jknapp
8dbfdf599a
All checks were successful
Cloud Apache Container / Build-and-Push (74) (push) Successful in 1m26s
Cloud Apache Container / Build-and-Push (80) (push) Successful in 1m24s
Cloud Apache Container / Build-and-Push (81) (push) Successful in 1m20s
Cloud Apache Container / Build-and-Push (82) (push) Successful in 1m22s
Cloud Apache Container / Build-and-Push (83) (push) Successful in 1m21s
Cloud Apache Container / Build-and-Push (84) (push) Successful in 1m20s
Cloud Apache Container / Build-and-Push (85) (push) Successful in 1m19s
Cloud Apache Container / Build-FPM-Images (74) (push) Successful in 1m17s
Cloud Apache Container / Build-FPM-Images (80) (push) Successful in 1m20s
Cloud Apache Container / Build-FPM-Images (81) (push) Successful in 1m18s
Cloud Apache Container / Build-FPM-Images (82) (push) Successful in 1m16s
Cloud Apache Container / Build-FPM-Images (83) (push) Successful in 1m17s
Cloud Apache Container / Build-FPM-Images (84) (push) Successful in 1m22s
Cloud Apache Container / Build-FPM-Images (85) (push) Successful in 1m19s
Cloud Apache Container / Build-LiteSpeed-Images (81) (push) Successful in 56s
Cloud Apache Container / Build-LiteSpeed-Images (82) (push) Successful in 34s
Cloud Apache Container / Build-LiteSpeed-Images (83) (push) Successful in 29s
Cloud Apache Container / Build-LiteSpeed-Images (84) (push) Successful in 29s
Cloud Apache Container / Build-LiteSpeed-Images (85) (push) Successful in 30s
Cloud Apache Container / Build-LSPHP-Images (81) (push) Successful in 27s
Cloud Apache Container / Build-LSPHP-Images (82) (push) Successful in 25s
Cloud Apache Container / Build-LSPHP-Images (83) (push) Successful in 26s
Cloud Apache Container / Build-LSPHP-Images (84) (push) Successful in 26s
Cloud Apache Container / Build-LSPHP-Images (85) (push) Successful in 28s
Cloud Apache Container / Build-Shared-httpd (push) Successful in 26s
Cloud Apache Container / Build-Shared-OLS (push) Successful in 25s
Mode 2 ("trusted IP only") extracts the real client IP from X-Forwarded-For
ONLY when the connecting peer is in a TRUSTED access-control list — which this
tier never configured (accessControl is `allow ALL`, no trusted designation).
So OLS kept HAProxy's container IP (172.18.0.34) as REMOTE_ADDR for EVERY
request across ALL tenants. WP security plugins (Wordfence etc.) then saw all
traffic as one IP; blocking it locked every site — and the admin — out.
HAProxy already sends X-Forwarded-For and is the ONLY peer that connects to
this tier (client-net, no host-published ports), and it OVERWRITES XFF with
%[src] (set-header), so spoofing is impossible. Mode 1 (always trust XFF) is
correct and safe here — it matches the working standalone configs/litespeed
config which has always used 1.
Verified on whp01: lsphp now receives the forwarded client IP end-to-end
(REMOTE_ADDR=<real-ip>, was 172.18.0.34). Live-hotpatched whp01+whp02 pending
this image rebuild.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
45 lines
2.2 KiB
Smarty
45 lines
2.2 KiB
Smarty
## ---- shared-ols append (do not edit below) ----
|
|
## Server-level config for the SHARED OpenLiteSpeed tier. Appended to the
|
|
## stock httpd_config.conf AFTER render-shared-ols-config.sh strips the stock
|
|
## listeners, vhTemplate docker, AND the stock `extProcessor lsphp` +
|
|
## `scriptHandler` (so this server NEVER runs PHP locally — every site's PHP
|
|
## goes to its own detached cac-lsphp sidecar over LSAPI). Rendered with
|
|
## envsubst; only ${LSCACHE_ROOT} is substituted here.
|
|
|
|
serverName shared-ols
|
|
|
|
## Real client IP behind HAProxy. HAProxy sets X-Forwarded-For (the real
|
|
## client) and X-Forwarded-Proto. Mode 1 = always use X-Forwarded-For as the
|
|
## client IP. HAProxy is the ONLY thing that ever connects to this tier (it's on
|
|
## client-net with no host-published ports) and it OVERWRITES X-Forwarded-For
|
|
## with %[src] (set-header, not add-header), so a client can't spoof it — mode 1
|
|
## is safe here and matches the working standalone litespeed config.
|
|
## NOTE: mode 2 ("trusted IP only") does NOT mean "trust the proxy header" — it
|
|
## extracts the real IP ONLY when the connecting peer is in a TRUSTED access
|
|
## list, which this tier never configured. With mode 2 + no trusted IP, OLS kept
|
|
## HAProxy's container IP as REMOTE_ADDR for every request, so WP security
|
|
## plugins saw all tenants as one IP and blocking it locked everyone out.
|
|
useIpInProxyHeader 1
|
|
|
|
## LSCache enabled at MODULE scope for the whole tier (dedicated cache volume,
|
|
## ephemeral across rebuilds; OLS auto-keys a per-vhost subdir under storagePath).
|
|
## enableCache/enablePrivateCache ON here means the cache module is ACTIVE, but a
|
|
## response is only cached if it's marked cacheable — the LiteSpeed Cache WP
|
|
## plugin sets X-LiteSpeed-Cache-Control headers, and checkPublic/PrivateCache +
|
|
## ignoreRespCacheCtrl=0 make OLS honor them. No plugin → nothing cached (safe).
|
|
module cache {
|
|
storagePath ${LSCACHE_ROOT}
|
|
checkPrivateCache 1
|
|
checkPublicCache 1
|
|
maxCacheObjSize 10000000
|
|
maxStaleAge 200
|
|
qsCache 1
|
|
reqCookieCache 1
|
|
respCookieCache 1
|
|
ignoreReqCacheCtrl 0
|
|
ignoreRespCacheCtrl 0
|
|
enableCache 1
|
|
enablePrivateCache 1
|
|
}
|
|
## ---- end shared-ols server append ----
|