Commit Graph

2 Commits

Author SHA1 Message Date
8dbfdf599a fix(shared-ols): useIpInProxyHeader 2->1 so real client IP reaches lsphp
All checks were successful
Cloud Apache Container / Build-and-Push (74) (push) Successful in 1m26s
Cloud Apache Container / Build-and-Push (80) (push) Successful in 1m24s
Cloud Apache Container / Build-and-Push (81) (push) Successful in 1m20s
Cloud Apache Container / Build-and-Push (82) (push) Successful in 1m22s
Cloud Apache Container / Build-and-Push (83) (push) Successful in 1m21s
Cloud Apache Container / Build-and-Push (84) (push) Successful in 1m20s
Cloud Apache Container / Build-and-Push (85) (push) Successful in 1m19s
Cloud Apache Container / Build-FPM-Images (74) (push) Successful in 1m17s
Cloud Apache Container / Build-FPM-Images (80) (push) Successful in 1m20s
Cloud Apache Container / Build-FPM-Images (81) (push) Successful in 1m18s
Cloud Apache Container / Build-FPM-Images (82) (push) Successful in 1m16s
Cloud Apache Container / Build-FPM-Images (83) (push) Successful in 1m17s
Cloud Apache Container / Build-FPM-Images (84) (push) Successful in 1m22s
Cloud Apache Container / Build-FPM-Images (85) (push) Successful in 1m19s
Cloud Apache Container / Build-LiteSpeed-Images (81) (push) Successful in 56s
Cloud Apache Container / Build-LiteSpeed-Images (82) (push) Successful in 34s
Cloud Apache Container / Build-LiteSpeed-Images (83) (push) Successful in 29s
Cloud Apache Container / Build-LiteSpeed-Images (84) (push) Successful in 29s
Cloud Apache Container / Build-LiteSpeed-Images (85) (push) Successful in 30s
Cloud Apache Container / Build-LSPHP-Images (81) (push) Successful in 27s
Cloud Apache Container / Build-LSPHP-Images (82) (push) Successful in 25s
Cloud Apache Container / Build-LSPHP-Images (83) (push) Successful in 26s
Cloud Apache Container / Build-LSPHP-Images (84) (push) Successful in 26s
Cloud Apache Container / Build-LSPHP-Images (85) (push) Successful in 28s
Cloud Apache Container / Build-Shared-httpd (push) Successful in 26s
Cloud Apache Container / Build-Shared-OLS (push) Successful in 25s
Mode 2 ("trusted IP only") extracts the real client IP from X-Forwarded-For
ONLY when the connecting peer is in a TRUSTED access-control list — which this
tier never configured (accessControl is `allow ALL`, no trusted designation).
So OLS kept HAProxy's container IP (172.18.0.34) as REMOTE_ADDR for EVERY
request across ALL tenants. WP security plugins (Wordfence etc.) then saw all
traffic as one IP; blocking it locked every site — and the admin — out.

HAProxy already sends X-Forwarded-For and is the ONLY peer that connects to
this tier (client-net, no host-published ports), and it OVERWRITES XFF with
%[src] (set-header), so spoofing is impossible. Mode 1 (always trust XFF) is
correct and safe here — it matches the working standalone configs/litespeed
config which has always used 1.

Verified on whp01: lsphp now receives the forwarded client IP end-to-end
(REMOTE_ADDR=<real-ip>, was 172.18.0.34). Live-hotpatched whp01+whp02 pending
this image rebuild.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-06-11 07:58:07 -07:00
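As an added illustration of the failure mode this commit describes (not code from the project, from OpenLiteSpeed or from HAProxy): a POSIX shell model of the three useIpInProxyHeader modes as the message characterizes them (0 never use XFF, 1 always use it, 2 use it only when the TCP peer is on the trusted list), plus the difference between a proxy that overwrites X-Forwarded-For with %[src] and one that appends to a client-supplied value. The mode semantics and the trusted-list check follow the commit text, not OLS source; 203.0.113.7 and 198.51.100.9 are constructed addresses.

```sh
#!/bin/sh
# Added example: models the OLS useIpInProxyHeader decision as described in the commit
# (assumption: simplified, not OLS code) and what a reverse proxy forwards as XFF.
set -eu

# Leftmost entry of an X-Forwarded-For value, whitespace removed.
xff_first() { printf '%s' "$1" | cut -d, -f1 | tr -d ' '; }

# Is the TCP peer in the space-separated trusted list? Empty list trusts nobody.
is_trusted() {
  peer="$1"; shift
  for t in $1; do [ "$t" = "$peer" ] && return 0; done
  return 1
}

# REMOTE_ADDR the webserver would hand to PHP.
#   $1 mode (0|1|2)  $2 TCP peer  $3 X-Forwarded-For as received  $4 trusted list (optional)
resolve_client_ip() {
  mode="$1"; peer="$2"; xff="${3:-}"; trusted="${4:-}"
  first="$(xff_first "$xff")"
  case "$mode" in
    0) printf '%s\n' "$peer" ;;
    1) if [ -n "$first" ]; then printf '%s\n' "$first"; else printf '%s\n' "$peer"; fi ;;
    2) if [ -n "$first" ] && is_trusted "$peer" "$trusted"; then printf '%s\n' "$first"
       else printf '%s\n' "$peer"; fi ;;
    *) echo "bad mode $mode" >&2; return 2 ;;
  esac
}

# What the proxy sends downstream as X-Forwarded-For.
#   set = "http-request set-header X-Forwarded-For %[src]": the client value is replaced
#   add = append style ("option forwardfor"): a client-supplied value stays in front
proxy_xff() {
  action="$1"; src="$2"; client_supplied="${3:-}"
  case "$action" in
    set) printf '%s\n' "$src" ;;
    add) if [ -n "$client_supplied" ]; then printf '%s, %s\n' "$client_supplied" "$src"
         else printf '%s\n' "$src"; fi ;;
    *) echo "bad action $action" >&2; return 2 ;;
  esac
}

# The incident: HAProxy at 172.18.0.34 (constructed, as in the commit) fronts a client at 203.0.113.7.
demo() {
  printf 'mode 2, no trusted list: %s\n' "$(resolve_client_ip 2 172.18.0.34 "$(proxy_xff set 203.0.113.7)")"
  printf 'mode 1, set-header:      %s\n' "$(resolve_client_ip 1 172.18.0.34 "$(proxy_xff set 203.0.113.7 198.51.100.9)")"
  printf 'mode 1, append + spoof:  %s\n' "$(resolve_client_ip 1 172.18.0.34 "$(proxy_xff add 203.0.113.7 198.51.100.9)")"
}
if [ "${1:-}" = demo ]; then demo; fi
```

Run it as `sh model.sh demo`. The third line is the caveat the commit's reasoning rests on: mode 1 is only safe because HAProxy is the sole peer and overwrites the header; if the proxy appended instead, or if the tier ever gained a host-published port, a client could choose its own REMOTE_ADDR.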
19db8f170a feat(shared-ols): shared OpenLiteSpeed tier image (webserver-only, fronts cac-lsphp sidecars)
One OLS container fronting many tenants' detached cac-lsphp sidecars — the
OLS analogue of shared-httpd. Runs NO PHP locally; every site's PHP goes to
its own sidecar over LSAPI (extProcessor type lsapi, address <sidecar>:9000).

Key design fact (established by PoC): OLS has NO top-level 'include' directive,
so render-shared-ols-config.sh assembles httpd_config.conf from the panel's
per-site files (vhconf.conf + site.meta) at boot and on every change — the
'include' OLS lacks. Per-site detail uses the OLS-native configFile +
vhost-scoped extprocessor model. LSCache is module-level (a configFile-loaded
vhost rejects a bare cache{} block); the WP LiteSpeed plugin controls
cacheability via X-LiteSpeed-Cache-Control headers.

- Dockerfile.shared-ols: litespeed base + inotify-tools/envsubst/openssl,
  admin bound to loopback, :80/:443 self-signed, healthz HEALTHCHECK.
- entrypoint-shared-ols.sh: cert + health vhost + render + watcher, then
  daemon-mode OLS supervision (reused from cac-litespeed so self-restarts
  don't kill PID 1).
- render-shared-ols-config.sh: strip stock (incl local lsphp) + append base +
  per-site stanzas + listeners with all maps + catch-all health vhost.
- ols-htaccess-watcher.sh: inotify debounce+floor -> lswsctrl restart (spec 5.3).
- configs/shared-ols/{httpd_config_base,vhconf}.tpl.
- CI: Build-Shared-OLS job.

Verified locally end-to-end: zero-site boot healthy on :443; add site via the
panel contract -> Host-routed to the right sidecar (SAPI=litespeed); real
client IP + HTTPS behind X-Forwarded headers; LSCache miss->hit; .htaccess
change triggers graceful restart; unknown Host hits health catch-all (200).

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-06-10 01:22:14 -07:00
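As an added sketch of the assembly the message describes (not the project's render-shared-ols-config.sh or its templates): a POSIX shell renderer that concatenates a base file, one virtualHost stanza per site directory, a catch-all health vhost, and listeners whose maps route every site's Host name to its vhost with health mapped last on `*`. The directory layout, the KEY=VALUE site.meta format with DOMAIN and SIDECAR keys, the TLS paths, and the per-site vhconf it renders when the panel has not written one are assumptions; the sites in build_fixture are constructed.

```sh
#!/bin/sh
# Added example, not the project's render-shared-ols-config.sh. Builds one OLS httpd_config.conf
# from a base file plus a virtualHost stanza per site, since OLS has no top-level include.
# Assumed layout: $SITES/<name>/site.meta (KEY=VALUE: DOMAIN, SIDECAR) and
# $SITES/<name>/vhconf.conf (rendered from the meta here only if absent).
set -eu
nl='
'

meta() { sed -n "s/^$2=//p" "$1/site.meta" | head -n 1; }   # one key from site.meta

# Per-site vhconf.conf: vhost-scoped lsapi extprocessor pointing at the tenant's own sidecar.
render_vhconf() {
  cat <<EOF
docRoot                   \$VH_ROOT/public
extprocessor lsphp {
  type                    lsapi
  address                 $1:9000
  maxConns                20
  initTimeout             60
  retryTimeout            0
  respBuffer              0
}
scripthandler {
  add                     lsapi:lsphp php
}
EOF
}

# virtualHost stanza in httpd_config.conf; all per-site detail stays in its configFile.
render_vhost() {
  printf 'virtualHost %s {\n  vhRoot          %s\n  configFile      %s/vhconf.conf\n  allowSymbolLink 1\n  enableScript    1\n  restrained      1\n}\n\n' "$1" "$2" "$2"
}

# Whole config: base, every valid site, catch-all health vhost, listeners carrying all maps.
render_config() {
  base="$1"; sites="$2"; maps=""
  cat "$base"
  for dir in "$sites"/*/; do
    dir="${dir%/}"; name="$(basename "$dir")"
    [ -f "$dir/site.meta" ] || continue
    domain="$(meta "$dir" DOMAIN)"; sidecar="$(meta "$dir" SIDECAR)"
    if [ -z "$domain" ] || [ -z "$sidecar" ]; then
      echo "render: skipping $name, site.meta lacks DOMAIN or SIDECAR" >&2
      continue
    fi
    [ -f "$dir/vhconf.conf" ] || render_vhconf "$sidecar" > "$dir/vhconf.conf"
    render_vhost "$name" "$dir"
    maps="${maps}  map $name $domain${nl}"
  done
  printf 'virtualHost health {\n  vhRoot          /var/www/health\n  configFile      /var/www/health/vhconf.conf\n}\n\n'
  # health is mapped last with '*' so an unknown Host never lands on a tenant's vhost
  printf 'listener HTTP {\n  address *:80\n  secure  0\n%s  map health *\n}\n\n' "$maps"
  printf 'listener HTTPS {\n  address  *:443\n  secure   1\n  keyFile  /etc/ols/tls/key.pem\n  certFile /etc/ols/tls/cert.pem\n%s  map health *\n}\n' "$maps"
}

# Constructed fixture: two valid sites and one whose site.meta lacks SIDECAR; prints the root.
build_fixture() {
  root="$(mktemp -d)"
  printf 'serverName shared-ols\nuser  nobody\ngroup nogroup\n\n' > "$root/base.conf"
  mkdir -p "$root/sites/alpha" "$root/sites/beta" "$root/sites/broken"
  printf 'DOMAIN=alpha.example.test\nSIDECAR=cac-lsphp-alpha\n' > "$root/sites/alpha/site.meta"
  printf 'DOMAIN=beta.example.test\nSIDECAR=cac-lsphp-beta\n'   > "$root/sites/beta/site.meta"
  printf 'DOMAIN=broken.example.test\n'                          > "$root/sites/broken/site.meta"
  printf '%s\n' "$root"
}

if [ "${1:-}" = demo ]; then
  root="$(build_fixture)"
  render_config "$root/base.conf" "$root/sites"
fi
```

Run it as `sh render.sh demo` to see the assembled file. Because the listener maps are regenerated from the same loop that emits the vhosts, a site that is skipped for a bad site.meta also gets no map line, so its Host name falls through to the health catch-all instead of to another tenant.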