## ---- shared-ols append (do not edit below) ----
## Server-level config for the SHARED OpenLiteSpeed tier. Appended to the
## stock httpd_config.conf AFTER render-shared-ols-config.sh strips the stock
## listeners, vhTemplate docker, AND the stock `extProcessor lsphp` +
## `scriptHandler` (so this server NEVER runs PHP locally — every site's PHP
## goes to its own detached cac-lsphp sidecar over LSAPI). Rendered with
## envsubst; only ${LSCACHE_ROOT} is substituted here.

serverName                shared-ols

## Real client IP behind HAProxy. HAProxy sets X-Forwarded-For (the real
## client) and X-Forwarded-Proto. Mode 1 = always use X-Forwarded-For as the
## client IP. HAProxy is the ONLY thing that ever connects to this tier (it's on
## client-net with no host-published ports) and it OVERWRITES X-Forwarded-For
## with %[src] (set-header, not add-header), so a client can't spoof it — mode 1
## is safe here and matches the working standalone litespeed config.
## NOTE: mode 2 ("trusted IP only") does NOT mean "trust the proxy header" — it
## extracts the real IP ONLY when the connecting peer is in a TRUSTED access
## list, which this tier never configured. With mode 2 + no trusted IP, OLS kept
## HAProxy's container IP as REMOTE_ADDR for every request, so WP security
## plugins saw all tenants as one IP and blocking it locked everyone out.
useIpInProxyHeader        1

## LSCache enabled at MODULE scope for the whole tier (dedicated cache volume,
## ephemeral across rebuilds; OLS auto-keys a per-vhost subdir under storagePath).
## enableCache/enablePrivateCache ON here means the cache module is ACTIVE, but a
## response is only cached if it's marked cacheable — the LiteSpeed Cache WP
## plugin sets X-LiteSpeed-Cache-Control headers, and checkPublic/PrivateCache +
## ignoreRespCacheCtrl=0 make OLS honor them. No plugin → nothing cached (safe).
module cache {
  storagePath             ${LSCACHE_ROOT}
  checkPrivateCache       1
  checkPublicCache        1
  maxCacheObjSize         10000000
  maxStaleAge             200
  qsCache                 1
  reqCookieCache          1
  respCookieCache         1
  ignoreReqCacheCtrl      0
  ignoreRespCacheCtrl     0
  enableCache             1
  enablePrivateCache      1
}
## ---- end shared-ols server append ----