OpenLiteSpeed with mod_security running as reverse proxy (WAF)
- Thread starter edan
- Start date
Hi @edan ,
In this case, better raise a ticket with us support@litespeedtech.com and I will show you where's the issue.
Best,
Eric
In this case, better raise a ticket with us support@litespeedtech.com and I will show you where's the issue.
Best,
Eric
[/usr/local/lsws/conf/vhosts/nginx/vhconf.conf]
root@ols-proxy:/usr/local/lsws/conf# cat /usr/local/lsws/conf/vhosts/nginx/vhconf.conf
rewrite {
enable 1
rules REWRITERULE ^(.*)$ HTTP://nginx/$1 [P]
}
[/usr/local/lsws/conf/httpd_config.conf]
root@ols-proxy:/usr/local/lsws/conf# cat httpd_config.conf
#
# PLAIN TEXT CONFIGURATION FILE
#
#It not set, will use host name as serverName
serverName
user nobody
group nogroup
priority 0
inMemBufSize 60M
swappingDir /tmp/lshttpd/swap
autoFix503 1
gracefulRestartTimeout 300
mime conf/mime.properties
showVersionNumber 0
adminEmails root@localhost
errorlog logs/error.log {
logLevel DEBUG
debugLevel 0
rollingSize 10M
enableStderrLog 1
}
accesslog logs/access.log {
rollingSize 10M
keepDays 30
compressArchive 0
}
indexFiles index.html, index.php
expires {
enableExpires 1
expiresByType image/*=A604800,text/css=A604800,application/x-javascript=A604800,application/javascript=A604800,font/*=A604800,application/x-font-ttf=A604800
}
tuning {
maxConnections 10000
maxSSLConnections 10000
connTimeout 300
maxKeepAliveReq 10000
keepAliveTimeout 5
sndBufSize 0
rcvBufSize 0
maxReqURLLen 32768
maxReqHeaderSize 65536
maxReqBodySize 2047M
maxDynRespHeaderSize 32768
maxDynRespSize 2047M
maxCachedFileSize 4096
totalInMemCacheSize 20M
maxMMapFileSize 256K
totalMMapCacheSize 40M
useSendfile 1
fileETag 28
enableGzipCompress 1
compressibleTypes default
enableDynGzipCompress 1
gzipCompressLevel 6
gzipAutoUpdateStatic 1
gzipStaticCompressLevel 6
brStaticCompressLevel 6
gzipMaxFileSize 10M
gzipMinFileSize 300
quicEnable 1
quicShmDir /dev/shm
}
fileAccessControl {
followSymbolLink 1
checkSymbolLink 0
requiredPermissionMask 000
restrictedPermissionMask 000
}
perClientConnLimit {
staticReqPerSec 0
dynReqPerSec 0
outBandwidth 0
inBandwidth 0
softLimit 10000
hardLimit 10000
gracePeriod 15
banPeriod 300
}
CGIRLimit {
maxCGIInstances 20
minUID 11
minGID 10
priority 0
CPUSoftLimit 10
CPUHardLimit 50
memSoftLimit 1460M
memHardLimit 1470M
procSoftLimit 400
procHardLimit 450
}
accessDenyDir {
dir /
dir /etc/*
dir /dev/*
dir conf/*
dir admin/conf/*
}
accessControl {
allow ALL
}
extprocessor lsphp {
type lsapi
address uds://tmp/lshttpd/lsphp.sock
maxConns 10
env PHP_LSAPI_CHILDREN=10
env LSAPI_AVOID_FORK=200M
initTimeout 60
retryTimeout 0
persistConn 1
respBuffer 0
autoStart 1
path lsphp73/bin/lsphp
backlog 100
instances 1
priority 0
memSoftLimit 2047M
memHardLimit 2047M
procSoftLimit 1400
procHardLimit 1500
}
extprocessor nginx {
type proxy
address 172.16.0.188:80
maxConns 100
pcKeepAliveTimeout 60
initTimeout 60
retryTimeout 0
respBuffer 0
}
scripthandler {
add lsapi:lsphp php
}
railsDefaults {
maxConns 1
env LSAPI_MAX_IDLE=60
initTimeout 60
retryTimeout 0
pcKeepAliveTimeout 60
respBuffer 0
backlog 50
runOnStartUp 3
extMaxIdleTime 300
priority 3
memSoftLimit 2047M
memHardLimit 2047M
procSoftLimit 500
procHardLimit 600
}
wsgiDefaults {
maxConns 5
env LSAPI_MAX_IDLE=60
initTimeout 60
retryTimeout 0
pcKeepAliveTimeout 60
respBuffer 0
backlog 50
runOnStartUp 3
extMaxIdleTime 300
priority 3
memSoftLimit 2047M
memHardLimit 2047M
procSoftLimit 500
procHardLimit 600
}
nodeDefaults {
maxConns 5
env LSAPI_MAX_IDLE=60
initTimeout 60
retryTimeout 0
pcKeepAliveTimeout 60
respBuffer 0
backlog 50
runOnStartUp 3
extMaxIdleTime 300
priority 3
memSoftLimit 2047M
memHardLimit 2047M
procSoftLimit 500
procHardLimit 600
}
module cache {
internal 1
checkPrivateCache 1
checkPublicCache 1
maxCacheObjSize 10000000
maxStaleAge 200
qsCache 1
reqCookieCache 1
respCookieCache 1
ignoreReqCacheCtrl 1
ignoreRespCacheCtrl 0
enableCache 0
expireInSeconds 3600
enablePrivateCache 0
privateExpireInSeconds 3600
ls_enabled 1
}
virtualhost Example {
vhRoot Example/
configFile conf/vhosts/Example/vhconf.conf
allowSymbolLink 1
enableScript 1
restrained 1
setUIDMode 0
}
virtualhost nginx {
vhRoot $SERVER_ROOT/proxy/
configFile $SERVER_ROOT/conf/vhosts/$VH_NAME/vhconf.conf
allowSymbolLink 0
enableScript 0
restrained 1
}
listener Default {
address *:80
secure 0
map nginx *
}
vhTemplate centralConfigLog {
templateFile conf/templates/ccl.conf
listeners Default
}
vhTemplate EasyRailsWithSuEXEC {
templateFile conf/templates/rails.conf
listeners Default
}
root@ols-proxy:/usr/local/lsws/conf# cat /usr/local/lsws/conf/vhosts/nginx/vhconf.conf
rewrite {
enable 1
rules REWRITERULE ^(.*)$ HTTP://nginx/$1 [P]
}
[/usr/local/lsws/conf/httpd_config.conf]
root@ols-proxy:/usr/local/lsws/conf# cat httpd_config.conf
#
# PLAIN TEXT CONFIGURATION FILE
#
#It not set, will use host name as serverName
serverName
user nobody
group nogroup
priority 0
inMemBufSize 60M
swappingDir /tmp/lshttpd/swap
autoFix503 1
gracefulRestartTimeout 300
mime conf/mime.properties
showVersionNumber 0
adminEmails root@localhost
errorlog logs/error.log {
logLevel DEBUG
debugLevel 0
rollingSize 10M
enableStderrLog 1
}
accesslog logs/access.log {
rollingSize 10M
keepDays 30
compressArchive 0
}
indexFiles index.html, index.php
expires {
enableExpires 1
expiresByType image/*=A604800,text/css=A604800,application/x-javascript=A604800,application/javascript=A604800,font/*=A604800,application/x-font-ttf=A604800
}
tuning {
maxConnections 10000
maxSSLConnections 10000
connTimeout 300
maxKeepAliveReq 10000
keepAliveTimeout 5
sndBufSize 0
rcvBufSize 0
maxReqURLLen 32768
maxReqHeaderSize 65536
maxReqBodySize 2047M
maxDynRespHeaderSize 32768
maxDynRespSize 2047M
maxCachedFileSize 4096
totalInMemCacheSize 20M
maxMMapFileSize 256K
totalMMapCacheSize 40M
useSendfile 1
fileETag 28
enableGzipCompress 1
compressibleTypes default
enableDynGzipCompress 1
gzipCompressLevel 6
gzipAutoUpdateStatic 1
gzipStaticCompressLevel 6
brStaticCompressLevel 6
gzipMaxFileSize 10M
gzipMinFileSize 300
quicEnable 1
quicShmDir /dev/shm
}
fileAccessControl {
followSymbolLink 1
checkSymbolLink 0
requiredPermissionMask 000
restrictedPermissionMask 000
}
perClientConnLimit {
staticReqPerSec 0
dynReqPerSec 0
outBandwidth 0
inBandwidth 0
softLimit 10000
hardLimit 10000
gracePeriod 15
banPeriod 300
}
CGIRLimit {
maxCGIInstances 20
minUID 11
minGID 10
priority 0
CPUSoftLimit 10
CPUHardLimit 50
memSoftLimit 1460M
memHardLimit 1470M
procSoftLimit 400
procHardLimit 450
}
accessDenyDir {
dir /
dir /etc/*
dir /dev/*
dir conf/*
dir admin/conf/*
}
accessControl {
allow ALL
}
extprocessor lsphp {
type lsapi
address uds://tmp/lshttpd/lsphp.sock
maxConns 10
env PHP_LSAPI_CHILDREN=10
env LSAPI_AVOID_FORK=200M
initTimeout 60
retryTimeout 0
persistConn 1
respBuffer 0
autoStart 1
path lsphp73/bin/lsphp
backlog 100
instances 1
priority 0
memSoftLimit 2047M
memHardLimit 2047M
procSoftLimit 1400
procHardLimit 1500
}
extprocessor nginx {
type proxy
address 172.16.0.188:80
maxConns 100
pcKeepAliveTimeout 60
initTimeout 60
retryTimeout 0
respBuffer 0
}
scripthandler {
add lsapi:lsphp php
}
railsDefaults {
maxConns 1
env LSAPI_MAX_IDLE=60
initTimeout 60
retryTimeout 0
pcKeepAliveTimeout 60
respBuffer 0
backlog 50
runOnStartUp 3
extMaxIdleTime 300
priority 3
memSoftLimit 2047M
memHardLimit 2047M
procSoftLimit 500
procHardLimit 600
}
wsgiDefaults {
maxConns 5
env LSAPI_MAX_IDLE=60
initTimeout 60
retryTimeout 0
pcKeepAliveTimeout 60
respBuffer 0
backlog 50
runOnStartUp 3
extMaxIdleTime 300
priority 3
memSoftLimit 2047M
memHardLimit 2047M
procSoftLimit 500
procHardLimit 600
}
nodeDefaults {
maxConns 5
env LSAPI_MAX_IDLE=60
initTimeout 60
retryTimeout 0
pcKeepAliveTimeout 60
respBuffer 0
backlog 50
runOnStartUp 3
extMaxIdleTime 300
priority 3
memSoftLimit 2047M
memHardLimit 2047M
procSoftLimit 500
procHardLimit 600
}
module cache {
internal 1
checkPrivateCache 1
checkPublicCache 1
maxCacheObjSize 10000000
maxStaleAge 200
qsCache 1
reqCookieCache 1
respCookieCache 1
ignoreReqCacheCtrl 1
ignoreRespCacheCtrl 0
enableCache 0
expireInSeconds 3600
enablePrivateCache 0
privateExpireInSeconds 3600
ls_enabled 1
}
virtualhost Example {
vhRoot Example/
configFile conf/vhosts/Example/vhconf.conf
allowSymbolLink 1
enableScript 1
restrained 1
setUIDMode 0
}
virtualhost nginx {
vhRoot $SERVER_ROOT/proxy/
configFile $SERVER_ROOT/conf/vhosts/$VH_NAME/vhconf.conf
allowSymbolLink 0
enableScript 0
restrained 1
}
listener Default {
address *:80
secure 0
map nginx *
}
vhTemplate centralConfigLog {
templateFile conf/templates/ccl.conf
listeners Default
}
vhTemplate EasyRailsWithSuEXEC {
templateFile conf/templates/rails.conf
listeners Default
}
Is the nginx server running on the same machine or a different machine?
I see the proxy address is defined as: address 172.16.0.188:80
but it looks like your listener is also on port 80.
I would also advise again calling the proxy extapp and the virtual host both 'nginx'. That's sure to create confusion at some point.
I see the proxy address is defined as: address 172.16.0.188:80
but it looks like your listener is also on port 80.
I would also advise again calling the proxy extapp and the virtual host both 'nginx'. That's sure to create confusion at some point.
Make sure the external server is accessible from your server "curl http://172.16.0.188"
extprocessor node {
type proxy
address http://172.16.0.188
maxConns 30
initTimeout 600
retryTimeout 0
respBuffer 0
}
context / {
type proxy
handler node
addDefaultCharset off
}
extprocessor node {
type proxy
address http://172.16.0.188
maxConns 30
initTimeout 600
retryTimeout 0
respBuffer 0
}
context / {
type proxy
handler node
addDefaultCharset off
}
Yes I can access http://172.16.0.188 via curl or other text-based browser
Ah correct. I ran into this issue myself at first. I was a bit puzzled that OLS did not create the folder or display a warning that it won't work without it. @Cold-Egg: maybe it would be something worth looking it?
I think this situation happens mostly when using OLS as reverse proxy, where the necessity of creating an empty directory somewhere is not obvious.
I think this situation happens mostly when using OLS as reverse proxy, where the necessity of creating an empty directory somewhere is not obvious.
