Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Both sides previous revision Previous revision
Next revision
Previous revision
Last revision Both sides next revision
litespeed_wiki:config:recaptcha [2019/06/10 14:53]
Jackson Zhang [Enable reCAPTCHA for Control Panel Virtual Hosts Through Rewrite Rules]
litespeed_wiki:config:recaptcha [2020/01/23 19:42]
George Wang [End-user can define reCAPTCHA Actions Through Rewrite Rules in .htaccess]
Line 3: Line 3:
 As of LiteSpeed WebServer 5.4RC1, reCAPTCHA is available as a method of defense against DDoS attack. As of LiteSpeed WebServer 5.4RC1, reCAPTCHA is available as a method of defense against DDoS attack.
  
-===== How To Enable at the Server Level =====+===== Enable ​Globally ​at the Server Level =====
  
 Access the WebAdmin console via ''<​nowiki>​https://​YOUR_SERVER_IP:​7080 </​nowiki>''​ Access the WebAdmin console via ''<​nowiki>​https://​YOUR_SERVER_IP:​7080 </​nowiki>''​
Line 12: Line 12:
  
  
-Set **Enable reCAPTCHA** to ''​Yes''​. This is the master switch and it is required for both control panel environment and LSWS native environment. ​+Set **Enable reCAPTCHA** to ''​Yes''​. This is the master switch and it is required for both control panel environment and an LSWS native environment. ​It will enable the reCAPTCHA feature for all control panel Apache virtual hosts as well as LSWS native virtual hosts globally. It may be overridden at the virtual host level.  ​
  
 For other options, hover over the ''?''​ symbol to view detailed information about that option. For other options, hover over the ''?''​ symbol to view detailed information about that option.
  
- +For demonstration purposes, we will set **Trigger Sensitivity** to maximum (''​100''​),​ and **reCAPTCHA Type** to ''​Checkbox''​. ​You  ​may adjust these values according to your needs. Save and restart LSWS. This sensitivity setting will be inherited by all control panel Apache virtual hosts and LSWS native virtual hosts unless overridden at the virtual host level
-For demonstration purposes, we will set **Trigger Sensitivity** to maximum (''​100''​),​ and **reCAPTCHA Type** to ''​Checkbox''​. ​You  may adjust these values according to your needs. Save and restart LSWS.+
  
 {{:​litespeed_wiki:​config:​recaptcha2.jpg|}} {{:​litespeed_wiki:​config:​recaptcha2.jpg|}}
  
  
-When a visitor accesses the website , they will need to go though reCAPTCHA validation ​to protect ​against ​a DDoS attack such as HTTP Flood.+When a visitor accesses the website, they will need to go though reCAPTCHA validation. This validation protects the server ​against HTTP Flood and other DDoS attacks. 
 + 
 +After passing the reCAPTCHA validation, the visitor is temporarily whitelisted as long as they continue to browse the site. This makes for a better user experience. Once the visitor has been inactive for more than 20 minutes, reCAPTCHA is once again enabled for that visitor'​s next request.
  
 {{:​litespeed_wiki:​config:​recaptcha3.jpg|}} {{:​litespeed_wiki:​config:​recaptcha3.jpg|}}
Line 28: Line 29:
 You can also enable reCAPTCHA on an individual virtual host that is under attack, while leaving other websites disabled. You can also enable reCAPTCHA on an individual virtual host that is under attack, while leaving other websites disabled.
  
-===== How To Enable ​at the Virtual Host Level =====+===== Override/​Disable ​at the Virtual Host Level =====
  
-Server-level reCAPTCHA must be enabled ​even control panel used+Assuming you have enabled ​reCAPTCHA at the server level globally, you can override the settings at a virtual host level, but how you do so depends on which environment you are using.
  
-LSWS native virtual-host-level sensitivity will override the sensitivity set at the server level. 
  
-You can enable virtual-host-level reCAPTCHA ​through rewrite rules for control panel virtual hosts or through ​the WebAdmin console for LSWS native ​virtual ​hosts.+==== Override/​Disable for Apache Virtual Hosts ==== 
 +As of LSWS v5.4RC4, you can configure vhost-level reCAPTCHA ​via the ''​LsRecaptcha''​ directive in the virtual ​host include configuration.
  
-==== Enable ​reCAPTCHA for Control Panel Virtual Hosts Through Rewrite Rules ====+  <​IfModule LiteSpeed>​ 
 +     ​LsRecaptcha (0-100) 
 +  </​IfModule>​ 
 +   
 +The ''​0-100''​ value defines or overrides **Trigger Sensitivity** for the virtual host. When LsRecaptcha is set to ''​0'',​ it means the reCAPTCHA ​feature has been disabled ​for that virtual host. 
  
-Use one of the following rewrite rule directives ​in control panel virtual host document root .htaccess:+**NOTE**: The ''​LsRecaptcha''​ directive cannot be used in .htaccess ​files.
  
-''​[E=verifycaptcha]''​ or ''​[E=verifycaptcha:​ ACTION]''​+==== Override for LiteSpeed Native Virtual Hosts ==== 
  
-''​[E=verifycaptcha]''​ will always redirect to reCAPTCHA until verified. ''​ACTION''​ can be ''​deny''​ to return a 403 or ''​drop''​ to drop the connection when **Max Tries** is reached. Until Max Tries is reached, ​the client will be redirected ​to reCAPTCHA.+Use the LSWS WebAdmin console ​to override ​reCAPTCHA ​in LSWS native mode.
  
-For example:+Navigate to **Configuration -> Virtual Hosts -> Security -> reCAPTCHA Protection**
  
-<code>RewriteCond SOME-CONDITIONAL-CHECK+{{:​litespeed_wiki:​config:​recaptcha4.jpg|}} 
 + 
 + 
 +===== Set "​Trusted ​<ip>" in .htaccess to bypass reCAPTCHA check ==== 
 + 
 +Since LSWS 5.4RC1, LSWS added virtual host trusted IP support, where you use ''​Trusted 1.2.3.4, 5.6.7.8''​ for IPv4 or ''​Trusted [2001:​db8:​85a3:​8d3:​1319:​8a2e:​370:​7348]''​ for IPv6 in Virtual Host document root .htaccess to bypass reCAPTCHA, it also unblock blocked IP and make that IP trusted for that vhost. 
 + 
 + 
 +===== End-user can define reCAPTCHA Actions Through Rewrite Rules in .htaccess ===== 
 +If Server System Admin would like the end-user to control/​enable reCAPTCHA through .htaccess, System Admin will need to enable reCAPTCHA from server level globally and set server sensitivity to ''​0''​ first.  
 + 
 +''​[E=verifycaptcha]''​ can be used to enable reCAPTCHA to override server-level ''​0''​ sensitivity. 
 + 
 +For example:
  
-RewriteRule .* - [E=verifycaptcha]</​code>​+<​code>​ 
 +<​IfModule LiteSpeed>​ 
 +RewriteCond SOME-CONDITIONAL-CHECK 
 +RewriteRule .* - [E=verifycaptcha] 
 +</​IfModule>​ 
 +</​code>​
  
 (''​SOME-CONDITIONAL-CHECK''​ would be a suspicious UA, IP address, etc.) (''​SOME-CONDITIONAL-CHECK''​ would be a suspicious UA, IP address, etc.)
  
-==== Enable ​reCAPTCHA ​for Control Panel Virtual Hosts Through "​LsRecaptcha"​ directive ==== +The end user can even further define the reCAPTCHA ​action as ''​deny''​ or ''​drop'' ​in .htaccess ​through ''​[E=verifycaptchaACTION]''​
-With latest build of 5.4RC4, you can configure vhost level recaptcha via virtual host include configurations through "​LsREcaptcha"​ directive and it can not be used in .htaccess:+
  
-  ​<​IfModule LiteSpeed>​ +For example: 
-     LsRecaptcha (0-100) +<​code>​ 
-  </​IfModule>​+<​IfModule LiteSpeed>​ 
 +RewriteCond SOME-CONDITIONAL-CHECK 
 +RewriteRule .* - [E=verifycaptcha:​ deny] 
 +</​IfModule
 +</code>
  
-When LsRecaptcha is set to ''​0'',​ it means the Recaptcha feature has been disabled for that virtual host. +or 
-==== Enable reCAPTCHA for LiteSpeed Native Virtual Hosts ==== +
  
-You can also use LSWS WebAdmin console to enable reCAPTCHA in LSWS native mode.+<​code>​ 
 +<​IfModule LiteSpeed>​ 
 +RewriteCond SOME-CONDITIONAL-CHECK 
 +RewriteRule ​.* - [E=verifycaptcha:​ drop] 
 +</​IfModule>​ 
 +</​code>​
  
-Navigate to **Configuration -> Virtual Hosts -> Security -> reCAPTCHA ​Protection**+**NOTE1**''​[E=verifycaptcha]''​ will always redirect to reCAPTCHA ​until verified. ''​ACTION''​ can be ''​deny''​ to return a 403 or ''​drop''​ to drop the connection when **Max Tries** is reached. Until Max Tries is reached, the client will be redirected to reCAPTCHA.
  
-{{:litespeed_wiki:​config:​recaptcha4.jpg|}}+**NOTE2**In most cases, rewrite rules will override the default server behavior. However, in cases where trigger sensitivity is high, visitors may be sent directly to reCAPTCHA before the rewrite rules can even be processed.
  
-===== Customizing ​the Good Bots List =====+===== Customize ​the Good Bots List =====
  
 Google bots are considered good bots because they help index your site. However, they cannot do their job properly without receiving the correct page. The Bot Whitelist configuration may be used to specify bots that you may need for your site. Google bots are considered good bots because they help index your site. However, they cannot do their job properly without receiving the correct page. The Bot Whitelist configuration may be used to specify bots that you may need for your site.
Line 74: Line 104:
 {{:​litespeed_wiki:​config:​recaptcha5.png|}} {{:​litespeed_wiki:​config:​recaptcha5.png|}}
  
-Here, we have configured '​Edge'​ in the Bot Whitelist text area. Bot Whitelist is a '​contains'​ match, but regex may be used as well.+Here, we have configured ​''Edge'' in the Bot Whitelist text area. Bot Whitelist is a ''​contains'' match (case sensitive), but regex may be used as well.
  
 After restarting, browsers containing Edge in the user-agent header will bypass reCAPTCHA: After restarting, browsers containing Edge in the user-agent header will bypass reCAPTCHA:
Line 82: Line 112:
 The Allowed Bot Hits configuration may be used to limit how many times a good bot (including Googlebot) is allowed to hit a URL before it is redirected to reCAPTCHA as well. This may be useful to prevent bad actors from bypassing reCAPTCHA using a custom user agent. The Allowed Bot Hits configuration may be used to limit how many times a good bot (including Googlebot) is allowed to hit a URL before it is redirected to reCAPTCHA as well. This may be useful to prevent bad actors from bypassing reCAPTCHA using a custom user agent.
  
-===== Customizing ​the reCAPTCHA Page =====+===== Customize ​the reCAPTCHA Page =====
  
 The default reCAPTCHA page is generic. If you would like to customize the page, you may do so by creating a file at ''​$SERVER_ROOT/​lsrecaptcha/​_recaptcha_custom.shtml''​. The default reCAPTCHA page is generic. If you would like to customize the page, you may do so by creating a file at ''​$SERVER_ROOT/​lsrecaptcha/​_recaptcha_custom.shtml''​.
  
-There are two script tags that are required and it is strongly recommended to avoid changing the form and the recaptchadiv unless you know what you are doing. There are three echos within the page itself. Those are used by the web server to customize the reCAPTCHA type and keys and specify any query string used.+There are two script tags that are required and it is strongly recommended to avoid changing the form and the ''​recaptchadiv'' ​unless you know what you are doing. There are three echos within the page itself. Those are used by the web server to customize the reCAPTCHA type and keys and specify any query string used.
  
 Beyond those required attributes, everything else is customizable. As noted before, please ensure that you have backups of the default page and your customized page. Note that the ''​.shtml''​ extension is required in order to use the LSWS configured type and keys. Beyond those required attributes, everything else is customizable. As noted before, please ensure that you have backups of the default page and your customized page. Note that the ''​.shtml''​ extension is required in order to use the LSWS configured type and keys.
  
 ===== Apply Your Own Site Key ===== ===== Apply Your Own Site Key =====
-You can apply your own reCAPTCHA key and adjust the configuration as you like. Client verification is completely determined by Google'​s reCAPTCHA service. The invisible type may display a difficult puzzle.+You can apply your own reCAPTCHA key and adjust the configuration as you like from [[https://​developers.google.com/​recaptcha/​intro|here]]. Client verification is completely determined by Google'​s reCAPTCHA service. The invisible type may display a difficult puzzle.
  
-For server wide protection that needs to cover a lot of domains, make sure ''​Verify the origin of reCAPTCHA''​ solutions is unchecked. Otherwise, you may need to apply a key for each domain.+For server wide protection that needs to cover a lot of domains, make sure ''​Verify the origin of reCAPTCHA''​ solutions is unchecked. Otherwise, you may need to apply a key for each domain. Please refer to google doc [[https://​developers.google.com/​recaptcha/​docs/​domain_validation|here]].
  
-===== Trigger Sensitivity ===== +===== Set Trigger Sensitivity ===== 
-Trigger Sensitivity refers to the automatic reCAPTCHA sensitivity. The higher the value, the more likely reCAPTCHA Protection will be used. A value of 0 is equivalent to "​Off"​ while a value of 100 is equivalent to "​Always On". Default values: Server level: 0. Virtual Host level: Inherit Server level setting. Syntax: Integer value between 0 and 100.+Trigger Sensitivity refers to the automatic reCAPTCHA sensitivity. The higher the value, the more likely reCAPTCHA Protection will be used. A value of ''​0'' ​is equivalent to "​Off"​ while a value of ''​100'' ​is equivalent to "​Always On"​. ​
  
-LiteSpeed calculates Trigger Sensitivity as the percentage of your server capacity used, based on the number of active connectionsreCAPTCHA is activated when "in use connection" ​100 / max connections"​ > (100 sensitivity).+Default values:  
 +  * Server level: ''​0''​ 
 +  ​Virtual Host level: inherits server-level setting.  
 +   
 +Syntax: Integer value between ''​0''​ and ''​100''​.
  
-===== reCAPTCHA ​Returning 403 and Dropping Connection =====+LiteSpeed calculates **Trigger Sensitivity** as the percentage of your server capacity used, based on the number of active connections. ​reCAPTCHA ​is activated when this formula is true:
  
-If reCAPTCHA fails a few times, it will return a 403 error and then drop the connection from that IP. It is the way it works in order to block attacks. If the ''​invisible''​ reCAPTCHA keeps auto-refreshing and then fails, just change the type to ''​one-click''​.+Active connections * 100 / **Max Connections** > (100 **Trigger Sensitivity**)
  
-===== Disable ​reCAPTCHA ​on Individual Vhost on Apache Configuration File =====+For example: 
 + 
 +If **Max Connections** = ''​1000'',​ **Trigger Sensitivity** = ''​20'',​ and you currently have 900 connections,​ the formula would be evaluated like so: 
 + 
 +900 * 100 / 1000 > 100 - 20 
 + 
 +90 > 80  
 + 
 +The result is true, so the incoming connection //will// be given a reCAPTCHA test. 
 + 
 +Calculating backwards, you can see that when the number of connections drops to less than 800, reCAPTCHA will not be invoked. 
 + 
 + 
 +===== reCAPTCHA ​Returning 403 and Dropping Connection ​=====
  
-In certain case if you have reCAPTCHA ​enabled globally ​and want to disable it for certain vhost please add following directives into that vhost configuration file.+If reCAPTCHA ​fails a few times, it will return a 403 error and then drop the connection from that IP. It works this way in order to block attacks. If the ''​invisible''​ reCAPTCHA keeps auto-refreshing and then failsjust change the type to ''​one-click''​.
  
-<​code><​IfModule LiteSpeed>​ 
-LsRecaptcha 0 
-</​IfModule></​code>​ 
  
  • Admin
  • Last modified: 2020/05/20 20:25
  • by Shivam Saluja