Messenger Service

Messenger service - MESSENGER
Display a message to a blocked connecting IP address to inform the user that they are blocked by the firewall. The service is provided by two daemons running on ports providing either an HTML or TEXT message. The iptables module ipt_REDIRECT is required.
Default: 0 Range: 0-1

Use for temporary blocks - MESSENGER_TEMP
Show the message to temporary IP address blocks.
Default: 1 Range: 0-1

Use for permanent blocks - MESSENGER_PERM
Show the message for permanent IP address blocks.
Default: 1 Range: 0-1

User account to run under - MESSENGER_USER
The user account to run the messenger service servers under.
Default: csf

Maximum child connections - MESSENGER_CHILDREN
The maximum concurrent connections allowed to each service server.
Default: 10 Range: 2-200

Rate limit for connections - MESSENGER_RATE
Limit the rate at which connections can be made to the messenger service servers. See the iptables man page for the correct --limit rate syntax.
Default: 100/s

Burst limit for connections - MESSENGER_BURST
The maximum initial number of packets to match.
Default: 150

Messenger V3

MESSENGERV3 - MESSENGERV3
This option is available on any server running Apache v2.4+ or Litespeed. This uses the web server http daemon to provide the web server functionality for the MESSENGER HTML and HTTPS services. It uses a fraction of the resources that the lfd inbuilt service uses and overcomes the memory overhead of using the MESSENGER HTTPS service.
Default: 0

MESSENGERV3LOCATION - MESSENGERV3LOCATION
The file or directory where the additional web server configuration file should be included.
Default: /etc/httpd/conf.d

MESSENGERV3RESTART - MESSENGERV3RESTART
The command to restart the web server.
Default: systemctl restart httpd

MESSENGERV3TEST - MESSENGERV3TEST
The command to test the validity of the web server configuration. If using Litespeed, set to empty.
Default: /usr/sbin/apachectl -t

MESSENGERV3HTTPS_CONF - MESSENGERV3HTTPS_CONF
The main httpd.conf file for either Apache or Litespeed.
Default: /etc/httpd/conf/httpd.conf

MESSENGERV3WEBSERVER - MESSENGERV3WEBSERVER
Set to apache for servers running Apache v2.4+ or litespeed for Litespeed.
Default: apache

MESSENGERV3PERMS - MESSENGERV3PERMS
On creation, set the MESSENGER_USER public_html directory permissions to this value. Note: if you pre-create this directory, this setting is ignored.
Default: 711

MESSENGERV3GROUP - MESSENGERV3GROUP
On creation, set the group of the MESSENGER_USER public_html directory to this value. Note: if you pre-create this directory, this setting is ignored.
Default: apache

MESSENGERV3PHPHANDLER - MESSENGERV3PHPHANDLER
The web server configuration to allow PHP scripts to run. If left empty, the MESSENGER service will try to configure this. If this does not work, this should be set as an "Include /home/csf/csf_php.conf" or similar file which must contain appropriate web server configuration to allow PHP scripts to run. This line will be included within each MESSENGER VirtualHost container. This will replace the [MESSENGERV3PHPHANDLER] line from the csf webserver template files.
Default: Include /home/csf/csf_php.conf

Secure

• Perl module IO::Socket::SSL version 1.83 or newer is required for secure messenger support. Older OSes such as CentOS 6 need CPAN to install a newer version.
• To test that HTTPS support is working properly you can browse to a site on the server accessing the messenger port directly: https://www.example.com:8887

HTTPS HTML message port - MESSENGER_HTTPS
Set this to the port that will receive the HTTPS HTML message. You should configure this port to be >1023 and different from the TEXT and HTML port. Do NOT enable access to this port in TCP_IN. This option requires the perl module IO::Socket::SSL at a version level that supports SNI (1.83+). Additionally the version of openssl on the server must also support SNI. The option uses existing SSL certificates on the server for each domain to maintain a secure connection without browser warnings. It uses SNI to choose the correct certificate to use for each client connection.
Default: 8887

HTTPS HTML ports redirected - MESSENGER_HTTPS_IN
This comma separated list is the set of HTTPS HTML ports that will be redirected for the blocked IP address. If you are using per application blocking (LF_TRIGGER) then only the relevant block port will be redirected to the messenger port. Recommended setting: 443 plus any end-user control panel SSL ports.
Default: 443,7081,8443

Virtualhost SSL definitions - MESSENGER_HTTPS_CONF
This option points to the file(s) containing the Apache VirtualHost SSL definitions. This can be a file glob if there are multiple files to search. Only Apache v2 SSL VirtualHost definitions are supported.
Default: /etc/httpd/conf/plesk.conf.d/vhosts/*.conf

Default private key - MESSENGER_HTTPS_KEY
The following options can be specified to provide a default fallback certificate to be used if either SNI is not supported or a hosted domain does not have an SSL certificate. If a fallback is not provided, one of the certs obtained from MESSENGER_HTTPS_CONF will be used.
Default: /etc/pki/tls/private/localhost.key

Default certificate - MESSENGER_HTTPS_CRT
The following options can be specified to provide a default fallback certificate to be used if either SNI is not supported or a hosted domain does not have an SSL certificate. If a fallback is not provided, one of the certs obtained from MESSENGER_HTTPS_CONF will be used.
Default: /etc/pki/tls/certs/localhost.crt

Unsecure

HTML message port - MESSENGER_HTML
The port that will receive the HTML message. You should configure this port to be greater than 1023 and different from the TEXT port. Do NOT enable access to this port in TCP_IN.
Default: 8888 Range: 1023-65535

HTML ports redirected - MESSENGER_HTML_IN
The HTML ports (comma separated) that will be redirected for the blocked IP address. If you are using per application blocking (LF_TRIGGER) then only the relevant block port will be redirected to the messenger port.
Default: 80,7080,8880

TEXT message port - MESSENGER_TEXT
The port that will receive the TEXT message. You should configure this port to be greater than 1023 and different from the HTML port. Do NOT enable access to this port in TCP_IN.
Default: 8889 Range: 1023-65535

TEXT ports redirected - MESSENGER_TEXT_IN
The TEXT ports that will be redirected for the blocked IP address. If you are using per application blocking (LF_TRIGGER) then only the relevant block port will be redirected to the messenger port.
Default: 21
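The port constraints repeated across the Secure and Unsecure sections (listener ports above 1023, distinct from one another, never opened in TCP_IN, and not themselves among the redirected ports), the MESSENGER_CHILDREN range and the iptables --limit syntax for MESSENGER_RATE can all be checked mechanically before a restart. The script below is an added example, not csf or lfd code: it parses a constructed csf.conf-style fragment (messenger values are this page's defaults; the TCP_IN list is an assumption), reports violations, and renders the nat-table REDIRECT rule that ipt_REDIRECT makes possible. The rule shape in redirect_rule is an assumption about how such a redirect is expressed, not lfd's actual rule.

```python
"""Validate MESSENGER listener/redirect port settings and MESSENGER_RATE, and
render the nat REDIRECT rule those settings imply.
Added example; not part of csf/lfd."""
import re

# Constructed csf.conf-style fragment. Messenger values are this page's
# defaults; TCP_IN is an assumed open-port list used only for the check.
SAMPLE_CONF = """
TCP_IN = "20,21,22,25,53,80,110,143,443,465,587,993,995,8443"
MESSENGER = "1"
MESSENGER_CHILDREN = "10"
MESSENGER_RATE = "100/s"
MESSENGER_BURST = "150"
MESSENGER_HTTPS = "8887"
MESSENGER_HTML = "8888"
MESSENGER_TEXT = "8889"
MESSENGER_HTTPS_IN = "443,7081,8443"
MESSENGER_HTML_IN = "80,7080,8880"
MESSENGER_TEXT_IN = "21"
"""

LISTENERS = ("MESSENGER_HTTPS", "MESSENGER_HTML", "MESSENGER_TEXT")
REDIRECT_LISTS = ("MESSENGER_HTTPS_IN", "MESSENGER_HTML_IN", "MESSENGER_TEXT_IN")


def parse_conf(text):
    """Parse KEY = "value" lines into a dict (comments and blanks skipped)."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        conf[key.strip()] = value.strip().strip('"')
    return conf


def port_set(value):
    """Turn a comma separated port list into a set of ints."""
    return {int(p) for p in value.split(",") if p.strip()}


def valid_limit_rate(rate):
    """iptables '-m limit --limit' syntax: N optionally followed by '/' and a
    prefix of second, minute, hour or day (iptables accepts abbreviations
    such as 100/s or 5/min)."""
    m = re.fullmatch(r"(\d+)(?:/([A-Za-z]+))?", rate)
    if not m:
        return False
    unit = (m.group(2) or "second").lower()
    return any(u.startswith(unit) for u in ("second", "minute", "hour", "day"))


def check_messenger(conf):
    """Return a list of problems; empty means the settings respect the
    constraints this documentation states."""
    problems = []
    tcp_in = port_set(conf.get("TCP_IN", ""))
    listen = {k: int(conf[k]) for k in LISTENERS if conf.get(k)}

    for key, port in listen.items():
        if not 1023 < port <= 65535:
            problems.append(f"{key}={port} must be greater than 1023")
        if port in tcp_in:
            problems.append(f"{key}={port} must not be opened in TCP_IN")
    if len(set(listen.values())) != len(listen):
        problems.append("messenger listener ports must be distinct")

    # A public port that is redirected must not itself be a messenger listener.
    for in_key in REDIRECT_LISTS:
        for port in port_set(conf.get(in_key, "")):
            if port in listen.values():
                problems.append(f"{in_key} redirects {port}, which is itself a messenger port")

    children = int(conf.get("MESSENGER_CHILDREN", "10"))
    if not 2 <= children <= 200:
        problems.append(f"MESSENGER_CHILDREN={children} outside range 2-200")
    rate = conf.get("MESSENGER_RATE", "100/s")
    if not valid_limit_rate(rate):
        problems.append(f"MESSENGER_RATE={rate} is not valid iptables --limit syntax")
    return problems


def redirect_rule(blocked_ip, from_ports, to_port):
    """Assumed shape of the nat-table rule the messenger relies on: traffic
    from the blocked address to the public ports is REDIRECTed to the
    messenger listener (ipt_REDIRECT). lfd's exact rule may differ."""
    dports = ",".join(str(p) for p in sorted(from_ports))
    return (f"iptables -t nat -I PREROUTING -s {blocked_ip} -p tcp "
            f"-m multiport --dports {dports} -j REDIRECT --to-ports {to_port}")


if __name__ == "__main__":
    conf = parse_conf(SAMPLE_CONF)
    for problem in check_messenger(conf) or ["messenger settings look consistent"]:
        print(problem)
    print(redirect_rule("192.0.2.44", port_set(conf["MESSENGER_HTML_IN"]), conf["MESSENGER_HTML"]))
```

Run it against a real csf.conf by reading the file into parse_conf; the TCP_IN check is the one most often missed, since opening a messenger port there defeats the point of answering only redirected traffic from blocked addresses.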

reCAPTCHA unblock

• To test that Google reCAPTCHA support is working properly you can browse to a site on the server accessing the messenger port directly: http://www.example.com:8888

Recaptcha site key - RECAPTCHA_SITEKEY
The RECAPTCHA options provide a way for end-users that have blocked themselves in the firewall to unblock themselves. A valid Google reCAPTCHA (v2) key set is required for this feature, obtained from: https://www.google.com/recaptcha/intro/index.html This feature requires the installation of the LWP::UserAgent perl module. Note: an unblock will fail if the end-user's IP is located in a netblock, blocklist or CC_* deny entry.
Default: empty

Recaptcha secret - RECAPTCHA_SECRET
When configuring a new reCAPTCHA API key set, you must ensure that the option for Domain Name Validation is unticked so that the same reCAPTCHA can be used for all domains hosted on the server. lfd then checks that the hostname of the request resolves to an IP on this server.
Default: empty

Recaptcha NAT - RECAPTCHA_NAT
If the server uses NAT then resolving the hostname to hosted IPs will likely not succeed. In that case, the external IP addresses must be listed here as a comma separated list.
Default: empty
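The RECAPTCHA_SECRET and RECAPTCHA_NAT settings describe three server-side checks on a self-unblock request: the requested hostname must resolve to an address of this server (or to one listed in RECAPTCHA_NAT when the server sits behind NAT), the blocked address must not fall inside a wider netblock, blocklist or CC_* deny entry, and the reCAPTCHA token must verify. The script below is an added example of that logic, not lfd's code: DNS answers are constructed (FAKE_DNS, using documentation address ranges) so it runs offline, the deny-entry check is the author's reading of the note in RECAPTCHA_SITEKEY, and the siteverify call uses the public reCAPTCHA API with an injectable transport for testing.

```python
"""Checks behind a reCAPTCHA self-unblock request: the Host header must
resolve to this server (or a RECAPTCHA_NAT address), the blocked IP must not
sit inside a wider deny entry, and the token must verify.
Added example; not lfd's code."""
import ipaddress
import json
import socket
import urllib.parse
import urllib.request

SITEVERIFY_URL = "https://www.google.com/recaptcha/api/siteverify"

# Constructed DNS answers so the example runs offline (documentation ranges).
FAKE_DNS = {
    "www.example.com": ["203.0.113.10"],
    "shop.example.net": ["203.0.113.10", "2001:db8::10"],
    "elsewhere.example.org": ["198.51.100.7"],
}


def resolve(hostname, lookup=None):
    """Addresses a name resolves to; `lookup` injects canned answers."""
    if lookup is not None:
        return lookup.get(hostname, [])
    return sorted({info[4][0] for info in socket.getaddrinfo(hostname, None)})


def hostname_from_host_header(host_header):
    """Strip the port and IPv6 brackets from a Host header value."""
    host = host_header.strip().lower()
    if host.startswith("["):
        return host[1:host.find("]")]
    return host.split(":", 1)[0].rstrip(".")


def host_is_served_here(host_header, server_ips, recaptcha_nat="", lookup=None):
    """True when the requested hostname resolves to one of this server's
    addresses or to an address listed in RECAPTCHA_NAT."""
    hostname = hostname_from_host_header(host_header)
    if not hostname:
        return False
    allowed = {ipaddress.ip_address(ip) for ip in server_ips}
    allowed |= {ipaddress.ip_address(ip.strip())
                for ip in recaptcha_nat.split(",") if ip.strip()}
    try:
        answers = resolve(hostname, lookup)
    except (socket.gaierror, UnicodeError):
        return False
    return any(ipaddress.ip_address(a) in allowed for a in answers)


def eligible_for_unblock(client_ip, deny_entries):
    """Refuse the unblock when the IP sits inside a netblock, blocklist or
    CC_* deny entry; `deny_entries` are CIDRs or single addresses."""
    ip = ipaddress.ip_address(client_ip)
    return not any(ip in ipaddress.ip_network(e, strict=False) for e in deny_entries)


def verify_recaptcha(secret, token, client_ip, post=None):
    """Server-side token check against the reCAPTCHA siteverify API; the
    secret never reaches the browser. `post` injects a transport for tests."""
    fields = {"secret": secret, "response": token, "remoteip": client_ip}
    if post is None:
        data = urllib.parse.urlencode(fields).encode()
        with urllib.request.urlopen(SITEVERIFY_URL, data=data, timeout=10) as resp:
            result = json.load(resp)
    else:
        result = post(SITEVERIFY_URL, fields)
    return bool(result.get("success"))


def unblock_request_ok(host_header, client_ip, token, secret, server_ips,
                       recaptcha_nat="", deny_entries=(), lookup=None, post=None):
    """Run the cheap local checks first and the remote token check last."""
    if not host_is_served_here(host_header, server_ips, recaptcha_nat, lookup):
        return False
    if not eligible_for_unblock(client_ip, deny_entries):
        return False
    return verify_recaptcha(secret, token, client_ip, post)
```

Without RECAPTCHA_NAT a NAT'd server (private address only, public address on the gateway) fails the hostname check for every legitimate domain it hosts, which is the failure mode the setting exists to fix; the deny-entry check explains why an address caught by a netblock or country block cannot free itself this way.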

How to get a reCAPTCHA API key

  1. Sign up for the reCAPTCHA v2 API key here. You must ensure that the option for "Verify the origin of reCAPTCHA solutions" under advanced settings is unchecked so that the same reCAPTCHA can be used for all domains hosted on the server.
  2. Navigate to Juggernaut Firewall -> Settings -> Messenger Service and enter the site and secret keys under the reCAPTCHA site key and reCAPTCHA secret settings.