From 2837d40f00620c35b1914d53831605119a8bafa8 Mon Sep 17 00:00:00 2001
From: jknapp
Date: Thu, 4 Jun 2026 15:51:25 -0700
Subject: [PATCH] cac-litespeed: forward real client IP to logs and PHP behind HAProxy
OLS had no equivalent of the Apache cac:phpNN mod_remoteip wiring (configs/remote_ip.conf + RemoteIPInternalProxy), so every migrated LiteSpeed site logged HAProxy's docker-bridge IP and handed that same internal IP to lsphp as $_SERVER['REMOTE_ADDR']. That silently broke traffic analytics, WP security plugins, brute-force detection, Coraza source-IP correlation, geo, and rate-limiting. Add server-level `useIpInProxyHeader 1` to the httpd_config append fragment. OLS then rewrites the remote IP from X-Forwarded-For for both logging and the LSAPI REMOTE_ADDR before PHP sees it. Value 1 mirrors the Apache trust model (container is only reachable via HAProxy, never bound publicly). Confirmed HAProxy customer backends are mode http with `option forwardfor` and set X-Forwarded-For to the resolved real client IP.
Co-Authored-By: Claude Opus 4.8 (1M context)
---
configs/litespeed/httpd_config.tpl | 15 +++++++++++++++
1 file changed, 15 insertions(+)
diff --git a/configs/litespeed/httpd_config.tpl b/configs/litespeed/httpd_config.tpl
index 0e3d050..7d25bc8 100644
--- a/configs/litespeed/httpd_config.tpl
+++ b/configs/litespeed/httpd_config.tpl
@@ -10,6 +10,21 @@
 ## envsubst. Templated vars: $user $domain $vhost_map_aliases $PHPVER
 ## $LSAPI_CHILDREN (computed by detect-memory-litespeed.sh)
 
+## --- real client IP behind HAProxy ---
+## OLS equivalent of the Apache cac:phpNN mod_remoteip wiring
+## (configs/remote_ip.conf + RemoteIPInternalProxy in entrypoint.sh). Without
+## this, OLS records HAProxy's docker-bridge IP as the peer: every site's
+## access_log and lsphp $_SERVER['REMOTE_ADDR'] collapse to one internal IP,
+## silently breaking traffic analytics, WP security plugins, brute-force
+## detection, Coraza source-IP correlation, geo, and rate-limiting.
+## 1 = trust X-Forwarded-For (the container is only reachable via HAProxy;
+## it is never bound to a public address). Mirrors the Apache side, which
+## trusts the whole docker subnet via RemoteIPInternalProxy $docker_network.
+## When enabled, OLS rewrites the remote IP for BOTH logging and the LSAPI
+## REMOTE_ADDR before PHP sees it — so the default access_log format already
+## records the real visitor; no LogFormat change needed.
+useIpInProxyHeader 1
+
 ## --- our listeners (replace stock Default :8088) ---
 listener HTTP {
   address *:80
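Review bot: `useIpInProxyHeader 1` trusts X-Forwarded-For from any peer and, as far as I recall OLS's behaviour in this mode, takes the first address in that header, so the anti-spoofing guarantee rests entirely on HAProxy overwriting the header rather than appending to it; `option forwardfor` on its own appends the client address to whatever X-Forwarded-For the client already sent, which would let a visitor choose their own REMOTE_ADDR and bypass exactly the brute-force, rate-limit and Coraza source-IP checks this change is meant to repair. Please confirm the HAProxy frontend does `http-request set-header X-Forwarded-For %[src]` (or `http-request del-header X-Forwarded-For` ahead of `option forwardfor`) and record that dependency next to the directive, e.g. `## SECURITY: safe ONLY while HAProxy overwrites (never appends) X-Forwarded-For and nothing else on the docker subnet can reach :80 directly.` Mode 1 is also weaker than the Apache mod_remoteip wiring the comment says it mirrors: RemoteIPInternalProxy walks the header from the right and strips trusted hops, so an attacker-prepended address is ignored there but would be honoured here. If the OLS version in use supports it, `useIpInProxyHeader 2` with HAProxy's address marked trusted in the access-control list would narrow the trust to the actual proxy instead of any container on the bridge.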