HostingLimits module for Apache


mod_hostinglimits works together with the existing CGI/PHP modules to place their processes into an LVE context. In most cases the CGI/PHP process is placed into the LVE whose ID is the UID of the user the site belongs to. mod_hostinglimits detects that user from the SuexecUserGroup (mod_suexec), suPHP_UserGroup (mod_suphp), AssignUserID (MPM ITK) and RUidGid (mod_ruid2) directives.

 

This can be overridden with the LVEId or LVEUser parameter at the Directory level. Note that those parameters do not work with mod_fcgid and mod_cgid. The order of detection is as follows (the first source that yields a value wins):

 

LVEId
LVEUser
SuexecUserGroup
suPHP_UserGroup
RUidGid
AssignUserID

 

LVE does not work for mod_include #include directives, because mod_include operates as an output filter rather than as a handler.

 

Example:

 

LoadModule hostinglimits_module modules/mod_hostinglimits.so
<IfModule mod_hostinglimits.c>
  AllowedHandlers cgi-script php5-script php4-script
  SecureLinks On
</IfModule>

 

Additional notes

 

Starting with version 1.0-22, mod_hostinglimits honours the CageFS minimum UID (cagefsctl --set-min-uid=600). The min UID is read on Apache start/restart and kept in memory while Apache runs, so after changing it you must restart Apache for mod_hostinglimits to apply the new value. Full min UID support is available only with the APR build that provides the apr_lve_* extension.

When that APR is installed, the following message appears in the Apache error log on start: [notice] mod_hostinglimits: found apr extension version 3. This confirms that the correct APR is installed alongside mod_hostinglimits.

 

mod_hostinglimits provides a variable for the Apache CustomLog/LogFormat format string, %{LVE_ID}y, which records the LVE ID the request was served in. Usage (the inner quotes must be backslash-escaped inside the LogFormat string):

 

LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" req for lve %{LVE_ID}y" combined

 

which produces access_log entries like the following (addresses and referers redacted):

 

*.*.*.* - - [09/Apr/2015:07:17:06 -0400] "GET /1.php HTTP/1.1" 200 43435 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20100101 Firefox/24.0" req for lve 500

*.*.*.* - - [09/Apr/2015:07:17:06 -0400] "GET /1.php?=PHPE9568F34-D428-11d2-A769-00AA001ACF42 HTTP/1.1" 200 2524 "************/1.php" "Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20100101 Firefox/24.0" req for lve 500

*.*.*.* - - [09/Apr/2015:07:17:06 -0400] "GET /1.php?=PHPE9568F35-D428-11d2-A769-00AA001ACF42 HTTP/1.1" 200 2146 "************/1.php" "Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20100101 Firefox/24.0" req for lve 500
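The LVE ID field is most useful when you aggregate it: it tells you which LVE (and therefore which customer) produced the requests that were rejected with the LVEErrorCode. The following parser is an added example written for this page, not code shipped with mod_hostinglimits. It assumes the LogFormat shown above and constructs its own sample lines; the addresses, paths and LVE IDs in them are made up.

```python
import re
from collections import Counter

# Matches the "combined" format with the trailing "req for lve %{LVE_ID}y"
# field from the LogFormat above. Only the fields used below are named.
LVE_LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<bytes>\S+) '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)" req for lve (?P<lve>\S+)$'
)

# Constructed sample log (not taken from a real server). LVE 500 serves its
# requests normally; LVE 10001 has hit its limit and gets the default 508.
# The last line is deliberately malformed to show that it is skipped.
SAMPLE_LOG = """\
203.0.113.10 - - [09/Apr/2015:07:17:06 -0400] "GET /1.php HTTP/1.1" 200 43435 "-" "Mozilla/5.0" req for lve 500
203.0.113.10 - - [09/Apr/2015:07:17:06 -0400] "GET /1.php?x=1 HTTP/1.1" 200 2524 "http://example.com/1.php" "Mozilla/5.0" req for lve 500
198.51.100.7 - - [09/Apr/2015:07:17:07 -0400] "GET /shop/ HTTP/1.1" 508 0 "-" "Mozilla/5.0" req for lve 10001
198.51.100.7 - - [09/Apr/2015:07:17:08 -0400] "GET /shop/cart HTTP/1.1" 508 0 "-" "Mozilla/5.0" req for lve 10001
this line is not in the expected format
"""


def parse_lve_log(text):
    """Parse access_log text written with the LogFormat above.

    Returns (records, skipped): a list of dicts for the lines that matched
    and the number of lines that did not (rotated-in lines from another
    vhost, truncated writes, and so on).
    """
    records, skipped = [], 0
    for line in text.splitlines():
        if not line.strip():
            continue
        m = LVE_LOG_RE.match(line)
        if m is None:
            skipped += 1
            continue
        rec = m.groupdict()
        rec["status"] = int(rec["status"])
        records.append(rec)
    return records, skipped


def lve_summary(records, limit_status=508):
    """Per-LVE (total requests, requests rejected with limit_status).

    limit_status defaults to 508, the LVEErrorCode default; pass the code
    you configured if you changed it.
    """
    total, limited = Counter(), Counter()
    for r in records:
        total[r["lve"]] += 1
        if r["status"] == limit_status:
            limited[r["lve"]] += 1
    return {lve: (total[lve], limited[lve]) for lve in total}


def lves_hitting_limits(records, limit_status=508):
    """LVE IDs that had at least one request rejected by the limit."""
    summary = lve_summary(records, limit_status)
    return sorted(lve for lve, (_, rejected) in summary.items() if rejected)


if __name__ == "__main__":
    recs, bad = parse_lve_log(SAMPLE_LOG)
    for lve, (n, rejected) in sorted(lve_summary(recs).items()):
        print(f"lve {lve}: {n} requests, {rejected} rejected")
    print(f"{bad} unparseable line(s); LVEs at limit: {lves_hitting_limits(recs)}")
```

Feed it a real log with `parse_lve_log(open(path).read())`; the LVE IDs it reports map directly onto the IDs shown by the lve-stats tools, so a spike of 508s for one ID points at one account rather than at the whole server.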

 

Installation

 

cPanel

Installed by default during EasyApache build. Requires lve-stats & lve-utils packages to be installed.

DirectAdmin

Can be built using custombuild:

$ yum install liblve-devel
$ cd /usr/local/directadmin/custombuild
$ ./build update
$ ./build set cloudlinux yes
$ ./build apache
$ ./build rewrite_confs

If you run suPHP, also run:

$ ./build suphp

Plesk

$ yum install mod_hostinglimits

ISPmanager

$ yum install mod_hostinglimits

InterWorx

$ yum install mod_hostinglimits

H-Sphere

Included by default in H-Sphere 3.5+

Standard Apache from RPM

$ yum install mod_hostinglimits

Custom Apache installation

Compile from source: http://repo.cloudlinux.com/cloudlinux/sources/mod_hostinglimits.tar.gz

$ wget http://repo.cloudlinux.com/cloudlinux/sources/mod_hostinglimits.tar.gz
$ yum install cmake
$ tar -zxvf mod_hostinglimits*.tar.gz
$ cd mod_hostinglimits*
$ cmake .
$ make
$ make install

 

Apache Module Identifier:

hostinglimits_module

Source Files:

mod_hostinglimits.c

Compatibility:

MPM prefork, worker, event, ITK

 

Directives

 

SecureLinks

Description:

Ensures that, for any virtual host, only files owned by the user determined via SuexecUserGroup or the other methods described above are served. For files owned by any other user Apache returns an Access Denied error. The directive does not affect VirtualHosts without a user ID specified, or whose UID is below 100.

Syntax:

SecureLinks On

Default:

SecureLinks Off

Context:

server config

Prevents Apache from serving files not owned by the site's user. This stops the classic shared-hosting symlink attack, in which one account creates a symlink pointing at another account's PHP configuration file (for example to read database credentials) and has Apache serve it: the link target is owned by the other user, so the request is denied.

 

Example:

 

SecureLinks On

 

 

SkipErrors

Description:

Allows Apache to continue if LVE is not available

Syntax:

SkipErrors On

Default:

SkipErrors On

Context:

server config

Prevents Apache from exiting if LVE is not available. Set it to Off if you prefer Apache to refuse to start rather than run without LVE limits.

 

Example:

 

SkipErrors Off

 

 

AllowedHandlers

Description:

List of handlers whose requests are placed into LVE; regexps are supported

Syntax:

AllowedHandlers cgi-script %^php%  my-script

Default:

none

Context:

server config

This directive lists the handlers that are intercepted and placed into LVE. Only requests served by a listed handler are placed into LVE.

 

Example:

 

Match requests handled by cgi-script handler:

 

AllowedHandlers cgi-script

 
Match all requests:

 

AllowedHandlers *

 
Match all requests served by a handler whose name contains php:

 

AllowedHandlers %php%

 
Match all requests handled by handler that starts with php:

 

AllowedHandlers %^php%

 

 

DenyHandlers

Description:

List of handlers that should not be placed into LVE; regexps are supported

Syntax:

DenyHandlers text/html

Default:

none

Context:

server config

This directive works together with AllowedHandlers, to exclude some handlers that AllowedHandlers would otherwise match.

Example:

Match all requests except text/*:

AllowedHandlers *
DenyHandlers %text/*%
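Because AllowedHandlers and DenyHandlers decide which requests are limited at all, it is worth checking a policy against the handler names your server actually uses before relying on it. The following is an added example written for this page, not the module's own matching code. It assumes the semantics implied by the examples above: `*` matches every handler, a `%...%` token is a regular expression searched for within the handler name (so `%php%` means "contains php" and `%^php%` means "starts with php"), any other token must match the handler name exactly, and a request with no handler set is never placed into LVE. Verify those assumptions against your installation.

```python
import re


def _compile_pattern(token):
    """Turn one AllowedHandlers/DenyHandlers token into a predicate.

    Assumed semantics (inferred from the documented examples, not from the
    module source): '*' matches everything, '%regex%' is searched within the
    handler name, anything else is an exact handler name.
    """
    if token == "*":
        return lambda handler: True
    if len(token) >= 2 and token.startswith("%") and token.endswith("%"):
        rx = re.compile(token[1:-1])
        return lambda handler: rx.search(handler) is not None
    return lambda handler: handler == token


class HandlerPolicy:
    """Models an AllowedHandlers line plus an optional DenyHandlers line."""

    def __init__(self, allowed, denied=""):
        self.allowed = [_compile_pattern(t) for t in allowed.split()]
        self.denied = [_compile_pattern(t) for t in denied.split()]

    def goes_into_lve(self, handler):
        """True if a request served by `handler` would be placed into LVE.

        `handler` is the Apache handler name (e.g. 'cgi-script'); None means
        the request has no handler, which is assumed to mean 'not limited'.
        """
        if handler is None:
            return False
        if not any(match(handler) for match in self.allowed):
            return False
        return not any(match(handler) for match in self.denied)


if __name__ == "__main__":
    # The policy from the configuration example at the top of this page.
    exact = HandlerPolicy("cgi-script php5-script php4-script")
    # '%text/*%' is the regex 'text/*', i.e. 'text' followed by zero or more
    # slashes, so it also denies any handler that merely contains 'text'.
    broad = HandlerPolicy("*", "%text/*%")
    # Anchoring the deny pattern limits it to names that begin with 'text/'.
    tight = HandlerPolicy("*", "%^text/%")
    for name in ("php5-script", "application/x-httpd-php", "text/html",
                 "context-handler", None):
        print(f"{name!s:26} exact={exact.goes_into_lve(name)!s:5} "
              f"broad={broad.goes_into_lve(name)!s:5} "
              f"tight={tight.goes_into_lve(name)}")
```

The `application/x-httpd-php` case is the one to watch: an exact list such as `cgi-script php5-script php4-script` does not cover a handler name like that, whereas `%php%` does, so a PHP setup that uses a MIME-type style handler name can silently run outside LVE with the exact list.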

 

 

LVEErrorCode

Description:

HTTP error code returned when a request is rejected because the LVE's maxEntryProcs limit is reached

Syntax:

LVEErrorCode code (values from 500 to 510)

Default:

508

Context:

directory config

Specifies the error code to use on an LVE error (such as too many concurrent processes running). The message displayed by default is:

 

Resource Limit Is Reached
The website is temporarily unable to serve your request as it exceeded resource limit.
Please try again later.

You can redefine the error message using the ErrorDocument directive.

 

Example:

 

LVEErrorCode 508
ErrorDocument 508 508.html

 

 

LVEId

Description:

Sets a separate LVE ID at the directory level. If not set, the user ID of the corresponding user is used

Syntax:

LVEId number

Default:

User ID is used

Context:

directory config

Specifies the LVE ID for a particular directory

Example:

<Directory "/home/user1/domain.com/forums">
 LVEId 10001
</Directory>

 

 

LVEUser

Description:

Sets a separate LVE at the directory level by username; the LVE ID of the named user is used.

Syntax:

LVEUser username

Default:

none

Context:

directory config

Specifies the user whose LVE ID is used for a particular directory

Example:

<Directory "/home/user1/domain.com/forums">
 LVEUser user1
</Directory>        

 

 

LVEUserGroupID

Description:

Use the group ID instead of the user ID as the LVE container number

Syntax:

LVEUserGroupID On/Off

Default:

Off (user ID is used)

Context:

global config only

If this option is enabled, the group ID is used instead of the user ID, and Apache writes the following lines to the error log:

mod_hostinglimits: use GroupID instead of UID
mod_hostinglimits: found apr extension version 2
mod_hostinglimits: apr_lve_environment_init_group check ok

If a compatible APR library is not found, the following error appears in the error log:

mod_hostinglimits:  apr_lve_* not found!!!

Example:

<Directory "/home/user1/domain.com/forums">
 LVEUserGroupID On
</Directory>

 

LVERetryAfter

Description:

Returns a Retry-After header when the LVE error (508 by default) occurs.

Syntax:

LVERetryAfter MINUTES

Default:

240 minutes

Context:

directory config

Specifies the interval, in minutes, sent in the Retry-After header. The Retry-After response header indicates to the requesting client how long the service is expected to be unavailable.

Example:

LVERetryAfter 180

 

LVESitesDebug

Description:

Provides extended debug info for listed sites

Syntax:

LVESitesDebug test.com test2.com

Default:

none

Context:

directory config

Specifies the virtual hosts for which extra debugging information is written to the error log

Example:

<Directory "/home/user1/domain.com/forums">
 LVESitesDebug abc.com yx.cnet
</Directory>

 

LVEParseMode

Description:

Determines how the LVE ID is extracted.

Syntax:

LVEParseMode CONF|PATH|OWNER|REDIS

Default:

CONF

Context:

directory config

In CONF mode, the standard way to extract the LVE ID is used (SuexecUserGroup, LVEId, or the similar directives listed above).

In PATH mode, the username is extracted from the home directory path. By default the username is matched with the regexp /home/([^/]*)/. A custom regexp can be specified with LVEPathRegexp.

In OWNER mode, the owner of the requested file is used as the LVE ID.

In REDIS mode, the LVE ID is retrieved from a Redis database.

Example:  

LVEParseMode CONF

 

LVEPathRegexp

Description:

Regexp used to extract the username from the path. Used in conjunction with LVEParseMode PATH

Syntax:

LVEPathRegexp regexp

Default:

/home/([^/]*)/

Context:

directory config

Used to extract the user's name from the path. The first capture group of the regexp is taken as the username.

Example:  

LVEPathRegexp /home/([^/]*)/
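Before switching a server to LVEParseMode PATH, run your document roots through the regexp you intend to use; a path that does not match yields no username and the request is not attributed to the account you expect. The following is an added example written for this page, not the module's own extraction code. It assumes search (unanchored) matching, that the first capture group is the username, and that a non-match or an empty match means no user could be determined; the sample paths are made up.

```python
import re

# The documented default for LVEPathRegexp.
DEFAULT_LVE_PATH_REGEXP = r"/home/([^/]*)/"


def username_from_path(path, regexp=DEFAULT_LVE_PATH_REGEXP):
    """Extract the username from a filesystem path as LVEParseMode PATH would.

    Assumed behaviour (not verified against the module source): the regexp
    is searched anywhere in the path, group 1 is the username, and a
    non-match, a regexp without a capture group, or an empty capture all
    mean "no user determined" (returned here as None).
    """
    m = re.search(regexp, path)
    if m is None or m.lastindex is None:
        return None
    user = m.group(1)
    return user or None


if __name__ == "__main__":
    # Constructed sample paths, one per pitfall worth knowing about.
    cases = [
        # Happy path: cPanel-style home directory.
        ("/home/user1/domain.com/forums/index.php", DEFAULT_LVE_PATH_REGEXP),
        # No trailing slash after the username: the default regexp needs one.
        ("/home/user1", DEFAULT_LVE_PATH_REGEXP),
        # Second home partition: "/home2/" never matches "/home/".
        ("/home2/bob/public_html/index.php", DEFAULT_LVE_PATH_REGEXP),
        # Unanchored search picks "/home/" out of a deeper path.
        ("/srv/backups/home/mallory/index.php", DEFAULT_LVE_PATH_REGEXP),
        # Anchoring with ^ prevents that.
        ("/srv/backups/home/mallory/index.php", r"^/home/([^/]*)/"),
        # Plesk-style layout needs a custom regexp.
        ("/var/www/vhosts/example.com/httpdocs/index.php",
         r"/var/www/vhosts/([^/]*)/"),
    ]
    for path, rx in cases:
        print(f"{rx:32} {path:48} -> {username_from_path(path, rx)!r}")
```

The anchoring case is the one with security weight: if a vhost's DocumentRoot can legitimately contain `/home/<something>/` deeper in the path, an unanchored regexp attributes that vhost's processes to whatever `<something>` is, so prefer a pattern anchored with `^` once you know your layout.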