Customizing OpenLiteSpeed

Wildcard *.domain.com with OpenLiteSpeed

This guide is an extension of the Apache version and applies to a server running OpenLiteSpeed.

Use step 1 in the other guide to set up the DNS in the same manner.

2. Use the tool Admin Level -> Custom HTTPD Configuration -> domain.com to edit the Apache configuration and add this code into the top text area:

vhAliases *.|DOMAIN|

---

In a similar fashion to the Apache guide, if you want normal control of other subdomains and the full domain, you'd use the zzzz subdomain method:

|*if SUB="zzzz"|
vhAliases *.|DOMAIN|
|*endif|

How to set up webmail.example.com with OpenLiteSpeed

Similar to the apache version of this guide, OpenLiteSpeed has the ability to set up a webmail.domain.com subdomain using the templates.

In this example, we'll be setting it up for RoundCube.

1. You'll need to set up the server section for the webmail subdomain. This can be accomplished by adding a 2nd server section below the domain's main one.

Edit /usr/local/directadmin/data/templates/custom/cust_openlitespeed.CUSTOM.8.pre to add this to the file

virtualHost webmail.|SDOMAIN|-|VH_PORT| {
|CUSTOM|
 user                    webapps
 group                   webapps
 vhRoot                  /var/www/html
 allowSymbolLink         1
 enableScript            1
 restrained              1
 setUIDMode              2
 # listeners  listener1, listener2, listener3
 listeners |LISTENERS|
 
 #VirtualHost config settings
 docRoot                   /var/www/html/roundcube
 vhDomain                  webmail.|SDOMAIN|
 vhAliases                 webmail.|SDOMAIN|
 adminEmails               |ADMIN|
 enableGzip                1
 enableIpGeo               1

 errorlog |APACHELOGDIR|/|LOG_NAME|.error.log {
   useServer               0
   logLevel                NOTICE
   rollingSize             0
 }
 accesslog |APACHELOGDIR|/|LOG_NAME|.log {
   useServer               0
   logFormat               %a %l %u %t "%r" %>s %O "%{Referer}i" "%{User-Agent}i"
   logHeaders              5
   rollingSize             0
 }
 accesslog |APACHELOGDIR|/|LOG_NAME|.bytes {
   useServer               0
   logFormat               %O %I
   rollingSize             0
 }

 scripthandler  {
   add                     lsapi:|SCRIPTHANDLER| inc
   add                     lsapi:|SCRIPTHANDLER| php
   add                     lsapi:|SCRIPTHANDLER| phtml
   add                     lsapi:|SCRIPTHANDLER| php|PHP1_RELEASE|
 }

 phpIniOverride  {
   php_admin_flag engine |PHP|
   php_admin_value sendmail_path "/usr/sbin/sendmail -t -i -f |PHP_EMAIL|"
   |CLI_PHP_MAIL_LOG|
 }

 rewrite  {
   enable                  1
   autoLoadHtaccess        1
   |FORCE_SSL_REDIRECT|
 }

 |*if SSL_TEMPLATE="1"|
 vhssl  {
   |CUSTOM6|
   keyFile                 |KEY|
   certFile                |CERT|
   certChain               1
   sslProtocol             |SSLPROTOCOL|
 }
 |*endif|

 # include aliases
 include /usr/local/lsws/conf/httpd-alias.conf
}

Save, exit, then run:

cd /usr/local/directadmin/custombuild
./build rewrite_confs

to rewrite the User openlitespeed.conf files.

2. You'll also need to setup the dns portion.

cd /usr/local/directadmin/data/templates
cp dns_a.conf custom
cd custom
echo "webmail=|IP|" >> dns_a.conf

This will set up the** webmail A record for new DNS zones.**

For existing DNS zones, you'll have to manually add the** webmail A** record to point to the domain's IP.

Global and per domain CUSTOM templates

Ability to set global override tokens in core OpenLiteSpeed templates.

---

openlitespeed_listener.conf:

/usr/local/directadmin/data/templates/custom/openlitespeed_listener.conf.CUSTOM.1.pre/usr/local/directadmin/data/templates/custom/openlitespeed_listener.conf.CUSTOM.1.post ... /usr/local/directadmin/data/templates/custom/openlitespeed_listener.conf.CUSTOM.7.pre/usr/local/directadmin/data/templates/custom/openlitespeed_listener.conf.CUSTOM.7.post

To change the 'sslProtocol 30' to let say 28 :

Create: /usr/local/directadmin/data/templates/custom/openlitespeed_listener.conf.CUSTOM.2.pre/usr/local/directadmin/data/templates/custom/openlitespeed_redirect_vhost.conf.CUSTOM.2.pre/usr/local/directadmin/data/templates/custom/openlitespeed_vhost.conf.CUSTOM.2.pre/usr/local/directadmin/data/templates/custom/openlitespeed_ips.conf.CUSTOM.2.pre

where the CUSTOM.2 choice in this particular case, is merely any token set after the original "|?SSLPROTOCOL=30|" value is set, to load it internally.

The |? tokens don't output anything, and thus can be set anywhere you need to set in order to overwrite a variable.

Set each with code:

|?SSLPROTOCOL=28|

Any template file not controlled by DA wouldn't be affected by this.

For example, the /usr/local/lsws/conf/httpd-vhosts.conf would not be controlled by tokens, so you'd just copy your customized version to:

/usr/local/directadmin/custombuild/custom/openlitespeed/conf/httpd-vhosts.conf

with the "sslProtocol 28 change" set in there.

Adding security headers to get A+ rating

This guide is similar to the apache guide for adding security headers, but is tailored to the OpenLitespeed webserver. You may refer to the mentioned Apache guide for generalized information regarding security headers and online tools for testing them. Here are the instructions for accomplishing the same with OpenLitespeed:

1. Copy the vhost template:

cp -p /usr/local/directadmin/data/templates/openlitespeed_vhost.conf /usr/local/directadmin/data/templates/custom/

2. Edit the /usr/local/directadmin/data/templates/custom/openlitespeed_vhost.conf file and after |CONTEXTS| directive add following code:

context / {
    location      $DOC_ROOT/
    allowBrowse     1
    extraHeaders   Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
  }
  context / {
    location        $DOC_ROOT/
    allowBrowse     1
    extraHeaders   X-Content-Type-Options nosniff
  }
  context / {
    location       $DOC_ROOT/
    allowBrowse    1
    extraHeaders    X-XSS-Protection 1;mode=block
  }
  context / {
    location    $DOC_ROOT/
    allowBrowse    1
    extraHeaders  X-Frame-Options SAMEORIGIN
  }
  context / {
    location      $DOC_ROOT/
    allowBrowse   1
    extraHeaders   Referrer-Policy strict-origin
  }

  context / {
    location     $DOC_ROOT/
    allowBrowse   1
    extraHeaders  Expect-CT enforce, max-age=21600
}
  context / {
    location    $DOC_ROOT/
    allowBrowse    1
    extraHeaders  Permissions-Policy 'geolocation=*, midi=(), sync-xhr=(self "https://|DOMAIN|" "https://www.|DOMAIN|"), microphone=(), camera=(), magnetometer=(), gyroscope=(), payment=(), fullscreen=(self "https://|DOMAIN|" "https://www.|DOMAIN|")'
}
  context / {
    location    $DOC_ROOT/
    allowBrowse   1
    extraHeaders  Content-Security-Policy default-src https:; font-src https: data:; img-src https: data:; script-src https:; style-src https:;
}

3. And rewrite configs:

cd /usr/local/directadmin/custombuild/
./build rewrite_confs

How to adjust environment values with OpenLiteSpeed

The environment values that are usually adjusted with .htaccess for apache will not work with OpenLiteSpeed. The proper way of applying them for OpenLiteSpeed is to modify the OLS config files. For example, SetEnv MAGICK_THREAD_LIMIT 1 from .htaccess will translate to the OLS config template file /usr/local/directadmin/data/templates/custom/openlitespeed/conf/httpd-phplimits.conf like so:

env MAGICK_THREAD_LIMIT=1

Then apply the changes via CustomBuild:

cd /usr/local/directadmin/custombuild/
./build openlitespeed
./build rewrite_confs