OpenLiteSpeed on Ubuntu 24.04 on Azure User Guide
Overview
This guide covers the deployment and configuration of OpenLiteSpeed on Ubuntu 24.04 on Azure using cloudimg Azure Marketplace images. OpenLiteSpeed is the open source edition of the LiteSpeed web server: an event driven, high performance HTTP server that serves static and dynamic content, runs PHP applications through its LSAPI handler, speaks HTTP/2 and HTTP/3 (QUIC), and is administered entirely through a browser based WebAdmin console rather than hand edited configuration files.
The image ships OpenLiteSpeed 1.9 from the official LiteSpeed apt repository (rpms.litespeedtech.com) installed into /usr/local/lsws, together with the lsphp83 (PHP 8.3) runtime. On every fresh customer virtual machine, openlitespeed-firstboot.service mints a strong random WebAdmin password unique to that machine, regenerates the console's self signed certificate, and writes the password to /root/openlitespeed-credentials.txt (mode 0600, readable only by root). No two virtual machines ever share a WebAdmin password, and no usable credential is baked into the image.
What is included:
-
OpenLiteSpeed 1.9 from the official LiteSpeed apt repository, installed to
/usr/local/lsws -
lshttpd.servicesystemd unit auto-starting on boot (serves the default site on TCP 8088 and the WebAdmin console on TCP 7080 over HTTPS) -
openlitespeed-firstboot.servicesystemd oneshot that mints a per-VM WebAdmin password and regenerates the console certificate -
The
lsphp83PHP 8.3 runtime wired as the default LSAPI handler, with themysql,opcacheandcurlextensions -
Brute-force login throttling on the WebAdmin console (five failed attempts blocks the source IP for fifteen minutes)
-
Ubuntu 24.04 LTS base with the latest security patches applied at build time and unattended security upgrades enabled
-
Azure Linux Agent for seamless cloud integration and SSH key injection
-
24/7 cloudimg support with a guaranteed 24 hour response SLA
Prerequisites
-
An active Azure subscription
-
A subscription to the OpenLiteSpeed on Ubuntu 24.04 listing on Azure Marketplace
-
An SSH public key for VM authentication
-
A virtual network and subnet in the target region
Recommended virtual machine size: Standard_B2s (2 vCPU, 4 GB RAM) is ample for evaluation and small sites. Scale up to Standard_D2s_v3 or larger for production traffic.
Step 1: Deploy from the Azure Portal
Navigate to Marketplace in the Azure Portal, search for OpenLiteSpeed, select the cloudimg publisher entry, and click Create.
On the Networking tab attach a network security group that allows inbound TCP 22 from your management IP range, and TCP 7080 from your management IP range for the WebAdmin console. Open TCP 80 and 443 (and/or 8088) to your visitor networks once you have configured the site you want to serve. Restrict TCP 7080 to trusted management addresses only — it is the full administrative console for the server.
Click Review + create, wait for validation, then Create. Deployment takes around two minutes.
Step 2: Deploy from the Azure CLI
RG="openlitespeed-prod"
LOCATION="eastus"
VM_NAME="openlitespeed-01"
ADMIN_USER="azureuser"
GALLERY_IMAGE_ID="/subscriptions/<sub-id>/resourceGroups/azure-cloudimg/providers/Microsoft.Compute/galleries/cloudimgGallery/images/openlitespeed-ubuntu-24-04/versions/<version>"
SSH_KEY="$(cat ~/.ssh/id_rsa.pub)"
az group create --name "$RG" --location "$LOCATION"
az network vnet create \
--resource-group "$RG" \
--name openlitespeed-vnet --address-prefix 10.60.0.0/16 \
--subnet-name default --subnet-prefix 10.60.1.0/24
az vm create \
--resource-group "$RG" \
--name "$VM_NAME" \
--image "$GALLERY_IMAGE_ID" \
--size Standard_B2s \
--admin-username "$ADMIN_USER" \
--ssh-key-values "$SSH_KEY" \
--vnet-name openlitespeed-vnet --subnet default \
--public-ip-sku Standard
Open the WebAdmin console (TCP 7080) and your site ports (TCP 80 / 443) to the appropriate source ranges:
az network nsg rule create \
--resource-group "$RG" \
--nsg-name "${VM_NAME}NSG" \
--name allow-webadmin \
--priority 1010 --access Allow --protocol Tcp --direction Inbound \
--destination-port-ranges 7080 --source-address-prefixes "<your-mgmt-cidr>"
Step 3: Retrieve the per-VM WebAdmin password
The WebAdmin console ships with no known password. On first boot, a strong random password is generated for the admin user and written to /root/openlitespeed-credentials.txt. Read it over SSH:
ssh azureuser@<vm-ip> "sudo cat /root/openlitespeed-credentials.txt"
You will see the per-VM credentials, for example:
ADMIN_USER=admin
ADMIN_PASSWORD=<a strong random per-VM password>
WEBADMIN_PORT=7080
WEBADMIN_URL=https://<vm-ip>:7080/
HTTP_PORT=8088
HTTP_URL=http://<vm-ip>:8088/
Keep this password safe. After your first sign in, you can change it again from the WebAdmin console.
Step 4: Sign in to the WebAdmin console
Browse to https://<vm-ip>:7080/ and accept the self signed certificate warning (the certificate is regenerated uniquely on each VM at first boot). Sign in as admin with the password from Step 3.

After signing in you land on the dashboard, which shows the running server version, uptime, real-time request and connection statistics, and the count of active listeners and virtual hosts.

The WebAdmin console throttles brute-force login attempts: five failed sign ins block the source IP for fifteen minutes. If you are locked out, wait for the block to clear or connect from a different address.
Step 5: Confirm the server is running
SSH into the VM and confirm the lshttpd service is active and listening on the default site port (8088) and the WebAdmin port (7080):
sudo systemctl is-active lshttpd.service
sudo ss -tln | grep -E ':8088|:7080'

Request the default site over HTTP on port 8088 and confirm the WebAdmin login page answers over HTTPS on port 7080:
curl -s -o /dev/null -w 'Default site (:8088): HTTP %{http_code}\n' http://127.0.0.1:8088/
curl -ks -o /dev/null -w 'WebAdmin login page (:7080): HTTP %{http_code}\n' https://127.0.0.1:7080/login.php

Step 6: Verify the per-VM credential
The WebAdmin console authenticates through a PHP form login. Confirm that the per-VM password in the credentials file signs in successfully — a correct sign in answers HTTP 302 (a redirect into the console), while a wrong password is rejected with HTTP 200 and an "Invalid credentials" message:
ADMIN_PASS=$(sudo grep '^ADMIN_PASSWORD=' /root/openlitespeed-credentials.txt | cut -d= -f2-)
CJ=$(mktemp)
curl -ks -c "$CJ" https://127.0.0.1:7080/login.php >/dev/null
curl -ks -o /dev/null -w 'WebAdmin sign in: HTTP %{http_code} (302 = signed in)\n' \
-c "$CJ" -b "$CJ" \
--data-urlencode userid=admin --data-urlencode "pass=$ADMIN_PASS" \
https://127.0.0.1:7080/login.php
rm -f "$CJ"

Step 7: Configure listeners and virtual hosts
OpenLiteSpeed is administered entirely from the WebAdmin console. Two areas cover most day-to-day work:
Listeners define the ports and protocols the server accepts connections on. The image ships a single Default listener bound to TCP 8088. To serve production traffic, add listeners on TCP 80 and TCP 443 (with a certificate) from the Listeners page.

Virtual Hosts map a site's document root, index files, PHP handler, rewrite rules and security to a name. The image ships the sample Example virtual host so PHP is working out of the box; add your own virtual host and map it to a listener to serve your site.

After changing configuration in the console, click the graceful restart control (the circular arrow next to the server status) so the running server picks up the new configuration without dropping live connections.
Step 8: Confirm the software version
Confirm the installed OpenLiteSpeed version and the apt repository it was installed from:
VER=$(sudo /usr/local/lsws/bin/lshttpd -v 2>&1)
echo "$VER" | grep -i litespeed
dpkg-query -W -f='${Package} ${Version}\n' openlitespeed lsphp83

Serving your first site
-
In the WebAdmin console, open Virtual Hosts and add a virtual host with a document root under
/usr/local/lsws/(for example/usr/local/lsws/mysite/html). -
Open Listeners, add a listener on TCP 80 (and TCP 443 with a certificate for HTTPS), and map it to your virtual host.
-
Perform a graceful restart.
-
Upload your site's files to the document root. PHP applications run through the bundled
lsphp83handler with no extra configuration.
For production, front OpenLiteSpeed with a CA-signed certificate on the TCP 443 listener, remove the sample Example virtual host, and restrict the WebAdmin console (TCP 7080) to your management network only.
Security notes
-
No shared credential. The WebAdmin password is generated uniquely on each VM at first boot and stored in
/root/openlitespeed-credentials.txt(mode 0600). Nothing usable is baked into the image. -
Per-VM certificate. The WebAdmin console's self signed certificate is regenerated on each VM at first boot, so no two machines share a certificate or key.
-
Brute-force throttling. Five failed WebAdmin sign ins block the source IP for fifteen minutes.
-
Restrict the console. Expose TCP 7080 only to your management network. Expose your site ports (TCP 80 / 443) to visitors as needed.
-
Patched base. The Ubuntu 24.04 base is fully patched at build time and keeps unattended security upgrades enabled.
Support
This image is published and supported by cloudimg with a 24/7 support offering and a guaranteed 24 hour response SLA. For assistance, contact support through the details on the Azure Marketplace listing.