To manage the OpenLiteSpeed (OLS)/LiteSpeed (LS) Web Application Firewall (WAF) through cPFence, it’s important to know how to manage them through the CLI or by manual configuration.
CLI Options for Managing WAF Rules
The cPFence CLI currently supports several options for managing WAF rules:
-
Globally Disable a WAF rule by ID
cpfence --disable-waf-rule RULE-IDThis command disables a specific OLS/LS WAF rule by its ID. The rule will be disabled for all sites on the server, meaning it’s a total disable across the board.
- Globally Re-enable a disabled WAF rule by ID
cpfence --enable-waf-rule RULE-ID
This command re-enables a rule that was previously disabled (server-wide).
- Disable OLS/LS WAF entirely for a specific domain
cpfence --disable-waf-domain example.comThis command disables OLS/LS WAF entirely for a specific domain.
- Re-enable OLS/LS WAF for a previously disabled domain
cpfence --enable-waf-domain example.comThis command re-enables OLS/LS WAF for a previously disabled domain.
- Disable one or more specific WAF rules for a domain
cpfence --disable-waf-domain-byid example.com 7001,7002,7003
or
cpfence --disable-waf-domain-byid example.com 7001This command disables one or more specific WAF rules for a domain by providing a list of rule IDs or one ID.
- Re-enable one or more WAF rules for a specific domain
cpfence --enable-waf-domain-byid example.comThis command re-enables one or more WAF rules for a specific domain that were previously disabled using RuleRemoveById.
These features provide greater flexibility in managing WAF rules on a per-domain basis, allowing users to disable or re-enable specific rules or the entire WAF as needed.
Important Note :
LiteSpeed is known to occasionally not regenerate the full virtual host, which can cause changes to not apply correctly. To force the changes to be applied for the website you're trying to whitelist, you can trigger a rebuild of the control panel’s virtual host by toggling the "Force HTTPS" setting on and off in the Security tab of the Enhance control panel for the website.
Manual Whitelisting
Whitelist Configuration File
All your WAF whitelist rules should be added to the following file:
/opt/cpfence/user-config/cpfwaf/whitelist_ols.conf
This file is where you define exceptions and rules for WAF behavior, which apply to all sites on the server.
Warning: Do Not Remove The following Critical Default Configuration Entry!!
In the whitelist configuration file, make sure that the following line is not removed as it is essential for cPFence functionality
Include /opt/cpfence/app/cpfwaf/Whitelist_Rules.conf
After making any changes to the whitelist configuration file, you must run the following commands to apply the changes:
/opt/cpfence/app/cpfcron
You can perform whitelisting manually by editing the whitelist file (whitelist_ols.conf). When doing this, remember to add each rule entry on a new line. After modifying the file, be sure to run the /opt/cpfence/app/cpfcron command to apply the changes.
Here are some examples:
-
Disable a rule manually for all sites:
SecRuleRemoveById Numeric_rule_id
- Whitelist a specific URL:
SecRule REQUEST_URI "@contains /wp-admin/page.php" "id:6003,phase:1,pass,nolog,ctl:RuleRemoveById=200007,225170,200002,210230"
- Whitelist for a specific domain:
SecRule REQUEST_HEADERS:Host "@streq example.com" "id:6002,phase:1,pass,nolog,ctl:RuleRemoveById=200007,225170,200002,210230"
- Completely disable WAF for a domain:
SecRule REQUEST_HEADERS:Host "@streq example.com" "id:6001,phase:1,pass,nolog,ctl:ruleEngine=Off"
Important Notes :
- You can disable or whitelist a single rule ID or multiple rule IDs in each entry. For example, to remove a single rule, use
ctl:RuleRemoveById=200007. You can also list multiple rule IDs, separated by commas, like this:ctl:RuleRemoveById=200007,225170,210230. - Each whitelisting rule must have a unique ID. The ID should be unique and should not be reused for other rules. Please note that IDs in the range 1000–1999 are reserved for cPFence internal use, so use IDs outside of this range, such as 6001, 6002, etc., for your custom rules.
