Installing & Activating the CyberPanel .htaccess Module
What is the .htaccess Module?
The CyberPanel .htaccess Module (cyberpanel_ols.so) is a paid add-on that enables Apache .htaccess file processing on OpenLiteSpeed servers. It allows you to use Apache-style configuration directives without switching to Apache or LiteSpeed Enterprise.
This module is separate from the custom OpenLiteSpeed binary. For details on the custom binary and how these products differ, see: CyberPanel Custom OpenLiteSpeed – Installation & Product Guide.
Pricing
| Term | Price |
|---|---|
| 1 Year | $59 |
| 2 Years | $106 (10% off) |
| 3 Years | $142 (20% off) |
| Lifetime | $199 (one-time, never expires) |
Purchase: cyberpanel.net/cyberpanel-htaccess-module
What’s Included (v2.7.0 — 18 Features)
| # | Feature | Directives |
|---|---|---|
| 1 | PHP Config | php_value, php_flag, php_admin_value, php_admin_flag |
| 2 | Response Headers | Header set|append|merge|add|unset |
| 3 | Request Headers | RequestHeader set|unset |
| 4 | Error Documents | ErrorDocument 404 /path |
| 5 | Redirects | Redirect, RedirectMatch (301-410, regex) |
| 6 | FilesMatch | <FilesMatch "regex">Header...</FilesMatch> |
| 7 | Expires | ExpiresActive, ExpiresByType |
| 8 | Environment | SetEnv, SetEnvIf, SetEnvIfNoCase, BrowserMatch |
| 9 | Legacy Access Control | Order, Allow from, Deny from (with CIDR) |
| 10 | Brute Force Protection | BruteForceProtection, throttle, whitelist, custom paths |
| 11 | HTTP Basic Auth | AuthType Basic, AuthName, AuthUserFile, Require valid-user|user |
| 12 | Apache 2.4 Require | Require all granted|denied, Require ip, Require not ip, Require host |
| 13 | AddDefaultCharset | AddDefaultCharset UTF-8|Off |
| 14 | SSLRequireSSL | SSLRequireSSL (force HTTPS, 403 for HTTP) |
| 15 | Files Blocks | <Files "name"> with Header/Auth directives inside |
| 16 | Satisfy | Satisfy Any|All (auth vs IP interaction) |
| 17 | Limit Blocks | <Limit>, <LimitExcept> with HTTP methods |
| 18 | Group Auth | AuthGroupFile, Require group (.htgroups format) |
Works On
- CyberPanel
- Plesk (with OLS)
- cPanel (with OLS)
- Any server running OpenLiteSpeed
Step 1: Purchase a License
- Go to cyberpanel.net/cyberpanel-htaccess-module
- Select your plan (1 Year, 2 Years, 3 Years, or Lifetime)
- Complete payment via Stripe, PayPal, or cryptocurrency
- You will receive a license key in the format:
CP-OLS-XXXX-XXXX-XXXX-XXXX
If you paid via cryptocurrency, your license will be activated manually by our team within 24 hours. You will receive the license key via email.
Step 2: Install the Custom OLS Binary
The .htaccess module requires the CyberPanel custom OpenLiteSpeed binary to function. If you are on CyberPanel, this is already installed automatically via upgrades.
For manual installation or other panels, follow the instructions in our Custom OpenLiteSpeed Installation Guide.
Step 3: Install the .htaccess Module
The module file (cyberpanel_ols.so) may already be present if you upgraded CyberPanel or installed the custom OLS binary. If not, download it manually:
Ubuntu / Debian
cd /tmp wget -q https://cyberpanel.net/cyberpanel_ols-2.7.0-x86_64-ubuntu.so # Stop OLS /usr/local/lsws/bin/lswsctrl stop # Install module cp cyberpanel_ols-2.7.0-x86_64-ubuntu.so /usr/local/lsws/modules/cyberpanel_ols.so chmod 755 /usr/local/lsws/modules/cyberpanel_ols.so # Start OLS /usr/local/lsws/bin/lswsctrl start
RHEL 9 / AlmaLinux 9 / Rocky Linux 9
cd /tmp wget -q https://cyberpanel.net/cyberpanel_ols-2.7.0-x86_64-rhel9.so /usr/local/lsws/bin/lswsctrl stop cp cyberpanel_ols-2.7.0-x86_64-rhel9.so /usr/local/lsws/modules/cyberpanel_ols.so chmod 755 /usr/local/lsws/modules/cyberpanel_ols.so /usr/local/lsws/bin/lswsctrl start
RHEL 8 / AlmaLinux 8 / Rocky Linux 8
cd /tmp wget -q https://cyberpanel.net/cyberpanel_ols-2.7.0-x86_64-rhel8.so /usr/local/lsws/bin/lswsctrl stop cp cyberpanel_ols-2.7.0-x86_64-rhel8.so /usr/local/lsws/modules/cyberpanel_ols.so chmod 755 /usr/local/lsws/modules/cyberpanel_ols.so /usr/local/lsws/bin/lswsctrl start
Verify Module Installed
ls -la /usr/local/lsws/modules/cyberpanel_ols.so # Should show the file with 755 permissions
Step 4: Activate Your License
Once you have your license key (CP-OLS-XXXX-XXXX-XXXX-XXXX), activate it on your server:
# Save license key to file echo "CP-OLS-XXXX-XXXX-XXXX-XXXX" > /usr/local/lsws/cyberpanel_ols.license # Set correct permissions chmod 600 /usr/local/lsws/cyberpanel_ols.license chown lsadm:lsadm /usr/local/lsws/cyberpanel_ols.license # Restart OpenLiteSpeed to apply /usr/local/lsws/bin/lswsctrl restart
Replace CP-OLS-XXXX-XXXX-XXXX-XXXX with your actual license key.
How License Validation Works
- The module reads the license key from
/usr/local/lsws/cyberpanel_ols.license - It validates against
platform.cyberpersons.com/api/v1/validate-licenseevery 24 hours - If the license is valid, all .htaccess features are enabled
- If the license is invalid or expired, premium features are disabled (graceful degradation — the server keeps running)
Step 5: Verify Everything Works
Test .htaccess Header Processing
# Add a test header to any website's .htaccess echo 'Header set X-Htaccess-Test "Working"' >> /home/example.com/public_html/.htaccess # Test with curl curl -I https://example.com | grep X-Htaccess-Test # Expected: X-Htaccess-Test: Working # Clean up test header sed -i '/X-Htaccess-Test/d' /home/example.com/public_html/.htaccess
Test PHP Directives
# Add PHP directive to .htaccess
echo 'php_value memory_limit 512M' >> /home/example.com/public_html/.htaccess
# Create test PHP file
echo '<?php echo ini_get("memory_limit"); ?>' > /home/example.com/public_html/memtest.php
# Test
curl https://example.com/memtest.php
# Expected: 512M
# Clean up
rm /home/example.com/public_html/memtest.php
sed -i '/memory_limit/d' /home/example.com/public_html/.htaccess
Test Brute Force Protection
# Add to .htaccess cat >> /home/example.com/public_html/.htaccess << 'EOF' BruteForceProtection On BruteForceAllowedAttempts 5 BruteForceWindow 300 BruteForceAction block EOF # Verify shared memory files created after a POST to wp-login.php ls -la /dev/shm/ols/ # Should show BFProt.shm and BFProt.lock
Features Enabled by License
When your license is valid, all 18 feature categories work. When invalid/expired, features are disabled but the server continues running normally.
| Feature | Valid License | No / Expired License |
|---|---|---|
| PHP Configuration (php_value, php_flag, php_admin_value, php_admin_flag) | Enabled | Disabled |
| Header / RequestHeader directives | Enabled | Disabled |
| SetEnv / SetEnvIf / BrowserMatch | Enabled | Disabled |
| ErrorDocument / Redirect / RedirectMatch | Enabled | Disabled |
| Expires / FilesMatch / Files blocks | Enabled | Disabled |
| Access Control (Order/Allow/Deny + Apache 2.4 Require) | Enabled | Disabled |
| WordPress Brute Force Protection | Enabled | Disabled |
| HTTP Basic Auth / Group Auth | Enabled | Disabled |
| AddDefaultCharset / SSLRequireSSL | Enabled | Disabled |
| Satisfy / Limit / LimitExcept | Enabled | Disabled |
.htaccess Examples
Here are common .htaccess configurations that work with this module:
Security Headers
Header set X-Frame-Options "SAMEORIGIN" Header set X-Content-Type-Options "nosniff" Header set X-XSS-Protection "1; mode=block" Header set Referrer-Policy "strict-origin-when-cross-origin" Header set Strict-Transport-Security "max-age=31536000" Header unset Server Header unset X-Powered-By
CORS Headers
Header set Access-Control-Allow-Origin "*" Header set Access-Control-Allow-Methods "GET, POST, OPTIONS" Header set Access-Control-Allow-Headers "Content-Type, Authorization"
PHP Settings
php_value memory_limit 256M php_value max_execution_time 300 php_value upload_max_filesize 100M php_value post_max_size 100M php_flag display_errors off php_flag log_errors on
IP Access Control
# Block all except specific IPs Order deny,allow Deny from all Allow from 192.168.1.0/24 Allow from 10.0.0.0/8
Cache Control
ExpiresActive On ExpiresByType image/jpeg A31557600 ExpiresByType image/png A31557600 ExpiresByType text/css A2592000 ExpiresByType application/javascript A2592000 ExpiresByType text/html A0
WordPress Brute Force Protection (Recommended)
BruteForceProtection On BruteForceAllowedAttempts 5 BruteForceWindow 300 BruteForceAction block
Behind Cloudflare or a CDN, add:
BruteForceXForwardedFor On
HTTP Basic Authentication (v2.5+)
Protect directories with username/password using Apache-compatible .htpasswd files.
# Protect staging site AuthType Basic AuthName "Staging Site" AuthUserFile /home/example.com/.htpasswd Require valid-user # Admin-only access AuthType Basic AuthName "Admin Panel" AuthUserFile /home/example.com/.htpasswd Require user admin superadmin
Create .htpasswd:
htpasswd -cm /home/example.com/.htpasswd admin htpasswd -m /home/example.com/.htpasswd editor
Supported hash formats: Apache MD5 ($apr1$), SHA1 ({SHA}), crypt(3) ($1$/$5$/$6$).
Apache 2.4 Require Directives (v2.6+)
Modern Apache 2.4 access control. Can coexist with legacy Order/Allow/Deny syntax.
# Allow everyone Require all granted # Block everyone Require all denied # Allow specific IPs (multiple = OR logic) Require ip 192.168.1.0/24 Require ip 10.8.0.0/24 # Blacklist pattern Require all granted Require not ip 185.130.5.0/24
Key: Multiple Require ip lines use OR logic. Require not ip always takes priority over positive rules.
AddDefaultCharset (v2.7+)
AddDefaultCharset UTF-8 AddDefaultCharset Off
SSLRequireSSL — Force HTTPS (v2.7+)
Returns 403 Forbidden for plain HTTP requests.
SSLRequireSSL
Files Blocks (v2.7+)
Exact filename matching with Header/Auth directives inside.
# Protect wp-config.php
<Files "wp-config.php">
Header set X-Protected "true"
</Files>
# Password-protect .htpasswd
<Files ".htpasswd">
AuthType Basic
AuthName "Protected"
AuthUserFile /home/site/.htpasswd
Require valid-user
</Files>
Satisfy Directive (v2.7+)
Controls whether auth AND IP rules both apply, or either one is sufficient.
# Office IPs skip password, everyone else needs login Satisfy Any AuthType Basic AuthName "Login Required" AuthUserFile /home/site/.htpasswd Require valid-user Order deny,allow Deny from all Allow from 192.168.1.0/24
Limit / LimitExcept Blocks (v2.7+)
Scope auth to specific HTTP methods.
# Require auth only for write methods
<LimitExcept GET HEAD OPTIONS>
AuthType Basic
AuthName "Write Access"
AuthUserFile /home/site/.htpasswd
Require valid-user
</LimitExcept>
Group Authentication (v2.7+)
Group-based auth using Apache .htgroups file format.
AuthType Basic AuthName "Staff Area" AuthUserFile /home/site/.htpasswd AuthGroupFile /home/site/.htgroups Require group admins editors
.htgroups file format:
admins: alice bob charlie editors: dave eve
Multiple groups in Require group use OR logic — user in ANY listed group is allowed.
Troubleshooting
Module not loading
# Check module file exists ls -la /usr/local/lsws/modules/cyberpanel_ols.so # Check OLS configuration references it grep cyberpanel_ols /usr/local/lsws/conf/httpd_config.conf # Restart OLS /usr/local/lsws/bin/lswsctrl restart
License not activating
# Check license file exists and has correct content cat /usr/local/lsws/cyberpanel_ols.license # Should show: CP-OLS-XXXX-XXXX-XXXX-XXXX # Check permissions ls -la /usr/local/lsws/cyberpanel_ols.license # Should be: -rw------- lsadm lsadm # Check server can reach validation endpoint curl -s https://platform.cyberpersons.com/api/v1/validate-license # Should return a JSON response (even if error, connectivity is confirmed)
Headers not appearing
- Verify .htaccess is readable by the
nobodyuser - Check syntax — quotes must be balanced
- Test with curl directly (bypass CDN):
curl -I https://example.com | grep X-Frame - Check OLS error log:
cat /usr/local/lsws/logs/error.log
Brute force protection not triggering
- Ensure
BruteForceProtection Onis in the site’s .htaccess - Check shared memory files:
ls -la /dev/shm/ols/ - Verify it’s a POST request to a protected endpoint (wp-login.php or xmlrpc.php)
- Check logs:
grep BruteForce /usr/local/lsws/logs/error.log - Reset all counters:
rm -f /dev/shm/ols/BFProt.* && /usr/local/lsws/bin/lswsctrl restart
Performance
| Metric | Value |
|---|---|
| Overhead per request | < 1ms |
| Memory per cached .htaccess | ~2KB |
| Memory per tracked IP (brute force) | ~64 bytes |
| Cache invalidation | Automatic (mtime-based) |
Managing Your License
- View your license: platform.cyberpersons.com — My Licenses
- Your license key works on any server — it is NOT tied to a specific IP address. Simply copy the license file to your new server.
- Renew before expiry — if your license expires, features are disabled but your server keeps running.
Getting Help
- Support: [email protected]
- Knowledge Base: cyberpanel.net/KnowledgeBase
- Forums: forums.cyberpanel.net
- Purchase: cyberpanel.net/cyberpanel-htaccess-module
