Add cac-litespeed image family (OpenLiteSpeed, native LSAPI)

New paid-tier per-customer image built on litespeedtech/openlitespeed:1.8.4-lsphpNN. Matrix: 8.1-8.5. Native LSAPI suexec to customer uid, server-level LSCache, all WP/WooCommerce extensions (memcached, redis, imagick, mbstring, etc.) baked in. Files: - Dockerfile.litespeed (FROM prebuilt LiteSpeed base, layers wp-cli/composer/mariadb) - configs/litespeed/{httpd_config,site-template,lsphp-overrides}.tpl - scripts/{entrypoint,create-vhost,detect-memory}-litespeed.sh + install-lscache-wp.sh CI: new Build-LiteSpeed-Images matrix job. OLS_VERSION pinned to 1.8.4 (only release with prebuilt images for all 5 PHP versions on Docker Hub). Spec: whp/docs/superpowers/specs/2026-06-01-cac-litespeed-design.md Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-06-02 07:32:47 -07:00
parent 1756d496e5
commit 55c28a0c11
10 changed files with 711 additions and 0 deletions
--- a/configs/litespeed/httpd_config.tpl
+++ b/configs/litespeed/httpd_config.tpl
@@ -0,0 +1,48 @@
+## OpenLiteSpeed APPEND fragment — added to the stock httpd_config.conf
+## that ships with litespeedtech/openlitespeed. Keeping the stock config
+## intact preserves all the cgid/lscgid plumbing (CGIRLimit defaults,
+## fileAccessControl defaults, etc.) — when we tried writing a fully
+## custom httpd_config.conf, lscgid never created its IPC socket and
+## every PHP request 503'd. The upstream OLS docker template uses this
+## append pattern too (see setup_docker.sh in litespeedtech/ols-dockerfiles).
+##
+## Rendered at container start by scripts/create-vhost-litespeed.sh via
+## envsubst. Templated vars: $user $domain $vhost_map_aliases.
+
+## --- our listeners (replace stock Default :8088) ---
+listener HTTP {
+  address                 *:80
+  secure                  0
+  map                     siteVH *
+  ## NB: HTTP→HTTPS redirect is in site-template.tpl's rewrite{} block,
+  ## NOT here — OLS 1.8 listener-level rewrites are inert for vhTemplate
+  ## members. Don't move it back to this listener.
+}
+
+listener HTTPS {
+  address                 *:443
+  secure                  1
+  keyFile                 /usr/local/lsws/conf/cert/self.key
+  certFile                /usr/local/lsws/conf/cert/self.crt
+  sslProtocol             24
+  enableSpdy              15
+  enableQuic              0
+  map                     siteVH *
+}
+
+## --- our vhost via vhTemplate (upstream's working pattern) ---
+## The template file is /usr/local/lsws/conf/templates/site.conf — written
+## by create-vhost-litespeed.sh at the same time as this fragment.
+vhTemplate site {
+  templateFile            conf/templates/site.conf
+  listeners               HTTP, HTTPS
+  note                    cac-litespeed per-customer vhost
+
+  ## vhDomain: customer's domain + serveralias list + `*` catchall so
+  ## ip-only requests (e.g. HAProxy backend health check by container_name)
+  ## still resolve. WHP/HAProxy filters hostnames upstream — no risk to
+  ## allowing the catchall here.
+  member siteVH {
+    vhDomain              ${domain}${vhost_map_aliases}, *
+  }
+}