proxy_cache when 'Authorization' HTTP header presents.

Maxim Dounin mdounin at mdounin.ru
Mon Aug 17 18:14:34 MSD 2009


Hello!

On Wed, Aug 12, 2009 at 11:47:31AM +0900, Kuramoto Eiji wrote:

> Hi,
> 
> The proxy_cache module sends cached content until it expires
> even if a client sends a wrong user/password after passing the first (401)
> authentication. It might be a bug ... ?

If authorization is checked by nginx, the request will never reach this 
stage.  If it's checked by the backend server, there is no reason for 
nginx to do anything with it.

> 
> small patch like this,
> 
> 
> --- ngx_http_upstream.c	22 Jul 2009 04:01:25 -0000	1.7
> +++ ngx_http_upstream.c	11 Aug 2009 10:01:41 -0000	1.8
> @@ -397,7 +397,18 @@
>  
>  #if (NGX_HTTP_CACHE)
>  
> +    /*
> +     * don't cache when Authorization header presents.
> +     */
> +    if (u->conf->cache
> +	 && r->headers_in.authorization == NULL
> +	 && r->headers_in.user.data == NULL /* don't check 'len' for empty user/passwd */
> +	 && r->headers_in.passwd.data == NULL) {

This effectively switches off cache for requests with 
authorization.  The same may be done via configs.

Maxim Dounin

>          ngx_int_t  rc;
>  
>          rc = ngx_http_upstream_cache(r, u);
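Review bot: the new condition in front of `rc = ngx_http_upstream_cache(r, u);` turns the cache off for every request that carries credentials, in every location that uses an upstream cache, with nothing in the configuration to opt in or out. Setups that deliberately share cached content between authenticated users would lose caching silently; tying the check to a directive, or leaving it to configuration as the reply suggests, keeps the current behaviour as the default. The `user.data` and `passwd.data` tests look redundant next to `r->headers_in.authorization == NULL` if those fields are only ever filled from that header. The comment says "don't cache", but the check skips the cache lookup as well as the store, so it should say both. The three continuation lines of the condition are indented with tabs where the surrounding lines use spaces.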
> 
> - Kuramoto Eiji
> 
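One way to do the same thing in configuration, as the reply suggests. This is an added example, not part of the original thread or of the nginx source; it assumes an nginx version that provides `proxy_cache_bypass` and `proxy_no_cache`, which may postdate the version discussed here. The zone name, cache path and backend address are placeholders.

```nginx
# Constructed example: zone name, cache path and backend address are placeholders.
proxy_cache_path /var/cache/nginx/app keys_zone=app_cache:10m;

upstream backend {
    # Backend that performs the 401 / Basic authentication check itself.
    server 127.0.0.1:8080;
}

server {
    listen 80;

    location / {
        proxy_pass        http://backend;
        proxy_cache       app_cache;
        proxy_cache_valid 200 10m;

        # With only the three directives above, a response fetched with valid
        # credentials is stored and then served to any later request for the
        # same URL until it expires, whatever credentials that request sends.

        # A non-empty Authorization header means: do not answer from the
        # cache, pass the request to the backend so it can check credentials.
        proxy_cache_bypass $http_authorization;

        # ... and do not store the backend's answer to such a request.
        # Without this line the authenticated response would still be saved
        # and handed to the next request that arrives without the header.
        proxy_no_cache     $http_authorization;
    }
}
```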




