RewriteEngine on
RewriteCond %{HTTP_REFERER} !^http://test-cpanel.com/.*$      [NC]
RewriteCond %{HTTP_REFERER} !^http://test-cpanel.com$      [NC]
RewriteCond %{HTTP_REFERER} !^http://www.test-cpanel.com/.*$      [NC]
RewriteCond %{HTTP_REFERER} !^http://www.test-cpanel.com$      [NC]
RewriteRule .*\.(jpg|jpeg|gif|png|bmp)$ - [F,NC]

It actually checks for the line “RewriteEngine on” and does not add it a second time into the .htaccess which is smart… The problem comes when you remove hotlink protection.

cPanel goes through all domains, subdomains, add-on domains once again this time and removes the code but it removes all instances of “RewriteEngine On” in every .htaccess. The problem that comes with this is that if you’re running something such as WordPress, vBulletin, IPB, or any other script that uses mod_rewrite, as most do, suddenly all of your rewrite rules no longer work.

I contacted cPanel about this issue and the technician confirmed that this was a bug and this is what I got back:

I responded back asking a simple curious question:

Their response (same technician):

Now don’t get me wrong … I fully understand why a large organization would take such a stance on issues with their software, but that doesn’t stop me from disagreeing with this stance.

Being fairly irritated with this issue (and others in the past) that I have reported and seen it take 6+ months to resolve I responded with this:

The tech did go ahead and pass my message on to management:

I won’t be holding my breath.

Point of the story: be careful with “Hotlink Protection.”

The individual signed up using a first name and last initial only, their mailing address was a mail forwarding address, and many other red flags were sent up when this individual attempted to order services.

Here is a complete view of the email conversation with all personally identifying information redacted and by all means read it over and let me know what you think in the comments.

This individual came to us from WebHostingTalk.com so I’m curious how they are going to portray this email conversation.  I guess we’ll just have to wait and see what they have to say.

Let’s face it – the world tends to be a very hostile environment and the internet is not much different.  From viruses and trojans to distruption of service attacks – it happens all day every day and it is only a matter of time before it affects you.  I have personally dealt with two DoS attacks in the last two weeks and both for very different reasons although the end result is about the same.

Last week the DDoS, or distributed disruption of service, attack was motivated entirely by financial gain for the attacker.  The attacker had previously attacked another hosting company called A Small Orange and had attempted to extort $7,000 from the company to stop the attack.  ASO did not bow to the demands of the attacker and simply worked to filter out the attack and return service to their customers.  While some of ASO’s customers were not satisfied, many times when a provider is put in this situation there is not much that can be done.

The attacker moved on from ASO to my company and sent a message to our sales department informing us that we were next.  The attack began about an hour later and peaked at about 4.5GBPS which is enough to  bring down most small data centers in their entirety however our data center SoftLayer Dallas was able to filter out the attack within 10 minutes to restore full service.  The attacker subsequently moved on to their next target which was VectorLevel who was hosted with Colo4Dallas at the time.  The attack at VectorLevel brought Colo4Dallas to it’s knees until the attack was null-routed at C4D’s upstream provider.  At the time of this writing Colo4Dallas’ web site was unreachable and as such I am not directly linking to it.

Fast forward a week and a half and another one of my servers was under a new attack from a new source.  This time the attack was not monetary and the goal was simply to take a particular site offline.  The target of the attack was a fairly popular forum that centers around firearms manufactured by a particular company.  The forum has information such as cleaning and maintenance of the guns and in my looking over the site is nothing apparently negative.  My guess is that whoever wanted to bring the site offline was more of a “pro gun control” type of person.

This attack was a bit more difficult to stop as it was smaller and “flew under the radar” of our automatic filtering systems but was still large enough to cause intermittent connection issues over the period of about two hours.  We worked to filter out the attack however whoever was administering this particular attack was doing a pretty good job of countering the counter-measures were putting in place to mitigate the attack.  Ultimately we were able to fully mitigate the attack after quite a bit of work and effort.

It seems that there are malicious people out there whose only goal is to cause harm and to disrupt the services of others.  If you do find yourself in a situation where your web site or hosting service is being disrupted by a DoS attack please do be patient with your provider and understand that there isn’t always something that can be done to fully mitigate the attack.  If your provider is able to restore full service to you within a fairly short period of time (less than 2 to 4 hours) you should consider yourself lucky as many DoS and DDoS attacks can last days if not weeks.

I was doing the math on the licensing structure (we’ll go with the 1-CPU Enterprise license as this example).

I will start by saying that I realize it is in LiteSpeed Technologies’ best interests for you to lease your license from them as this gives them the most profit/income etc… where as an Owned license is generally seen as a larger up-front investment to reduce long-term costs.

I am also aware that I am comparing monthly lease to a yearly ownership as I am wanting to compare the extremes (smallest up-front investment vs the largest).

Owned licenses are an investment into LiteSpeed Web Server/Technologies and I always look at investments based upon how well they will return and how long until they return. A 39 month wait until the investment begins to return is a tad too long in my opinion and as you read on you will see the details of my analysis of their licensing program.

The primary problem that I see is that the Owned licensing doesn’t really reduce long-term costs fast enough – the argument could be seen either way that either the leasing prices need increased (sorry, have to share both view points) or that the owned licensing needs to be reduced either the initial purchase or the support renewal costs.

The price of a 1-CPU Enterprise Leased license is $32/month or $384 paid monthly for a year.

The price of a 1-CPU Enterprise Owned license is $41.58/month or $499 paid yearly.

At these prices you could have a Leased license for 15.6 Months for the price of an Owned license for one year – which makes sense if you think about it.  At the end of the first year if you want to continue support and upgrades for your owned license you then have to pay $99 for a support renewal.  You do not have to pay any such renewal fee for Leased license.

The price of a 1-CPU Enterprise Owned license for two years is $598 which would get you 18.69 months of Leased licensing – so after you have your owned license for over 18 and a half months you’ve broken even on your investment of an owned license.  While a year and a half is not a tremendous amount of time – it is asking for a huge investment of your money up front.  To make the Owned license an option you have to be willing to invest over a year and a half into LiteSpeed before you even break even.

After 18.69 months of being on an Owned license and having paid the $99 support fee after a year you will be at approximately $8.25/month for each owned license which isn’t terribly bad (a savings over leased of $23.75/month), but keep in mind it took over a year and a half to get to this point which leads me to my next concern.

The next major concern in my eyes with the current structure is that for the Owned license to “pay for itself” (to return on my original investment) which is one of the primary reasons I look at owned licenses over leased – it will take an additional  21 months for a total of 39 months before going Owned has “paid for itself” and returns on your initial owned licensing investment will be realized if you don’t include the support Renewals. The first and second renewal for a total addition of $198 because by this point you’re already at 39 months before going Owned has paid for itself.

Is it really intentional on the part of LiteSpeedTech to make an Owned license holder have to wait 39 months before they can start to see a return on their investment of going Owned?

What are your thoughts? Post comments!

I have in the past fought tooth-and-nail for Apache’s ability to match LiteSpeed Web Server’s speed when serving web sites.  Apache can be configured to be nearly as fast if not just as fast as LiteSpeed but the problem is that Apache requires in my own personal testing nearly two times as much memory and FastCGI to come close to LiteSpeed comes out of the box.  LiteSpeed claims to serve static content up to 9 times faster than Apache and PHP up to 50% faster.  While I won’t go into depth as to which one can do what faster, I will go into why I chose to move my company from Apache to LiteSpeed and what benefits we have seen.  If you want to see benchmarks that compare LiteSpeed and Apache I recommend you search Google.

My company has relied upon Apache for years however I recently began testing the latest version of LiteSpeed which has come a long way.  LiteSpeed out of the box offers the performance of an extremely-optimized Apache installation with half or less memory consumption in my testing which is a major benefit.  Apache is very weak against certain DoS attacks such as a HTTP Request DoS which doesn’t require a large amount of outgoing bandwidth but can be devastating to an Apache web server where as LightSpeed takes such attacks in stride in my testing.

I found personally that the overall “feel” of browsing various test sites, both dynamic and static, felt snappier or zippier which is an additional benefit to running LiteSpeed.  In the end if you know what you are doing and you have the RAM in your server to accomplish it you can match LightSpeed Web Server’s speed at the cost of efficiency.

LiteSpeed’s Web Server is a direct replacement for Apache and installation was a breeze.  LiteSpeed supports all of the popular control panels and all of the features of Apache except for your old Server Side Includes but who uses those any more?  In my experience on a cPanel based web server you can log into WHM and switch between LiteSpeed and Apache at any time and you can run LiteSpeed on an alternate port for testing any sites that you wish to make sure will function correctly before “making the switch.”  I have yet to run into any issues that are caused by LiteSpeed however I will post an update if I do run into any.

At the end of the day my advice is to spend the extra money you would be paying to add additional RAM into your server on a LiteSpeed Web Server license.

Edit: LiteSpeed 4.0 *does* support Server Side Includes even though the current FAQ on LiteSpeedTech.com says that it does not.