mod_hostinglimits works with existing CGI/PHP modules to put them into LVE context. In most cases the CGI/PHP process is placed into the LVE with the ID of the user the site belongs to. mod_hostinglimits detects the user from the SuexecUserGroup (suexec module), SuPHP_UserGroup (mod_suphp), AssignUserID (MPM ITK) and RUidGid (mod_ruid2) directives.
This can be overridden with the LVEId or LVEUser parameter at the Directory level. Note that those parameters will not work with mod_fcgid and mod_cgid. The order of detection is as follows:
• LVEId
• LVEUser
• SuexecUserGroup
• suPHP_UserGroup
• RUidGid
• AssignUserID
Note. LVE doesn't work for mod_include #include due to its "filter" nature.
Example:
LoadModule hostinglimits_module modules/mod_hostinglimits.so
<IfModule mod_hostinglimits.c>
AllowedHandlers cgi-script php5-script php4-script
SecureLinks On
</IfModule>
Additional notes
mod_hostinglimits (since version 1.0-22) supports min-uid: cagefsctl --set-min-uid=600. The min UID is read when Apache starts or restarts and is kept in memory while Apache runs. If the min UID has changed, restart Apache so that mod_hostinglimits applies the new min UID value. Full min UID is supported only with APR.
The following message should appear: [notice] mod_hostinglimits: found apr extention version 3. This means that the correct APR is installed with mod_hostinglimits.
mod_hostinglimits provides a variable for the Apache CustomLog format string: %{LVE_ID}y. How to use:
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" req for lve %{LVE_ID}y" combined
This writes the following to access_log:
*.*.*.* - - [09/Apr/2015:07:17:06 -0400] "GET /1.php HTTP/1.1" 200 43435 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20100101 Firefox/24.0" req for lve 500
*.*.*.* - - [09/Apr/2015:07:17:06 -0400] "GET /1.php?=PHPE9568F34-D428-11d2-A769-00AA001ACF42 HTTP/1.1" 200 2524 "************/1.php" "Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20100101 Firefox/24.0" req for lve 500
*.*.*.* - - [09/Apr/2015:07:17:06 -0400] "GET /1.php?=PHPE9568F35-D428-11d2-A769-00AA001ACF42 HTTP/1.1" 200 2146 "************/1.php" "Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20100101 Firefox/24.0" req for lve 500
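An added example (not part of the original documentation): a Python script that parses access_log lines written with the LogFormat above and counts, per LVE ID, the total requests and those answered with a limit status. It assumes the limit statuses are 508 (the LVEErrorCode default) or 429 (LVEUse429 on) and that a non-numeric LVE field such as - means no LVE was assigned; the sample lines are constructed.

```python
import re
from collections import defaultdict

# Matches the LogFormat shown above: combined fields, then "req for lve <id>".
# Quoted fields may contain backslash-escaped quotes, as Apache writes them.
QUOTED = r'"(?:[^"\\]|\\.)*"'
LINE_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    + QUOTED + r' (?P<status>\d{3}) \S+ ' + QUOTED + ' ' + QUOTED +
    r' req for lve (?P<lve>\S+)$'
)

# 508 is the LVEErrorCode default; 429 is used when LVEUse429 is on.
LIMIT_STATUSES = {508, 429}


def summarize(lines):
    """Return ({lve_id: {"requests": n, "limited": n}}, unparsed_lines)."""
    stats = defaultdict(lambda: {"requests": 0, "limited": 0})
    unparsed = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m is None:
            unparsed.append(line)  # keep for review instead of dropping silently
            continue
        # Assumption: a non-numeric value (such as "-") means no LVE was assigned.
        lve = int(m["lve"]) if m["lve"].isdigit() else None
        stats[lve]["requests"] += 1
        if int(m["status"]) in LIMIT_STATUSES:
            stats[lve]["limited"] += 1
    return dict(stats), unparsed


# Constructed sample lines (documentation addresses, not real traffic).
SAMPLE = [
    r'192.0.2.10 - - [09/Apr/2015:07:17:06 -0400] "GET /1.php HTTP/1.1" 200 43435 "-" "Mozilla/5.0" req for lve 500',
    r'192.0.2.11 - - [09/Apr/2015:07:17:07 -0400] "GET /shop.php HTTP/1.1" 508 312 "-" "Mozilla/5.0" req for lve 500',
    r'192.0.2.12 - - [09/Apr/2015:07:17:08 -0400] "GET /a.php HTTP/1.1" 429 - "-" "curl/7.29.0" req for lve 501',
    r'192.0.2.13 - - [09/Apr/2015:07:17:09 -0400] "GET /index.html HTTP/1.1" 200 120 "-" "Mozilla/5.0" req for lve -',
    r'192.0.2.14 - - [09/Apr/2015:07:17:10 -0400] "GET /b.php HTTP/1.1" 200 99 "-" "Agent \"quoted\" name" req for lve 501',
    'truncated line without the lve suffix',
]

if __name__ == "__main__":
    stats, bad = summarize(SAMPLE)
    for lve, counts in sorted(stats.items(), key=lambda kv: (kv[0] is None, kv[0] or 0)):
        print(f"lve={lve} requests={counts['requests']} limited={counts['limited']}")
    print(f"unparsed lines: {len(bad)}")
```
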
Installation
cPanel: Installed by default during EasyApache build. Requires lve-stats & lve-utils packages to be installed.
DirectAdmin: Can be built using custombuild:
$ yum install liblve-devel
Plesk:
$ yum install mod_hostinglimits
ISPmanager:
$ yum install mod_hostinglimits
InterWorx:
$ yum install mod_hostinglimits
H-Sphere: Included by default in H-Sphere 3.5+
Standard Apache from RPM:
$ yum install mod_hostinglimits
Custom Apache installation: Compile from the source: http://repo.cloudlinux.com/cloudlinux/sources/mod_hostinglimits.tar.gz
$ wget http://repo.cloudlinux.com/cloudlinux/sources/mod_hostinglimits.tar.gz
Apache Module Identifier: hostinglimits_module
Source Files: mod_hostinglimits.c
Compatibility: MPM prefork, worker, event, ITK
Directives
SecureLinks
Description: Makes sure that, for any virtual host, only files owned by the user specified via SuexecUserGroup (or the other ways described above) are served. For files owned by any other user, Apache will return an Access Denied error. The directive will not affect a VirtualHost without a user ID specified, or with uid < 100.
Syntax: SecureLinks On
Default: SecureLinks Off
Context: server config
Prevents Apache from serving files not owned by the user, stopping symlink attacks against PHP config files.
Example:
SecureLinks On
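An added example (not from the original documentation): a Python audit that lists the entries under a document root not owned by the virtual host's user, which is the set of files SecureLinks On would refuse to serve. It assumes the owner that matters is that of the symlink target; foreign_files and its min_uid parameter are names chosen here.

```python
import os
import pwd
import sys


def foreign_files(docroot, expected_uid, min_uid=100):
    """Return [(path, owner_uid, is_symlink)] for entries not owned by expected_uid.

    owner_uid is None when the entry cannot be stat'ed (for example a dangling
    symlink). Assumption: the owner that matters is that of the symlink target,
    so links are resolved before the comparison.
    """
    if expected_uid < min_uid:
        # Per the directive description, hosts with uid < 100 are not affected.
        return []
    findings = []
    for root, dirs, files in os.walk(docroot):  # does not descend into symlinked dirs
        linked_dirs = [d for d in dirs if os.path.islink(os.path.join(root, d))]
        for name in sorted(files + linked_dirs):
            path = os.path.join(root, name)
            is_link = os.path.islink(path)
            try:
                owner = os.stat(path).st_uid  # os.stat follows symlinks
            except OSError:
                findings.append((path, None, is_link))
                continue
            if owner != expected_uid:
                findings.append((path, owner, is_link))
    return findings


if __name__ == "__main__":
    # Usage (hypothetical paths): python3 audit.py /home/user1/domain.com user1
    docroot, username = sys.argv[1], sys.argv[2]
    uid = pwd.getpwnam(username).pw_uid
    for path, owner, is_link in foreign_files(docroot, uid):
        kind = "symlink" if is_link else "file"
        print(f"{kind}\t{path}\towner={owner}\texpected={uid}")
```

Running it before switching SecureLinks to On shows which requests would start returning Access Denied, and any symlink in the output that resolves to another user's file deserves a closer look.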
SkipErrors
Description: Allow Apache to continue if LVE is not available
Syntax: SkipErrors On
Default: SkipErrors On
Context: server config
Prevents Apache from exiting if LVE is not available.
Example:
SkipErrors Off
AllowedHandlers
Description: List of handlers that should be placed into LVE; supports regexp
Syntax: AllowedHandlers cgi-script %^php% my-script
Default: none
Context: server config
This directive lists the handlers that will be intercepted and placed into LVE.
Example:
Match requests handled by cgi-script handler:
AllowedHandlers cgi-script
Match all requests:
AllowedHandlers *
Match all requests handled by a handler whose name contains PHP:
AllowedHandlers %php%
Match all requests handled by a handler whose name starts with PHP:
AllowedHandlers %^php%
DenyHandlers
Description: List of handlers that should not be placed into LVE; supports regexp
Syntax: DenyHandlers text/html
Default: none
Context: server config
This directive works together with AllowedHandlers to exclude some handlers from being placed into LVE.
Example:
Match all requests except text/*:
AllowedHandlers *
DenyHandlers %text/*%
LVEErrorCode
Description: Error code to display once entry is rejected due to maxEntryProcs
Syntax: values from 500 to 510
Default: 508
Context: directory config
Specifies the error code to use on an LVE error (such as too many concurrent processes running). The message that will be displayed by default is:
Resource Limit Is Reached
The website is temporarily unable to server your request as it exceeded resource limit.
Please try again later.
You can redefine the error message using the ErrorDocument directive.
Example:
LVEErrorCode 508
ErrorDocument 508 508.html
LVEId
Description: Allows setting a separate LVE ID at the directory level. If not set, the user ID of the corresponding user is used.
Syntax: LVEId number
Default: User Id is used
Context: directory config
Specifies the LVE ID for a particular directory.
Example:
<Directory "/home/user1/domain.com/forums">
LVEId 10001
</Directory>
LVEUser
Description: Allows setting a separate LVE ID at the directory level.
Syntax: LVEUser username
Default: none
Context: directory config
Specifies the LVE ID for a particular directory.
Example:
<Directory "/home/user1/domain.com/forums">
LVEUser user1
</Directory>
LVEUserGroupID
Description: Use group ID instead of user ID for LVE container number.
Syntax: LVEUserGroupID On/Off
Default: User Id is used
Context: global config only
If the option is enabled, the group ID will be used instead of the user ID. Apache will display the following strings in the error logs:
mod_hostinglimits: use GroupID instead of UID
mod_hostinglimits: found apr extension version 2
mod_hostinglimits: apr_lve_environment_init_group check ok
If a compatible apr library is not found, the following error message will be displayed in the error logs:
mod_hostinglimits: apr_lve_* not found!!!
Example:
<Directory "/home/user1/domain.com/forums">
LVEUserGroupID On
</Directory>
LVERetryAfter
Description: Returns Retry-After header when LVE error 508 occurs.
Syntax: LVERetryAfter MINUTES
Default: 240 minutes
Context: directory config
Specifies interval for Retry-After header. The Retry-After response-header field can be used to indicate how long the service is expected to be unavailable to the requesting client.
Example:
LVERetryAfter 180
LVESitesDebug
Description: Provides extended debug info for listed sites.
Syntax: LVESitesDebug test.com test2.com
Default: none
Context: directory config
Specifies the virtual hosts for which to provide extra debugging information.
Example:
<Directory "/home/user1/domain.com/forums">
LVESitesDebug abc.com yx.cnet
</Directory>
LVEParseMode
Description: Determines the way LVE ID will be extracted. In Conf
Syntax: LVEParseMode CONF|PATH|OWNER|REDIS
Default: CONF
Context: directory config
In CONF mode, standard way to extract LVE ID is used (SuexecUserGroup, LVEId, or similar directives).
In PATH mode, username is extracted from the home directory path. The default way to match username is via the following regexp: /home/([^/]*)/. Custom regexp can be specified in LVEPathRegexp.
In OWNER mode, the owner of the file is used as an LVE ID.
In REDIS mode, LVE ID is retrieved from Redis database.
Example:
LVEParseMode CONF
LVEPathRegexp
Description: Regexp used to extract username from the path. Used in conjunction with LVEParseMode PATH
Syntax: LVEPathRegexp regexp
Default: /home/([^/]*)/
Context: directory config
Used to extract the username from the path.
Example:
LVEPathRegexp /home/([^/]*)/
LVELimitRecheckTimeout
Description: Timeout in milliseconds, a site will return EP without lve_enter for LA decreasing after this time
Syntax: LVELimitRecheckTimeout number
Default: 0
Context: httpd.conf, virtualhost
Example:
LVELimitRecheckTimeout 1000
LVEUse429
Description: Use 429 error code as code returned on max entry limits (on/off).
Syntax: LVEUse429 on
Default: off
Context: httpd.conf, virtualhost
Example:
LVEUse429 on
Available for RPM based panels, EasyApache 4 and DirectAdmin.