Nginx doesn't honor Cache-Control: no-cache _request_

Mirosław Jaworski mjaw at ikp.pl
Tue Aug 4 13:24:35 MSD 2009


On Mon, 2009-08-03 at 16:34 +0400, Igor Sysoev wrote:
> > > No, currently nginx ignores the reload because everyone may flush
> > > popular and heavy generated pages from your cache.
> > > I plan to allow reload only from limited set of addresses.
> > 
> > Cache-control: no-cache request isn't supposed to revalidate/invalidate
> > cache.
> > 
> > Logic is fairly trivial - exactly as i showed in my nonexisting
> > variable/wrong syntax example - nginx should simply omit checking
> > the cache when receiving such request, go for the backend and serve
> > backend's response without doing anything to the cache.
> 
> RFC does not say that server must not cache this response, it just says
> that is must bot use previously cached response.

Yet nginx does use cached response, breaking it. That's the most 
important part which needs addressing.

My suggestion not only complies with RFC but also allows to avoid
treating "Cache-control: no-cache" request as uncontrollable way to
tamper with the cache.

> Anyway, "Cache-control" should be supported from trusted addresses only:
> nginx is not generic transit proxy, it's accelerator, it's just part
> of web-server.

And should comply with RFC as such. It may be a nice _feature_
for some to limit it using some cache_control_restrict though.

Back to the problem - if i can't use cache depend on some request
header, can i make it IP dependent?

-- 
Mirosław "Psyborg" Jaworski
GCS/IT d- s+:+ a C++$ UBI++++$ P+++$ L- E--- W++(+++)$ N++ o+ K- w-- O-
M- V- PS+ PE++ Y+ PGP t 5? X+ R++ !tv b++(+++) DI++ D+ G e* h++ r+++ y?
              "If at first you don't succeed, redefine success."






More information about the nginx mailing list