h3></header></div><h4>Description</h4><p>指定组数据库的最大缓存大小。</p> <h4>Syntax</h4><p>无符号整数</p> <h4>Tips</h4><p>[性能建议] 由于更大的缓存会消耗更多的内存, 更高的值可能会也可能不会提供更好的性能。 请根据你的用户数据库大小和网站使用情况来设置合适的大小。</p> <h4>See Also</h4><p class="ls-text-small"><span class="tagl"><a href="#userDBMaxCacheSize">用户数据库最大缓存大小</a></span></p> </article> </div>
<div class="helpitem"><article class="ls-helpitem"><div><header id="groupDBCacheTimeout"><h3>Group DB Cache Timeout (secs)<span class="ls-permlink"><a href="#groupDBCacheTimeout"></a></span><span class="top"><a href="#top">⇑</a></span></h3></header></div><h4>Description</h4><p>指定多长时间后台组数据库将检查一次变更。 查看更多详细信息查看<span class="tagl"><a href="#userDBCacheTimeout">用户数据库缓存超时</a></span>。</p> <h4>Syntax</h4><p>无符号整数</p> <h4>See Also</h4><p class="ls-text-small"><span class="tagl"><a href="#userDBCacheTimeout">用户数据库缓存超时</a></span></p> </article> </div>
</section>
</article><div class="ls-col-1-1"><footer class="copyright">Copyright © 2013-2018. <a href="https://www.litespeedtech.com">LiteSpeed Technologies Inc.</a> All rights reserved.</footer>
</div></div>
</body>
</html>