Read More

Admin Listeners SSL

Admin Listeners are dedicated to the Admin Server. Secure (SSL) listeners are recommended for the Admin Server.

Table of Contents

SSL Private Key & Certificate

Private Key File | Certificate File | Chained Certificate | CA Certificate Path | CA Certificate File

SSL Protocol

Ciphers | Enable ECDH Key Exchange | Enable DH Key Exchange | DH Parameter

Security & Features

SSL Renegotiation Protection | Enable Session Cache | Enable Session Tickets | ALPN | Open HTTP3/QUIC (UDP) port

Client Verification

Client Verification | Verify Depth | Client Revocation Path | Client Revocation File

SSL Private Key & Certificate

Description

Every SSL listener requires a paired SSL private key and SSL certificate. Multiple SSL listeners can share the same key and certificate.

You can generate SSL private keys yourself using an SSL software package, such as OpenSSL. SSL certificates can also be purchased from an authorized certificate issuer like VeriSign or Thawte. You can also sign the certificate yourself. Self-signed certificates will not be trusted by web browsers and should not be used on public websites containing critical data. However, a self-signed certificate is good enough for internal use, e.g. for encrypting traffic to LiteSpeed Web Server's WebAdmin Console.

Private Key File

Description

The filename of the SSL private key file. The key file should not be encrypted.

Syntax

Filename which can be an absolute path or a relative path to $SERVER_ROOT.

Tips

The private key file should be placed in a secured directory that allows read-only access to the user the server runs as.

Certificate File

Description

The filename of the SSL certificate file.

Syntax

Filename which can be an absolute path or a relative path to $SERVER_ROOT.

Tips

The certificate file should be placed in a secured directory, which allows read-only access to the user that the server runs as.

Chained Certificate

Description

Specifies whether the certificate is a chained certificate or not. The file that stores a certificate chain must be in PEM format, and the certificates must be in the chained order, from the lowest level (the actual client or server certificate) to the highest level (root) CA.

Syntax

Select from radio box

CA Certificate Path

Description

Specifies the directory where the certificates of certification authorities (CAs) are kept. Those certificates are used for client certificate authentication and constructing the server certificate chain, which will be sent to browsers in addition to the server certificate.

Syntax

path

CA Certificate File

Description

Specifies the file that contains all certificates of certification authorities (CAs) for chained certificates. This file is simply the concatenation of PEM-encoded certificate files, in order of preference. This can be used as an alternative or in addition to CA Certificate Path. Those certificates are used for client certificate authentication and constructing the server certificate chain, which will be sent to browsers in addition to the server certificate.

Syntax

Filename which can be an absolute path or a relative path to $SERVER_ROOT.

SSL Protocol

Description

Customizes SSL protocols accepted by the listener.

Ciphers

Description

Specifies the cipher suite to be used when negotiating the SSL handshake. LSWS supports cipher suites implemented in SSL v3.0, TLS v1.0, TLS v1.2, and TLS v1.3.

Syntax

Colon-separated string of cipher specifications.

Example

ECDHE-RSA-AES128-SHA256:RC4:HIGH:!MD5:!aNULL:!EDH

Tips

We recommend leaving this field blank to use our default cipher which follows SSL cipher best practices.

Enable ECDH Key Exchange

Description

Allows use of Elliptic Curve Diffie-Hellman key exchange for further SSL encryption.

Syntax

Select from radio box

Tips

ECDH key exchange is more secure than using just an RSA key. ECDH and DH key exchange are equally secure.

Enabling ECDH key exchange will increase CPU load and is slower than using just an RSA key.

Enable DH Key Exchange

Description

Allows use of Diffie-Hellman key exchange for further SSL encryption.

Syntax

Select from radio box

Tips

DH key exchange is more secure than using just an RSA key. ECDH and DH key exchange are equally secure.

Enabling DH key exchange will increase CPU load and is slower than ECDH key exchange and RSA. ECDH key exchange is preferred when available.

DH Parameter

Description

Specifies the location of the Diffie-Hellman parameter file necessary for DH key exchange.

Syntax

Filename which can be an absolute path or a relative path to $SERVER_ROOT.

SSL Renegotiation Protection

Description

Specifies whether to enable SSL Renegotiation Protection to defend against SSL handshake-based attacks. The default value is "Yes".

Syntax

Select from radio box

Tips

This setting can be enabled at the listener and virtual host levels.

Enable Session Cache

Description

Enables session id caching using OpenSSL's default setting. Default value is "No".

Syntax

Select from radio box

Enable Session Tickets

Description

Enables session tickets using OpenSSL's default session ticket setting. Server-level setting must be set to "Yes" for Virtual Host setting to take effect.

Default values:
Server-level: Yes
VH-Level: Yes

Syntax

Select from radio box

ALPN

Description

Selectively enable HTTP/3, HTTP/2, and SPDY HTTP network protocols.

If you wish to disable SPDY, HTTP/2, and HTTP3, check "None" and leave all other boxes unchecked.

Default value: All enabled

Syntax

Select from checkbox

Tips

This setting can be set at the listener and virtual host levels.

Open HTTP3/QUIC (UDP) port

Description

Allows the use of the HTTP3/QUIC network protocol for virtual hosts mapped to this listener. For this setting to take effect, Enable HTTP3/QUIC must also be set to Yes at the server level. Default value is Yes.

Tips

When this setting is set to Yes, HTTP3/QUIC can still be disabled at the virtual host level through the Enable HTTP3/QUIC setting.

Client Verification

Description

Specifies the type of client certifcate authentication. Available types are:

  • None: No client certificate is required.
  • Optional: Client certificate is optional.
  • Require: The client must has valid certificate.
  • Optional_no_ca: Same as optional.
The default is "None".

Syntax

Select from drop down list

Tips

"None" or "Require" are recommended.

Verify Depth

Description

Specifies how deeply a certificate should be verified before determining that the client does not have a valid certificate. The default is "1".

Syntax

Select from drop down list

Client Revocation Path

Description

Specifies the directory containing PEM-encoded CA CRL files for revoked client certificates. The files in this directory have to be PEM-encoded. These files are accessed through hash filenames, hash-value.rN. Please refer to openSSL or Apache mod_ssl documentation regarding creating the hash filename.

Syntax

path

Client Revocation File

Description

Specifies the file containing PEM-encoded CA CRL files enumerating revoked client certificates. This can be used as an alternative or in addition to Client Revocation Path.

Syntax

Filename which can be an absolute path or a relative path to $SERVER_ROOT.

Privacy Policy

Privacy Policy

LiteSpeed Technologies, Inc. (aka “LiteSpeed”) is committed to protecting your privacy. This policy ("Privacy Policy" or "Policy") explains our practices for our site, www.litespeedtech.com ("Site"). You can visit most pages of the Site without giving us any information about yourself, but sometimes we do need information to provide services that you request. By using this Site or any products or services provided through the Site, you expressly consent to the use and disclosure of information as described in this Privacy Policy.

LiteSpeed reserves the right to revise, modify, add, or remove provisions to this Privacy Policy at any time. If we make changes to this Privacy Policy, we will update the Effective Date to note the date of such changes. LiteSpeed encourages you to review this Privacy Policy periodically for any changes. IF YOU DO NOT AGREE WITH ANY OF THE TERMS BELOW, YOU SHOULD NOT USE THIS SITE OR THE PRODUCTS OR SERVICES OFFERED BY LITESPEED TECHNOLOGIES AT THIS SITE.

Collection of Information

Personal Information.

LiteSpeed will ask you for certain “Personal Information” when you complete registration or product information request forms on the Site, including but not limited to your name, address, telephone number, email address, and credit card information. You can always choose not to provide us with the requested information, however, you may not be able to complete the transaction or use our products or services if you do not provide the information requested.

Non-Personal Information.

LiteSpeed may collect non-personally identifiable information from you such as the type of browser you use, your operating system, the screen resolution of your browser, your ISP, your IP address, which pages you view on the Site and the time and duration of your visits to the Site (collectively, “Non-Personal Information”). LiteSpeed may associate Non-Personal Information with Personal Information if you register with the Site.

User Communications.

If you communicate with us, we may collect information relating to that communication whether it takes the form of email, fax, letter, forum posting, blog comments, testimonials or any other form of communication between you and LiteSpeed or Submitted by you to the Site (collectively, “User Communications”).

Server Information.

If you use one of our software products such as LiteSpeed Web Server or LiteSpeed Web ADC, we may collect certain information concerning such software and concerning the server upon which the software operates. This information includes: (a) the licensed or unlicensed status of the software; (b) the source from which the license for the software was obtained (i.e., LiteSpeed or a LiteSpeed affiliate); or (c) information about the server upon which the software is installed including (i) the public IP address, (ii) the operating system and (iii) the use of any virtualization technologies on such server ((a) through (c) collectively, “Server Information”). Additionally, “Server Information” may also include information collected from you by LiteSpeed in the event that you request technical support services including without limitation, IP addresses, usernames, and passwords necessary to login to SSH, the root directory of the server upon which you installed the LiteSpeed software and any affected accounts including email accounts, control panel accounts, MySQL accounts, CMS accounts and other accounts.

Use and Storage of Collected Information

LiteSpeed may use Personal Information to create and authenticate your account, to respond to your requests, to provide you with customer and technical support, or to provide you with information regarding our products, services, partners, and company. You may update your Personal Information with us at any time, but we may maintain records of any Personal Information you disclose to us indefinitely, unless otherwise requested as outlined below.

We may use User Communications in the same ways we use Personal Information. If you communicate with us for a particular purpose, we may use your User Communications for that purpose. For example, if you contact us for technical support, we may use your communications to provide technical support to you. We may maintain records of User Communications you transmit to us indefinitely, unless otherwise requested as outlined below.

LiteSpeed may use Non-Personal Information to maintain, evaluate, improve and provide our Site, the Services and any other LiteSpeed products and services. We may retain Non-Personal Information indefinitely.

We may use Server Information to provide you with technical support services and to maintain, evaluate, improve and provide LiteSpeed products and services. We may also use such information to investigate unlicensed (and therefore unauthorized) uses of our software. LiteSpeed may maintain Server Information indefinitely, with the exception of usernames, passwords, and other login information given in connection with support service requests. Such login information will be purged when the ticket is closed.

Disclosure of Collected Information

LiteSpeed will only disclose Personal Information to third parties if acting under a good faith belief that such action is necessary, including but not limited to: (a) to resolve disputes, investigate problems, or comply with laws or regulations; (b) to enforce our Terms of Service; (c) to protect and defend the rights, property, or safety of our company or our users; or (d) in the event of a merger, acquisition or sale of all or substantially all LiteSpeed assets. Other than this limited activity, we do not share, sell, or rent any personal information to third parties.

You will receive notice in the form of modifications to this Policy when information about you might go to third parties other than as described in this Policy, and you always have the opportunity to contact us as set forth below if you do not wish your information to go to third parties.

LiteSpeed cannot be responsible for protecting your information if you share such information in publicly available sections of the Site such as the user forums, blog comments, or testimonials section. You should use your own judgment in disclosing this information on the Site.

Use of Cookies

“Cookies” are small pieces of information that your browser stores on your computer on behalf of a website that you have visited. Cookies may be used in order to complete transactions on our site. You can always choose not to accept cookies with the settings of your web browser, however, you may not be able to complete these transactions if you do not accept cookies.

Security of Personal Information

We use reasonable security methods to protect your personal information from unauthorized access, use or disclosure. No data transmission over the Internet or any wireless network can be guaranteed to be perfectly secure. While we try to protect your personal information, we cannot guarantee the security of any information you transmit to us, and you do so at your own risk.

LiteSpeed uses industry-standard SSL-encryption to protect sensitive data.

In the event that LiteSpeed becomes aware of a security breach, unauthorized disclosure or inadvertent disclosure concerning your information, you agree that LiteSpeed may notify you of such an event using the Personal Information previously provided.

You are responsible for maintaining your account’s security.

GDPR Statement

LiteSpeed Technologies values your users’ privacy. Although our software does not directly collect any personally identifiable information from visitors to your site, LiteSpeed may still be considered a data processor, as user information may be temporarily cached and/or logged, as outlined in this document.

Servers

LiteSpeed Web Server, OpenLiteSpeed, LiteSpeed Web ADC, and related software may record IP addresses as a part of normal logging. An access log and an error log may record visitor IP addresses and URL visited. The logs are stored locally on the system where LiteSpeed server software is installed and are not transferred to or accessed by LiteSpeed employees in any way, except as necessary in providing routine technical support if you request it. This logging may be turned off through configuration. It is up to individual server administrators to come up with their own schedule for removing such logs from the file system.

Cache Solutions

Our cache plugins potentially store a duplicate copy of every web page on display on your site. The pages are stored locally on the system where LiteSpeed server software is installed and are not transferred to or accessed by LiteSpeed employees in any way, except as necessary in providing routine technical support if you request it. All cache files are temporary, and may easily be purged before their natural expiration, if necessary, via a Purge All command. It is up to individual site administrators to come up with their own cache expiration rules.

LSCache for WordPress

In addition to caching, our WordPress plugin has an Image Optimization feature. When optimization is requested, images are transmitted to a remote LiteSpeed server, processed, and then transmitted back for use on your site. LiteSpeed keeps copies of optimized images for 7 days (in case of network stability issues) and then permanently deletes them.

Similarly, the WordPress plugin has a Reporting feature whereby a site owner can transmit an environment report to our server so that we may better provide technical support.

Neither of these features collects any visitor data. Only server and site data is involved.

Support Services

Sometimes, when you request technical support, LiteSpeed may ask for login credentials to various areas of your site. You may refuse to share such credentials, however refusal may impact LiteSpeed’s ability to provide the requested support services.

Upon completion of a support ticket, LiteSpeed immediately deletes all login credentials you may have shared.

Any user data encountered by LiteSpeed is kept strictly confidential. We never provide your support ticket information to any third party without your explicit consent.

Contact Us

If you would like to update information that you have voluntarily provided to us, stop receiving information from us, or exercise any of the rights granted to you under Privacy Laws, including the EU’s General Data Protection Regulation, please e-mail info@litespeedtech.com.