This is an old revision of the document!


reCAPTCHA

As of LiteSpeed WebServer 5.4RC1, reCAPTCHA is available as a method of defense against DDoS attack.

Access the WebAdmin console via https://YOUR_SERVER_IP:7080

Navigate to Configuration → Server → Security → reCAPTCHA Protection

Set Enable reCAPTCHA to Yes. This is the master switch and it is required for both a control panel environment and an LSWS native environment. It will enable the reCAPTCHA feature for all control panel Apache virtual hosts as well as LSWS native virtual hosts globally. It may be overridden at the virtual host level.

For other options, hover over the ? symbol to view detailed information about that option.

For demonstration purposes, we will set Trigger Sensitivity to maximum (100), and reCAPTCHA Type to Checkbox. You may adjust these values according to your needs. Save and restart LSWS. This sensitivity setting will be inherited by all control panel Apache virtual hosts and LSWS native virtual hosts unless overridden at the virtual host level.

When a visitor accesses the website , they will need to go though reCAPTCHA validation to protect against a DDoS attack such as HTTP Flood.

You can also enable reCAPTCHA on an individual virtual host that is under attack, while leaving other websites disabled.

Assuming you have enabled reCAPTCHA at the server level globally, you can override the settings at a virtual host level, but how you do so depends on which environment you are using.

Override/Disable for Control Panel Virtual Hosts

As of LSWS v5.4RC4, you can configure vhost-level reCAPTCHA via the LsRecaptcha directive in the virtual host include configuration.

<IfModule LiteSpeed>
   LsRecaptcha (0-100)
</IfModule>

The 0-100 value defines or overrides Trigger Sensitivity for the virtual host. When LsRecaptcha is set to 0, it means the reCAPTCHA feature has been disabled for that virtual host.

NOTE: The LsRecaptcha directive cannot be used in .htaccess files.

Override for LiteSpeed Native Virtual Hosts

Use the LSWS WebAdmin console to override reCAPTCHA in LSWS native mode.

Navigate to Configuration → Virtual Hosts → Security → reCAPTCHA Protection

If you want to further define the reCAPTCHA action as deny or drop, you can use one of the following rewrite rule directives in control panel virtual host document root .htaccess:

[E=verifycaptcha] or [E=verifycaptcha: ACTION]

[E=verifycaptcha] will always redirect to reCAPTCHA until verified. ACTION can be deny to return a 403 or drop to drop the connection when Max Tries is reached. Until Max Tries is reached, the client will be redirected to reCAPTCHA.

For example:

RewriteCond SOME-CONDITIONAL-CHECK

RewriteRule .* - [E=verifycaptcha]

(SOME-CONDITIONAL-CHECK would be a suspicious UA, IP address, etc.)

Google bots are considered good bots because they help index your site. However, they cannot do their job properly without receiving the correct page. The Bot Whitelist configuration may be used to specify bots that you may need for your site.

Here, we have configured 'Edge' in the Bot Whitelist text area. Bot Whitelist is a 'contains' match, but regex may be used as well.

After restarting, browsers containing Edge in the user-agent header will bypass reCAPTCHA:

The browser on the left is Microsoft Edge, the browser on the right is Chrome.

The Allowed Bot Hits configuration may be used to limit how many times a good bot (including Googlebot) is allowed to hit a URL before it is redirected to reCAPTCHA as well. This may be useful to prevent bad actors from bypassing reCAPTCHA using a custom user agent.

The default reCAPTCHA page is generic. If you would like to customize the page, you may do so by creating a file at $SERVER_ROOT/lsrecaptcha/_recaptcha_custom.shtml.

There are two script tags that are required and it is strongly recommended to avoid changing the form and the recaptchadiv unless you know what you are doing. There are three echos within the page itself. Those are used by the web server to customize the reCAPTCHA type and keys and specify any query string used.

Beyond those required attributes, everything else is customizable. As noted before, please ensure that you have backups of the default page and your customized page. Note that the .shtml extension is required in order to use the LSWS configured type and keys.

You can apply your own reCAPTCHA key and adjust the configuration as you like. Client verification is completely determined by Google's reCAPTCHA service. The invisible type may display a difficult puzzle.

For server wide protection that needs to cover a lot of domains, make sure Verify the origin of reCAPTCHA solutions is unchecked. Otherwise, you may need to apply a key for each domain.

Trigger Sensitivity refers to the automatic reCAPTCHA sensitivity. The higher the value, the more likely reCAPTCHA Protection will be used. A value of 0 is equivalent to “Off” while a value of 100 is equivalent to “Always On”.

Default values:

  • Server level: 0.
  • Virtual Host level: inherits server-level setting.

Syntax: Integer value between 0 and 100.

LiteSpeed calculates Trigger Sensitivity as the percentage of your server capacity used, based on the number of active connections. reCAPTCHA is activated when this formula is true:

Active connections * 100 / Max Connections > (100 - Trigger Sensitivity)

If reCAPTCHA fails a few times, it will return a 403 error and then drop the connection from that IP. It works this way in order to block attacks. If the invisible reCAPTCHA keeps auto-refreshing and then fails, just change the type to one-click.

  • Admin
  • Last modified: 2019/06/13 20:12
  • by Lisa Clarke