diff --git a/configs/shared-ols/httpd_config_base.tpl b/configs/shared-ols/httpd_config_base.tpl
index 0b7e09e..6158943 100644
--- a/configs/shared-ols/httpd_config_base.tpl
+++ b/configs/shared-ols/httpd_config_base.tpl
@@ -23,13 +23,20 @@ useIpInProxyHeader 1
 ## LSCache enabled at MODULE scope for the whole tier (dedicated cache volume,
 ## ephemeral across rebuilds; OLS auto-keys a per-vhost subdir under storagePath).
-## enableCache/enablePrivateCache ON here means the cache module is ACTIVE, but a
-## response is only cached if it's marked cacheable — the LiteSpeed Cache WP
-## plugin sets X-LiteSpeed-Cache-Control headers, and checkPublic/PrivateCache +
-## ignoreRespCacheCtrl=0 make OLS honor them. No plugin → nothing cached (safe).
+## PUBLIC (anonymous) caching ONLY: enableCache 1 + checkPublicCache 1 let OLS
+## serve cacheable, non-logged-in responses marked by the LiteSpeed Cache WP
+## plugin's X-LiteSpeed-Cache-Control headers (ignoreRespCacheCtrl=0 honors them).
+##
+## PRIVATE caching is intentionally OFF (enablePrivateCache 0 + checkPrivateCache 0).
+## Logged-in / cookie-bearing pages must NEVER be cached at the tier. We previously
+## left enablePrivateCache=1 assuming "no plugin -> nothing cached," but that was
+## WRONG: with private storage + reqCookieCache on, OLS privately cached logged-in
+## responses regardless of plugin, serving stale wp-admin (e.g. a "failed update"
+## nag that persisted for the full privateExpireInSeconds TTL). Keeping private
+## cache off guarantees logged-in pages are always served fresh.
 module cache {
 storagePath ${LSCACHE_ROOT}
- checkPrivateCache 1
+ checkPrivateCache 0
 checkPublicCache 1
 maxCacheObjSize 10000000
 maxStaleAge 200
@@ -39,6 +46,6 @@ module cache {
 ignoreReqCacheCtrl 0
 ignoreRespCacheCtrl 0
 enableCache 1
- enablePrivateCache 1
+ enablePrivateCache 0
 }
 ## ---- end shared-ols server append ----
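Review bot: The closing sentence of the new comment ("guarantees logged-in pages are always served fresh") claims more than the visible settings establish. `enableCache 1` and `checkPublicCache 1` stay on, and the `reqCookieCache` setting the comment blames is not in this hunk and appears to be unchanged. The claim that public caching only applies to plugin-marked responses is the same kind of assumption this commit found wrong for the private cache, so it should be tested rather than asserted. I would soften the last line to something like `## Private cache is off at module scope; public cache is still on, so verify cookie-bearing requests never get X-LiteSpeed-Cache: hit.` If that check fails, consider whether `enableCache 0` with `checkPublicCache 1` suits the tier better.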
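Review bot: `enablePrivateCache 0` sets only a module-scope default, and the `module cache {` block opens outside this hunk. OpenLiteSpeed also accepts cache module parameters at virtual-host and context level, so a vhost template with its own `module cache` block that turns private caching on could still store logged-in responses for that site. It is worth checking the vhost templates for `enablePrivateCache` and `checkPrivateCache` and recording the rule beside this line, e.g. `## vhost templates must not re-enable private cache`. Private entries written before this change presumably remain on the cache volume until it is rebuilt or purged.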