configs/shared-ols/httpd_config_base.tpl

## ---- shared-ols append (do not edit below) ----
## Server-level config for the SHARED OpenLiteSpeed tier. Appended to the
## stock httpd_config.conf AFTER render-shared-ols-config.sh strips the stock
## listeners, vhTemplate docker, AND the stock `extProcessor lsphp` +
## `scriptHandler` (so this server NEVER runs PHP locally — every site's PHP
## goes to its own detached cac-lsphp sidecar over LSAPI). Rendered with
## envsubst; only ${LSCACHE_ROOT} is substituted here.

serverName                shared-ols

## Real client IP behind HAProxy. HAProxy sets X-Forwarded-For (the real
## client) and X-Forwarded-Proto. Mode 1 = always use X-Forwarded-For as the
## client IP. HAProxy is the ONLY thing that ever connects to this tier (it's on
## client-net with no host-published ports) and it OVERWRITES X-Forwarded-For
## with %[src] (set-header, not add-header), so a client can't spoof it — mode 1
## is safe here and matches the working standalone litespeed config.
## NOTE: mode 2 ("trusted IP only") does NOT mean "trust the proxy header" — it
## extracts the real IP ONLY when the connecting peer is in a TRUSTED access
## list, which this tier never configured. With mode 2 + no trusted IP, OLS kept
## HAProxy's container IP as REMOTE_ADDR for every request, so WP security
## plugins saw all tenants as one IP and blocking it locked everyone out.
useIpInProxyHeader        1

## LSCache enabled at MODULE scope for the whole tier (dedicated cache volume,
## ephemeral across rebuilds; OLS auto-keys a per-vhost subdir under storagePath).
## enableCache/enablePrivateCache ON here means the cache module is ACTIVE, but a
## response is only cached if it's marked cacheable — the LiteSpeed Cache WP
## plugin sets X-LiteSpeed-Cache-Control headers, and checkPublic/PrivateCache +
## ignoreRespCacheCtrl=0 make OLS honor them. No plugin → nothing cached (safe).
module cache {
  storagePath             ${LSCACHE_ROOT}
  checkPrivateCache       1
  checkPublicCache        1
  maxCacheObjSize         10000000
  maxStaleAge             200
  qsCache                 1
  reqCookieCache          1
  respCookieCache         1
  ignoreReqCacheCtrl      0
  ignoreRespCacheCtrl     0
  enableCache             1
  enablePrivateCache      1
}
## ---- end shared-ols server append ----
feat(shared-ols): shared OpenLiteSpeed tier image (webserver-only, fronts cac-lsphp sidecars) One OLS container fronting many tenants' detached cac-lsphp sidecars — the OLS analogue of shared-httpd. Runs NO PHP locally; every site's PHP goes to its own sidecar over LSAPI (extProcessor type lsapi, address <sidecar>:9000). Key design fact (established by PoC): OLS has NO top-level 'include' directive, so render-shared-ols-config.sh assembles httpd_config.conf from the panel's per-site files (vhconf.conf + site.meta) at boot and on every change — the 'include' OLS lacks. Per-site detail uses the OLS-native configFile + vhost-scoped extprocessor model. LSCache is module-level (a configFile-loaded vhost rejects a bare cache{} block); the WP LiteSpeed plugin controls cacheability via X-LiteSpeed-Cache-Control headers. - Dockerfile.shared-ols: litespeed base + inotify-tools/envsubst/openssl, admin bound to loopback, :80/:443 self-signed, healthz HEALTHCHECK. - entrypoint-shared-ols.sh: cert + health vhost + render + watcher, then daemon-mode OLS supervision (reused from cac-litespeed so self-restarts don't kill PID 1). - render-shared-ols-config.sh: strip stock (incl local lsphp) + append base + per-site stanzas + listeners with all maps + catch-all health vhost. - ols-htaccess-watcher.sh: inotify debounce+floor -> lswsctrl restart (spec 5.3). - configs/shared-ols/{httpd_config_base,vhconf}.tpl. - CI: Build-Shared-OLS job. Verified locally end-to-end: zero-site boot healthy on :443; add site via the panel contract -> Host-routed to the right sidecar (SAPI=litespeed); real client IP + HTTPS behind X-Forwarded headers; LSCache miss->hit; .htaccess change triggers graceful restart; unknown Host hits health catch-all (200). Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com> 2026-06-10 01:22:14 -07:00			`## ---- shared-ols append (do not edit below) ----`
			`## Server-level config for the SHARED OpenLiteSpeed tier. Appended to the`
			`## stock httpd_config.conf AFTER render-shared-ols-config.sh strips the stock`
			## listeners, vhTemplate docker, AND the stock `extProcessor lsphp` +
			## `scriptHandler` (so this server NEVER runs PHP locally — every site's PHP
			`## goes to its own detached cac-lsphp sidecar over LSAPI). Rendered with`
			`## envsubst; only ${LSCACHE_ROOT} is substituted here.`

			`serverName shared-ols`

			`## Real client IP behind HAProxy. HAProxy sets X-Forwarded-For (the real`
fix(shared-ols): useIpInProxyHeader 2->1 so real client IP reaches lsphp Mode 2 ("trusted IP only") extracts the real client IP from X-Forwarded-For ONLY when the connecting peer is in a TRUSTED access-control list — which this tier never configured (accessControl is `allow ALL`, no trusted designation). So OLS kept HAProxy's container IP (172.18.0.34) as REMOTE_ADDR for EVERY request across ALL tenants. WP security plugins (Wordfence etc.) then saw all traffic as one IP; blocking it locked every site — and the admin — out. HAProxy already sends X-Forwarded-For and is the ONLY peer that connects to this tier (client-net, no host-published ports), and it OVERWRITES XFF with %[src] (set-header), so spoofing is impossible. Mode 1 (always trust XFF) is correct and safe here — it matches the working standalone configs/litespeed config which has always used 1. Verified on whp01: lsphp now receives the forwarded client IP end-to-end (REMOTE_ADDR=<real-ip>, was 172.18.0.34). Live-hotpatched whp01+whp02 pending this image rebuild. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com> 2026-06-11 07:55:42 -07:00			`## client) and X-Forwarded-Proto. Mode 1 = always use X-Forwarded-For as the`
			`## client IP. HAProxy is the ONLY thing that ever connects to this tier (it's on`
			`## client-net with no host-published ports) and it OVERWRITES X-Forwarded-For`
			`## with %[src] (set-header, not add-header), so a client can't spoof it — mode 1`
			`## is safe here and matches the working standalone litespeed config.`
			`## NOTE: mode 2 ("trusted IP only") does NOT mean "trust the proxy header" — it`
			`## extracts the real IP ONLY when the connecting peer is in a TRUSTED access`
			`## list, which this tier never configured. With mode 2 + no trusted IP, OLS kept`
			`## HAProxy's container IP as REMOTE_ADDR for every request, so WP security`
			`## plugins saw all tenants as one IP and blocking it locked everyone out.`
			`useIpInProxyHeader 1`
feat(shared-ols): shared OpenLiteSpeed tier image (webserver-only, fronts cac-lsphp sidecars) One OLS container fronting many tenants' detached cac-lsphp sidecars — the OLS analogue of shared-httpd. Runs NO PHP locally; every site's PHP goes to its own sidecar over LSAPI (extProcessor type lsapi, address <sidecar>:9000). Key design fact (established by PoC): OLS has NO top-level 'include' directive, so render-shared-ols-config.sh assembles httpd_config.conf from the panel's per-site files (vhconf.conf + site.meta) at boot and on every change — the 'include' OLS lacks. Per-site detail uses the OLS-native configFile + vhost-scoped extprocessor model. LSCache is module-level (a configFile-loaded vhost rejects a bare cache{} block); the WP LiteSpeed plugin controls cacheability via X-LiteSpeed-Cache-Control headers. - Dockerfile.shared-ols: litespeed base + inotify-tools/envsubst/openssl, admin bound to loopback, :80/:443 self-signed, healthz HEALTHCHECK. - entrypoint-shared-ols.sh: cert + health vhost + render + watcher, then daemon-mode OLS supervision (reused from cac-litespeed so self-restarts don't kill PID 1). - render-shared-ols-config.sh: strip stock (incl local lsphp) + append base + per-site stanzas + listeners with all maps + catch-all health vhost. - ols-htaccess-watcher.sh: inotify debounce+floor -> lswsctrl restart (spec 5.3). - configs/shared-ols/{httpd_config_base,vhconf}.tpl. - CI: Build-Shared-OLS job. Verified locally end-to-end: zero-site boot healthy on :443; add site via the panel contract -> Host-routed to the right sidecar (SAPI=litespeed); real client IP + HTTPS behind X-Forwarded headers; LSCache miss->hit; .htaccess change triggers graceful restart; unknown Host hits health catch-all (200). Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com> 2026-06-10 01:22:14 -07:00
			`## LSCache enabled at MODULE scope for the whole tier (dedicated cache volume,`
			`## ephemeral across rebuilds; OLS auto-keys a per-vhost subdir under storagePath).`
			`## enableCache/enablePrivateCache ON here means the cache module is ACTIVE, but a`
			`## response is only cached if it's marked cacheable — the LiteSpeed Cache WP`
			`## plugin sets X-LiteSpeed-Cache-Control headers, and checkPublic/PrivateCache +`
			`## ignoreRespCacheCtrl=0 make OLS honor them. No plugin → nothing cached (safe).`
			`module cache {`
			`storagePath ${LSCACHE_ROOT}`
			`checkPrivateCache 1`
			`checkPublicCache 1`
			`maxCacheObjSize 10000000`
			`maxStaleAge 200`
			`qsCache 1`
			`reqCookieCache 1`
			`respCookieCache 1`
			`ignoreReqCacheCtrl 0`
			`ignoreRespCacheCtrl 0`
			`enableCache 1`
			`enablePrivateCache 1`
			`}`
			`## ---- end shared-ols server append ----`