Differences

This shows you the differences between two versions of the page.

litespeed_wiki:config:mitigating-ddos-attacks [2019/06/05 14:35]
Lisa Clarke [Enable reCAPTCHA feature] Proofreading
litespeed_wiki:config:mitigating-ddos-attacks [2020/01/07 17:21] (current)
Lisa Clarke [Never set **Use Client IP in Header** to ''Yes'']
Line 121: Line 121:
 To order LiteSpeed Advanced Anti-DDos Setup Service, please [[https://​store.litespeedtech.com/​store/​cart.php?​gid=5|visit our store]]. To order LiteSpeed Advanced Anti-DDos Setup Service, please [[https://​store.litespeedtech.com/​store/​cart.php?​gid=5|visit our store]].
  
 +===== Never set Use Client IP in Header to Yes =====
 +To restore real visitor IPs, navigate to **LiteSpeed WebAdmin Console > Configuration > General Settings** and set **Use Client IP in Header** to ''​Trusted IP Only'',​ and add your CDN such as CloudFlare IPs/subnets to the trusted list. Never set **Use Client IP in Header** to ''​Yes'',​ since clients can spoof IPs with the ''​X-Forwarded-For''​ header that is sent to CloudFlare.
 ===== Troubleshooting ===== ===== Troubleshooting =====
  
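Review bot: The last sentence of the added paragraph gives the reason as the ''X-Forwarded-For'' header "that is sent to CloudFlare", which does not say why ''Yes'' is the unsafe value and ''Trusted IP Only'' is not. Suggest stating the difference directly, for example: "since any client can put an arbitrary address in ''X-Forwarded-For'', and with ''Yes'' the header is honored no matter who sent the request, while ''Trusted IP Only'' honors it only from the addresses in your trusted list." Also, "add your CDN such as CloudFlare IPs/subnets" would read better as "add the IPs/subnets of your CDN (such as CloudFlare)", and the heading says "Never" while the first sentence is about restoring visitor IPs, so a title naming the setting and the recommended value would match the content better.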
Line 160: Line 162:
  ​[NOTICE] [x.x.x.x reached per client hard connection limit: 1, close connection!  ​[NOTICE] [x.x.x.x reached per client hard connection limit: 1, close connection!
  ​[NOTICE] [x.x.x.x] bot detected for vhost [N/A], reason: OverConnHardLimit,​ close connection!  ​[NOTICE] [x.x.x.x] bot detected for vhost [N/A], reason: OverConnHardLimit,​ close connection!
 +</​code>​
 +or
 +<​code>​
 + ​[NOTICE] [x.x.x.x] bot detected for vhost [N/A], reason: OverConnSoftLimit,​ close connection
 </​code>​ </​code>​
  
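Review bot: The added ''OverConnSoftLimit'' sample ends in "close connection" with no "!", while both existing samples end in "close connection!"; please confirm which form the server actually logs, since readers will search their logs for these strings. The bare "or" between the two code blocks also gives no hint of when the soft-limit message appears instead of the hard-limit one, so one sentence distinguishing the two cases would help.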
Line 188: Line 194:
 In LSWS Admin Console Server → Security → Access Control → Allowed List, you can set Trusted IP there with trailing “T”. In LSWS Admin Console Server → Security → Access Control → Allowed List, you can set Trusted IP there with trailing “T”.
  
-=== Set Trusted IP on Virtual Host Level ===  +=== Set Trusted IP on Virtual Host Level .htaccess ​===  
-Since LSWS 5.4RC1, LSWS added virtual host trusted IP support, where you use ''​Trusted 1.2.3.4, 5.6.7.8''​ in Virtual Host document root .htaccess to unblock blocked IP and make that IP trusted for that vhost.+Since LSWS 5.4RC1, LSWS has virtual host trusted IP support, where you may use ''​Trusted 1.2.3.4, 5.6.7.8''​ in the Virtual Host document root .htaccess to unblock ​blocked IP and make that IP trusted for that vhost. This is not the same as the **Trusted IP** configured by Admin at server level. It has no effect on bandwidth. The main effect of adding it in .htaccess is to take that IP off of the blacklist and disable WordPress Protect and reCAPTCHA when accessing that specific virtual host
  
 ==== Drop or Deny ==== ==== Drop or Deny ====
 What if ModSecurity does a drop (TCP FIN) rather than deny for a trusted IP? The trusted list only has an effect on the "​drop"​ action, but not on the "​deny"​ action. A trusted IP won't be added to blacklist, but trust status has no effect on other actions. What if ModSecurity does a drop (TCP FIN) rather than deny for a trusted IP? The trusted list only has an effect on the "​drop"​ action, but not on the "​deny"​ action. A trusted IP won't be added to blacklist, but trust status has no effect on other actions.
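Review bot: In the rewritten paragraph, "It has no effect on bandwidth" is ambiguous: it does not say whether a vhost-level ''Trusted'' IP is still subject to throttling, which is the point a reader needs when comparing it with the server-level **Trusted IP**. Suggest spelling out what the directive changes (removed from the blacklist, WordPress Protect and reCAPTCHA disabled for that vhost) and what it leaves in place. Since the directive lives in the document root .htaccess, it is also worth saying that it is set by whoever can edit that file rather than by the server Admin. Minor: "to unblock blocked IP" needs an article ("a blocked IP"), the final sentence is missing its period, and the new heading "Set Trusted IP on Virtual Host Level .htaccess" reads better as "Set Trusted IP on Virtual Host Level in .htaccess".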
  • Last modified: 2019/06/05 14:35
  • by Lisa Clarke