Virtual Host Security
Table of Contents
Enable reCAPTCHA | Site Key | Secret Key | reCAPTCHA Type | Max Tries | Concurrent Request Limit
Bubblewrap Container | Namespace Container | Additional Namespace Template File
Realm Name | User DB Location | User DB Max Cache Size | User DB Cache Timeout (secs) | Group DB Location | Group DB Max Cache Size | Group DB Cache Timeout (secs)
reCAPTCHA Protection⇑
Description
reCAPTCHA Protection is a service provided as a way to mitigate heavy server load. reCAPTCHA Protection will activate after one of the below situations is hit. Once active, all requests by NON TRUSTED(as configured) clients will be redirected to a reCAPTCHA validation page. After validation, the client will be redirected to their desired page.
The following situations will activate reCAPTCHA Protection:
1. The server or vhost concurrent requests count passes the configured connection limit.
2. Anti-DDoS is enabled and a client is hitting a url in a suspicious manner. The client will redirect to reCAPTCHA first instead of getting denied when triggered.
3. A new rewrite rule environment is provided to activate reCAPTCHA via RewriteRules. 'verifycaptcha' can be set to redirect clients to reCAPTCHA. A special value ': deny' can be set to deny the client if it failed too many times. For example, [E=verifycaptcha] will always redirect to reCAPTCHA until verified. [E=verifycaptcha: deny] will redirect to reCAPTCHA until Max Tries is hit, after which the client will be denied.
Enable reCAPTCHA⇑
Description
Enable the reCAPTCHA Protection feature at the current level. This setting must be set to Yes at the Server level before the reCAPTCHA Protection feature can be used.
Default values:
Server-level: Yes
VH-Level: Inherit Server level setting
Syntax
Select from radio box
Site Key⇑
Description
The site key is the public key provided by Google via its reCAPTCHA service. A default Site Key will be used if not set.
Secret Key⇑
Description
The secret key is the private key provided by Google via its reCAPTCHA service. A default Secret Key will be used if not set.
reCAPTCHA Type⇑
Description
Specify the reCAPTCHA type to use with the key pairs.
If a key pair has not been provided and this setting is set to Not Set, a default key pair of type Invisible will be used.
Checkbox will display a checkbox reCAPTCHA for the visitor to validate.
Invisible will attempt to validate the reCAPTCHA automatically and if successful, will redirect to the desired page.
hCaptcha can be used to support reCAPTCHA provider hCaptcha.
Default value is Invisible.
Syntax
Select from drop down list
Max Tries⇑
Description
Max Tries specifies the maximum number of reCAPTCHA attempts permitted before denying the visitor.
Default value is 3.
Syntax
Integer number
Concurrent Request Limit⇑
Description
The number of concurrent requests needed to activate reCAPTCHA. reCAPTCHA will be used until concurrent requests drop below this number.
Default value is 15000.
Syntax
Integer number
Bubblewrap Container⇑
Description
Set to On if you wish to start CGI processes (including PHP programs) in a bubblewrap sandbox. See https://wiki.archlinux.org/title/Bubblewrap for details on using bubblewrap. Bubblewrap must be installed on your system prior to using this setting.
This setting cannot be turned on at the Virtual Host level if set to "Disabled" at the Server level.
Default values:
Server level: Disabled
VH level: Inherit Server level setting
Syntax
Select from drop down list
Namespace Container⇑
Description
Set to Enabled if you wish to start CGI processes (including PHP programs) in a namespace container sandbox. Only used when Bubblewrap Container is set to Disabled.
When not Disabled at the Server level, this settings value can be overridden at the Virtual Host level.
Default values:
Server level: Disabled
Virtual Host Level: Inherit Server level setting
Syntax
Select from drop down list
Additional Namespace Template File⇑
Description
Path to an existing configuration file containing a list of directories to be mounted along with the methods used to mount them. If Namespace Template File is also set at the Server level, both files will be used.
Syntax
A path which can be absolute, relative to $SERVER_ROOT, or relative to $VH_ROOT.
Access Control⇑
Description
Specifies what sub networks and/or IP addresses can access the server. At the server level, this setting will affect all virtual hosts. You can also set up access control unique to each virtual host at the virtual host level. Virtual host level settings will NOT override server level settings.
Blocking/Allowing an IP is determined by the combination of the allowed list and the denied list. If you want to block only certain IPs or sub-networks, put * or ALL in the Allowed List and list the blocked IPs or sub-networks in the Denied List. If you want to allow only certain IPs or sub-networks, put * or ALL in the Denied List and list the allowed IPs or sub-networks in the Allowed List. The setting of the smallest scope that fits for an IP will be used to determine access.
Server Level: Trusted IPs or sub-networks must be specified in the Allowed List by adding a trailing "T". Trusted IPs or sub-networks are not affected by connection/throttling limits. Only server level access control can set up trusted IPs/sub-networks.
Tips
Use this at the server level for general restrictions that apply to all virtual hosts.
Allowed List⇑
Description
Specifies the list of IPs or sub-networks allowed. * or ALL are accepted.
Syntax
Comma delimited list of IP addresses or sub-networks. A trailing "T" can be used to indicate a trusted IP or sub-network, such as 192.168.1.*T.
Example
IPv6 addresses: ::1 or [::1]
IPv6 subnets: 3ffe:302:11:2:20f:1fff:fe29:717c/64 or [3ffe:302:11:2:20f:1fff:fe29:717c]/64
Tips
Trusted IPs or sub-networks set at the server level access control will be excluded from connection/throttling limits.
Denied List⇑
Description
Specifies the list of IPs or sub-networks disallowed.
Syntax
Comma delimited list of IP addresses or sub-networks. * or ALL are accepted.
Example
IPv6 addresses: ::1 or [::1]
IPv6 subnets: 3ffe:302:11:2:20f:1fff:fe29:717c/64 or [3ffe:302:11:2:20f:1fff:fe29:717c]/64
Authorization Realms⇑
Description
Lists all authorization realms for this virtual host. Authorization realms are used to block unauthorized users from accessing protected web pages. A realm is a user directory containing usernames and passwords with optional group classifications. Authorization is performed at context level. Since different contexts can share the same realm (user database), so realms are defined separately from the contexts that use them. You can refer to a realm by these names in context configuration.
Realm Name⇑
Description
Specifies a unique name for the authorization realm.
User DB Location⇑
Description
Specifies the location of the user database. It is recommended that the database be stored under the $SERVER_ROOT/conf/vhosts/$VH_NAME/ directory.
For DB type Password File, it is the path to the flat file containing user/password definitions. You can edit this file through the WebAdmin console by clicking on the filename.
Each line of the user file contains a username followed by a colon, followed by a crypt() encrypted password, optionally followed by a colon and group names that user belongs to. Group names are delimitated by commas. If group information is specified in the user database, then the group database will not be checked.
Example:
john:HZ.U8kgjnMOHo:admin,user
Syntax
Path to user DB file.
See Also
User DB Max Cache Size⇑
Description
Specifies the maximum cache size of the user database. Recently accessed user authentication data will be cached in memory to provide maximum performance.
Syntax
Integer number
Tips
As a larger cache will consume more memory, a higher value may or may not provide better performance. Set it to an appropriate size according to your user database size and site usage.
User DB Cache Timeout (secs)⇑
Description
Specifies how often the backend user database will be checked for changes. Every entry in the cache has a timestamp. When cached data is older than the specified timeout, the backend database will be checked for changes. If there is no change, the timestamp will be reset to the current time, otherwise the new data will be loaded. Sevrer reload and graceful restart will clear the cache immediately.
Syntax
Integer number
Tips
If the backend database does not change very often, set a longer timeout for better performance.
Group DB Location⇑
Description
Specifies the location of the group database. It is recommended that the database be stored under the $SERVER_ROOT/conf/vhosts/$VH_NAME/ directory.
Group information can be set either in the user database or in this standalone group DB. For user authentication, the user DB will be checked first. If the user DB also contains group information, then the group DB will not be checked.
For the DB type Password File, the group DB location should be the path to the flat file containing group definitions. You can edit this file through the WebAdmin console by clicking on the filename.
Each line of a group file should contain a groupname followed by a colon, followed by space delimited group of usernames. Example:
testgroup: user1 user2 user3
Syntax
Filename which can be an absolute path or a relative path to $SERVER_ROOT, $VH_ROOT.
See Also
User DB Location, Context Require (Authorized Users/Groups), Group Member Attribute
Group DB Max Cache Size⇑
Description
Specifies the maximum cache size of the group database.
Syntax
Integer number
Tips
As a larger cache will consume more memory, a higher value may or may not provide better performance. Set it to an appropriate size according to your user database size and site usage.
See Also
Group DB Cache Timeout (secs)⇑
Description
Specifies how often the backend group database will be checked for changes. For more detail please refer to User DB Cache Timeout (secs).
Syntax
Integer number