LSWS and Mod_security

[Mask]

Hello,

I am currently using Trial license and I am looking forward to get 1CPU license for my server. I have been using Varnish (via Unixy plugin) and mod_security (with latest rules from ASL) till now and they have been working just fine. But I do see that with LSWS, I site is loading a bit quicker and especially with more concurrent users, its looking great.

However, since the site gets attack often, I need to use mod_security on it. But reading all the threads here I am getting really worried. Is LSWS not compatible with Mod_security ??? Most people seems to have issues with it?? On my trial setup, everytime I restart LSWS I get this message in log viewer

ERROR [ModSecurity] unknown server variable while parsing: MULTIPART_STRICT_ERROR

And that;s when I don't have any ASL rules. (just compiled it via easyapache).

So, before I go purchase the license, please let me know if I can use mod_security rules from ASL just like I will use them with Apache. (I am using LSWS with cPanel).

Thanks
Mask

 

[mistwang]

Please read
http://www.litespeedtech.com/support/wiki/doku.php?id=litespeed_wiki:mod_security_compatibility

Most rules will work fine, if there are minor compatibility issue, we will fix it.
MULTIPART_STRICT_ERROR is not supported.

 

[Mask]

Thanks you so much. That's what I wanted to know that I will get help too get things working
....
Ok here is the first one. I am using cP/WHM with PHP 5.3.27 and Latest mod_security and paid rules from Atomic Secure Linux. (Using CSF and CMC from ConfigServer)
With Apache, everything works fine.

When I switch to LSWS, I can not login to WP-Admin, it gives 403 error with the message.

[26/Aug/2013:19:42:08 -0700] - 192.168.1.1 60361 127.0.0.1:80 80
--48f01da6-B--
POST /wp-login.php HTTP/1.1
Host: example.com
Connection: keep-alive
Content-Length: 112
Cache-Control: max-age=0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Origin: http://example.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/29.0.1547.57 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Referer: http://example.com/wp-login.php?redirect_to=http%3A%2F%2Fexample.com%2Fwp-admin%2F&reauth=1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-GB,en-US;q=0.8,en;q=0.6
Cookie: __qca=P0-1998578287-1377539979392; __gads=ID=841d9ef778d9942e:T=1377539981:S=ALNI_MYZP_0llAHJra_iI-M9ppW_xeKMvQ; bb_; bb_lastvisit=1377539989; bb_lastactivity=0; PHPSESSID=a01d5a5526e29f53ea5f82142518629b; _ga=GA1.2.522719876.1377539978; __utma=160960380.522719876.1377539978.1377539978.1377544922.2; __utmc=160960380; __utmz=160960380.1377539978.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); wordpress_test_cookie=WP+Cookie+check

--48f01da6-F--
HTTP/1.1 403 Forbidden

--48f01da6-H--
Message: [client 192.168.1.1] mod_security: Access denied with code 403, [Rule: 'TX:0' '!^%{tx.allowed_request_content_type}$'] [ID "391213"] [Msg "Atomicorp.com WAF Rules: Request content type is not allowed by policy"] [severity "WARNING"] [MatchedString "application/x-www-form-urlencoded"]

With Apache, CMC actually will report which rule file it is. (for any alert). With LSWS, it gives no such info. I have to use Grep to find out which files have 391213 rule id.
In this case, there were two files: 01_asl_content.conf and waf_classes.conf
I removed 01_asl_content.conf and I was able to login to WP-Admin.

I can provide 01_asl_content.conf if needed.

Please help. I have changed actual domain with example.com, my (client) IP with 192.168.1.1 and server IP with 127.0.0.1 above.

 

[mistwang]

Yes, please send a copy of 01_asl_content.conf to bug@litespeed... or attach to a PM to me.

 

[mistwang]

Also we need the whole request trigger it.

The easiest way is to use chrome tools->"Developer Tool". click "network" tab. locate the request url, right click, then select "Copy as cURL". paste it to a text file, then send it to us.

It does not matter the offending rule has been commented out or not.

 

[mistwang]

We will try the request data in the log first. maybe it will work.

 

[Mask]

Thanks a lot for your prompt response.
I tried to send you PM but couldn't how to attach the file. Sent you email instead.

I be happy to provide any other info to get it sorted.

 

[mistwang]

issue fixed with latest 4.2.4 build. please do a force reinstall from web console or with command

/usr/local/lsws/admin/misc/lsup.sh -f -v 4.2.4

 

[stormy]

Can you confirm then that these rules work with Litespeed 4.2.4? That would be great!