Thanks for the question. You can use litespeed, but you must use the T-WAF to protect web applications served with litespeed. Also, litespeed has been compiled (in some versions) with a nasty stack smashing flag set. The ASL kernel won't allow an application to open a nasty hole like this on your system, so if you have a version of litespeed that has this vulnerability we recommend you report this to litespeed as a vulnerability (because it is). If you wish to ignore this vulnerability, just run with a non-secure kernel.
The big issue though is litespeed's modsecurity support. As you may know, Litespeed's WAF module does not correctly support or completely implement the mod_security rule language, so it does not work with mod_security rules. If you load modsecurity rules with it, and it cannot correctly parse a rule, it will both not load it and it will do this silently. So you won't know that it hasn't loaded them correctly, and because it does not understand the modern rule language there's no telling what the loaded rules will or will not do. Modern modsecurity rules use branching logic (if then, else, etc.), so they are nothing like the rules of old when you just specify a regex and move on. The rules contain all kinds of complex logic, it's almost unfair to call them rules anymore, it's a language. And with Lua, some of the rules ARE in a programming language.
None of this appears or behaves as if it's supported in litespeed. From our end, if they just documented what they did and did not support we'd have a place to potentially start, but they don't document that so it's a total black box. We can say the rules just don't work right, all sorts of crazy things seem to happen.
So, unfortunately, right now there is nothing we can do to make our rules work with their waf module. We don't know what it supports, but we do know that it doesn't seem to understand the current modsecurity rule language (and it hasn't since at least 2.0 came out, and that was years ago).
We'd be thrilled if they supported the language correctly. You can read some of the thread opened by litespeed customers on this issue here: http://www.litespeedtech.com/support/fo ... php?t=4619
We've given them access to the real time rules for years (for free), so the ball is in their court to make their module support the rule language. When the day comes they actually support the whole modsecurity rule language, and all the features in modsecurity, we'll throw them a parade.
So, use the T-WAF to protect litespeed.
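
Added example, not part of the original post and not Atomicorp or LiteSpeed code: a small inventory of which ModSecurity rule-language features a ruleset relies on (chained rules, `skipAfter` branching, `setvar` state, Lua via `SecRuleScript`), which gives a rule count and feature list to compare against what a WAF engine actually loaded. The sample rules, ids and the Lua path are constructed, and the parser assumes operators and action lists are double-quoted.

```python
import re
from collections import Counter

# Constructed sample ruleset; ids, patterns and the Lua path are made up.
SAMPLE_RULES = r'''
# "old style": one regex, one disruptive action
SecRule ARGS "@rx select.+from" "id:100001,phase:2,deny,status:403"
# chained rule: both conditions must match before deny applies
SecRule REQUEST_METHOD "@streq POST" \
    "id:100002,phase:2,chain,deny"
    SecRule REQUEST_HEADERS:Content-Type "!@rx ^application/json"
# branching: jump past the following rules when the condition matches
SecRule REMOTE_ADDR "@ipMatch 192.0.2.0/24" "id:100003,phase:1,pass,nolog,skipAfter:END_CHECKS"
SecRule ARGS:q "@contains <script" "id:100004,phase:2,deny,setvar:tx.score=+5"
SecMarker END_CHECKS
# rule logic implemented in Lua
SecRuleScript /etc/modsec/check.lua "id:100005,phase:2,deny"
'''

DIRECTIVES = ("SecRule", "SecAction", "SecRuleScript", "SecMarker")
FLOW_ACTIONS = ("chain", "skip", "skipAfter", "setvar", "ctl", "exec")

def logical_lines(text):
    """Join backslash-continued lines; drop comments and blank lines."""
    buf = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not buf and (not line or line.startswith("#")):
            continue
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        yield buf + line
        buf = ""

def inventory(text):
    """Count directives and flow/state actions the engine must implement."""
    counts = Counter()
    for line in logical_lines(text):
        directive = line.split(None, 1)[0]
        if directive not in DIRECTIVES:
            counts["unknown"] += 1
            continue
        counts[directive] += 1
        quoted = re.findall(r'"((?:[^"\\]|\\.)*)"', line)
        # SecRule: VARIABLES "OPERATOR" ["ACTIONS"]; others: first quoted field.
        idx = 1 if directive == "SecRule" else 0
        actions = quoted[idx] if len(quoted) > idx else ""
        for act in FLOW_ACTIONS:
            if re.search(r'(?:^|,)\s*%s\b' % act, actions):
                counts["action:" + act] += 1
    return counts

def beyond_plain_regex(counts):
    """Features in use that a regex-only rule engine cannot honour."""
    feats = sorted(k for k in counts if k.startswith("action:"))
    if counts["SecRuleScript"]:
        feats.append("lua:SecRuleScript")
    if counts["SecMarker"]:
        feats.append("SecMarker")
    return feats
```
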