LSWS Server & virtual hosts handling IP deny errors & RFC 2616 etc

brrr

Well-Known Member
#1
This may be a bug or a feature in LSWS 3 Standard Ed. - I'm not sure. Probably a bug.

Under Apache, if you deny a remote IP address from accessing your server server-wide via httpd.conf - eg:

Code:
<Files *>
Order Allow,Deny
Allow from all
Deny from 123.456.789.000
</Files>
the server generates a "403: Forbidden" response and the client sees whatever you have defined as the handler of 403 responses. Furthermore, the error gets logged.

Also, under Apache, if you define the same sort of block on a virtual host basis:

Code:
<VirtualHost 111.111.111.111:80>
ServerName foobar.com
<Directory /var/www/foobar.com/public_html>
Order Allow,Deny
Allow from all
Deny from 123.456.789.000
</Directory>
</VirtualHost>
etc
the virtual host behaves the same way as the server-wide Apache settings - a 403 is generated as a result of the access attempt, this 403 response is passed to the client, and the result is logged.

However LSWS 3 Std Ed. doesn't behave this way.

When a visitor to your LSWS site from IP address 123.456.789.000 hits an IP address block you've defined globally (under LSWS Server >Security) to deny from access to the server - ie:
Code:
<accessControl>
<allow>ALL</allow>
<deny>123.456.789.000</deny>
</accessControl>
when that remote IP address attempts to visit the server, rather than generate a formal response to the client (eg a "403: Forbidden" textual error or a custom error page) LSWS just simply drops the connection to the remote IP address, and does not pass any information to the remote IP address about what has happened, nor deliver any error page.

The remote client sees nothing at all and the connection just drops, eventually. Furthermore, nothing is logged by LSWS in any access or error logs about the event.

However LSWS behaves differently (and more like Apache) when an IP address is denied at the virtual host level.

If you tell LSWS to deny the same IP address only at a virtual host level (under Virtual host foobar > Security), then LSWS generates a conventional 403 response, and the client sees whatever you have defined as the handler for 403 responses. Plus a 403 error gets fully logged in the access log for the virtual host, and the server error log records the incident like so:

DATE TIME [INFO] [123.456.789.000-0#foobar.com] [ACL] Access to virtual host [foobar.com] is denied.
I would really like it if LSWS would behave the same way at the SERVER level as it does at the VIRTUAL HOST level - ie properly send out a 403 response when it denies access, and log the event.

I have a lot of IP addresses that I need to block from accessing the sites I have on my server, and it is much more efficient (and far less work) to block those IP addresses at the server level than attempting to do so at the virtual host level. I would also like to have any 403 errors defined at the server-wide level to be recorded in a log.

Not only is this LSWS behaviour a potential Apache incompatibility, but this behaviour at the server-wide level may mean LSWS could be breaking RFC 2616 for the Hypertext Transfer Protocol HTTP/1.1 since:
(a) under the RFC HTTP clients are led to expect a meaningful response code from the server for such events, and
(b) the HTTP server should, according to the RFC, describe the reason for why the request was not fulfilled, which LSWS isn't doing consistently here.

http://www.w3.org/Protocols/rfc2616/rfc2616-sec6.html

This behaviour has bugged me for a long time: see the end of:
http://www.litespeedtech.com/support/forum/showthread.php?t=1569

It would be great if this bug could be addressed.
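The two behaviours described in this thread (a silent connection drop versus a proper 403 response) can be told apart from the client side with a small probe. The following is an added example, not code from the post or from LiteSpeed; `fake_server` is a constructed local stand-in that imitates each behaviour so the probe can be exercised offline, and `probe_http` can be pointed at a real host and port to check which response a denied address actually receives.

```python
import socket
import threading


def probe_http(host: str, port: int, path: str = "/", timeout: float = 3.0) -> str:
    """Send a minimal HTTP/1.1 GET and classify the server's reaction.

    Returns the status code ("403", "200", ...) when a status line comes back,
    "dropped" when the connection is closed or reset with no bytes at all
    (the server-level deny behaviour described above), "refused" when the
    port is closed, and "garbled" when bytes arrive that are not HTTP.
    """
    request = f"GET {path} HTTP/1.1\r\nHost: {host}\r\nConnection: close\r\n\r\n".encode()
    chunks = []
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.sendall(request)
            while True:
                data = sock.recv(4096)
                if not data:  # orderly close (FIN) from the server
                    break
                chunks.append(data)
    except ConnectionRefusedError:
        return "refused"
    except (ConnectionResetError, socket.timeout):
        return "dropped"
    raw = b"".join(chunks)
    if not raw:
        return "dropped"  # connection closed without any response
    status_line = raw.split(b"\r\n", 1)[0].decode("latin-1", "replace")
    parts = status_line.split()
    if len(parts) >= 2 and parts[0].startswith("HTTP/"):
        return parts[1]
    return "garbled"


def fake_server(behaviour: str) -> int:
    """Constructed one-shot loopback listener (hypothetical, not LSWS).

    behaviour="403": answer with an empty 403 like the virtual-host deny.
    anything else:   read the request and close with no reply, like the
                     server-level deny. Returns the bound port.
    """
    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    port = listener.getsockname()[1]

    def serve() -> None:
        conn, _ = listener.accept()
        conn.recv(4096)  # consume the request before reacting
        if behaviour == "403":
            conn.sendall(b"HTTP/1.1 403 Forbidden\r\nContent-Length: 0\r\nConnection: close\r\n\r\n")
        conn.close()
        listener.close()

    threading.Thread(target=serve, daemon=True).start()
    return port
```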