Admin Listeners

Admin Listeners are dedicated to the Admin Server. Secure (SSL) listeners are recommended for the Admin Server.

Table of Contents

General

Listener Name | IP Address | Port | Secure | 

SSL Private Key & Certificate

Private Key File | Certificate File | Chained Certificate | CA Certificate Path | CA Certificate File | 

SSL Protocol

SSL Protocol Version | Ciphers | Enable ECDH Key Exchange | Enable DH Key Exchange | DH Parameter | 

Security & Features

SSL Renegotiation Protection | 

Client Verification

Client Verification | Verify Depth | Client Revocation Path | Client Revocation File | 

Listener NameGo to top
Description: A unique name for this listener.
IP AddressGo to top
Description: Specifies the IP of this listener. All available IP addresses are listed. IPv6 addresses are enclosed in "[]". To listen on all IPv4 IP addresses, select ANY. To listen on all IPv4 and IPv6 IP addresses, select [ANY]. In order to serve both IPv4 and IPv6 clients, an IPv4-mapped IPv6 address should be used instead of a plain IPv4 address. An IPv4-mapped IPv6 address is written as [::FFFF:x.x.x.x].
Syntax: Select from drop down list
Tips: [Security] If your machine has multiple IPs on different sub-networks, you can select a specific IP to only allow traffic from the corresponding sub-network.
PortGo to top
Description: Specifies the TCP port of the listener. Only the super user ("root") can use ports lower than 1024. Port 80 is the default HTTP port. Port 443 is the default HTTPS port.
Syntax: Integer number
SecureGo to top
Description: Specifies whether this is a secure (SSL) listener. For secure listeners, additional SSL settings need to be set properly.
Syntax: Select from radio box
SSL Private Key & CertificateGo to top
Description: Every SSL listener requires a paired SSL private key and SSL certificate. Multiple SSL listeners can share the same key and certificate. You can generate SSL private keys yourself using an SSL software package, such as OpenSSL. SSL certificates can also be purchased from an authorized certificate issuer like VeriSign or Thawte. You can also sign the certificate yourself. That certificate will not be trusted by web browsers and should not be used on public web sites containing critical data. However, a self-signed certificate is good enough for internal use, e.g. for encrypting traffic to LiteSpeed Web Server's WebAdmin console.
Private Key FileGo to top
Description: Specifies the file name of the SSL private key file. The key file should not be encrypted.
Syntax: File name which can be an absolute path or relative to $SERVER_ROOT.
Tips: [Security] The private key file should be placed in a secured directory that allows read-only access to the user the server runs as.
Certificate FileGo to top
Description: Specifies the file name of the SSL certificate file.
Syntax: File name which can be an absolute path or relative to $SERVER_ROOT.
Tips: [Security] The certificate file should be placed in a secured directory, which allows read-only access to the user that the server runs as.
Chained CertificateGo to top
Description: Specifies whether the certificate is a chained certificate or not. The file that stores a certificate chain must be in PEM format, and the certificates must be in the chained order, from the lowest level (the actual client or server certificate) to the highest level (root) CA.
Syntax: Select from radio box
CA Certificate PathGo to top
Description: Specifies the directory where the certificates of certification authorities (CAs) are kept. Those certificates are used for client certificate authentication and constructing the server certificate chain, which will be sent to browsers in addition to the server certificate.
Syntax: path
CA Certificate FileGo to top
Description: Specifies the file that contains all certificates of certification authorities (CAs) for chained certificates. This file is simply the concatenation of PEM-encoded certificate files, in order of preference. This can be used as an alternative or in addition to CA Certificate Path. Those certificates are used for client certificate authentication and constructing the server certificate chain, which will be sent to browsers in addition to the server certificate.
Syntax: File name which can be an absolute path or relative to $SERVER_ROOT.
SSL ProtocolGo to top
Description: Customizes SSL protocols accepted by the listener.
SSL Protocol VersionGo to top
Description: Specifies which version of SSL protocol will be used. You can choose from SSL v3.0 and TLS v1.0. Since OpenSSL 1.0.1, TLS v1.1 and TLS v1.2 are also supported.
CiphersGo to top
Description: Specifies the cipher suite to be used to negotiate the SSL handshake. LSWS supports cipher suites implemented in SSL v3.0, TLS v1.0, and TLS v1.2.
Syntax: Colon-separated string of cipher specifications. LSWS supports all cipher suites implemented in SSL v3.0, TLS v1.0, and TLS v1.2.
Example: ECDHE-RSA-AES128-SHA256:RC4:HIGH:!MD5:!aNULL:!EDH
Tips: [Security] We recommend ECDHE-RSA-AES128-SHA256:RC4:HIGH:!MD5:!aNULL:!EDH
Enable ECDH Key ExchangeGo to top
Description: Allows use of Elliptic Curve Diffie-Hellman key exchange for further SSL encryption.
Syntax: Select from radio box
Tips: [Security] ECDH key exchange is more secure than using just an RSA key. ECDH and DH key exchange are equally secure. [Performance] Enabling ECDH key exchange will increase CPU load and is slower than using just an RSA key.
Enable DH Key ExchangeGo to top
Description: Allows use of Diffie-Hellman key exchange for further SSL encryption.
Syntax: Select from radio box
Tips: [Security] DH key exchange is more secure than using just an RSA key. ECDH and DH key exchange are equally secure. [Performance] Enabling DH key exchange will increase CPU load and is slower than ECDH key exchange and RSA. ECDH key exchange is preferred when available.
DH ParameterGo to top
Description: Specifies the location of the Diffie-Hellman parameter file necessary for DH key exchange.
Syntax: File name which can be an absolute path or relative to $SERVER_ROOT.
SSL Renegotiation ProtectionGo to top
Description: Specifies whether to enable SSL Renegotiation Protection to defend against SSL handshake-based attacks. The default value is "Yes".
Syntax: Select from radio box
Client VerificationGo to top
Description: Enterprise Edition Only Specifies the type of client certifcate authentication. Available types are:
  • None: No client certificate is required.
  • Optional: Client certificate is optional.
  • Require: The client must has valid certificate.
  • Optional_no_ca: Same as optional.
The default is "None".
Syntax: Select from drop down list
Tips: "None" or "Require" are recommended.
Verify DepthGo to top
Description: Enterprise Edition Only Specifies how deeply a certificate should be verified before determining that the client does not have a valid certificate. The default is "1".
Syntax: Select from drop down list
Client Revocation PathGo to top
Description: Enterprise Edition Only Specifies the directory containing PEM-encoded CA CRL files for revoked client certificates. The files in this directory have to be PEM-encoded. These files are accessed through hash file names, hash-value.rN. Please refer to openSSL or Apache mod_ssl documentation regarding creating the hash filename.
Syntax: path
Client Revocation FileGo to top
Description: Enterprise Edition Only Specifies the file containing PEM-encoded CA CRL files enumerating revoked client certificates. This can be used as an alternative or in addition to Client Revocation Path.
Syntax: File name which can be an absolute path or relative to $SERVER_ROOT.

STAY CONNECTED