Password-Protecting The Entire Website

If you want to password-protect your entire web application running on OpenLiteSpeed in RunCloud, you can use the Site Authentication feature from the Tools menu.

RunCloud tools menu to enable site authentication

To enable Site Authentication, follow these steps:

  1. Go to the Tools menu of your web application in RunCloud.
  2. Scroll down to the Site Authentication section.
  3. Click on “Set Password Authentication“.
  4. Enter a username and a password for your web application.
  5. Click on Save Changes.

Now your web application will be password-protected, and visitors will need to enter the username and password before they can access it.

Password protected site RunCloud web application

Password-Protecting a Directory/File

It’s easy to password-protect a web application, but it’s a different case if you want to protect a directory/file only using OpenLiteSpeed.

OpenLiteSpeed (OLS) and LiteSpeed WebServer (LSWS) have major differences in how they support .htaccess.

  • LSWS supports Apache rewrite rules and the majority of Apache directives. It will automatically detect any changes to .htaccess file and will adjust as necessary without any need for a Litespeed service restart.
  • OLS supports Apache rewrite rules but does not support Apache directives. You will need to restart the Litespeed service to load any changes to .htaccess.

Unfortunately, OpenLiteSpeed does not support Apache directives, which means you cannot use .htaccess – you have to use OpenLiteSpeed config to do this.

To do this, follow these steps:

  1. Log in to your server as root via SSH using your terminal.
ssh root@yourIPaddress
  1. Install apache2-utils and use it to create a user and a password for the secret directory using the htpasswd command.
apt-get install apache2-utils -y
htpasswd -cm /etc/lsws-rc/.htpasswd/webappname-secret-path user1234
Setting login credentials via htpasswd utility

In the above example, user1234 is the username of the visitor – you can change it to something specific like employee_1939.

For your convenience, you can also change the webappname-secret-path with the name of your web application, and the path that you want to protect.

  1. Next, you will be asked to enter the password for the user. Type your password and press Enter (it won’t be displayed in the terminal), then type your password once again to confirm it.
  2. Add a custom config to your web application’s OpenLiteSpeed config in RunCloud.
  3. After this, go to the LiteSpeed Config menu under your web application in RunCloud dashboard and add this custom config to the bottom of the existing config. Don’t forget to replace webappname-secret-path with the name of your config file from step 2.
realm SecretDirProtectedArea {
    userDB {
        location /etc/lsws-rc/.htpasswd/webappname-secret-path
        maxCacheSize 200
        cacheTimeout 60
Adding custom realm in LiteSpeed Config.

The above config defines a realm named SecretDirProtectedArea that will be used in the next step. You can change the realm name if needed.

  1. Finally, add the following config at the bottom of your LiteSpeed Config. Here, you can replace my_secret_path with the path of the file or directory that you want to protect.
context /my_secret_path {
    realm SecretDirProtectedArea
    authName Protected
    accessControl {
        allow *

For example if you want to protect a file served at then you will replace /my_secret_path with /info.php. If you want to protect all the files in a particular folder then you can replace it with the path of that folder.

Adding Custom context in LiteSpeed Config.

Optionally, you can add the above configuration multiple times to protect different paths using the same login credentials. After adding all of the necessary config blocks, click on Update Config to save the changes.

Adding Custom context for multiple paths in LiteSpeed Config.

In the above configuration, the file and all the files present inside the directory will be password-protected. Visitors will need to enter the username and password before they can access it.

Protecting site via HTTP authentication.