Litespeed on Debian 11 – Amazon AWS

This example is with the FREE OpenLiteSpeed license (not LiteSpeed).

There are variations on these examples. This shows one domain with a paid SSL certificate.

OpenLitespeed on Debian 11 – Amazon AWS

Install Debian Packages

My examples use root login, rather than “sudo …….” commands.

In this example, do not install Apache 2 and the usual PHP packages. If you do, phpmyadmin will not work. We will only install lsphp packages with OpenLiteSpeed, and mariadb. We will not complicate things, so no use of memcached.

You may configure the website root directory anywhere. We will use /usr/local/lsws/domain.com in the example.

SSL certificates will go to /usr/local/lsws/conf/cert as three files: .crt, .key, and .pem, where the .pem is simply the two bundled files.

You will run a small shell script to ensure the domain.com directory and WordPress files are owner: nobody, and group: nogroup.

Fixes to help when using the vi editor on Debian:

set -o vi
export EXINIT='set noautoindent'

[To allow vi editor to copy and paste with the mouse:]

vi /etc/vim/vimrc.local
let skip_defaults_vim = 1
if has('mouse')
  set mouse=r
endif

[save and exit]

Some Debian .bashrc things that I change: (replace \u@domain with your own string)

You can place the set -o vi and EXINIT lines into .bashrc if you wish. This example is for when you type sudo su and use root access.

cd ~
vi .bashrc

[uncomment: alias rm="rm -i", and uncomment mv command as well, which lets you still use rm -f but stops accidental removes.]
[you can also put the  set -o vi and export EXINIT into the same file]
[save and exit, then log back in to enable the change]
export PS1='[\u@domain: \w # '

Under the ~ directory, this is where you mkdir .aws and create the config file for using aws services.
For example,

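cd ~
mkdir .aws
chmod 700 .aws
cd .aws
vi config
[default]
region=ap-southeast-2
aws_access_key_id=AAAAAAAAAAAAAAAAAAA
aws_secret_access_key=BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB
          --> a blank line
          --> a 2nd blank line
[save and exit]
chmod 600 config
[the file holds your secret key, so the directory and file are kept private to the login that owns them]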

[Use your IAM S3 access credentials for AAAAAA and BBBBBB above - see my article on setting up EC2 preliminaries]
aws configure
[Just press the Enter key for each prompt. Then test with a bucket you know, for instance, aws s3 ls s3://MYBUCKET/]


References

OpenLiteSpeed on Debian
phpmyadmin
If you wish to use Let’s Encrypt:
OpenLiteSpeed Certbot

NOTE: mariadb-server

apt-get install mariadb-server will fix the error of not installing it

Some things to be aware of and action during the installation:

As per a standard Debian installation, set up your disk swap space and time zone:
echo "vm.swappiness=10" >> /etc/sysctl.conf
echo "vm.vfs_cache_pressure=200" >> /etc/sysctl.conf
sysctl -w vm.swappiness=10
sysctl -w vm.vfs_cache_pressure=200
dd if=/dev/zero of=/swapfile bs=1024 count=1048576
mkswap /swapfile
chmod 600 /swapfile
swapon /swapfile
echo "/swapfile swap swap defaults 0 0" >> /etc/fstab
free -m

a="Australia/Brisbane";export a;echo $a
ln -sf /usr/share/zoneinfo/$a /etc/localtime
date
Check for updates with "apt update" and "apt upgrade".
Also do: "apt install zip".
Check you have wget, via apt install wget.
Open port 7080 in your EC2 Security Group.
Temporarily open 8080, and close it later once you have made sure the (http) calls have changed from 8080 to 80.
You may set 7080 to your own static IP address if you have one.
The Security group will already need to have https open on port 443.
When we install phpmyadmin, it will go under /usr/local/lsws/domain.com/phpmyadmin.
Although you will need to use "systemctl enable lsws", we do not use systemctl to restart lsws. Rather, we use "/usr/local/lsws/bin/lswsctrl restart".

Immediately after the installation, we use:
/usr/local/lsws/admin/misc/admpass.sh  for user "admin"
---> add your password here

Then use domain.com:7080 and permit the browser to use an insecure mode. Then we put in the OpenLiteSpeed configurations for domain.com, PHP8 (using the recommended version only) and SSL.

If there are other files conflicting with the domain.com root directory, simply use domain.com:7080/login.php.

After you install WordPress, re-save or set the permalinks as per standard practice for page/post names, then you must restart lsws for it to take effect.


Our main reference: OpenLiteSpeed – Debian

cd /home/admin
wget -O - https://repo.litespeed.sh | sudo bash
apt-get install openlitespeed
[note: if the OLS website has a different version of lsphp, then use that one]
apt-get install lsphp81 lsphp81-common lsphp81-curl lsphp81-mysql lsphp81-opcache lsphp81-imap

At this point, set the admin password:

/usr/local/lsws/admin/misc/admpass.sh

Then restart OLS:

/usr/local/lsws/bin/lswsctrl restart
domain.com:7080
[or if issues, domain.com:7080/login.php]

At this point we create the website root/parent directory. You may vary on this.

[The website domain.com will be set up later in the admin console. But we still add the SSL certificates manually:]

cd /usr/local/lsws/conf/cert

[copy your .crt, .key, .pem (bundle) here. I usually edit the bundle to make sure it only has two paragraphs, not the three.]



cd /usr/local/lsws
cp -pr Example domain.com
chown nobody ./domain.com
chgrp nogroup ./domain.com
chmod 2775 domain.com
cd domain.com
pwd

vi chdir.sh
#!/bin/sh
chown -R nobody *
chgrp -R nogroup *
find . -type d -exec chmod 2775 {} \;
find . -type f -exec chmod 0664 {} \;
if [ -f "./.htaccess" ] ; then
chown nobody .htaccess
chgrp nogroup .htaccess
chmod 664 .htaccess
fi
# restore the execute bit on scripts; 775 is enough, 777 would leave them world-writable
chmod 775 *.sh
chown root chdir.sh
chgrp root chdir.sh
chmod 770 chdir.sh
exit

[save and exit]

chmod 775 chdir.sh
./chdir.sh

[Notes: you can copy the /usr/local/lsws/domain.com/html files to domain.com (e.g. cd into ./html and cp -pr * ..) for the defaults or create your own index.html file with a single sentence like "testing domain.com"]
[If you copy the html files, you will likely need to run domain.com:7080/login.php]


The DNS entries already point the A record to the domain name, so :7080 will work even though the domain has not been set up in OLS or WordPress as yet.

This is gritty work to go through, but the steps are simple enough. We have to use the :7080 admin console, as the file ownerships and permissions are quite complex.

See the PDF buttons below for settings.

Reference: phpMyAdmin

See my Debian 11 or Linux 2023 notes to install phpMyAdmin. There is no need to reproduce all those details here.

I put phpmyadmin under /usr/local/lsws/domain.com and in the Virtual Host > Context tab, I set it to the URL /usr/local/lsws/domain.com/phpmyadmin.

My PDF screen shots below show /usr/share/phpMyAdmin so you will need to modify to the correct entry. This example is not showing multiple domains, so it is ok to have phpmyadmin under the domain.com directory.

For Mariadb, simply install with apt install mariadb-server. There is no need to install mysqli or the mariadb-client packages.

Then as per Debian or Linux2023, do the secure installation, stop and start mariadb, and “systemctl enable mariadb”.

This may help with WordPress:  OpenLiteSpeed WordPress

One creates /usr/local/lsws/newdomain.com or a subdomain, /usr/local/subdomain.com, as if it were the primary domain.

One can “cd /usr/local/lsws/conf/vhosts” and do a “cp -pr domain.com newdomain.com” then edit the config files in the newdomain.com directory to replace domain.com with newdomain.com entries.

Then map the added domain to the same port 80 listener, and add the new domain the same way in the :7080 interface settings as you did for domain.com.

The SSL certificates need to be installed of course. You would keep the same phpmyadmin entry from domain.com’s entry.

You then have the appropriate DNS records for either the newdomain or the subdomain depending on your registrar/host provider’s way of doing it.

Basically you need a subdomain to point to the same A record and if that is not allowed, you can always move records to Amazon Route53 where it is configurable. (See my multi-domain article on Linux 2023.)

cd /usr/local/lsws/lsphp81/etc/php/8.1/litespeed
vi php.ini

[change the values you normally do - or see my Linux2023 notes for WordPress values]

[save and exit]

[Note: if you cannot find the file, go to the lsws php version you are using, then issue the "find . -name php.ini -print" command to find it.]

[You need to reboot the server, as for some reason the changes do not come into effect, either by Amazon's EC2 instance stop and start, or via the reboot command:]

/usr/local/lsws/bin/lswsctrl stop
sync;sync;reboot

These are the PDF downloads you need to configure a standard installation

Simply go through each entry to ensure you have the same, and replace domain.com with your own domain.

I forget which is first, creating the virtual host then the listener, or the other way around. You will know from the error messages.

I ended up putting phpmyadmin under /usr/local/lsws/phpmyadmin.

I have not been able to add multiple domains – I was able to install a second domain with Let’s Encrypt, but from that point on, the server would not accept the primary domain, even when deleting and re-configuring from scratch.

Virtual Hosts > Example (this is the default OLS gives you)

When you do Virtual Hosts domain.com you simply use the + button in the grey coloured bar to add the VH.

The Rewrite Rules:

RewriteCond %{HTTPS} off
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
RewriteCond %{SERVER_PORT} 80
RewriteRule ^(.*)$ https://domain.au/$1 [R,L]

The Header Operations:
Notice that I put phpmyadmin under /usr/share/phpMyAdmin as I usually do with apache or httpd servers. You can put it elsewhere though.
The thing to remember is not to install php, but only lsphp.
Also, we cannot compile PHP from OLS (or the enterprise litespeed) unless we have more than 2GB memory. If we have 1GB and 1GB swap space, it will terminate the compilation.

Just check the SSL filenames are correct, e.g. crt, key, rather than assigning key to crt by mistake etc.
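
A quick way to run that check on the files copied into /usr/local/lsws/conf/cert earlier, as an added example that is not part of the original notes: it confirms the .crt and .key are the right way round, counts the PEM blocks in the bundle (assuming the "two paragraphs" mentioned earlier are PEM blocks), and flags a private key with group or other permission bits set. The function names and the permission rule are assumptions of this example.

```sh
#!/bin/sh
# Added example (not from the original page): sanity checks for the three files
# copied into /usr/local/lsws/conf/cert. File names are the reader's own.

# pem_kind FILE: print "cert", "key" or "unknown" from the first PEM header.
pem_kind() {
    first=$(tr -d '\r' < "$1" | sed -n '/^-----BEGIN /{p;q;}')
    case "$first" in
        *"PRIVATE KEY-----")           echo key ;;
        "-----BEGIN CERTIFICATE-----") echo cert ;;
        *)                             echo unknown ;;
    esac
}

# pem_blocks FILE: print how many PEM blocks ("paragraphs") the file holds.
pem_blocks() {
    grep -c -e '^-----BEGIN ' "$1" || true
}

# check_cert_set CRT KEY BUNDLE: print one line per problem and return the
# number of problems found (0 means the set looks right).
check_cert_set() {
    crt=$1; key=$2; bundle=$3; problems=0
    for f in "$crt" "$key" "$bundle"; do
        [ -r "$f" ] || { echo "missing or unreadable: $f"; problems=$((problems + 1)); }
    done
    [ "$problems" -eq 0 ] || return "$problems"

    # Catches the .crt and .key being assigned the wrong way round.
    [ "$(pem_kind "$crt")" = cert ] || { echo "$crt: not a certificate"; problems=$((problems + 1)); }
    [ "$(pem_kind "$key")" = key ] || { echo "$key: not a private key"; problems=$((problems + 1)); }

    # Assumption: the trimmed bundle should hold exactly two PEM blocks.
    n=$(pem_blocks "$bundle")
    [ "$n" -eq 2 ] || { echo "$bundle: $n PEM blocks, expected 2"; problems=$((problems + 1)); }

    # Assumption: the private key should carry no group/other permission bits.
    [ "$(ls -ld "$key" | cut -c5-10)" = "------" ] ||
        { echo "$key: group/other permission bits are set"; problems=$((problems + 1)); }

    return "$problems"
}

# Usage: sh check_cert.sh domain.crt domain.key domain.pem
if [ "$#" -eq 3 ]; then check_cert_set "$@"; fi
```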

There will be some 2047M edits to make, some log entries, the rewrite and header entries, use of index.php, index.html entries, and use of .htaccess etc.

Tidy up anything you left lying around, such as temporary use of port 8080 or various self-help files.

Remember to backup your WordPress database, your WordPress installation directory, or if it is included under the lsws directories, try this:

[First we check there are no faulty files that the ls command cannot read]
cd /
ls -lR

[Now backup the files you need:]
cd /usr/local
tar cvf lsws.tar ./lsws

mv lsws.tar /home/admin
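chown admin /home/admin/lsws.tar
chmod 600 /home/admin/lsws.tar
[the archive includes the private keys under conf/cert, so only the login you download with (assumed here to be admin) gets access]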

[Then download the .tar file with FileZilla or whichever program you like using.]

[If wordpress were elsewhere, e.g. /var/www/html where you previously created those directories with chmod 2775 and nobody & nogroup ownerships:]

cd /usr/local
tar cvf lsws.tar ./lsws
mv lsws.tar /home/admin
chown admin /home/admin/lsws.tar
chmod 600 /home/admin/lsws.tar
cd /var/www
tar cvf html.tar ./html
mv html.tar /home/admin
chown admin /home/admin/html.tar
chmod 600 /home/admin/html.tar

[Then after downloading, delete the tar files. You can test the files open on your PC with tar xvf... and of course you can use any naming conventions etc. It is about backups. Then on Amazon, do a snapshot when ready. This gives us a true moment in time disaster recovery backup.]

THIS APPLIES TO PAID SSL CERTIFICATES
If I test Let’s Encrypt I’ll add this later.
Add the second domain exactly as you did the first, (see exceptions below) but the listener for port 443 could be called “domains” or “wordpress” rather than the single domain name.
(You do need to add vhosts before you can add the listener details.)
You can also use /var/www/domain.com if you wish, but set up the www and domain.com directories to 2775, nobody, nogroup.

Then in the port 80 listener, Example, you have to enable rewrite to ON, and use the same rules:

RewriteCond %{HTTPS} off
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]

Exceptions:

Where you added unique names, like lsphp.sock, or lsphp, change these to unique names for each domain. e.g. domain_lsphp, and domain2_lsphp and so on.

THIS IS NOT YET WORKING – keeping these notes for reference

The system was completely corrupted, even when deleting and configuring the primary domain from scratch.

Question is: was the site hacked during the configurations? I installed pip:

apt-get install python3-venv
(already have python3)
python3 -m venv /opt/certbot/
/opt/certbot/bin/pip install --upgrade pip
apt install certbot
certbot certonly --non-interactive --agree-tos -m shawlw.au@gmail.com --webroot -w /usr/local/lsws/domain2.com -d domain2.com -d www.domain2.com --dry-run

As there is only port 80 access at first to the domain, (a paid SSL has immediate access) you add the intended domain name to the Default Listener.

Under Listener Default > General, add a Virtual Host Mappings with VHost name: domain2.com (whatever your name actually is), with Domains:

*,domain2.com,www.domain2.com

Do not set anything for the SSL fields as we are using port 80 on this.

Your listener list will be “Default” and the existing domain.com, which has a paid SSL (if not, keep the above principles in mind for the first domain name you make).

Then in your previous domain.com configurations, change the listener name for domain.com to something like “wordpress” or any name, as you will have multiple domains on the listener using port 443.

Then under Listener wordpress > general (now renamed in the Address Settings) add the Virtual Host for domain2.com

The domains list will be: *,domain2.com,www.domain2.com

This is confusing, but your SSL certificates will be listed under Listener wordpress > SSL as the first domain.com. This is ok.

And your domain2.com SSL will be showing the same (I know, but it is ok).

Then, in your Virtual Hosts > Summary, you add domain2.com (perhaps under /usr/local/lsws/domain2.com)

Here you add /usr/local/lsws/domain2.com, /usr/local/lsws/conf/vhosts/domain2.com/vhconf.conf and so forth.

You can do this too: cd /usr/local/lsws/conf/vhosts and mkdir domain2.com with the same permissions as domain.com

After Let’s Encrypt is installed, you have to come back and edit the new virtual host to put in the SSL certificates.

For example: /etc/letsencrypt/live/domain2.com/privkey.pem, and fullchain.pem.

You must keep the port 80 mappings for each new domain or http:// will not redirect to https://. However, the original domain does not.

If you have prior lines in a .htaccess file like this:

RewriteEngine on
RewriteCond %{HTTPS} off
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
RewriteCond %{SERVER_PORT} 80
RewriteRule ^(.*)$ https://domain.com/$1 [R,L]

Then remove these lines (you can keep RewriteEngine on if you wish).

It is best to remove any prior configs in .htaccess and start fresh with the basic WordPress paragraph:

# BEGIN WordPress
# The directives (lines) between "BEGIN WordPress" and "END WordPress" are
# dynamically generated, and should only be modified via WordPress filters.
# Any changes to the directives between these markers will be overwritten.
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>

# END WordPress

Then, after WordPress is installed, you need to softlink phpmyadmin.

For example:

cd /var/www/domain.com
ln -s /var/www/phpmyadmin phpmyadmin

And then remove index.html if you were using that previously for testing.

And in WordPress Settings > Permalinks, save to some other value, then click Plain, and resave.

Restart lsws