After installing OpenLitespeed with DirectAdmin you may want to access the OpenLitespeed Admin Dashboard to view or check settings, etc. The dashboard is accessed by changing the access port to 7080 – serverdomain.com:7080, but you will generally find that you are unable to access the dashboard. Although the default access setting for the OpenLitespeed Admin Dashboard is enabled in the /usr/local/lsws/conf/httpd-defaults.conf
file, dashboard access will be blocked when accessed as the port not been opened within your server firewall settings.
In this guide, we will show you how to enable access to the OpenLitespeed Admin Dashboard by opening the port in ConfigServer Security & Firewall (CSF), disable access to the Admin Dashboard by changing the option in the httpd-defaults.conf
file and closing the port in ConfigServer Security & Firewall (CSF) and how to lock down access to the Admin Dashboard to only allow access to your IP address or range of IP addresses.
How to Enable, Disable and Control Access to the Web Admin Dashboard with OpenLitespeed and DirectAdmin
Enable OLS Admin Dashboard
Since DirectAdmin Version 1.61.0, ConfigServer Security & Firewall (CSF) is now fully integrated into the DirectAdmin control panel and is installed by default when using the ./setup.sh auto
install command. However, you will still need to add the port 7080 to the CSF configuration file csf.conf
to enable OpenLitespeed Admin Dashboard access.
You can manually edit the CSF configuration file using /etc/csf/csf.conf
or the easiest way to complete this is using ConfigServer Security & Firewall GUI which can be found under the Extra Features section in the DirectAdmin dashboard.
Scroll down to the csf – ConfigServer Firewall section and click the Firewall Configuration to edit the CSF configuration file.
In the configuration file move down to the IPv4 Port Settings and add 7080 in the TCP_IN = option.
If your server uses IPv6 you will need to add the port 7080 to the TCP6_IN = under the IPv6 Port Settings as well.
Once you have added the 7080 port to the IPv4 and IPv6 Port Settings, scroll down to the bottom of the configuration file and click the Change button to apply the changes to the configuration file, open access to the port and restart CSF.
Now when you visit the OpenLitespeed Admin Dashboard using the link serverdomain.com:7080, you will be presented with the login screen.
That’s it, you have successfully enabled access to the OpenLitespeed Admin Dashboard by adding the port to the CSF configuration file.
Disable OLS Admin Dashboard
To disable access to the OpenLitespeed Admin Dashboard fully you will need to change the setting disableWebAdmin from 0 to 1 in the httpd-defaults.conf
file.
However, as we discussed in our guide How to Add HTTP Security Headers, DirectAdmin splits the OpenLiteSpeed configuration file into multiple include files (or templates) with the httpd-defaults.conf
being one, that come together to create single configuration file when the ./build rewrite_confs
command is issued.
This also means if we directly edit the httpd-defaults.conf
file it will be overwritten every time the ./build rewrite_confs
command is issued. We will therefore need to utilise the custom OpenLitespeed configuration option built into custombuild by creating a copy of the httpd-defaults.conf
file.
We will firstly need to access the custombuild folder and then create the custom OpenLitespeed folder using the following commands.
cd /usr/local/directadmin/custombuild/ mkdir -p custom/openlitespeed/conf
Now we will need to copy over the httpd-defaults.conf
file to the custom OpenLitespeed folder using the following command.
cp -p configure/openlitespeed/conf/httpd-defaults.conf custom/openlitespeed/conf/
After we have copied over the file, we can now edit it using the following command.
nano /usr/local/directadmin/custombuild/custom/openlitespeed/conf/httpd-defaults.conf
In the httpd-defaults.conf
file scroll down to the disableWebAdmin option and change the existing setting from 0 to 1. After change the setting you will need to rewrite the OpenLitespeed configuration files using the follow command.
./build rewrite_confs
Now, using the section above – Enable OLS Admin Dashboard – remove the port 7080 from the ConfigServer Security & Firewall (CSF) configuration file in TCP_IN = section under the IPv4 Port Settings and TCP6_IN = section under the IPv6 Port Settings and click the Change button to apply the changes to the configuration file, remove access to the port and restart CSF.
That’s it, you have successfully removed access to the OpenLitespeed Admin Dashboard using a custom httpd-defaults.conf
template and remove the port from the CSF configuration file.
Enable OLS Admin Dashboard Access Control
Sometimes you might want to retain access to the OpenLitespeed Admin Dashboard but would like to limit access to your own IP address or range of IP addresses. Using the in-built option within OpenLitespeed we are able to allow access to the dashboard by allowing or blocking specific IP addresses using the “Allowed List” or “Denied List”.
If the OpenLitespeed Admin Dashboard wasn’t set to read only mode with DirectAdmin you could simply log into the dashboard and navigate to the WebAdmin Settings and in the General tab, add your IP address or addresses to the Access Control section and then apply a graceful restart.
However as we cannot set the IP address directly in the dashboard we will need to adjust the setting using the admin_config.conf
. When we disabled access to the dashboard using custom OpenLitespeed configuration option we created a template. Unfortunately, there is no template to adjust the admin settings in the OpenLitespeed Admin Dashboard so we will need to edit the file directly.
In order to add your own IP address to the “Allowed List” or “Denied List” to OpenLitespeed access the admin_config.conf
file using the following command.
nano /usr/local/lsws/admin/conf/admin_config.conf
Now scroll down to the accessControl block and change it to add your own IP address or addresses to the allow section which will add these to the “Allowed List”. Make sure the deny section has ALL listed which will block access to any IP address not listed in the allow section above. Once added your admin_config.conf
file will look similar to the example below.
accessControl { allow IPADDRESS, IPADDRESS, IPADDRESS deny ALL }
Note
The access control “Allowed List” is compatible with both IPv4 and IPv6 addresses. As well as accepting individual IP addresses, you can also add subnet to both IPv4 and IPv6 addresses.
With your IP address or addresses added to the “Allowed List” we will need to ensure the admin_config.conf
file doesn’t get overwritten when using the ./build rewrite_confs
command. We can protect the file using the chattr
utility which can set or unset certain attributes of a file, to secure against accidental deletion or modification. To
In order to protect the file and make it read-only we can set the +i attribute using the following command.
chattr +i /usr/local/lsws/admin/conf/admin_config.conf
Note
If in the future you want to remove read-only access from the admin_config.conf
file you can replace the +i command with -i so the command will be chattr -i /usr/local/lsws/admin/conf/admin_config.conf
.
When you try to access the admin_config.conf
file now, you will see the File ‘/usr/local/lsws/admin/conf/admin_config.conf’ is unwritable message meaning the file is now read-only. In order for the changes to take effect we will need to gracefully restart OpenLitespeed using the following command.
service lsws restart && service lsws status
Now log into the OpenLitespeed Admin Dashboard and navigate to the WebAdmin Settings section and under the General tab, scroll down to the Access Control section you will see your IP address or addresses have now been added to the “Allowed List” and “Denied List” show ALL.
When the OpenLitespeed Admin Dashboard is accessed from an IP address not in the “Allowed List”, it will automatically be blocked with a 403 Forbidden error.
That’s it. You have enabled access to the OpenLitespeed Admin Dashboard by opening the port in ConfigServer Security & Firewall (CSF) and locked down access to the Admin Dashboard by allowing access with your own IP address or range of IP addresses.