Listeners
 
Table of Contents
General: Listener Name, IP Address, Port, Binding, Secure
Virtual Host Mappings: Virtual Host, Domains
SSL Private Key & Certificate: Private Key File, Certificate File, Chained Certificate, CA Certificate Path, CA Certificate File, Client Verification, Verify Depth, Client Revocation Path, Client Revocation File
SSL Protocol: SSL Version, Encryption Level
 
Listener Name
Description: A unique name for this listener.
IP Address
Description: Specifies the IP address of the listener. All available IP addresses are listed; IPv6 addresses are enclosed in "[]". To listen on all IPv4 addresses, select ANY; to listen on all IPv4 and IPv6 addresses, select [ANY]. To serve both IPv4 and IPv6 clients, use an IPv4-mapped IPv6 address, which looks like [::FFFF:x.x.x.x], instead of a plain IPv4 address.
Syntax: Select from drop down list
Tips: [Security] If your machine has multiple IPs on different subnetworks, you can select a specific IP to allow traffic only from the corresponding subnetwork.
Port
Description: Specifies the TCP port of the listener. Only the super user (root) can use ports lower than 1024. Port 80 is the default HTTP port; port 443 is the default HTTPS port.
Syntax: Integer number
Binding
Description: [Enterprise Edition Only] Specifies which lshttpd child process the listener is assigned to. Enterprise Edition spawns multiple child processes to take advantage of multiple CPUs in an SMP system. Different child processes can handle requests to different listeners when a listener is manually associated with a process. By default, a listener is assigned to all child processes.
Syntax: Select from checkbox
Secure
Description: Specifies whether this is a secure (SSL) listener. For secure listeners, additional SSL settings need to be set properly.
Syntax: Select from radio box
Virtual Host Mappings
Description: Specifies the relationship between the listener and virtual hosts. Listeners and virtual hosts are associated by domain names. An HTTP request is routed to the virtual host with a matching domain name. One listener can map to multiple virtual hosts on different domain names, and one virtual host can be mapped from different listeners. One listener can have one catchall virtual host with the domain name "*". When no domain name matches explicitly, the listener forwards the request to that catchall virtual host.
Tips: [Performance] Only add necessary mappings. If the listener is dedicated to only one virtual host, then only set the catchall mapping with "*".
Virtual Host
Description: Specifies the name of a virtual host.
Syntax: Select from drop down list
Domains
Description: Specifies the mapping domain names. Domain names are case insensitive, and the leading "www." is removed. The wildcard characters "*" and "?" are allowed: "?" matches exactly one character, "*" matches any number of characters. For example, "*.mydomain.com" will match all subdomains of mydomain.com. Duplicate domain names are not allowed. "*" is a catchall domain name, which matches any otherwise unmatched domain name.
Syntax: comma-separated list.
Tips: [Performance] If a listener is dedicated to one virtual host, always use * for domain name to avoid unnecessary checking. Domain names with wildcard characters should be avoided whenever possible.
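The matching rules described for Domains, sketched as an added example (not LiteSpeed's own code): names are lowercased, a leading "www." is dropped, "*" and "?" are wildcards, duplicates are rejected, and an unmatched host falls through to the "*" catchall. The function names, the sample listener and the exact-then-wildcard-then-catchall order are assumptions; the page does not state the precedence.

```python
import re

def normalize(name):
    """Lowercase and drop one leading "www.", as the Domains description states."""
    name = name.strip().lower()
    return name[4:] if name.startswith("www.") else name

def to_regex(pattern):
    """"*" matches any number of characters, "?" exactly one; all else is literal."""
    parts = [".*" if ch == "*" else "." if ch == "?" else re.escape(ch) for ch in pattern]
    return re.compile("".join(parts))

def build_mappings(listener_map):
    """Turn {vhost: "comma-separated domains"} into {pattern: vhost}; reject duplicates."""
    mappings = {}
    for vhost, domains in listener_map.items():
        for raw in domains.split(","):
            pattern = normalize(raw)
            if not pattern:
                continue
            if pattern in mappings:
                raise ValueError(f"duplicate domain {pattern!r}: {mappings[pattern]}, {vhost}")
            mappings[pattern] = vhost
    return mappings

def resolve(mappings, host):
    """Return the vhost for a hostname (assumed order: exact, wildcard, catchall)."""
    host = normalize(host)
    exact = {p: v for p, v in mappings.items() if "*" not in p and "?" not in p}
    if host in exact:
        return exact[host]
    for pattern, vhost in mappings.items():
        if pattern != "*" and pattern not in exact and to_regex(pattern).fullmatch(host):
            return vhost
    return mappings.get("*")  # None when the listener has no catchall mapping

# Constructed sample listener, not taken from any real configuration
SAMPLE_LISTENER = {
    "main": "example.com, www.example.org",
    "shops": "*.mydomain.com, shop?.example.net",
    "fallback": "*",
}

if __name__ == "__main__":
    table = build_mappings(SAMPLE_LISTENER)
    for name in ("WWW.Example.com", "a.b.MyDomain.com", "shop12.example.net", "unlisted.test"):
        print(name, "->", resolve(table, name))
```

Running a list of unexpected hostnames through resolve() shows which virtual host a catchall mapping serves for requests that name no configured domain.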
SSL Private Key & Certificate
Description: Every SSL listener requires a paired SSL private key and SSL certificate. Multiple SSL listeners can share the same key and certificate. You can generate the SSL private key yourself using an SSL software package such as OpenSSL. An SSL certificate can be purchased from an authorized certificate issuer like VeriSign or Thawte. You can also sign the certificate yourself, but such a certificate is not trusted and should not be used on public web sites containing critical data. However, a self-signed certificate is good enough for internal use, for example, for encrypting traffic for the web administration console of LiteSpeed server.
Private Key File
Description: Specifies the file name of the SSL private key file. The key file should not be encrypted.
Syntax: File name which can be an absolute path or relative to $SERVER_ROOT.
Tips: [Security] The private key file should be placed in a secured directory that allows read access only to the user that the server runs as.
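Because the key file must be stored unencrypted, file-system permissions are its only protection. The following added example (not part of the LiteSpeed documentation) audits a key file accordingly; audit_key_file, the finding codes and the placeholder PEM samples are constructed for illustration, and it assumes a POSIX system where the server user owns the file.

```python
import os
import stat
import tempfile

# PEM markers of a passphrase-protected key (PKCS#8 and traditional OpenSSL format)
ENCRYPTED_MARKERS = ("-----BEGIN ENCRYPTED PRIVATE KEY-----", "Proc-Type: 4,ENCRYPTED")
GROUP_OTHER = stat.S_IRWXG | stat.S_IRWXO

def audit_key_file(path, server_uid):
    """Return {finding_code: detail} for a listener key file; empty means no findings."""
    findings = {}
    path = os.path.abspath(path)
    key_stat = os.stat(path)
    key_mode = stat.S_IMODE(key_stat.st_mode)
    dir_mode = stat.S_IMODE(os.stat(os.path.dirname(path)).st_mode)
    if key_stat.st_uid != server_uid:
        findings["owner"] = f"owned by uid {key_stat.st_uid}, server runs as uid {server_uid}"
    if key_mode & GROUP_OTHER:
        findings["key-mode"] = f"mode {key_mode:04o} grants access to group or others"
    if dir_mode & GROUP_OTHER:
        findings["dir-mode"] = f"directory mode {dir_mode:04o} grants access to group or others"
    with open(path, "r", encoding="ascii", errors="replace") as fh:
        pem = fh.read()
    if any(marker in pem for marker in ENCRYPTED_MARKERS):
        findings["encrypted"] = "key is passphrase-protected; the listener needs it unencrypted"
    elif "PRIVATE KEY-----" not in pem:
        findings["no-key"] = "no PEM private key block found"
    return findings

# Constructed placeholders, not real keys
PLAIN_PEM = "-----BEGIN PRIVATE KEY-----\nCONSTRUCTED-PLACEHOLDER\n-----END PRIVATE KEY-----\n"
ENCRYPTED_PEM = PLAIN_PEM.replace("PRIVATE KEY", "ENCRYPTED PRIVATE KEY")

def demo(pem=PLAIN_PEM):
    """Audit a sample key in a loose (0755/0644) and then a tight (0700/0400) layout."""
    with tempfile.TemporaryDirectory() as directory:
        key = os.path.join(directory, "listener.key")
        with open(key, "w") as fh:
            fh.write(pem)
        os.chmod(directory, 0o755)
        os.chmod(key, 0o644)
        loose = audit_key_file(key, os.getuid())
        os.chmod(directory, 0o700)
        os.chmod(key, 0o400)
        tight = audit_key_file(key, os.getuid())
    return sorted(loose), sorted(tight)

if __name__ == "__main__":
    print(demo(), demo(ENCRYPTED_PEM))
```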
Certificate File
Description: Specifies the file name of the SSL certificate file.
Syntax: File name which can be an absolute path or relative to $SERVER_ROOT.
Tips: [Security] The certificate file should be placed in a secured directory that allows read access only to the user that the server runs as.
Chained Certificate
Description: Specifies whether the certificate is a chained certificate or not. The file that stores a certificate chain must be in PEM format, and the certificates must be in the chained order, from the lowest level (the actual client or server certificate), to the highest level (root) CA.
Syntax: Select from radio box
CA Certificate Path
Description: Specifies the directory where the Certificates of Certification Authorities (CAs) are being kept. Those certificates are for constructing the server certificate chain, which will be sent to browsers in addition to the server certificate. Those certificates will be used for client certificate authentication as well.
Syntax: path
CA Certificate File
Description: Specifies the file containing all certificates of Certification Authorities (CAs) for chained certificates. It is simply the concatenation of PEM-encoded certificate files, in order of preference. This can be used alternatively or additionally to CA Certificate Path. Those certificates are for constructing the server certificate chain, which will be sent to browsers in addition to the server certificate. Those certificates will be used for client certificate authentication as well.
Syntax: File name which can be an absolute path or relative to $SERVER_ROOT.
Client Verification
Description: [Enterprise Edition Only] Specifies the type of client certificate authentication. Available types are:
  • none: no client certificate is required
  • optional: client certificate is optional
  • require: the client must have a valid certificate
  • optional_no_ca: same as optional
In practice, you should really use "none" or "require". Default is none.
Syntax: Select from drop down list
Verify Depth
Description: [Enterprise Edition Only] Specifies the maximum depth of CA Certificates in It sets how deeply the certificate should be verified before determining that the client does not have a valid certificate. Default is 1.
Syntax: Select from drop down list
Client Revocation Path
Description: [Enterprise Edition Only] Specifies the directory containing PEM-encoded CA CRL files for revoked client certificates. The files in this directory have to be PEM-encoded and are accessed through hash filenames, hash-value.rN. Please refer to the OpenSSL or Apache mod_ssl documentation regarding creating the hash filename.
Syntax: path
Client Revocation File
Description: [Enterprise Edition Only] Specifies the file containing PEM-encoded CA CRLs for revoked client certificates. This can be used alternatively and/or additionally to Client Revocation Path.
Syntax: File name which can be an absolute path or relative to $SERVER_ROOT.
SSL Protocol
Description: Customizes SSL Protocols accepted by the listener.
SSL Version
Description: Specifies which version of the SSL protocol will be used. You can choose from SSLv2, SSLv3 and TLSv1.
Tips: [Security] Enable SSLv2 only if you have to, because it is flawed.
Encryption Level
Description: Specifies the strength level of SSL encryption.
Syntax: Check all the encryption methods that you want to accept.
Tips: [Security & Performance] Stronger encryption consumes more CPU cycles. eNULL means no encryption at all and therefore has the best performance.