2837d40f00620c35b1914d53831605119a8bafa8
3 Commits
| Author | SHA1 | Message | Date | |
|---|---|---|---|---|
| 2837d40f00 |
cac-litespeed: forward real client IP to logs and PHP behind HAProxy
OLS had no equivalent of the Apache cac:phpNN mod_remoteip wiring (configs/remote_ip.conf + RemoteIPInternalProxy), so every migrated LiteSpeed site logged HAProxy's docker-bridge IP and handed that same internal IP to lsphp as $_SERVER['REMOTE_ADDR']. That silently broke traffic analytics, WP security plugins, brute-force detection, Coraza source-IP correlation, geo, and rate-limiting.
Add server-level `useIpInProxyHeader 1` to the httpd_config append fragment. OLS then rewrites the remote IP from X-Forwarded-For for both logging and the LSAPI REMOTE_ADDR before PHP sees it. Value 1 mirrors the Apache trust model (container is only reachable via HAProxy, never bound publicly).
Confirmed HAProxy customer backends are mode http with `option forwardfor` and set X-Forwarded-For to the resolved real client IP.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
|
|||
| 03cca745f7 |
feat(litespeed): wire up dynamic LSAPI tuning + idle reduction
Two correctness fixes and a tuning improvement.
CORRECTNESS:
1. Strip the stock 'extProcessor lsphp' from httpd_config.conf before
appending ours. Previously the stock block (hard-coded
PHP_LSAPI_CHILDREN=10 regardless of container memory) always won
because our APPEND fragment didn't include an extProcessor block.
detect-memory-litespeed.sh was computing LSAPI_CHILDREN but never
plumbing it anywhere — silent dead code.
2. Bump LSPHP_WORKER_ESTIMATE_MB from 96 → 115 per the 2026-06-02
memory-sizing finding (vantagehealth OOM-spawn loop). Each lsphp
carries ~115 MB shmem-rss accounted per worker. 115 MB matches the
real per-worker baseline.
TUNING (idle reduction, the original ask):
- LSAPI_MAX_IDLE_CHILDREN=2 (was CHILDREN/2 = 5 default)
- LSAPI_MAX_IDLE=60s (was 300s default)
- PHP_LSAPI_MAX_REQUESTS=500 (recycle workers, prevents bloat)
- memSoftLimit=1024M / memHardLimit=1500M per worker (RLIMIT_AS;
catches runaway scripts at the worker level, cgroup still backstops
the container)
Effective LSAPI_CHILDREN per container:
2 GiB → ~17 (was 10 — brain-jar was saturating)
1 GiB → ~8
512 MiB → ~3 (cap-marginal per the memory note; bump container if
site grows)
Dropped LSAPI_MEM_SOFT/HARD computation in detect-memory: AVAILABLE/CHILDREN
was conflating VSZ with RSS-budget arithmetic and would have killed
legitimate workers. The 1024/1500 hard-coded values in the template
comfortably fit typical Divi/WooCommerce VSZ (280-365 MB).
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
|
|||
| 55c28a0c11 |
Add cac-litespeed image family (OpenLiteSpeed, native LSAPI)
New paid-tier per-customer image built on litespeedtech/openlitespeed:1.8.4-lsphpNN.
Matrix: 8.1-8.5. Native LSAPI suexec to customer uid, server-level LSCache,
all WP/WooCommerce extensions (memcached, redis, imagick, mbstring, etc.) baked in.
Files:
- Dockerfile.litespeed (FROM prebuilt LiteSpeed base, layers wp-cli/composer/mariadb)
- configs/litespeed/{httpd_config,site-template,lsphp-overrides}.tpl
- scripts/{entrypoint,create-vhost,detect-memory}-litespeed.sh + install-lscache-wp.sh
CI: new Build-LiteSpeed-Images matrix job. OLS_VERSION pinned to 1.8.4 (only
release with prebuilt images for all 5 PHP versions on Docker Hub).
Spec: whp/docs/superpowers/specs/2026-06-01-cac-litespeed-design.md
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
|
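
Added example, not code from this repository or from OpenLiteSpeed: a Python model of the trust decision behind commit 2837d40f00, showing why honouring X-Forwarded-For from any peer is only sound while the container is reachable solely through HAProxy. The `TRUSTED_PROXIES` subnet, the function names and the sample addresses are constructed, and the right-to-left walk is the general technique, not a statement of how OLS parses the header.

```python
import ipaddress

# Constructed value: Docker's default bridge subnet as the only trusted hop.
TRUSTED_PROXIES = [ipaddress.ip_network("172.17.0.0/16")]


def _is_trusted(ip):
    """True when ip belongs to a proxy we operate ourselves."""
    return any(ip in net for net in TRUSTED_PROXIES)


def client_ip(peer, xff, trust_any_peer=False):
    """Return the address to log and to expose as REMOTE_ADDR.

    peer: socket peer address; xff: raw X-Forwarded-For value or None.
    trust_any_peer=True models honouring the header whoever connected,
    which is safe only if nothing but the proxy can reach the listener.
    """
    peer_ip = ipaddress.ip_address(peer)
    if not xff or not (trust_any_peer or _is_trusted(peer_ip)):
        return str(peer_ip)  # no header, or sender is not our proxy
    hops = [h.strip() for h in xff.split(",") if h.strip()]
    # Walk right to left: the rightmost entry was appended by the nearest
    # proxy; entries further left arrived from the client and are unverified.
    for hop in reversed(hops):
        try:
            ip = ipaddress.ip_address(hop)
        except ValueError:
            return str(peer_ip)  # malformed entry: fall back to the peer
        if not _is_trusted(ip):
            return str(ip)
    return str(peer_ip)  # every listed hop was one of our proxies


if __name__ == "__main__":
    # Normal path: HAProxy on the bridge forwards the real client address.
    print(client_ip("172.17.0.2", "203.0.113.9"))
    # Client-supplied left entry is ignored; the proxy-appended one wins.
    print(client_ip("172.17.0.2", "198.51.100.7, 203.0.113.9"))
    # Direct connection with a forged header: ignored unless any peer is trusted.
    print(client_ip("198.51.100.50", "10.0.0.1"))
    print(client_ip("198.51.100.50", "10.0.0.1", trust_any_peer=True))
```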