Hi everyone,
I'm looking for advice from people with real-world experience running LiteSpeed Enterprise under heavy traffic or during attacks.
I have an interesting situation.
With Apache + Nginx (reverse proxy) I use Nginx rate limiting to protect WooCommerce. When someone starts flooding dynamic requests (especially WooCommerce filters, search, AJAX requests, or other expensive PHP endpoints), Nginx throttles the requests before they ever reach Apache/PHP.
The result is:
Apache never knows an attack is happening.
CPU usage stays relatively low.
PHP-FPM isn't overloaded.
MariaDB remains stable.
The website continues working normally for legitimate visitors.
Even during fairly aggressive attacks the server stays responsive.
The problem starts when I run LiteSpeed Enterprise directly.
If somebody floods WooCommerce filter requests or sends a large number of dynamic requests, LiteSpeed processes them until CPU, PHP workers or database resources become exhausted.
Eventually:
the website becomes unavailable,
PHP workers get saturated,
server load increases dramatically,
in some cases even SSH becomes slow or unavailable.
My goal is not simply to block IP addresses after the attack has already overloaded the server.
Instead, I want behaviour similar to Nginx Rate Limit, where the requests are rejected before consuming significant server resources.
My questions
Is it possible to achieve similar protection using LiteSpeed Enterprise?
Which LiteSpeed features should I configure?
Per Client Throttling?
Connection Soft/Hard Limits?
Request Rate Limiting?
Rewrite Rules?
ModSecurity?
reCAPTCHA?
Something else?
Can LiteSpeed reject excessive dynamic requests before PHP is started?
Has anyone successfully protected WooCommerce filter pages, AJAX endpoints, search requests or other expensive dynamic URLs from resource exhaustion?
Is LiteSpeed capable of providing protection comparable to Nginx rate limiting, or is an external reverse proxy (such as Nginx, HAProxy or Cloudflare) still recommended for this type of attack?
My environment
LiteSpeed Enterprise
WordPress
WooCommerce
PHP 8.3
MariaDB
Approximately 200 WordPress websites on one server
Some WooCommerce stores receive a significant amount of traffic
I'm particularly interested in hearing from people who have dealt with real DDoS attacks or Layer 7 (HTTP) attacks against WooCommerce.
Any configuration examples or best practices would be greatly appreciated.
Thanks!
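The Nginx-side throttling described in the post, sketched as an added example (not the poster's configuration, and not LiteSpeed syntax): a `map` turns only expensive dynamic requests into rate-limit keys, so static files and ordinary page views are never counted. The hostname, backend address, rate, burst, zone size and the list of WooCommerce query parameters are assumptions.

```nginx
# Added example; place inside the http {} context of nginx.conf.
# Assumed values: shop.example.com, backend on 127.0.0.1:8080, 2 r/s, burst 10.

# Build the rate-limit key. An empty key means "do not count this request",
# so only the expensive dynamic URLs are throttled per client IP.
map $request_uri $wc_dynamic_key {
    default                                              "";
    "~*^/wp-admin/admin-ajax\.php"                       $binary_remote_addr;
    "~*[?&]wc-ajax="                                     $binary_remote_addr;
    "~*[?&]s="                                           $binary_remote_addr;
    "~*[?&](filter_[^=]+|min_price|max_price|orderby)="  $binary_remote_addr;
}

# One shared-memory zone holding per-IP state for the dynamic requests.
limit_req_zone $wc_dynamic_key zone=wc_dynamic:20m rate=2r/s;

# Answer throttled requests with 429 instead of the default 503.
limit_req_status 429;

server {
    listen 80;
    server_name shop.example.com;

    location / {
        # Allow short bursts (a shopper clicking several filters),
        # reject anything beyond that immediately.
        limit_req zone=wc_dynamic burst=10 nodelay;

        # Only requests that passed the limit reach the backend web server.
        proxy_pass http://127.0.0.1:8080;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
```

`limit_req` is evaluated before `proxy_pass`, so a rejected request is answered by Nginx itself and never opens a connection to the backend or starts PHP.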