Access Control

Apache users can utilize directives in .htaccess to control access to certain directories or files, like so:

Order Deny,Allow
Deny from all

However, OpenLiteSpeed only supports .htaccess for rewrite rules, and not for directives. So, OpenLiteSpeed provides other methods for controlling access.

Deny Access to a Directory with Rewrite Rules

Let's say we want to deny access to the /test/ directory. The simplest way is to use a rewrite rule, like this one:

RewriteRule ^/test/.*$ - [F,L]

You can put the rule in .htaccess or use the Rewrite tab in WebAdmin.

Once the new rewrite rule is added, restart OpenLiteSpeed to make it take effect, and test by visiting the site again.

Access to the /test/ directory is now denied for all visitors.

Auto Load from .htaccess

If Auto Load from .htaccess is set to Yes, then use this rule instead:

RewriteRule ^test/.*$ - [F,L]

The difference is the forward slash. Please take a look at our documentation on Apache rewrite rules for more details about this difference.
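The following is an added example, not part of the OpenLiteSpeed documentation: an offline check showing that each rule form denies /test/ only in its own context, and that the wrong form silently denies nothing. It assumes mod_rewrite-style matching, where the directory prefix is stripped in .htaccess context; the helper names and sample URIs are constructed for illustration.

```python
import re

def rule_input(uri_path, per_dir, base="/"):
    """Return the string a RewriteRule pattern is tested against.

    Assumption (mod_rewrite-style behaviour): at server/vhost level the
    pattern sees the full path including the leading slash; in .htaccess
    (per-directory) context the directory prefix is stripped first.
    """
    if per_dir and uri_path.startswith(base):
        return uri_path[len(base):]
    return uri_path

def is_denied(pattern, uri_path, per_dir):
    """True if a `RewriteRule <pattern> - [F,L]` would answer 403."""
    return re.search(pattern, rule_input(uri_path, per_dir)) is not None

def audit(pattern, per_dir, must_deny, must_allow):
    """List the URIs for which the rule does the opposite of the intent."""
    wrong = [u for u in must_deny if not is_denied(pattern, u, per_dir)]
    wrong += [u for u in must_allow if is_denied(pattern, u, per_dir)]
    return wrong

# Constructed sample requests, not taken from a real site.
MUST_DENY = ["/test/", "/test/secret.txt", "/test/sub/dir/app.log"]
MUST_ALLOW = ["/", "/index.html", "/testing/page.html", "/blog/test/post"]

SERVER_RULE = r"^/test/.*$"    # rule as given with the leading slash
HTACCESS_RULE = r"^test/.*$"   # rule for Auto Load from .htaccess = Yes

if __name__ == "__main__":
    for name, pattern, per_dir in [
        ("slash rule, server level", SERVER_RULE, False),
        ("no-slash rule, .htaccess", HTACCESS_RULE, True),
        ("slash rule, .htaccess", SERVER_RULE, True),
        ("no-slash rule, server level", HTACCESS_RULE, False),
    ]:
        wrong = audit(pattern, per_dir, MUST_DENY, MUST_ALLOW)
        verdict = "OK" if not wrong else "FAILS OPEN for " + str(wrong)
        print(f"{name:30} {verdict}")
```

A rule in the wrong form produces no error; it simply never matches, so confirm a 403 on the live site after every change.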

Allow Access to a Directory for a single IP with Rewrite Rules

You can customize the above rewrite rule to allow access only for a certain IP address, like so:

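RewriteCond %{REMOTE_ADDR} !^192\.0\.2\.0$
RewriteRule ^test/.*$ - [F,L]

This set of rules will only allow access to the /test/ directory if the visitor IP is 192.0.2.0. The pattern is anchored at both ends so that, when you substitute your own address, it cannot also match a longer address that merely begins with the same digits.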

Tip

If you have Cloudflare or a reverse proxy in front of your site, you must make sure that Server Configuration > General > Use Client IP in Header is properly set; otherwise, you will always see Cloudflare's IP.

Controlling Access to a Directory with A Static Context

Set Accessible to No to deny access to everyone.

You can exert more granular control over access to a URI by setting Accessible to Yes. Use Access Allowed and Access Denied to specify which visitors are allowed and which are denied.

Controlling Access to Files

By manipulating context settings or rewrite rules, you can also control access to specific file types or individual files.

Example

To deny access to file types .ini and .log, use the following Rewrite Rule:

RewriteRule ^/.*\.(log|ini)$ - [F,L]

Static Context:

Example

To deny access to the WordPress file xmlrpc.php, use the following Rewrite Rule:

RewriteRule xmlrpc\.php$ - [F,L]

Static Context:

Block Multiple Files at Once

There are two ways to block multiple files, and both of them require you to separate file names with |.

Using a Context

URI:

exp:error_log|wp-config-sample.php|readme.html|readme.txt|license.txt|install.php|wp-config.php|php.ini|php5.ini|bb-config.php

Location:

$DOC_ROOT/$0

Accessible: No

With Rewrite Rules

RewriteCond %{REQUEST_URI} error_log|wp-config-sample.php|readme.html|readme.txt|license.txt|install.php|wp-config.php|php.ini|php5.ini|bb-config.php [NC]
RewriteRule .* - [F,L]

Sitemap.xml access control example:

RewriteCond %{HTTP_USER_AGENT} !.*(google|Bing).* [NC,OR]
RewriteRule sitemap.xml$ - [F,L]

To restrict your sitemap so that it is viewable only by known good bots, like Google, you can use the above rule. The [NC] flag makes the match case-insensitive, and the [OR] flag on the first line is needed to match Google OR Bing.