has anyone here ever gotten this setup to work?
does it require any custom configuration to get this working properly?
from searching, i saw that litespeed doesn't fully support ASL due to old mod_rewrite they use.
but this post was from several years ago and i'm thinking it must have changed as i see litespeed made several new updates to their software, stating they have improved mod_rewrite rules compatibility.

Thanks for the question. You can use litespeed, but you must use the T-WAF to protect web applications served with litespeed. Also, litespeed has been compiled (in some versions) with a nasty stack smashing flag set. The ASL kernel wont allow an application to open a nasty hole like this on your system, so if you have a version of litespeed that has this vulnerability we recommend you report this to litespeed as a vulnerability (because it is). If you wish to ignore this vulnerability, just run with a non-secure kernel.

The big issue though is litespeeds modsecurity support. As you may know, Litespeeds waf module does not correctly support or completely implement the mod_security rule language, so it does not work with mod_security rules. If you load modsecurity rules with it, and it can not correctly parse a rule, it will both not load it and it will do this silently. So you wont know that it hasnt loaded them correctly, and because it does not understand the modern rule language theres no telling what the loaded rules will or will not do. Modern modsecurity rules use branching logic (if then, else, etc.), so they are nothing like the rules of old when you just specific a regex and move on. The rules contain all kinds of complex logic, its almost unfair to call them rules anymore, its a language. And with LUA, some of the rules ARE in a programming language.

None of this appears or behaves as if its supported in litespeed. From our end, if they just documented what they did and did not support we'd have a place to potentially start, but they don't document that so its a total black box. We can say the rules just dont work right, all sorts of crazy things seem to happen.

So, unfortunately, right now there is nothing we can do to make our rules work with their waf module. We don't know what it supports, but we do know that it doesn't seem to understand the current modsecurity rule language (and it hasn't since at least 2.0 came out, and that was years ago).

We'd be thrilled if they supported the language correctly. You can read some of the thread opened by litespeed customers on this issue here:

http://www.litespeedtech.com/support/fo ... php?t=4619

We've given them access to the real time rules for years (for free), so the ball is in their court to make their module support the rule language. When the day comes they actually support the whole modsecurity rule language, and all the features in modsecurity, we'll throw them a parade.

So, use the T-WAF to protect litespeed.

can you state which versions?
i'm currently on the latest stable version of theirs, which is 4.1.13.

i'd like the ability to use the ASL kernel on it, but please confirm if this won't work.
thanks.

Unfortunately no. These seems to happen occasionally with their builds. You'll know if you have one with this vulnerability if litespeed wont start.

Partial update here:

4.1.11 <- absolutely vulnerable
4.1.12 <- absolutely vulnerable
4.1.13 <- absolutely vulnerable

thanks for clarification.