Messenger Service

Messenger service - MESSENGER
Displays a message to a blocked connecting IP address to inform the user that they are blocked by the firewall. The service is provided by two daemons listening on separate ports, one serving an HTML message and the other a TEXT message; connections from blocked addresses are redirected to them, so the iptables module ipt_REDIRECT is required.
Default: 0 Range: 0-1

Use for temporary blocks - MESSENGER_TEMP
Show the message to temporary IP address blocks.
Default: 1 Range: 0-1

Use for permanent blocks - MESSENGER_PERM
Show the message for permanent IP address blocks.
Default: 1 Range: 0-1

User account to run under - MESSENGER_USER
The user account to run the messenger service servers under. We recommend a dedicated non-privileged account with no login shell. If you use an account other than csf you will have to create it manually in the same form, eg. useradd csf -r -s /bin/false (substituting your account name).
Default: csf

Maximum child connections - MESSENGER_CHILDREN
The maximum number of concurrent connections allowed to each messenger server.
Default: 10 Range: 2-200

Rate limit for connections - MESSENGER_RATE
Limit the rate at which connections can be made to the messenger service servers. See the iptables man page for the correct --limit rate syntax.
Default: 100/s

Burst limit for connections - MESSENGER_BURST
The maximum initial number of packets to match before MESSENGER_RATE applies (the iptables --limit-burst value).
Default: 150

Secure

• Perl module IO::Socket::SSL version 1.83 or newer is required for secure messenger support. Older OSes such as CentOS 6 ship an older version and need a newer one installed from CPAN.
• To test that HTTPS support is working properly you can browse to a site on the server accessing the messenger port directly: https://www.example.com:8887

HTTPS HTML message port - MESSENGER_HTTPS
Set this to the port that will receive the HTTPS HTML message. Configure it to be >1023 and different from the TEXT and HTML ports. Do NOT enable access to this port in TCP_IN. This option requires the perl module IO::Socket::SSL at a version that supports SNI (1.83+), and the version of openssl on the server must also support SNI. The messenger uses the existing SSL certificates on the server for each hosted domain, choosing the correct certificate for each client connection by SNI, so the blocked user sees the message over a secure connection without browser warnings.
Default: 8887

HTTPS HTML ports redirected - MESSENGER_HTTPS_IN
This comma separated list holds the HTTPS HTML ports that will be redirected for the blocked IP address. If you are using per application blocking (LF_TRIGGER) then only the relevant block port will be redirected to the messenger port. Recommended setting: 443 plus any end-user control panel SSL ports.
Default: 443,7081,8443

Virtualhost SSL definitions - MESSENGER_HTTPS_CONF
This option points to the file(s) containing the Apache VirtualHost SSL definitions. This can be a file glob if there are multiple files to search. Only Apache v2 SSL VirtualHost definitions are supported.
Default: /etc/httpd/conf/plesk.conf.d/vhosts/*.conf

Default private key - MESSENGER_HTTPS_KEY
This option and MESSENGER_HTTPS_CRT provide a default fallback key and certificate, used when the client does not send SNI or when the requested domain has no SSL certificate of its own. If no fallback is configured, one of the certificates obtained from MESSENGER_HTTPS_CONF is used instead.
Default: /etc/pki/tls/private/localhost.key

Default certificate - MESSENGER_HTTPS_CRT
The certificate that pairs with MESSENGER_HTTPS_KEY; see that option for when the fallback pair is used.
Default: /etc/pki/tls/certs/localhost.crt
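The three options above amount to a hostname-to-certificate map built from the Apache SSL VirtualHost files plus a fallback pair. The following is an added example of that idea, not csf's or lfd's own code: it parses a constructed vhost file (the domains and paths are invented), maps every ServerName and ServerAlias of each SSL-enabled vhost to its certificate and key, and then selects a pair for a client's SNI name with the same fallback order the page describes (named domain, then the configured fallback, then any certificate found in the files). It goes slightly beyond the page by also honouring a wildcard ServerAlias such as *.example.com.

```python
import re

# Constructed Apache vhost file standing in for one file matched by MESSENGER_HTTPS_CONF.
# Domains, addresses and certificate paths are invented for the example.
SAMPLE_VHOSTS_CONF = '''\
<VirtualHost 192.0.2.10:80>
    ServerName example.com
    ServerAlias www.example.com
</VirtualHost>

<VirtualHost 192.0.2.10:443>
    ServerName example.com
    ServerAlias www.example.com mail.example.com
    SSLEngine on
    SSLCertificateFile /etc/ssl/example.com/fullchain.pem
    SSLCertificateKeyFile /etc/ssl/example.com/privkey.pem
</VirtualHost>

<VirtualHost 192.0.2.11:443>
    ServerName shop.example.net
    SSLEngine on
    SSLCertificateFile "/etc/ssl/shop.example.net/cert.pem"
    SSLCertificateKeyFile "/etc/ssl/shop.example.net/key.pem"
</VirtualHost>
'''

VHOST_RE = re.compile(r'<VirtualHost\b[^>]*>(.*?)</VirtualHost>', re.S | re.I)


def _hostname(value):
    """Reduce a ServerName value such as https://example.com:443 to the bare hostname."""
    return value.split('://')[-1].split(':')[0].strip().lower()


def parse_ssl_vhosts(text):
    """Return {hostname: (cert_path, key_path)} for every <VirtualHost> block that has
    SSLEngine on and both certificate directives. ServerName and each ServerAlias map to
    the same pair; non-SSL vhosts are ignored. Only the first SSLCertificateFile of a
    block is used (Apache 2.4 allows several, e.g. RSA plus ECDSA)."""
    hosts = {}
    for block in VHOST_RE.findall(text):
        directives = {}
        for line in block.splitlines():
            parts = line.strip().split(None, 1)
            if len(parts) == 2 and not parts[0].startswith('#'):
                directives.setdefault(parts[0].lower(), []).append(parts[1].strip())
        if directives.get('sslengine', [''])[0].lower() != 'on':
            continue
        if 'sslcertificatefile' not in directives or 'sslcertificatekeyfile' not in directives:
            continue
        pair = (directives['sslcertificatefile'][0].strip('"'),
                directives['sslcertificatekeyfile'][0].strip('"'))
        names = [_hostname(v) for v in directives.get('servername', [])]
        for value in directives.get('serveralias', []):
            names.extend(_hostname(v) for v in value.split())
        for name in names:
            hosts.setdefault(name, pair)   # first vhost that claims a name wins
    return hosts


def select_certificate(sni_name, hosts, fallback=None):
    """Pick the (cert, key) pair for a client's SNI name: exact vhost name first, then a
    wildcard alias for the parent domain, then the configured fallback pair
    (MESSENGER_HTTPS_CRT/KEY), and finally, when no fallback is configured, any pair found
    in the vhost files. sni_name is None when the client sent no SNI."""
    if sni_name:
        name = sni_name.lower().rstrip('.')
        if name in hosts:
            return hosts[name]
        parent = name.split('.', 1)[1] if '.' in name else ''
        if parent and '*.' + parent in hosts:
            return hosts['*.' + parent]
    if fallback:
        return fallback
    return next(iter(hosts.values()), None)


if __name__ == '__main__':
    table = parse_ssl_vhosts(SAMPLE_VHOSTS_CONF)
    for host, (cert, key) in sorted(table.items()):
        print(f'{host:20} {cert}  {key}')
    print('no SNI ->', select_certificate(None, table))
```

To run it against a real server, replace SAMPLE_VHOSTS_CONF with the concatenated contents of the files matched by MESSENGER_HTTPS_CONF (glob.glob on that pattern) and pass the MESSENGER_HTTPS_CRT and MESSENGER_HTTPS_KEY paths as the fallback pair; a hostname missing from the printed table is one for which blocked visitors will be shown the fallback certificate and may see a browser warning.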

Unsecure

HTML message port - MESSENGER_HTML
The port that will receive the HTML message. You should configure this port to be greater than 1023 and different from the TEXT port. Do NOT enable access to this port in TCP_IN.
Default: 8888 Range: 1023-65535

HTML ports redirected - MESSENGER_HTML_IN
The HTML ports (comma separated) that will be redirected for the blocked IP address. If you are using per application blocking (LF_TRIGGER) then only the relevant block port will be redirected to the messenger port.
Default: 80,7080,8880

TEXT message port - MESSENGER_TEXT
The port that will receive the TEXT message. You should configure this port to be greater than 1023 and different from the HTML port. Do NOT enable access to this port in TCP_IN.
Default: 8889 Range: 1023-65535

TEXT ports redirected - MESSENGER_TEXT_IN
The TEXT ports that will be redirected for the blocked IP address. If you are using per application blocking (LF_TRIGGER) then only the relevant block port will be redirected to the messenger port.
Default: 21
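The port options in the Secure and Unsecure sections, together with MESSENGER_CHILDREN, MESSENGER_RATE and MESSENGER_BURST, carry a handful of constraints that are easy to break by hand: listener ports above 1023 and distinct from one another, none of them opened in TCP_IN, a child limit within 2-200, a rate in the form iptables -m limit accepts, and a non-root service account. The script below is an added checker, not part of csf: it parses the KEY = "value" lines of a constructed csf.conf excerpt that contains one deliberate mistake (the MESSENGER_HTML port 8888 is also listed in TCP_IN) and reports every violation. The rate check follows iptables' own parsing, which accepts any prefix of second, minute, hour or day as the unit and treats a bare number as per second.

```python
import re

# Constructed csf.conf excerpt for the example (not a real server's file). It contains one
# deliberate mistake: the MESSENGER_HTML port 8888 is also opened in TCP_IN.
SAMPLE_CSF_CONF = '''\
MESSENGER = "1"
MESSENGER_TEMP = "1"
MESSENGER_PERM = "1"
MESSENGER_USER = "csf"
MESSENGER_CHILDREN = "10"
MESSENGER_RATE = "100/s"
MESSENGER_BURST = "150"
MESSENGER_HTTPS = "8887"
MESSENGER_HTTPS_IN = "443,7081,8443"
MESSENGER_HTML = "8888"
MESSENGER_HTML_IN = "80,7080,8880"
MESSENGER_TEXT = "8889"
MESSENGER_TEXT_IN = "21"
TCP_IN = "20,21,22,25,53,80,110,143,443,465,587,993,995,8888"
'''

OPTION_RE = re.compile(r'^\s*([A-Z0-9_]+)\s*=\s*"([^"]*)"')
LISTENERS = ('MESSENGER_HTTPS', 'MESSENGER_HTML', 'MESSENGER_TEXT')


def parse_csf_conf(text):
    """Map OPTION -> value for the KEY = "value" lines of a csf.conf; comment lines are skipped."""
    conf = {}
    for line in text.splitlines():
        if line.lstrip().startswith('#'):
            continue
        m = OPTION_RE.match(line)
        if m:
            conf[m.group(1)] = m.group(2)
    return conf


def port_list(value):
    """Split a comma separated csf port list such as "80,7080,8880" into ints, ignoring blanks."""
    return [int(p) for p in value.split(',') if p.strip()]


def valid_limit_rate(rate):
    """True if rate is accepted by iptables -m limit --limit: N or N/unit, where unit is any
    prefix of second, minute, hour or day (100/s, 6/min and 30 are all valid; 100/ is not)."""
    num, sep, unit = rate.partition('/')
    if not num.isdigit() or int(num) == 0:
        return False
    if not sep:
        return True          # bare number: iptables treats it as per second
    if not unit:
        return False         # a trailing slash with no unit is rejected by iptables
    return any(word.startswith(unit.lower()) for word in ('second', 'minute', 'hour', 'day'))


def check_messenger(conf):
    """Return the list of messenger constraint violations found in conf (empty means OK)."""
    problems = []
    ports = {}
    for name in LISTENERS:
        value = conf.get(name, '')
        if not value.isdigit() or not 1023 < int(value) <= 65535:
            problems.append(f'{name}={value!r} must be a port in 1024-65535')
        else:
            ports[name] = int(value)
    if len(set(ports.values())) != len(ports):
        problems.append('MESSENGER_HTTPS, MESSENGER_HTML and MESSENGER_TEXT must all differ')
    tcp_in = set(port_list(conf.get('TCP_IN', '')))
    for name, port in ports.items():
        if port in tcp_in:
            problems.append(f'{name} port {port} must not be opened in TCP_IN')
    children = conf.get('MESSENGER_CHILDREN', '')
    if not children.isdigit() or not 2 <= int(children) <= 200:
        problems.append(f'MESSENGER_CHILDREN={children!r} must be in 2-200')
    rate = conf.get('MESSENGER_RATE', '')
    if not valid_limit_rate(rate):
        problems.append(f'MESSENGER_RATE={rate!r} is not a valid iptables --limit rate')
    burst = conf.get('MESSENGER_BURST', '')
    if not burst.isdigit() or int(burst) == 0:
        problems.append(f'MESSENGER_BURST={burst!r} must be a positive integer')
    if conf.get('MESSENGER_USER', '') in ('', 'root'):
        problems.append('MESSENGER_USER must be a dedicated non-privileged account, not root')
    return problems


if __name__ == '__main__':
    for problem in check_messenger(parse_csf_conf(SAMPLE_CSF_CONF)):
        print('csf.conf:', problem)
```

Point parse_csf_conf at the real /etc/csf/csf.conf to check a live configuration; the TCP_IN check is the one that matters most, because opening a messenger port in TCP_IN lets any address, blocked or not, talk to the messenger daemon directly.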

reCAPTCHA unblock

• To test that reCAPTCHA support is working properly you can browse to a site on the server accessing the messenger port directly: http://www.example.com:8888
• When configuring a new reCAPTCHA API key set, you must ensure that the option "Verify the origin of reCAPTCHA solutions" under advanced settings is unchecked (this is the same setting the RECAPTCHA_SECRET option below calls Domain Name Validation) so that the same reCAPTCHA can be used for all domains hosted on the server.

Recaptcha site key - RECAPTCHA_SITEKEY
The RECAPTCHA options provide a way for end-users who have blocked themselves in the firewall to unblock themselves. A valid Google reCAPTCHA (v2) site key and secret are required for this feature, from: https://www.google.com/recaptcha/intro/index.html This feature requires the LWP::UserAgent perl module. Note: an unblock will fail if the end-user's IP is covered by a netblock, blocklist or CC_* deny entry.
Default: empty

Recaptcha secret - RECAPTCHA_SECRET
When configuring a new reCAPTCHA API key set, you must ensure that the option for Domain Name Validation is unticked so that the same reCAPTCHA can be used for all domains hosted on the server. Because Google then no longer checks which domain a solution came from, lfd performs that check itself: it verifies that the hostname of the request resolves to an IP on this server.
Default: empty

Recaptcha NAT - RECAPTCHA_NAT
If the server uses NAT then the hostname will resolve to the external address rather than to an IP configured on the server, so the check above would fail. In that case list the external IP addresses here, comma separated.
Default: empty
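The unblock flow the last three options describe is: confirm the request's Host header resolves to one of this server's addresses (or to an address listed in RECAPTCHA_NAT), refuse if the visitor's block is a netblock rather than an individual entry, and only then spend a round-trip to Google's siteverify endpoint. The following is an added example of that decision logic, not lfd's code: the resolver and the captcha verifier are passed in as callables so the checks can be exercised offline against constructed addresses and deny entries, and google_verifier shows the real siteverify request (form fields secret, response and remoteip, JSON success flag) using urllib where lfd uses LWP::UserAgent. Blocklist and CC_* entries are not modelled; only the netblock case from the page's note is.

```python
import ipaddress
import json
import socket
import urllib.parse
import urllib.request

SITEVERIFY_URL = 'https://www.google.com/recaptcha/api/siteverify'


def default_resolver(hostname):
    """Resolve a hostname to all of its IPv4/IPv6 addresses with the system resolver."""
    return sorted({info[4][0] for info in socket.getaddrinfo(hostname, None)})


def allowed_addresses(local_ips, recaptcha_nat=''):
    """Addresses a request's Host header may resolve to: the server's own addresses plus the
    external ones listed, comma separated, in RECAPTCHA_NAT for a server behind NAT."""
    addrs = set()
    for item in list(local_ips) + recaptcha_nat.split(','):
        item = item.strip()
        if item:
            addrs.add(ipaddress.ip_address(item))
    return addrs


def host_matches_server(host_header, allowed, resolve=default_resolver):
    """True if the Host header names a hostname that resolves to one of this server's
    addresses. The header is attacker-controlled, so nothing in it is trusted except what
    DNS says it points to."""
    name = host_header.strip().lower()
    if name.startswith('['):                 # [2001:db8::1]:8888 form
        name = name[1:name.find(']')]
    else:
        name = name.split(':')[0]            # drop an explicit port
    if not name:
        return False
    try:
        resolved = resolve(name)
    except (OSError, UnicodeError):          # socket.gaierror is an OSError
        return False
    for addr in resolved:
        try:
            if ipaddress.ip_address(addr) in allowed:
                return True
        except ValueError:
            continue
    return False


def self_unblockable(client_ip, deny_entries):
    """A visitor may only remove a deny entry for exactly their own address. An address that
    is covered by a netblock (CIDR) entry cannot be self-unblocked; an address with no
    matching entry is simply not blocked. deny_entries is a list of address/CIDR strings."""
    ip = ipaddress.ip_address(client_ip)
    exact = False
    for entry in deny_entries:
        try:
            net = ipaddress.ip_network(entry.strip(), strict=False)
        except ValueError:
            continue
        if ip in net:
            if net.num_addresses > 1:
                return False                 # blocked via a netblock: refuse
            exact = True
    return exact


def google_verifier(secret, url=SITEVERIFY_URL):
    """Return verify(token, remote_ip) that POSTs secret/response/remoteip to Google's
    siteverify endpoint and reports its JSON 'success' flag (needs network access)."""
    def verify(token, remote_ip):
        body = urllib.parse.urlencode({'secret': secret, 'response': token,
                                       'remoteip': remote_ip}).encode()
        with urllib.request.urlopen(url, data=body, timeout=10) as resp:
            return bool(json.load(resp).get('success'))
    return verify


def authorise_unblock(host_header, client_ip, token, allowed, deny_entries, verify,
                      resolve=default_resolver):
    """Decide an unblock request: cheap local checks first (Host resolves here, the block
    is an individual entry), then the captcha round-trip. Returns (ok, reason)."""
    if not host_matches_server(host_header, allowed, resolve):
        return False, 'Host header does not resolve to this server'
    if not self_unblockable(client_ip, deny_entries):
        return False, f'{client_ip} is not blocked by an individual entry (netblock or not blocked)'
    if not verify(token, client_ip):
        return False, 'reCAPTCHA verification failed'
    return True, f'remove deny entry for {client_ip}'


if __name__ == '__main__':
    # Constructed data: one local address, one NAT external address, one blocked client.
    allowed = allowed_addresses(['192.0.2.10'], '203.0.113.7')
    fake_dns = {'www.example.com': ['192.0.2.10'], 'nat.example.com': ['203.0.113.7']}
    print(authorise_unblock('www.example.com:8888', '198.51.100.20', 'token', allowed,
                            ['198.51.100.20'], lambda t, ip: t == 'token', fake_dns.get))
```

In production, allowed would come from the server's configured addresses plus RECAPTCHA_NAT, deny_entries from the firewall's deny list, and verify from google_verifier(RECAPTCHA_SECRET). Note that fake_dns.get returns None for unknown names in the demo, which host_matches_server treats as no addresses.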
