LiteSpeed Web Server

LiteSpeed Web Server is Fast, Secure and Easy to install / use. Because of this we have decided to review it in the following article.
  1. Core Installation
  2. LiteSpeed is available for different platforms and can be automatically installed. For Linux it comes with intuitive bash script which will take care of everything for you. In most cases you can leave the default options unless you have reasons not to.
  3. PHP Installation / Tweaking
    • Suhosin is useless in most cases. It attempts to secure your scripts which usually only corrupts them. Website security should be implemented in the web application itself.
    • PHP Mail Header Patch is useful in case you'd like to track how a message was sent from the webserver. It will track the exact script responsible and this is essential to website security .
    • The latter 4 options are used for caching. Similarly as with Suhosin, I think Caching should be done within the Application where you have better control over it. Of course, this is true in 99% of the cases but for some large and heavy sites it might be better to use web server caching.
    • From there on the PHP Recompile wizard is quite intuitive and it should complete without any problems. After that just remember to change the default handler for PHP scripts. This can be done from Configuration, Server, Script Handler tab. The choose LiteSpeed Api for Handler Type and lsphp5 or lsphp4 depending on which PHP version you have compiled.
  4. Among LiteSpeed many benefits is the feature to easily install a new version of PHP. You can install the latest PHP 5.3, 5.2, 5.1 and 4.4. This can be done from the admin panel, Actions -> Compile PHP.

    Before doing that please make sure that you have the following installed:

    autoconf, libxml2-dev, libxml2-dev, libpng++-dev, libmysqlclient-dev

    The above are the names of the required packages under Ubuntu but they might differ slight under a different OS.

    Once you have the required packages, from the admin panel choose the version you'd like to build. There you have the following options:

    LiteSpeed PHP Recompile

    Most options can be left the default. I have tweaked only the Add-on modules where I have left checked (to be installed) only PHP Mail Header Patch. 

  5. Adding Virtual Host
  6. A virtual host allows you to serve more than one site on the same IP. Of course, LiteSpeed allows virtual hosts but if you are using the free version you will be limited only to 5 virtual hosts from Apache's configuration. If you are not using Apache configuration but the default litespeed configuration you can have unlimited hosts. The paid version does not have any limits.

    Let's imagine we have to add a new virtual host for example.org. In order to do this follow these steps:

    First: Create a directory for the virtual host. Let's use the server root /usr/local/lsws/ and create a directory called /usr/local/lsws/example.org. Make sure that this directory is owned by the user of the webserver, usually 'nobody'.

    Second: Next go your LiteSpeed Web Admin. From the top menu choose Configuration, Virtual Host Templates. There click on PHP_SuEXEC.

    litespeed add vhost

    Third: In the table Member Virtual Hosts click on Add:

    The first tab should be clear but pay attention to the second General tab. It specifies the document root for the virtual host.

    By default it is $VH_ROOT/public_html/. Since $VH_ROOT in our case is /usr/local/lsws/example.org create a directory /usr/local/lsws/example.org/public_html/. That's where all the files of your site will have to go. This directory (and files inside it) should be owned again by user nobody or the respective LiteSpeed user.

    There are also other settings for the virtual host in the tabs you might want to check. Once done save the settings and click on Instantiate next to your new vhost in the Virtual Host Templates tab. This will add it to the default listener, i.e. make it active by default.

  7. Other important settings
  8. In the admin panel, under Configuration you will find all the important settings. The following are essential:
  • Running As - always use nobody:nogroup or other non-root user. Make sure your web files are owned by this user to avoid issues with write permissions
  • Priority - the lower the value the higher priority. If you don't want to overload the server this could be set to 20 for example.
  • Security tab - under the Security tab you will find different options. Leave them to the default values if you are hosting only one client and hosted sites are trusted. Otherwise, check all the options in details for additional security.
  • Request filter tab - that's probably the most important setting in regards to website security. Request means any data passed from the user to the webserver in the form of GET, POST request or Cookie. Naturally, most security problems appear because of the payload passed in such way. The default values are quite accurate and would prevent common SQL attacks. The rules are similar as the ones for Apache's ModSecurity. So you could check for additional ModSecurity rules for your specific needs.

The above LiteSpeed Web Server review does not cover all everything in details. However, it should have given you some hints on what LiteSpeed is about and which options are important. As a whole, we conclude the LiteSpeed is fast (much faster than Apache), much easier to configure(has intuitive web interface, most operations are automatic) and secure - by default it has more options than Apache or any other web server to improve your website security.


blog comments powered by Disqus