Litespeed - administration security
Now that Litespeed is installed, we need to secure the administration area. We'll do this by adding an SSL connection to the administration port and configuring the server to accept connections to that port from our IP only (or from a group of IPs).
Unless you intend the administration area to be publicly accessed (!), there is no reason for an expensive SSL certificate to be issued by a recognised CA. A self-signed certificate will be plenty for our needs, and anyone authorised to access the administration area can be informed of this fact.
Creation of a self-signed SSL certificate is beyond this tutorial, but I recommend this self signed certificate article as a good start.
Once you have your certificate details, create a .ssl directory:
cd ~
mkdir .ssl
This is a convenient place to store our local certificates, so simply copy the created certificates to that directory.
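One way to produce the certificate and key files described above, added here as an example and not part of the original tutorial: it creates the pair in an owner-only directory and prints the SHA-256 fingerprint that authorised administrators can compare before accepting the self-signed certificate in their browser. The file names admin.key and admin.crt, the RSA 2048 key, the 365-day lifetime and the sample address in the comment are assumptions.

```shell
#!/usr/bin/env bash
# Added example (not from the original tutorial). The names admin.key and
# admin.crt and the address in the usage comment are assumptions.

# Create a self-signed certificate and key in a directory only the owner can read.
make_admin_cert() {
    local dir="$1" name="$2" cn="$3"
    (
        umask 077                      # new files are created owner-only
        mkdir -p "$dir" && chmod 700 "$dir" || exit 1
        # -nodes leaves the key unencrypted so the server can load it without
        # a passphrase prompt; the file permissions are what protect it.
        openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
            -subj "/CN=$cn" \
            -keyout "$dir/$name.key" -out "$dir/$name.crt" 2>/dev/null || exit 1
        chmod 600 "$dir/$name.key"
    )
}

# SHA-256 fingerprint of a certificate file.
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# Fingerprint of the certificate a listener actually serves, e.g.
#   served_fingerprint 203.0.113.10:31000   (documentation address)
served_fingerprint() {
    openssl s_client -connect "$1" </dev/null 2>/dev/null |
        openssl x509 -noout -fingerprint -sha256 | cut -d= -f2
}

# Run with the host name or IP you browse to as the only argument.
if [ $# -ge 1 ]; then
    make_admin_cert "$HOME/.ssl" admin "$1" && cert_fingerprint "$HOME/.ssl/admin.crt"
fi
```

Once the admin listener has been switched to SSL and restarted, served_fingerprint run against the admin port should print the same value as cert_fingerprint did for the file.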
Now log in to the Litespeed administration panel:
http://123.45.67.890:31000
Click on the 'Admin Config' or 'Web Console' button:
You will be presented with the Admin area configuration with two tabs: General and Security.
Hovering over the 'I' buttons will give hints and tips regarding that function. Try it now with the Session Timeout 'I' button:
Now that you've read the help associated with the Session Timeout, set the value to suit your needs by clicking the 'edit' link, changing the value and clicking 'save'. If you do not click 'save', any changes you have made will be lost.
Once you have clicked 'save' you will notice a new section to the page confirming the modification and giving a link to 'Apply Changes'.
If you were only going to make one change then simply click the link and complete a graceful restart to restart the server with the new configuration.
However, we're going to do some more changes. Click on the 'Security' tab.
You'll see that Access Control currently allows anyone. Although we set up iptables to allow only our IP address to access this port, it is still a good idea to set this value. (You may have to remove that IP entry in the iptables file or allow multiple IP access.)
Click the Access Control 'edit' link and remove the 'ALL' entry for the Allowed List and add your IP (e.g. 123.45.67.890). In the Denied List box, enter 'ALL'. This is shown below:
As the green help box indicates, there are many easy ways to add multiple IPs or blocks of IPs.
Once done, click 'save'. Then click on the main 'Listeners' tab. Listeners are configurable in many ways including which port to listen to (you can have multiple listeners) and how to react. There will be more on this as we add domains to our server configuration but we'll concentrate on the Admin Listener for the moment.
Click on the 'adminListener' link, then click 'edit'. As we want to use our SSL certificate for the admin sessions, change the 'Secure' value from 'no' to 'yes'.
Once done, click 'save' and move on to the 'SSL' tab:
I'm sure you get the idea by now, but click on the SSL Private Key & Certificate 'edit' link and enter the values for your self-signed (or purchased) SSL certificate. In the image below I have used the .ssl folder created earlier, but any location will suffice (just not in any public area).
Your file names may also differ slightly, but the suffixes will be the same (i.e. xxxx.crt and xxxx.key, etc.).
There is also no particular need for a chained certificate, but I wanted to show you how to fill in all the options correctly.
Click 'save' and then 'Apply Changes'. This will bring you to the Control Panel:
Click 'Apply Changes / Graceful Restart' and confirm you want to restart the server (I know, it can be annoying getting a confirmation box).
Uh oh! It's not logged us back in....
That's because we need to be using the secure https protocol and not http. So in the URL change http to https:
https://123.45.67.890:31000
Accept the certificate (if needed) and log back in.
It may have taken a few minutes to go through all of this but once you are familiar with the interface it takes mere seconds to set up secure ports and SSL certificates. The time I have saved not logging in to a terminal via SSH and configuring everything by hand is amazing.
Next we'll learn how to upgrade the server. Then we'll configure Litespeed to navigate our public folder (wherever you decide that might be) and start to serve our domains.
PickledOnion
Article Comments:
Nathan Farrington 07 Sep, 2007
Thank you so much for writing this tutorial. And congratulations on your new job at SliceHost! I literally spent an entire day setting up SSL with Apache. I spent about 20 minutes with LiteSpeed. THANK YOU!!
PickledOnion 07 Sep, 2007
Hi Nathan,
Thanks for the comment and I'm glad you like Litespeed.
Feel free to get in touch if you have any questions.
PickledOnion.
Donovan Dillon 27 Sep, 2007
Thank you so much PickledOnion! This has to be the most complete and accurate set of configuration aids I have ever encountered. Your aids (and a big helping of motivation from MichaelT on the SliceHost forums) pulled me from the brink of ditching slicehost. SliceHost and its customers are blessed by the privilege of your service!! Thanks again.
Donovan Dillon 27 Sep, 2007
Quick question on this step:
Should those of us without dedicated (static) IP addresses, just follow the steps for the SSL connection to the admin port?
Thanks again PickledOnion. These guides are a godsend.
PickledOnion 27 Sep, 2007
Hey Donovan,
Yes, if you don't have a dedicated IP address, set the connection to allow 'ALL' - as long as you have a decent admin username and password you will be fine.
Those with a static IP have the extra benefit of defining the address to listen to but it is not essential.
PickledOnion.