From d1c3cfadc0441580d6ab219d76f4b56962adabcd Mon Sep 17 00:00:00 2001
From: jknapp <jknapp85@gmail.com>
Date: Tue, 2 Jun 2026 10:53:44 -0700
Subject: [PATCH] feat(litespeed): make log paths drop-in compatible with
 cac:phpNN
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

OLS now writes:
  access -> /home/$user/logs/apache/access_log
  error  -> /home/$user/logs/apache/error_log
  PHP    -> /home/$user/logs/php-fpm/error.log

Matches the cac:phpNN bundled image convention exactly, so existing WHP
log-gathering code (whp-traffic-aggregator.php, process-log-review.php)
works for migrated sites without any panel-side changes. Customer-facing
paths are stable across migrations — "where do I find my access log?"
gets the same answer regardless of image family.

Server-level OLS logs (/usr/local/lsws/logs/) are unchanged — those are
internal diagnostics, not customer-relevant.

PHP error_log is set via a runtime-rendered tiny ini in lsphp's scan dir
(can't be in the static lsphp-overrides.ini because the path is
per-customer).

Customers on the four whp01 migrations (alphaone, peptides, shadowdao,
brain-jar) need a container recreate after CI publishes the new tags.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
---
 configs/litespeed/site-template.tpl |  9 ++++++--
 scripts/entrypoint-litespeed.sh     | 36 +++++++++++++++++++++++++----
 2 files changed, 39 insertions(+), 6 deletions(-)

diff --git a/configs/litespeed/site-template.tpl b/configs/litespeed/site-template.tpl
index 973a3b9..ad4a429 100644
--- a/configs/litespeed/site-template.tpl
+++ b/configs/litespeed/site-template.tpl
@@ -19,7 +19,12 @@ configFile                $SERVER_ROOT/conf/vhosts/$VH_NAME/vhconf.conf
 virtualHostConfig  {
   docRoot                 $VH_ROOT
 
-  errorlog /home/${user}/logs/litespeed/error.log {
+  ## Drop-in log paths matching cac:phpNN (Apache+FPM bundled) so existing
+  ## WHP log-gathering code (whp-traffic-aggregator.php, process-log-review.php,
+  ## customer-facing log views) keeps working unchanged for migrated sites.
+  ## Customer's "Apache access log" is just OLS's access log under the same
+  ## filename. No `.log` suffix — matches the bundled cac convention.
+  errorlog /home/${user}/logs/apache/error_log {
     useServer             0
     logLevel              WARN
     rollingSize           10M
@@ -27,7 +32,7 @@ virtualHostConfig  {
     compressArchive       1
   }
 
-  accesslog /home/${user}/logs/litespeed/access.log {
+  accesslog /home/${user}/logs/apache/access_log {
     useServer             0
     rollingSize           10M
     keepDays              7
diff --git a/scripts/entrypoint-litespeed.sh b/scripts/entrypoint-litespeed.sh
index e5e86b6..192ae3d 100644
--- a/scripts/entrypoint-litespeed.sh
+++ b/scripts/entrypoint-litespeed.sh
@@ -33,7 +33,12 @@ if ! id -u "$user" >/dev/null 2>&1; then
 fi
 
 mkdir -p "/home/$user/public_html"
-mkdir -p "/home/$user/logs/litespeed"
+## Log dirs mirror cac:phpNN exactly — apache/ for web server access+error,
+## php-fpm/ for PHP errors. OLS isn't Apache and lsphp isn't php-fpm, but
+## the customer-facing paths stay identical so log-gathering, analytics,
+## and the customer's "where do I find my access log?" mental model all
+## just work without per-image-family special cases.
+mkdir -p "/home/$user/logs/apache" "/home/$user/logs/php-fpm"
 mkdir -p "/home/$user/lscache"
 
 mkdir -p /tmp/lshttpd/swap
@@ -56,6 +61,21 @@ fi
 ## ---- render httpd_config + vhconf from templates ----
 /scripts/create-vhost-litespeed.sh
 
+## ---- point PHP error_log at the same customer-visible path that
+## cac:phpNN uses for php-fpm errors. Drop-in compat: customer code that
+## was tailing /home/$user/logs/php-fpm/error.log on the old image will
+## see lsphp's PHP errors in the exact same file on the new image.
+## Rendered as a tiny ini in lsphp's scan dir; PHP merges it after the
+## production-tuning overrides at startup.
+SCAN_DIR=$(/usr/local/lsws/lsphp${PHPVER}/bin/lsphp -i 2>/dev/null | awk -F'=> ' '/^Scan this dir/ {print $2; exit}')
+if [ -n "$SCAN_DIR" ]; then
+  cat > "$SCAN_DIR/99-user-error-log.ini" <<EOF
+; rendered at container start by entrypoint-litespeed.sh
+error_log = /home/${user}/logs/php-fpm/error.log
+log_errors = On
+EOF
+fi
+
 ## ---- ownership: OLS master/workers run as nobody; lsphp suexecs to the
 ## customer per request (setUIDMode 2 in httpd_config.tpl). So the customer
 ## owns everything under /home/$user — clean ownership model, no nobody
@@ -63,6 +83,9 @@ fi
 chown -R nobody:nogroup /usr/local/lsws/logs /usr/local/lsws/conf/cert /tmp/lshttpd 2>/dev/null || true
 chown -R "$user:$user" "/home/$user"
 chmod 755 "/home/$user"
+## logs/apache and logs/php-fpm are written by OLS (running as the customer
+## via setUIDMode 2) so they need to be customer-owned, not nobody. The
+## chown -R above already covers them since they're under /home/$user.
 
 ## ---- drop healthz so docker HEALTHCHECK passes before customer files
 ## Always rewrite as customer; suexec lsphp will read it as that uid too.
@@ -131,10 +154,15 @@ OLS_PID=$!
 
 ## Stream OLS + customer logs to PID-1 stdout so `docker logs` works.
 touch /usr/local/lsws/logs/error.log /usr/local/lsws/logs/access.log
-touch "/home/$user/logs/litespeed/error.log" "/home/$user/logs/litespeed/access.log"
+touch "/home/$user/logs/apache/error_log" "/home/$user/logs/apache/access_log"
+touch "/home/$user/logs/php-fpm/error.log"
+chown "$user:$user" "/home/$user/logs/apache/error_log" \
+                    "/home/$user/logs/apache/access_log" \
+                    "/home/$user/logs/php-fpm/error.log"
 tail -F /usr/local/lsws/logs/error.log \
         /usr/local/lsws/logs/access.log \
-        "/home/$user/logs/litespeed/error.log" \
-        "/home/$user/logs/litespeed/access.log" 2>/dev/null &
+        "/home/$user/logs/apache/error_log" \
+        "/home/$user/logs/apache/access_log" \
+        "/home/$user/logs/php-fpm/error.log" 2>/dev/null &
 
 wait "$OLS_PID"