jknapp
19db8f170a
One OLS container fronting many tenants' detached cac-lsphp sidecars — the
OLS analogue of shared-httpd. Runs NO PHP locally; every site's PHP goes to
its own sidecar over LSAPI (extProcessor type lsapi, address <sidecar>:9000).
Key design fact (established by PoC): OLS has NO top-level 'include' directive,
so render-shared-ols-config.sh assembles httpd_config.conf from the panel's
per-site files (vhconf.conf + site.meta) at boot and on every change — the
'include' OLS lacks. Per-site detail uses the OLS-native configFile +
vhost-scoped extprocessor model. LSCache is module-level (a configFile-loaded
vhost rejects a bare cache{} block); the WP LiteSpeed plugin controls
cacheability via X-LiteSpeed-Cache-Control headers.
- Dockerfile.shared-ols: litespeed base + inotify-tools/envsubst/openssl,
admin bound to loopback, :80/:443 self-signed, healthz HEALTHCHECK.
- entrypoint-shared-ols.sh: cert + health vhost + render + watcher, then
daemon-mode OLS supervision (reused from cac-litespeed so self-restarts
don't kill PID 1).
- render-shared-ols-config.sh: strip stock (incl local lsphp) + append base +
per-site stanzas + listeners with all maps + catch-all health vhost.
- ols-htaccess-watcher.sh: inotify debounce+floor -> lswsctrl restart (spec 5.3).
- configs/shared-ols/{httpd_config_base,vhconf}.tpl.
- CI: Build-Shared-OLS job.
Verified locally end-to-end: zero-site boot healthy on :443; add site via the
panel contract -> Host-routed to the right sidecar (SAPI=litespeed); real
client IP + HTTPS behind X-Forwarded headers; LSCache miss->hit; .htaccess
change triggers graceful restart; unknown Host hits health catch-all (200).
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
39 lines
1.8 KiB
Smarty
39 lines
1.8 KiB
Smarty
## ---- shared-ols append (do not edit below) ----
|
|
## Server-level config for the SHARED OpenLiteSpeed tier. Appended to the
|
|
## stock httpd_config.conf AFTER render-shared-ols-config.sh strips the stock
|
|
## listeners, vhTemplate docker, AND the stock `extProcessor lsphp` +
|
|
## `scriptHandler` (so this server NEVER runs PHP locally — every site's PHP
|
|
## goes to its own detached cac-lsphp sidecar over LSAPI). Rendered with
|
|
## envsubst; only ${LSCACHE_ROOT} is substituted here.
|
|
|
|
serverName shared-ols
|
|
|
|
## Real client IP behind HAProxy. HAProxy sets X-Forwarded-For (the real
|
|
## client) and X-Forwarded-Proto. Mode 2 = trust the proxy header. HAProxy is
|
|
## the only thing that ever connects to this tier (it's not publicly exposed),
|
|
## so trusting the header from the docker-network peer is safe — same trust
|
|
## model as the shared httpd's RemoteIPInternalProxy.
|
|
useIpInProxyHeader 2
|
|
|
|
## LSCache enabled at MODULE scope for the whole tier (dedicated cache volume,
|
|
## ephemeral across rebuilds; OLS auto-keys a per-vhost subdir under storagePath).
|
|
## enableCache/enablePrivateCache ON here means the cache module is ACTIVE, but a
|
|
## response is only cached if it's marked cacheable — the LiteSpeed Cache WP
|
|
## plugin sets X-LiteSpeed-Cache-Control headers, and checkPublic/PrivateCache +
|
|
## ignoreRespCacheCtrl=0 make OLS honor them. No plugin → nothing cached (safe).
|
|
module cache {
|
|
storagePath ${LSCACHE_ROOT}
|
|
checkPrivateCache 1
|
|
checkPublicCache 1
|
|
maxCacheObjSize 10000000
|
|
maxStaleAge 200
|
|
qsCache 1
|
|
reqCookieCache 1
|
|
respCookieCache 1
|
|
ignoreReqCacheCtrl 0
|
|
ignoreRespCacheCtrl 0
|
|
enableCache 1
|
|
enablePrivateCache 1
|
|
}
|
|
## ---- end shared-ols server append ----
|