Allow or Deny IP Addresses on OpenLiteSpeed

3 min read

Introduction

GridPane OpenLiteSpeed (OLS) offers a server-wide and per-site, IP allow/deny mechanism. This allows you to explicitly allow or deny access to a list of IP addresses and/or subnets to your virtual hosts (which in this context means each of your individual websites).

Below we’ll look at how you use these configuration files on your OLS servers. You’ll need to connect to your server over SSH or SFTP to edit these files. Please see the guides linked below to get started.

Three Quick Notes

  1. Use the server-level configuration to allow/deny to all virtual hosts on your server.
  2. Individual website settings will NOT override server settings so, for example, you can’t deny an IP for all websites, but then try to allow it for one individual website.
  3. The configuration files we’ll be using automatically append a “T” to each entry in the allow lists for “trusted” as per the official OpenLiteSpeed documentation.

Allow IP Addresses

There are two individual configurations, one that applies server-wide, and one that is site-specific.

The server-wide configuration is located here:

/usr/local/lsws/conf/ip_allow.conf

The site-specific config is located here (replace “site.url” with your domain name):

/var/www/site.url/ols/ip_allow.conf

Add Your IP/s

To edit either file, open them with nano like so:

nano /usr/local/lsws/conf/ip_allow.conf
nano /var/www/site.url/ols/ip_allow.conf

Add one IP address or subnet per line, then hit CTRL+O followed by Enter to save the file, and CTRL+X to exit nano.

Restart OLS

For the changes to take effect you will first need to restart OLS.

If you’ve made server-wide changes, restart and regenerate the server configuration with the following command:

gpols httpd

If you’ve made site-specific changes restart and regenerate the website configuration with this command (replace “site.url” with your domain name):

gpols site site.url

Your rule is now in place.

Deny IP Addresses

When denying IPs at the server level it will close its connection so nothing gets hit on the server. If you deny at the site level, a 403 HTTP Error will be served.

Like above, there are two individual configurations, one that applies server-wide, and one that is site-specific.

The server-wide configuration is located here:

/usr/local/lsws/conf/ip_deny.conf

The site-specific config is located here (replace “site.url” with your domain name):

/var/www/site.url/ols/ip_deny.conf

Add Your IP/s

To edit either file, open them with nano like so:

nano /usr/local/lsws/conf/ip_deny.conf
nano /var/www/site.url/ols/ip_deny.conf

Add one IP address or subnet per line, then hit CTRL+O followed by Enter to save the file, and CTRL+X to exit nano.

Restart OLS

For the changes to take effect you will first need to restart OLS.

If you’ve made server-wide changes, restart and regenerate the server configuration with the following command:

gpols httpd

If you’ve made site-specific changes restart and regenerate the website configuration with this command (replace “site.url” with your domain name):

gpols site site.url

Your rule is now in place.