jknapp
87f154cdc8
All checks were successful
Cloud Apache Container / Build-and-Push (74) (push) Successful in 1m19s
Cloud Apache Container / Build-and-Push (80) (push) Successful in 2m35s
Cloud Apache Container / Build-and-Push (81) (push) Successful in 1m16s
Cloud Apache Container / Build-and-Push (82) (push) Successful in 1m29s
Cloud Apache Container / Build-and-Push (83) (push) Successful in 2m2s
Cloud Apache Container / Build-and-Push (84) (push) Successful in 2m15s
Cloud Apache Container / Build-and-Push (85) (push) Successful in 2m22s
Cloud Apache Container / Build-FPM-Images (74) (push) Successful in 2m30s
Cloud Apache Container / Build-FPM-Images (80) (push) Successful in 1m14s
Cloud Apache Container / Build-FPM-Images (81) (push) Successful in 2m6s
Cloud Apache Container / Build-FPM-Images (82) (push) Successful in 2m20s
Cloud Apache Container / Build-FPM-Images (83) (push) Successful in 3m20s
Cloud Apache Container / Build-FPM-Images (84) (push) Successful in 2m19s
Cloud Apache Container / Build-FPM-Images (85) (push) Successful in 2m41s
Cloud Apache Container / Build-LiteSpeed-Images (81) (push) Successful in 43s
Cloud Apache Container / Build-LiteSpeed-Images (82) (push) Successful in 1m16s
Cloud Apache Container / Build-LiteSpeed-Images (83) (push) Successful in 29s
Cloud Apache Container / Build-LiteSpeed-Images (84) (push) Successful in 56s
Cloud Apache Container / Build-LiteSpeed-Images (85) (push) Successful in 2m2s
Cloud Apache Container / Build-Shared-httpd (push) Successful in 51s
OLS runs as the customer user end-to-end (server-level user/group set by create-vhost-litespeed.sh), so lsphp inherits that uid without per-request suEXEC. Eliminates the per-httpd-worker lsphp instance fan-out — one shared lsphp parent now serves all httpd workers via the shared socket. Combined with opcache.memory_consumption 128→32M, brain-jar measured shmem dropped from ~880 MiB → 32 MiB and memory.current from ~1.1 GiB → 67 MiB at the 1.5 GiB cap. No new oom_kills since the change. Safe because cac-litespeed is one-customer-per-container — the container boundary is the privsep boundary. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
98 lines
3.4 KiB
Smarty
98 lines
3.4 KiB
Smarty
## OLS vhTemplate for the per-customer vhost. Mirrors the structure of the
|
|
## upstream docker.conf template but with our paths and LSCache wiring.
|
|
## Templated vars (envsubst): $user
|
|
##
|
|
## $VH_NAME, $VH_ROOT, $DOC_ROOT, $SERVER_ROOT are OLS macros — they MUST
|
|
## stay literal in the output (not in the envsubst allow-list).
|
|
|
|
allowSymbolLink 1
|
|
enableScript 1
|
|
restrained 1
|
|
## No setUIDMode — OLS itself runs as ${user} (set at server level by
|
|
## create-vhost-litespeed.sh), so lsphp inherits that uid without needing
|
|
## suEXEC per request. This is the key to single-lsphp-instance topology:
|
|
## with setUIDMode 2, each httpd worker had to lscgid-spawn its own lsphp
|
|
## (= N opcache shmem segments). Without it, ONE persistent lsphp parent
|
|
## serves all httpd workers via the shared socket, and LSAPI children-mode
|
|
## actually works (1 parent + N children = 1 shmem segment).
|
|
##
|
|
## Safe because cac-litespeed is one-customer-per-container — the container
|
|
## boundary IS the privsep boundary.
|
|
vhRoot /home/${user}/public_html/
|
|
configFile $SERVER_ROOT/conf/vhosts/$VH_NAME/vhconf.conf
|
|
|
|
virtualHostConfig {
|
|
docRoot $VH_ROOT
|
|
|
|
## Drop-in log paths matching cac:phpNN (Apache+FPM bundled) so existing
|
|
## WHP log-gathering code (whp-traffic-aggregator.php, process-log-review.php,
|
|
## customer-facing log views) keeps working unchanged for migrated sites.
|
|
## Customer's "Apache access log" is just OLS's access log under the same
|
|
## filename. No `.log` suffix — matches the bundled cac convention.
|
|
errorlog /home/${user}/logs/apache/error_log {
|
|
useServer 0
|
|
logLevel WARN
|
|
rollingSize 10M
|
|
keepDays 14
|
|
compressArchive 1
|
|
}
|
|
|
|
accesslog /home/${user}/logs/apache/access_log {
|
|
useServer 0
|
|
rollingSize 10M
|
|
keepDays 7
|
|
compressArchive 1
|
|
}
|
|
|
|
index {
|
|
useServer 0
|
|
indexFiles index.php, index.html
|
|
autoIndex 0
|
|
}
|
|
|
|
## LSCache plugin owns Cache-Control / Expires entirely — server-level
|
|
## expires off so we don't double-emit headers.
|
|
expires {
|
|
enableExpires 0
|
|
}
|
|
|
|
accessControl {
|
|
allow *
|
|
}
|
|
|
|
context / {
|
|
location $DOC_ROOT/
|
|
allowBrowse 1
|
|
rewrite {
|
|
enable 1
|
|
inherit 0
|
|
autoLoadHtaccess 1
|
|
RewriteFile .htaccess
|
|
}
|
|
addDefaultCharset off
|
|
}
|
|
|
|
rewrite {
|
|
enable 1
|
|
autoLoadHtaccess 1
|
|
logLevel 0
|
|
## Force HTTPS — OLS 1.8 listener-level rewrites don't apply per-vhost,
|
|
## so the redirect lives here. The RewriteCond guards against an infinite
|
|
## loop (SERVER_PORT=80 means "this request came in on the HTTP listener,
|
|
## not HTTPS"). Per-customer .htaccess rules still apply (autoLoadHtaccess).
|
|
RewriteCond %{SERVER_PORT} 80
|
|
RewriteRule ^(.*)$ https://%{HTTP_HOST}$1 [L,R=301]
|
|
}
|
|
|
|
## Per-vhost LSCache storage. The server-level `module cache` block in
|
|
## stock httpd_config.conf is already enabled (ls_enabled 1); the LSCWP
|
|
## plugin flips cache on/off per request via X-LiteSpeed-Cache-Control.
|
|
module cache {
|
|
storagePath /home/${user}/lscache
|
|
checkPrivateCache 1
|
|
checkPublicCache 1
|
|
enableCache 0
|
|
enablePrivateCache 0
|
|
}
|
|
}
|