Three fixes:
1. Replace admpass.sh calls with direct htpasswd writes — the script
is interactive-only (no --password flag) and hangs forever in
automation. Write admin htpasswd directly with openssl passwd.
2. Fix httpd_config.conf template — OLS requires virtualHost {} blocks
with vhRoot/configFile, not bare include of vhconf.conf files.
Add proper _backend virtualHost block, map it to Backend listener,
use self-signed cert for Secure listener until real certs exist.
3. Fix addOLSListenerMap to only add maps to Default and Secure
listeners (not Backend which is reserved for the admin panel).
4. Fix default PHP detection to read from wo.conf config instead
of picking first installed version (which would prefer php74).
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
* Fix install script version check
* Add $host variable for fastcgi_params et proxy_params
* Add "$http3" variable to logs
* Bump release to v3.21.2
* Another fix for wildcard certificates
Seems there is an issue with these changes. This is what the output of `https://www.example.com/.well-known/traffic-advice` looks like with WO 3.15.3 :
```
[\{
"user_agent": "prefetch-proxy",
"google_prefetch_proxy_eap": \{
"fraction": 1.0
\}
\}]
```
**Here is the expected output for a valid configuration**:
```
[{
"user_agent": "prefetch-proxy",
"google_prefetch_proxy_eap": {
"fraction": 1.0
}
}]
```
# X-XSS-Protection
Even though this feature can protect users of older web browsers that don't yet support CSP, in some cases, XSS protection can create XSS vulnerabilities in otherwise safe websites.
Reference: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-XSS-Protectionhttps://thexssrat.medium.com/x-xss-protection-headers-protection-or-vulnerability-bc7213951320
Chrome has removed their XSS Auditor
Firefox has not, and will not implement X-XSS-Protection
Edge has retired its XSS filter.
# X-Download-Options
Microsoft announced the retirement of Internet Explorer and it's rendered inoperable since June 15, 2022. So, we may safely remove this IE 8 specific HTTP Header too.
