I recently changed some of my HTTP servers from Apache to OpenLiteSpeed. When changing the servers, I had a problem: OpenLiteSpeed does not have the client authentication feature that Apache has.
I was debating, but finally decided to use a reverse proxy in Apache and authenticate clients there. I know: “Then just use Apache. Why do you need OpenLiteSpeed?” But I was not comfortable with Apache, because Apache sometimes froze up a little, once or twice a week. I know something was wrong with my Apache configuration, but I couldn’t fix it.
I thought the reverse proxy would make the servers too slow, but my fears were unfounded. It’s very fast and comfortable after the change.
Below is an example of configuring client-side certificates for the admin console of OpenLiteSpeed.
Premise
Client certificate
=> CA certificate: /opt/myCA/cacert.pem
=> Certificate Revocation List: /opt/myCA/crl.pem
The admin console settings for OpenLiteSpeed are below. (There is no need to use SSL on the admin listener itself, since it only listens on 127.0.0.1; the TLS termination and client authentication happen in Apache.)
vi /usr/local/lsws/admin/conf/admin_config.conf
---
enableCoreDump 1
sessionTimeout 3600
errorlog $SERVER_ROOT/admin/logs/error.log {
  useServer 0
  logLevel INFO
  rollingSize 10M
}
accesslog $SERVER_ROOT/admin/logs/access.log {
  useServer 0
  rollingSize 10M
  keepDays 90
}
# add this section
accessControl {
  allow 127.0.0.1
}
# change this section
listener adminListener {
  # change below two lines
  address 127.0.0.1:7080
  secure 0
  #keyFile $SERVER_ROOT/admin/conf/webadmin.key
  #certFile $SERVER_ROOT/admin/conf/webadmin.crt
  #clientVerify 0
}
---
systemctl restart lsws
Configuration of Reverse Proxy on Apache
Below is an Apache configuration that exposes the OpenLiteSpeed admin console at “http://127.0.0.1:7080/” through “https://yourdomain.net:8000/”.
The mod_proxy and mod_proxy_http modules are needed (and mod_ssl for the client certificate check).
With this in place, the site is protected by client certificates.
# Add below to your apache virtual host settings
<IfModule mod_ssl.c>
<VirtualHost _default_:8000>
    ServerName yourdomain.net
    DocumentRoot /var/www/
    ErrorLog ${APACHE_LOG_DIR}/lsws/proxy_error.log
    CustomLog ${APACHE_LOG_DIR}/lsws/proxy_access.log common

    # Proxy
    # (Order/Allow are Apache 2.2-style directives; on Apache 2.4 they need
    #  mod_access_compat, or can be replaced by "Require all granted")
    <Proxy *>
        Order deny,allow
        Allow from all
    </Proxy>
    ProxyRequests Off
    ProxyPreserveHost On
    ProxyPass / http://127.0.0.1:7080/
    ProxyPassReverse / http://127.0.0.1:7080/

    # If you want to use Admin Console with SSL
    #SSLProxyEngine On
    #SSLProxyCheckPeerCN off
    #SSLProxyCheckPeerName off
    #ProxyPass / https://127.0.0.1:7080/
    #ProxyPassReverse / https://127.0.0.1:7080/

    SSLEngine on

    # Client Side Certificates
    SSLCACertificateFile /opt/myCA/cacert.pem
    SSLCARevocationFile /opt/myCA/crl.pem
    SSLCARevocationCheck chain
    SSLVerifyClient require
    SSLVerifyDepth 1

    # Server Side Certificates (by letsencrypt)
    SSLOptions +StdEnvVars
    Include /etc/letsencrypt/options-ssl-apache.conf
    SSLCertificateFile /etc/letsencrypt/live/yourdomain.net/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/yourdomain.net/privkey.pem
</VirtualHost>
</IfModule>
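To see what the SSLCACertificateFile / SSLCARevocationFile pair above actually decides for a given certificate, here is an added shell example (not from the original post) that builds a throwaway CA, issues a client certificate, and verifies it with the openssl CLI before and after revocation. It assumes openssl is installed; the directory and the names DemoCA and alice are constructed stand-ins for /opt/myCA/cacert.pem and /opt/myCA/crl.pem.

```shell
# Added example: throwaway CA + client cert, checked against a CA file and a
# CRL the way Apache's SSLCACertificateFile/SSLCARevocationFile do it.
# Assumes the openssl CLI; directory and names are constructed stand-ins.
set -eu
# Exit 0 if CERT chains to the CA and is not on the CRL, non-zero otherwise.
verify_client_cert() {  # usage: verify_client_cert cacert.pem crl.pem client.crt
    openssl verify -crl_check -CAfile "$1" -CRLfile "$2" "$3" >/dev/null 2>&1
}
# Minimal CA directory plus the bookkeeping files "openssl ca" expects.
make_demo_ca() {  # usage: make_demo_ca /tmp/demoCA
    dir=$1; mkdir -p "$dir"; : >"$dir/index.txt"; echo 01 >"$dir/serial"
    cat >"$dir/ca.cnf" <<EOF
[ ca ]
default_ca = demo
[ demo ]
dir = $dir
database = \$dir/index.txt
new_certs_dir = \$dir
serial = \$dir/serial
private_key = \$dir/cacert.key
certificate = \$dir/cacert.pem
default_md = sha256
default_days = 365
default_crl_days = 30
policy = p
[ p ]
commonName = supplied
[ req ]
distinguished_name = dn
[ dn ]
EOF
    openssl req -config "$dir/ca.cnf" -x509 -newkey rsa:2048 -nodes -days 365 \
        -subj /CN=DemoCA -addext basicConstraints=critical,CA:TRUE \
        -keyout "$dir/cacert.key" -out "$dir/cacert.pem" 2>/dev/null
    openssl ca -config "$dir/ca.cnf" -gencrl -out "$dir/crl.pem" 2>/dev/null
}
# Issue a client certificate for CN=$2 from the demo CA in $1.
issue_client_cert() {  # usage: issue_client_cert /tmp/demoCA alice
    openssl req -config "$1/ca.cnf" -newkey rsa:2048 -nodes -subj "/CN=$2" \
        -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null
    openssl ca -batch -notext -config "$1/ca.cnf" -in "$1/$2.csr" -out "$1/$2.crt" 2>/dev/null
}
# Revoke a client certificate and publish a fresh CRL (the lost-laptop case);
# Apache only sees the revocation once the new crl.pem is in place and reloaded.
revoke_client_cert() {  # usage: revoke_client_cert /tmp/demoCA alice
    openssl ca -config "$1/ca.cnf" -revoke "$1/$2.crt" 2>/dev/null
    openssl ca -config "$1/ca.cnf" -gencrl -out "$1/crl.pem" 2>/dev/null
}
```

A run looks like `d=$(mktemp -d); make_demo_ca "$d"; issue_client_cert "$d" alice; verify_client_cert "$d/cacert.pem" "$d/crl.pem" "$d/alice.crt"` (succeeds), then `revoke_client_cert "$d" alice` after which the same verify call fails.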
The advantages of client-side certificates cannot be replaced by other security methods. It’s easy to visit a site, and easy to revoke your certificate when you lose your computer.
Setting up 2FA (two-step verification such as Google Authenticator) requires entering credentials every time you visit a site, and there is a risk of phishing in the first place. It’s a bit of a pain for me.