✅ Project Status: Actively Maintained
OpenLiteSpeed is actively maintained by LiteSpeed Technologies with regular security updates.
OpenLiteSpeed is a high-performance web server with native HTTP/3 (QUIC) support. This guide provides hardening measures for secure deployments.
The admin console (port 7080) should only be accessible from trusted IPs:
# UFW
sudo ufw allow from 192.168.1.0/24 to any port 7080 proto tcp
sudo ufw deny 7080/tcp # Deny all others
# firewalld
sudo firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="192.168.1.0/24" port port="7080" protocol="tcp" accept'
sudo firewall-cmd --permanent --add-rich-rule='rule family="ipv4" port port="7080" protocol="tcp" reject'
# UFW
sudo ufw allow 80/tcp # HTTP
sudo ufw allow 443/tcp # HTTPS
sudo ufw allow 443/udp # HTTP/3 QUIC
# firewalld
sudo firewall-cmd --permanent --add-service=http
sudo firewall-cmd --permanent --add-service=https
sudo firewall-cmd --permanent --add-port=443/udp
sudo firewall-cmd --reload
If not needed, disable the default test page on port 8088:
# Remove or comment out test page listener in config
# Via admin console: Listeners → Test → Delete
# Reset the admin console username and password
sudo /usr/local/lsws/admin/misc/admpass.sh
Via admin console:
Via admin console:
# Configuration files
sudo chown root:root /usr/local/lsws/conf/*.conf
sudo chmod 644 /usr/local/lsws/conf/*.conf
# Admin directory
sudo chown root:root /usr/local/lsws/admin
sudo chmod 755 /usr/local/lsws/admin
OpenLiteSpeed runs as nobody:nogroup by default (Debian/Ubuntu) or nobody:nobody (RHEL).
Create systemd override:
sudo systemctl edit lsws
Add:
[Service]
# Filesystem protection
ProtectSystem=strict
ProtectHome=read-only
PrivateTmp=true
ReadWritePaths=/usr/local/lsws/logs /var/www
# Network restrictions
RestrictAddressFamilies=AF_INET AF_INET6
# Capability restrictions
CapabilityBoundingSet=CAP_NET_BIND_SERVICE
AmbientCapabilities=
# System call filtering
SystemCallArchitectures=native
SystemCallFilter=@system-service
# Memory protection
PrivateDevices=true
ProtectKernelTunables=true
ProtectKernelModules=true
ProtectControlGroups=true
# Restrict privileges
NoNewPrivileges=true
RestrictSUIDSGID=true
# Resource limits
LimitNOFILE=65535
CPUQuota=50%
# MemoryMax= replaces the deprecated MemoryLimit=
MemoryMax=512M
# Debian/Ubuntu
sudo apt update && sudo apt upgrade openlitespeed
# RHEL/CentOS
sudo dnf update openlitespeed
Via admin console:
Via admin console:
Add via virtual host configuration or .htaccess:
Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"
Header always set X-Content-Type-Options "nosniff"
Header always set X-Frame-Options "SAMEORIGIN"
Header always set X-XSS-Protection "1; mode=block"
Header always set Referrer-Policy "strict-origin-when-cross-origin"
Via admin console:
Via admin console:
# Allow UDP 443
sudo ufw allow 443/udp
# or
sudo firewall-cmd --permanent --add-port=443/udp
sudo firewall-cmd --reload
Via admin console:
%v %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i"
Via admin console:
WARN or higher
# /etc/logrotate.d/openlitespeed
/usr/local/lsws/logs/*.log {
    daily
    rotate 30
    compress
    delaycompress
    missingok
    notifempty
    create 0644 nobody nogroup
    postrotate
        systemctl reload lsws
    endscript
}
# Test configuration syntax
sudo /usr/local/lsws/bin/lswsctrl config_test
# Check service status
sudo systemctl status lsws
# Check running user
ps aux | grep lsws
# Check open ports (TCP and UDP, so the HTTP/3 listener on 443/udp is shown)
sudo netstat -tulnp | grep -E ':(80|443|7080)[[:space:]]'
# Check file permissions
ls -la /usr/local/lsws/conf/
ls -la /usr/local/lsws/admin/
# Check systemd hardening
systemctl show lsws | grep -E "Protect|Private|Restrict"
# Port scan (from external host)
nmap -sV -sC your_server_ip
# SSL test
testssl.sh your_server_ip:443
# HTTP/3 test
curl --http3 -I https://your_server_ip
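The systemd hardening check above only lists matching properties; it does not say whether the override took effect. The following is an added example, not part of the original guide or the OpenLiteSpeed project: it compares `systemctl show` output with the boolean and enum settings from the override (systemctl prints booleans as yes/no). The function name and the sample input are constructed for illustration.

```shell
#!/bin/sh
# Expected effective values, taken from the [Service] override in this guide.
EXPECTED='ProtectSystem=strict
ProtectHome=read-only
PrivateTmp=yes
PrivateDevices=yes
ProtectKernelTunables=yes
ProtectKernelModules=yes
ProtectControlGroups=yes
NoNewPrivileges=yes
RestrictSUIDSGID=yes'

# check_hardening (hypothetical helper): reads Key=Value lines on stdin,
# prints one line per problem, returns 0 only if every property matches.
check_hardening() {
    props=$(cat)
    rc=0
    for want in $EXPECTED; do
        key=${want%%=*}
        # Anchor on "Key=" so a longer property name never matches by prefix.
        have=$(printf '%s\n' "$props" | grep -m1 "^${key}=" || true)
        if [ -z "$have" ]; then
            echo "MISSING  $key (want ${want#*=})"
            rc=1
        elif [ "$have" != "$want" ]; then
            echo "MISMATCH $key: have ${have#*=}, want ${want#*=}"
            rc=1
        fi
    done
    return $rc
}

# Constructed sample: a unit where the override was only partly applied.
SAMPLE='ProtectSystem=full
ProtectHome=read-only
PrivateTmp=yes
PrivateDevices=no
NoNewPrivileges=yes'

# Demo on the constructed sample; on a live host run:
#   systemctl show lsws | check_hardening
printf '%s\n' "$SAMPLE" | check_hardening || true
```

A non-zero exit status makes the function usable as a gate in a deployment script or configuration-management check.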