"Require https for admin panel." in version 1.9.0

#1
My server has recently updated to version 1.9.0 and I now get "Require https for admin panel." at the login page.

Because this is a local development system it doesn't have an SSL (not even a self-signed one), so if I try to use https I get a browser error reporting SSL_ERROR_RX_RECORD_TOO_LONG. I wasn't expecting that to work.

For now I have commented out the relevant line in /usr/local/lsws/admin/html.open/login.php as there is no configuration option check around it, however that will obviously need to be done each time the file gets updated.

Would it be possible to add a configuration option to disable this functionality please? Ideally something that can also be set by manually editing /usr/local/lsws/conf/httpd_config.conf or some other file so it can be done when we can't get in.

Thank you,
Paul
 
#2
By default, the webadmin listener has Secure set to yes, and it uses a self-signed cert and key, e.g. $SERVER_ROOT/admin/conf/webadmin.key. Did you empty the webadmin SSL config or change any default configs?
 
#3
$SERVER_ROOT/admin/conf/webadmin.key and $SERVER_ROOT/admin/conf/webadmin.crt both exist, dated 12th May 2025.

In WebAdmin Settings > Listeners > adminListener > SSL the Private Key File and Certificate File are set to the paths above, Client Verification is set to "none" and everything else is "Not Set"

In Listeners > Default > SSL everything is "Not Set".

Version 1.8.x worked fine with those settings and I haven't changed anything since it updated to version 1.9.0 (other than editing out the check in login.php).

I don't know what the original defaults were but I think I did change things when it was installed to avoid SSL self-signed certificate browser warnings, which was probably on version 1.6.x or 1.7.x. It's on my local network and not accessible remotely so no SSL keeps things simple.
 
#5
I have a CentOS 7 dev server for older PHP versions running OpenLiteSpeed 1.7.19 which does not have this issue. The relevant section in $SERVER_ROOT/admin/html.open/login.php in that version is:

PHP:
$is_https = (isset($_SERVER['HTTPS']) && ($_SERVER['HTTPS'] == 'on'));
if (!$authorizer->ShowLogin($is_https, $msg)) {
        header('location:/index.php');
        exit();
}

In OpenLiteSpeed 1.9.0 the relevant section in $SERVER_ROOT/admin/html.open/login.php in that version is:

PHP:
$is_https = (isset($_SERVER['HTTPS']) && ($_SERVER['HTTPS'] == 'on'));
if (!$is_https) {
    exit('Require https for admin panel.');
}
if (!$authorizer->ShowLogin($msg, $msgType)) {
        header('location:/index.php');
        exit();
}

An additional brute-force check on $is_https that cannot be avoided by config settings has been added which is causing the issue for me. I have commented out the exit() line to allow me to get to the login form.

I don't have anything running v1.8.x and don't really want to roll back my main dev system and risk issues, but v1.8.x behaved the same as v1.7.x so I'm certain the breaking change was added in v1.9.0.

I will email support@litespeedtech.com with a link to this thread. Perhaps you can also follow it up with the dev team.
 
#6
It looks like the answer is "that's how it is". Undocumented breaking change.

[Ticket ID: 341685] OLS 1.9: "Require https for admin panel." in OpenLiteSpeed 1.9.0 - behavior change

Hello, Paul:
Thank you for reaching out.

OpenLiteSpeed 1.9.0 has a new admin design and code. HTTPS is a secure way to connect. You can easily use a self-signed certificate for your local development environment.

Regards
Jackson

I'll just keep editing the index.php because trying to get browsers to accept self-signed certificates is a pain.
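
Added example, not part of the thread and not OpenLiteSpeed's own tooling: one way to produce a self-signed key and certificate for the WebAdmin listener that a browser can match to the address it is given, since browsers match names against subjectAltName rather than the CN. The host name ols-dev.lan, the IP 192.168.1.50 and the scratch output directory are assumptions; only the file names webadmin.key and webadmin.crt come from the posts above.

```shell
#!/bin/sh
# Added example: self-signed certificate for a dev-box WebAdmin listener.
# Needs OpenSSL 1.1.1 or newer (the -addext option).
# Assumed values: host ols-dev.lan, IP 192.168.1.50, output in a scratch dir.

# make_admin_cert OUTDIR HOSTNAME [IP]
# Writes OUTDIR/webadmin.key and OUTDIR/webadmin.crt. The host name (and the
# IP, if the panel is opened by address) must be listed in subjectAltName.
make_admin_cert() {
    outdir=$1; host=$2; ip=${3:-}
    san="DNS:$host"
    if [ -n "$ip" ]; then san="$san,IP:$ip"; fi
    mkdir -p "$outdir" || return 1
    (
        umask 077   # private key is created readable by its owner only
        openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 825 \
            -subj "/CN=$host" \
            -addext "subjectAltName=$san" \
            -addext "extendedKeyUsage=serverAuth" \
            -keyout "$outdir/webadmin.key" \
            -out "$outdir/webadmin.crt" 2>/dev/null
    ) || return 1
}

# cert_matches_host CERT NAME
# Succeeds only if NAME passes OpenSSL's host name check against CERT,
# the same kind of comparison a browser performs.
cert_matches_host() {
    openssl x509 -in "$1" -noout -checkhost "$2" | grep -q 'does match'
}

# key_matches_cert KEY CERT
# Succeeds only if the private key and the certificate carry the same public
# key, which catches a key and cert pair left over from different runs.
key_matches_cert() {
    key_pub=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    crt_pub=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ -n "$key_pub" ] && [ "$key_pub" = "$crt_pub" ]
}

# Typical use (paths are placeholders, review before copying anything over):
#   make_admin_cert /tmp/webadmin-cert ols-dev.lan 192.168.1.50
#   cert_matches_host /tmp/webadmin-cert/webadmin.crt ols-dev.lan && echo ok
#   key_matches_cert /tmp/webadmin-cert/webadmin.key /tmp/webadmin-cert/webadmin.crt
```

The browser will still prompt once until the certificate is trusted on the client; a name mismatch, by contrast, is reported on every visit, which is what cert_matches_host is there to catch before the files are installed.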
 