OpenLiteSpeed 1.8.2 Virtual Host ACL lists not working correctly

[hnougher]

I upgraded OpenLiteSpeed using Debian apt today, which has arrived at 1.8.2.
All of this was working perfectly before the update.

What I am observing in the IP Address Allow and Deny lists are now having unexpected results.

• IPs in the allow list are blocked by the deny list "ALL". Removing the value in deny allows the requests again.
• Somehow, removing my own IP from the allow list still allows requests from my IP, but removing all entries from allow list blocks my IP.

My configuration for the ACL.
Allow list - Allowing my IP (replaced with x.x.x.x) and all Cloudflare IPs.
x.x.x.xT, y.y.y.yT, 173.245.48.0/20, 103.21.244.0/22, 103.22.200.0/22, 103.31.4.0/22, 141.101.64.0/18, 108.162.192.0/18, 190.93.240.0/20, 188.114.96.0/20, 197.234.240.0/22, 198.41.128.0/17, 162.158.0.0/1, 104.16.0.0/13, 104.24.0.0/14, 172.64.0.0/13, 131.0.72.0/22
Denied List
ALL

Additional: This is in the logs when I try accessing from Cloudflare, which is definitely covered by the entries "108.162.192.0/18" and "172.64.0.0/13".
2025-02-01 21:14:11.582732 | INFO | [1914618] [108.162.250.168:43610] [ACL] Access to virtual host [my.url] is denied.
2025-02-01 21:18:36.388820 | INFO | [1914618] [172.69.60.144:65358] [ACL] Access to virtual host [my.url] is denied.
2025-02-01 21:18:39.197265 | INFO | [1914618] [172.69.60.144:65358] [ACL] Access to virtual host [my.url] is denied.

Thanks

[litespeedtech]

You need to explicitly set config Use Client IP in Header to No to get the old behavior.
In 1.8.2, default has been changed from No to Trusted IP only. CloudFlare IP addresses are trusted automatically, so server has updated REMOTE_ADDR to use IP in the request header and check against ACL.

[hnougher]

Thanks for the guidance.
As you say, setting OpenLiteSpeed WebAdmin Console > Server Configuration > General Settings to "No" does solve the CloudFlare issue to how it used to work.
It might be worth the ACL log entry indicating "what" is blocked, given it was the header IP instead of the CloudFlare IP.

However, this has not solved the strange case of removing my own IP from the list is still allowing access. This is not via CloudFlare, but direct.

Thanks

[litespeedtech]

Assume that you use curl to access your site from your IP, you need to override the DNS lookup result of your domain name, either use curl command line option --resolve, or /etc/hosts, otherwise, you still go through CloudFlare.

[hnougher]

I am using Firefox, and test using an entirely different domain name that is not via CloudFlare.
i.e. live.url.au vs test.vm.hosting.provider
Further, when I bring up phpinfo on the test url, I cannot see any mention of x-forwarded headers.