## OLS vhTemplate for the per-customer vhost. Mirrors the structure of the
## upstream docker.conf template but with our paths and LSCache wiring.
## Templated vars (envsubst): $user
##
## $VH_NAME, $VH_ROOT, $DOC_ROOT, $SERVER_ROOT are OLS macros — they MUST
## stay literal in the output (not in the envsubst allow-list).

allowSymbolLink           1
enableScript              1
restrained                1
## setUIDMode 2 = DocRoot UID — lsphp suexec's to the OWNER of vhRoot.
## We chown /home/${user} to ${user}:${user} in the entrypoint, so PHP
## runs as the customer per request. Container is still the privsep
## boundary; this is the clean "scripts run as user" model.
setUIDMode                2
vhRoot                    /home/${user}/public_html/
configFile                $SERVER_ROOT/conf/vhosts/$VH_NAME/vhconf.conf

virtualHostConfig  {
  docRoot                 $VH_ROOT

  errorlog /home/${user}/logs/litespeed/error.log {
    useServer             0
    logLevel              WARN
    rollingSize           10M
    keepDays              14
    compressArchive       1
  }

  accesslog /home/${user}/logs/litespeed/access.log {
    useServer             0
    rollingSize           10M
    keepDays              7
    compressArchive       1
  }

  index  {
    useServer             0
    indexFiles            index.php, index.html
    autoIndex             0
  }

  ## LSCache plugin owns Cache-Control / Expires entirely — server-level
  ## expires off so we don't double-emit headers.
  expires  {
    enableExpires         0
  }

  accessControl  {
    allow                 *
  }

  context / {
    location              $DOC_ROOT/
    allowBrowse           1
    rewrite  {
      enable              1
      inherit             0
      autoLoadHtaccess    1
      RewriteFile         .htaccess
    }
    addDefaultCharset     off
  }

  rewrite  {
    enable                1
    autoLoadHtaccess      1
    logLevel              0
    ## Force HTTPS — OLS 1.8 listener-level rewrites don't apply per-vhost,
    ## so the redirect lives here. The RewriteCond guards against an infinite
    ## loop (SERVER_PORT=80 means "this request came in on the HTTP listener,
    ## not HTTPS"). Per-customer .htaccess rules still apply (autoLoadHtaccess).
    RewriteCond %{SERVER_PORT} 80
    RewriteRule ^(.*)$ https://%{HTTP_HOST}$1 [L,R=301]
  }

  ## Per-vhost LSCache storage. The server-level `module cache` block in
  ## stock httpd_config.conf is already enabled (ls_enabled 1); the LSCWP
  ## plugin flips cache on/off per request via X-LiteSpeed-Cache-Control.
  module cache {
    storagePath           /home/${user}/lscache
    checkPrivateCache     1
    checkPublicCache      1
    enableCache           0
    enablePrivateCache    0
  }
}