proxy_cache when 'Authorization' HTTP header presents.
Kuramoto Eiji
ek at kuramoto.org
Thu Aug 20 07:10:49 MSD 2009
Hello,
On Tue, 18 Aug 2009 18:13:16 +0400
Igor Sysoev wrote:
} > The proxy_cache module sends cached contents until they expire,
} > even if a client sends a wrong user/password after passing the first (401)
} > authentication. It might be a bug ... ?
}
} I agree that nginx should not cache authenticated responses. However,
} it should be configurable; otherwise, anyone could flush the cache with
} a dummy "Authorization" header.
Here is a small & dirty patch that adds a configurable
'proxy_cache_ignore_for_authorization' option.
--- http/ngx_http_upstream.c
+++ http/ngx_http_upstream.c
@@ -426,7 +426,18 @@
#if (NGX_HTTP_CACHE)
+ /*
+ * don't cache when Authorization header presents.
+ */
+ if ( u->conf->cache
+ && ( !u->conf->ignore_cache_for_authorization
+ || ( r->headers_in.authorization == NULL
+ && r->headers_in.user.data == NULL /* don't check 'len' for empty user/passwd */
+ && r->headers_in.passwd.data == NULL ) ) ) {
ngx_int_t rc;
rc = ngx_http_upstream_cache(r, u);
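Review bot: The new guard on L24–L28 only skips the ngx_http_upstream_cache() lookup for requests that carry an Authorization header; whether the upstream response is then also kept out of the cache presumably depends on u->cacheable staying unset, which this hunk cannot show — worth confirming, since storing an authenticated response is the original bug. The extra `r->headers_in.user.data == NULL && r->headers_in.passwd.data == NULL` tests look redundant if, as I read nginx, user/passwd are only ever filled from that same header; if they are kept, the comment should say why. Formatting differs from the surrounding code: nginx writes `if (u->conf->cache` without inner spaces and aligns continuation lines under the opening parenthesis. I would also replace the two-line comment with one that states what the option trades off: `/* bypass the cache lookup for requests carrying an Authorization header (proxy_cache_ignore_for_authorization, default on) */`. The enclosing function starts and ends outside the hunk.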
--- http/ngx_http_upstream.h
+++ http/ngx_http_upstream.h
@@ -160,6 +163,12 @@
ngx_uint_t cache_methods;
ngx_array_t *cache_valid;
+ /*
+ * don't cache when Authorization header presents.
+ */
+ ngx_flag_t ignore_cache_for_authorization; /* default ON */
#endif
ngx_array_t *store_lengths;
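Review bot: The field comment on L36–L39 repeats the default but not what the flag controls, so a reader of the header cannot tell what a value of 0 means. I would write `ngx_flag_t ignore_cache_for_authorization; /* on: requests with an Authorization header bypass the proxy cache; off: cache as usual */` and leave the default to the merge in ngx_http_proxy_module.c, where it is actually set. The struct definition starts and ends outside the hunk.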
--- http/modules/ngx_http_proxy_module.c
+++ http/modules/ngx_http_proxy_module.c
@@ -385,6 +385,14 @@
offsetof(ngx_http_proxy_loc_conf_t, upstream.cache_methods),
&ngx_http_upstream_cache_method_mask },
+ { ngx_string("proxy_cache_ignore_for_authorization"),
+ NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_HTTP_LOC_CONF|NGX_CONF_FLAG,
+ ngx_conf_set_flag_slot,
+ NGX_HTTP_LOC_CONF_OFFSET,
+ offsetof(ngx_http_proxy_loc_conf_t, upstream.ignore_cache_for_authorization),
+ NULL },
{ ngx_string("proxy_temp_path"),
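Review bot: The directive `proxy_cache_ignore_for_authorization` is stored in a field named `ignore_cache_for_authorization`, whereas the neighbouring entry on L45 maps `proxy_cache_methods` to `upstream.cache_methods`; by that convention the field (here, in ngx_http_upstream.h, and in the init and merge hunks below) should be `cache_ignore_for_authorization`, so that a grep for the directive finds its storage. The commands array starts and ends outside the hunk.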
@@ -1929,6 +1937,9 @@
conf->upstream.cache = NGX_CONF_UNSET_PTR;
conf->upstream.cache_min_uses = NGX_CONF_UNSET_UINT;
conf->upstream.cache_valid = NGX_CONF_UNSET_PTR;
+ conf->upstream.ignore_cache_for_authorization = NGX_CONF_UNSET;
#endif
conf->upstream.hide_headers = NGX_CONF_UNSET_PTR;
@@ -2159,6 +2170,10 @@
conf->cache_key = prev->cache_key;
}
+ ngx_conf_merge_value( conf->upstream.ignore_cache_for_authorization,
+ prev->upstream.ignore_cache_for_authorization, 1 ); /* default ON */
#endif
if (conf->method.len == 0) {
- Kuramoto Eiji