Messenger service - MESSENGER
Display a message to a blocked connecting IP address to inform the user that they are blocked by the firewall. The
service is provided by two daemons running on ports providing either an HTML or TEXT message. The iptables module
ipt_REDIRECT is required.
Default: 0 Range: 0-1
Use for temporary blocks - MESSENGER_TEMP
Show the message to temporary IP address blocks.
Default: 1 Range: 0-1
Use for permanent blocks - MESSENGER_PERM
Show the message permanent IP address blocks.
Default: 1 Range: 0-1
User account to run under - MESSENGER_USER
The user account to run the messenger service servers under.
Default: csf
Maximum child connections - MESSENGER_CHILDREN
The maximum concurrent connections allowed to each service server.
Default: 10 Range: 2-200
Rate limit for connections - MESSENGER_RATE
Limit the rate at which connections can be made to the messenger service servers. See the iptables man page for the
correct --limit rate syntax.
Default: 100/s
Burst limit for connections - MESSENGER_BURST
The maximum initial number of packets to match.
Default: 150
MESSENGERV3 - MESSENGERV3
This uses the web server http daemon to provide the web server functionality for the MESSENGER HTML and HTTPS services. It uses a fraction of the
resources that the lfd inbuilt service uses and overcomes the memory overhead of using the MESSENGER HTTPS service.
This option requires that the PHP packages from your OS vendor are installed and that FAST-CGI support is enabled in Apache.
Requirements can be installed with the command: plesk installer add --components mod_fcgid,phpgroup
Default: 0
MESSENGERV3LOCATION - MESSENGERV3LOCATION
The file or directory where the additional web server configuration file should be included.
Default: Centos/RHEL/AlmaLinux: /etc/httpd/conf.d Debian/Ubuntu: /etc/apache2/conf-enabled/
MESSENGERV3RESTART - MESSENGERV3RESTART
The command to restart the web server.
Default: Centos/RHEL/AlmaLinux: systemctl restart httpd Debian/Ubuntu: systemctl restart apache2
MESSENGERV3TEST - MESSENGERV3TEST
The command to test the validity of the web server configuration. If using Litespeed, set to empty.
Default: /usr/sbin/apachectl -t
MESSENGERV3HTTPS_CONF - MESSENGERV3HTTPS_CONF
The main httpd.conf file for either Apache or Litespeed.
Default: Centos/RHEL/AlmaLinux: /etc/httpd/conf/httpd.conf Debian/Ubuntu: /etc/apache2/apache2.conf
MESSENGERV3WEBSERVER - MESSENGERV3WEBSERVER
Set to apache for servers running Apache v2.4+ or litespeed for Litespeed.
Default: apache
MESSENGERV3PERMS - MESSENGERV3PERMS
On creation, set the MESSENGER_USER public_html directory permissions to. Note: If you precreate this directory the
following setting will be ignored.
Default: 711
MESSENGERV3GROUP - MESSENGERV3GROUP
On creation, set the MESSENGER_USER public_html directory group user to. Note: If you precreate this directory the
following setting will be ignored.
Default: Centos/RHEL/AlmaLinux: apache Debian/Ubuntu: www-data
MESSENGERV3PHPHANDLER - MESSENGERV3PHPHANDLER
The web server configuration to allow PHP scripts to run. This should be set as an "Include /home/csf/csf_php.conf" or similar file which must contain
appropriate web server configuration to allow PHP scripts to run. This line will be included within each MESSENGER VirtualHost container.
This will replace the [MESSENGERV3PHPHANDLER] line from the csf webserver template files.
Default: Include /etc/csf/csf_php.conf
• Perl module IO::Socket::SSL version 1.83 or newer is required for secure messenger support. Older OS like Centos 6 would need to use CPAN to install a newer version.
• To test that HTTPS support is working properly you can browse to a site on the server accessing the messenger port directly: https://www.example.com:8887
HTTPS HTML message port - MESSENGER_HTTPS
Set this to the port that will receive the HTTPS HTML message. You should configure this port to be >1023 and different from the TEXT and HTML port. Do NOT enable access to this port in TCP_IN.
This option requires the perl module IO::Socket::SSL at a version level that supports SNI (1.83+). Additionally the version of openssl on the server must also support SNI.
The option uses existing SSL certificates on the server for each domain to maintain a secure connection without browser warnings.
It uses SNI to choose the correct certificate to use for each client connection.
Default: 8887
HTTPS HTML ports redirected - MESSENGER_HTTPS_IN
This comma separated list are the HTTPS HTML ports that will be redirected for the blocked IP address.
If you are using per application blocking (LF_TRIGGER) then only the relevant block port will be redirected to the messenger port.
Recommended setting 443 plus any end-user control panel SSL ports.
Default: 443,7081,8443
Virtualhost SSL definitions - MESSENGER_HTTPS_CONF
This option points to the file(s) containing the Apache VirtualHost SSL definitions. This can be a file glob if there are multiple files to search.
Only Apache v2 SSL VirtualHost definitions are supported.
Default: /etc/httpd/conf/plesk.conf.d/vhosts/*.conf
Default private key - MESSENGER_HTTPS_KEY
The following options can be specified to provide a default fallback certificate to be used if either SNI is not supported or a hosted domain does not have an SSL certificate.
If a fallback is not provided, one of the certs obtained from MESSENGER_HTTPS_CONF will be used.
Default: /etc/pki/tls/private/localhost.key
Default certificate - MESSENGER_HTTPS_CRT
The following options can be specified to provide a default fallback certificate to be used if either SNI is not supported or a hosted domain does not have an SSL certificate.
If a fallback is not provided, one of the certs obtained from MESSENGER_HTTPS_CONF will be used.
Default: /etc/pki/tls/certs/localhost.crt
HTML message port - MESSENGER_HTML
The port that will receive the HTML message. You should configure this port to be greater than 1023 and different from
the TEXT port. Do NOT enable access to this port in TCP_IN.
Default: 8888 Range: 1023-65535
HTML ports redirected - MESSENGER_HTML_IN
The HTML ports (comma separated) that will be redirected for the blocked IP address. If you are using per application
blocking (LF_TRIGGER) then only the relevant block port will be redirected to the messenger port.
Default: 80,7080,8880
TEXT message port - MESSENGER_TEXT
The port that will receive the TEXT message. You should configure this port to be greater than 1023 and different from
the HTML port. Do NOT enable access to this port in TCP_IN.
Default: 8889 Range: 1023-65535
TEXT ports redirected - MESSENGER_TEXT_IN
The TEXT ports that will be redirected for the blocked IP address. If you are using per application blocking
(LF_TRIGGER) then only the relevant block port will be redirected to the messenger port.
Default: 21
Recaptcha site key - RECAPTCHA_SITEKEY
The RECAPTCHA options provide a way for end-users that have blocked themselves in the firewall to unblock themselves.
A valid Google ReCAPTCHA (v2) is required for this feature from: https://www.google.com/recaptcha/intro/index.html
This feature requires the installation of the LWP::UserAgent perl module. Note: An unblock will fail if the end-users IP is located in a netblock, blocklist or CC_* deny entry
Default: empty
Recaptcha secret - RECAPTCHA_SECRET
When configuring a new reCAPTCHA API key set, you must ensure that the option for Domain Name Validation is unticked so that the same reCAPTCHA can be used for all domains hosted on the server.
lfd then checks that the hostname of the request resolves to an IP on this server.
Default: empty
Recaptcha NAT - RECAPTCHA_NAT
If the server uses NAT then resolving the hostname to hosted IPs will likely not succeed.
In that case, the external IP addresses must be listed as comma separated list here.
Default: empty
Juggernaut Firewall -> Settings -> Messenger Service and enter the site and secret keys under the reCAPTCHA site key and reCAPTCHA secret settings.