Introduction
vCanopy OpenLiteSpeed (OLS) offers a server-wide and per-site, IP allow/deny mechanism. This allows you to explicitly allow or deny access to a list of IP addresses and/or subnets to your virtual hosts (which in this context means each of your individual websites).
Below we’ll look at how you use these configuration files on your OLS servers. You’ll need to connect to your server over SSH or SFTP to edit these files. Please see the guides linked below to get started.
Step 1. Generate your SSH Key
Step 2. Add your SSH Key to vCanopy (also see Add default SSH Keys)
Step 3. Connect to your server by SSH as Root user (we like and use Termius)
Three Quick Notes
- Use the server-level configuration to allow/deny to all virtual hosts on your server.
- Individual website settings will NOT override server settings so, for example, you can’t deny an IP for all websites, but then try to allow it for one individual website.
- The configuration files we’ll be using automatically append a “T” to each entry in the allow lists for “trusted” as per the official OpenLiteSpeed documentation.
Allow IP Addresses
There are two individual configurations, one that applies server-wide, and one that is site-specific.
The server-wide configuration is located here:
/usr/local/lsws/conf/ip_allow.conf
The site-specific config is located here (replace “site.url” with your domain name):
/var/www/site.url/ols/ip_allow.conf
ADD YOUR IP/S
To edit either file, open them with nano like so:
nano /usr/local/lsws/conf/ip_allow.conf
nano /var/www/site.url/ols/ip_allow.conf
Add one IP address or subnet per line, then hit CTRL+O followed by Enter to save the file, and CTRL+X to exit nano.
RESTART OLS
For the changes to take effect you will first need to restart OLS.
If you’ve made server-wide changes, restart and regenerate the server configuration with the following command:
gpols httpd
If you’ve made site-specific changes restart and regenerate the website configuration with this command (replace “site.url” with your domain name):
gpols site site.url
Your rule is now in place.
Deny IP Addresses
When denying IPs at the server level it will close its connection so nothing gets hit on the server. If you deny at the site level, a 403 HTTP Error will be served.
Like above, there are two individual configurations, one that applies server-wide, and one that is site-specific.
The server-wide configuration is located here:
/usr/local/lsws/conf/ip_deny.conf
The site-specific config is located here (replace “site.url” with your domain name):
/var/www/site.url/ols/ip_deny.conf
ADD YOUR IP/S
To edit either file, open them with nano like so:
nano /usr/local/lsws/conf/ip_deny.conf
nano /var/www/site.url/ols/ip_deny.conf
Add one IP address or subnet per line, then hit CTRL+O followed by Enter to save the file, and CTRL+X to exit nano.
RESTART OLS
For the changes to take effect you will first need to restart OLS.
If you’ve made server-wide changes, restart and regenerate the server configuration with the following command:
gpols httpd
If you’ve made site-specific changes restart and regenerate the website configuration with this command (replace “site.url” with your domain name):
gpols site site.url
Your rule is now in place.