## shared-ols — the shared OpenLiteSpeed webserver tier.
##
## One OLS container fronting MANY tenants' detached cac-lsphp sidecars — the
## OLS analogue of the shared-httpd container. Runs NO PHP locally: every site's
## PHP goes to its own cac-lsphp:phpNN sidecar over LSAPI (extProcessor type
## lsapi, address :9000). HAProxy stays the TLS/WAF/SNI edge and routes
## OLS-type hostnames here on :443.
##
## Built on the SAME litespeedtech prebuilt base as cac-litespeed / cac-lsphp so
## the OLS build + plumbing (lscgid, cgid socket — see feedback_ols_packaging_landmines)
## are the proven ones. The base is lsphp-tagged but we never run that lsphp;
## the tag just selects the OLS build. Pinned to lsphp83 / OLS 1.8.4.
##
## Config model (established by PoC 2026-06-10): OLS has NO top-level `include`,
## so render-shared-ols-config.sh assembles httpd_config.conf from the panel's
## per-site files at boot + on every change. See that script + the plan.
ARG OLS_VERSION=1.8.4
ARG PHPVER=83
FROM litespeedtech/openlitespeed:${OLS_VERSION}-lsphp${PHPVER}

## Tooling the shared tier needs on top of the base:
##   - inotify-tools: the .htaccess watcher (spec 5.3)
##   - gettext-base: envsubst for render-shared-ols-config.sh
##   - openssl: self-signed cert for the :443 listener (HAProxy verifies none)
##   - curl/ca-certificates: HEALTHCHECK
RUN apt-get update && \
    DEBIAN_FRONTEND=noninteractive apt-get install -y --no-install-recommends \
        inotify-tools gettext-base openssl ca-certificates curl && \
    apt-get clean && \
    rm -rf /var/lib/apt/lists/* /var/cache/apt/archives/*

## Snapshot the stock httpd_config.conf so render-shared-ols-config.sh always has
## a pristine base to strip-and-rebuild from (the base image keeps it at conf/).
RUN mkdir -p /usr/local/lsws/.conf && \
    cp /usr/local/lsws/conf/httpd_config.conf /usr/local/lsws/.conf/httpd_config.conf

COPY ./scripts/entrypoint-shared-ols.sh \
     ./scripts/render-shared-ols-config.sh \
     ./scripts/ols-htaccess-watcher.sh \
     /scripts/
RUN chmod +x /scripts/entrypoint-shared-ols.sh /scripts/render-shared-ols-config.sh /scripts/ols-htaccess-watcher.sh

COPY ./configs/shared-ols/ /etc/shared-ols-templates/

## Admin console unreachable from tenant/edge networks (spec 5.2): bind the
## WebAdmin listener to loopback. Same sed as Dockerfile.litespeed.
## Best-effort: `2>/dev/null || true` means a missing admin_config.conf does not
## fail the build, and a non-matching pattern leaves the file unchanged.
RUN sed -i 's|^[[:space:]]*address[[:space:]]\+\*:| address 127.0.0.1:|' \
    /usr/local/lsws/admin/conf/admin_config.conf 2>/dev/null || true

EXPOSE 80 443

## Health: the entrypoint renders a catch-all _health vhost serving /healthz, so
## this passes from boot (zero customer sites) onward. Self-signed :443.
HEALTHCHECK --interval=30s --timeout=5s --start-period=20s --retries=3 \
    CMD curl -fsSk https://127.0.0.1/healthz || exit 1

ENTRYPOINT ["/scripts/entrypoint-shared-ols.sh"]