HostingLimits module for Apache

Navigation:  Limits > Integration Components >

HostingLimits module for Apache

 Previous pageReturn to chapter overviewNext page

mod_hostinglimits works with existing CGI/PHP modules, to put them into LVE context. In most cases the CGI/PHP process will be placed into LVE with the ID of the user that sites belongs to. mod_hostinglimits detects the user from SuexecUserGroup (suexec module), SuPHP_UserGroup (from mod_suphp), AssignUserID (MPM ITK), RUidGid (mod_ruid2) directives.

 

This can be overwritten via LVEId or LVEUser parameter on the Directory level. Note that those parameters will not work with mod_fcgid and mod_cgid. The order of detection looks as follows:

 

LVEId
LVEUser
SuexecUserGroup

suPHP_UserGroup

RUidGid
AssignUserID

 

Note. LVE doesn't work for mod_include #include due to its "filter" nature.

 

Example:

LoadModule hostinglimits_module modules/mod_hostinglimits.so
<IfModule mod_hostinglimits.c>
  AllowedHandlers cgi-script php5-script php4-script
  SecureLinks On
</IfModule>

Additional notes

 

mod_hostinglimits (since version 1.0-22) supports min-uid - cagefsctl --set-min-uid=600. Min UID is read on Apache start/restart and stored in the memory during apache runtime. If min UID has changed, you should restart Apache for mod_hostinglimits applying new min UID value. Full min UID is supported only with APR.

 

The following message should appear: [notice] mod_hostinglimits: found apr extention version 3. This means that the correct APR is installed with mod_hostinglimits.

 

mod_hostinglimist has variable for Apache CustomLog format string - %{LVE_ID}y. How to use:

 

LogFormat "%h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i" req for lve %{LVE_ID}y" combined

 

shows in access_log the following info:

*.*.*.* - - [09/Apr/2015:07:17:06 -0400] "GET /1.php HTTP/1.1" 200 43435 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20100101 Firefox/24.0" req for lve 500

*.*.*.* - - [09/Apr/2015:07:17:06 -0400] "GET /1.php?=PHPE9568F34-D428-11d2-A769-00AA001ACF42 HTTP/1.1" 200 2524 "************/1.php" "Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20100101 Firefox/24.0" req for lve 500

*.*.*.* - - [09/Apr/2015:07:17:06 -0400] "GET /1.php?=PHPE9568F35-D428-11d2-A769-00AA001ACF42 HTTP/1.1" 200 2146 "************/1.php" "Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20100101 Firefox/24.0" req for lve 500

Installation

 

cPanel

Installed by default during EasyApache build. Requires lve-stats & lve-utils packages to be installed.

DirectAdmin

Can be built using custombuild:

$ yum install liblve-devel
$ cd /usr/local/directadmin/custombuild
$ ./build update
$ ./build set cloudlinux yes
$ ./build apache
$ ./build rewrite_confs
if you run suphp, then run the following:
$ ./build suphp

 

Plesk

$ yum install mod_hostinglimits

ISPmanager

$ yum install mod_hostinglimits

InterWorx

$ yum install mod_hostinglimits

H-Sphere

Included by default in H-Sphere 3.5+

Standard Apache from RPM

$ yum install mod_hostinglimits

Custom Apache installation

Compile from the source: http://repo.cloudlinux.com/cloudlinux/sources/mod_hostinglimits.tar.gz

$ wget http://repo.cloudlinux.com/cloudlinux/sources/mod_hostinglimits.tar.gz
$ yum install cmake
$ tar -zxvf mod_hostinglimits*.tar.gz
$ cd mod_hostinglimits*
$ cmake .
$ make
$ make install

 

Apache Module Identifier:

hostinglimits_module

Source Files:

mod_hostinglimits.c

Compatibility:

MPM prefork, worker, event, ITK

 

Directives

 

SecureLinks

 

Description:

Makes sure that for any virtual hosts, only files owned by user specified via SuexecUserGroup or other ways as described above are served. For files owned by any other user apache will return Access Denied error. The directive will not affect VirtualHost without user id specified, or with uid < 100

Syntax:

SecureLinks On

Default:

SecureLinks Off

Context:

server config

 

Prevents apache from serving files not owned by user, stopping symlink attacks against php config files.

 

Example:

SecureLinks On

SkipErrors

 

Description:

Allow apache to continue if LVE is not available

Syntax:

SkipErrors On

Default:

SkipErrors On

Context:

server config

 

Prevents Apache from exiting if LVE is not available.

 

Example:

SkipErrors Off

AllowedHandlers

 

Description:

List of handlers that should be placed into LVE, support regexp

Syntax:

AllowedHandlers cgi-script %^php%  my-script

Default:

none

Context:

server config

 

This directive allows to list handlers which will be intercepted and placed into LVE.

 

Example:

 

Match requests handled by cgi-script handler:

AllowedHandlers cgi-script 


Match all requests:

AllowedHandlers *


Match all requests that handled by handler that contains PHP:

AllowedHandlers %php%


Match all requests handled by handler that starts with PHP:

AllowedHandlers %^php%

DenyHandlers

 

Description:

List of handlers that should not be placed into LVE, support regexp

Syntax:

DenyHandlers text/html

Default:

none

Context:

server config

 

This directive works together with AllowHandlers, to exclude some handlers from being allowed in LVE.

 

Example:

 

Match all requests, but text/*

AllowedHandlers *
DenyHandler %text/*%

LVEErrorCode

 

Description:

Error code to display once entry is rejected due to maxEntryProcs

Syntax:

values from 500 to 510

Default:

508

Context:

directory config

 

Specifies ErrorCode to use on LVE error (like too many concurrent processes running). The message that will be displayed by default is:

Resource Limit Is Reached
The website is temporarily unable to server your request as it exceeded resource limit.
Please try again later.
You can redefine error message using ErrorDocument directive

Example:

LVEErrorCode 508
ErrorDocument 508 508.html

LVEid

 

Description:

Allows to setup separate LVE ID on per directory level. If not set, user ID of a corresponding user is used.

Syntax:

LVEId number

Default:

User Id is used

Context:

directory config

 

Specifies LVE id for particular directory

 

Example:

<Directory "/home/user1/domain.com/forums">
  LVEId 10001
</Directory>

LVEUser

 

Description:

Allows to setup separate LVE ID on per directory level.

Syntax:

LVEUser username

Default:

none

Context:

directory config

 

Specifies LVE ID for particular directory.

 

Example:

<Directory "/home/user1/domain.com/forums">

  LVEUser user1

</Directory>

LVEUserGroupID

 

Description:

Use group ID instead of user ID for LVE container number.

Syntax:

LVEUserGroupID On/Off

Default:

User Id is used

Context:

global config only

 

If the option enabled, group ID will be used instead of a user ID. Apache will display the following string in error logs:

mod_hostinglimits: use GroupID instead of UID 
mod_hostinglimits: found apr extension version 2 
mod_hostinglimits: apr_lve_environment_init_group check ok

If a compatible apr library is not found, the following error message will be display in error logs.

mod_hostinglimits:  apr_lve_* not found!!!

Example:

<Directory "/home/user1/domain.com/forums">
  LVEUserGroupID On
</Directory>

LVERetryAfter

 

Description:

Returns Retry-After header when LVE error 508 occurs.

Syntax:

LERetryAfter MINUTES

Default:

240 minutes

Context:

directory config

 

Specifies interval for Retry-After header.  The Retry-After response-header field can be used to indicate how long the service is expected to be unavailable to the requesting client.

 

Example:

LVERetryAfter 180

LVESitesDebug

 

Description:

Provides extended debug info for listed sites.

Syntax:

LVESitesDebug test.com test2.com

Default:

none

Context:

directory config

 

Specifies virtual hosts to provide extra debugging information.

 

Example:

<Directory "/home/user1/domain.com/forums">
  LVESitesDebug abc.com yx.cnet
</Directory>

LVEParseMode

 

Description:

Determines the way LVE ID will be extraced. In Conf

Syntax:

LVEParseMode CONF|PATH|OWNER|REDIS

Default:

CONF

Context:

directory config

 

In CONF mode, standard way to extract LVE ID is used (SuexecUserGroup, LVEId, or similar directives).

 

In PATH mode, username is extracted from the home directory path. The default way to match username is via the following regexp: /home/([^/]*)/. Custom regexp can be specified in LVEPathRegexp.

 

In OWNER mode, the owner of the file is used as an LVE ID.

 

In REDIS mode, LVE ID is retrieved from Redis database.

 

Example:  

 

LVEParseMode CONF

LVEPathRegexp

 

Description:

Regexp used to extract username from the path. Used in conjuction with LVEParseMode PATH

Syntax:

LVEPathRegexp regexp

Default:

/home/([^/]*)/

Context:

directory config

 

Used to extract usersname via path.

 

Example:  

LVEPathRegexp /home/([^/]*)/

LVELimitRecheckTimeout

 

Description:

Timeout in milliseconds, a site will return EP without lve_enter for LA decreasing after this time

Syntax:

LVELimitRecheckTimeout number

Default:

0

Context:

httpd.conf, virtualhost

 

Example:

LVELimitRecheckTimeout 1000

LVEUse429

 

Description:

Use 429 error code as code returned on max entry limits (on/off).

Syntax:

LVEUse429 on

Default:

off

Context:

httpd.conf, virtualhost

 

Example:

LVEUse429 on

Available for RPM based panels, EasyApache 4 and DirectAdmin.