proxy_cache when the 'Authorization' HTTP header is present.

Kuramoto Eiji ek at kuramoto.org
Thu Aug 20 07:10:49 MSD 2009


Hello,

 On Tue, 18 Aug 2009 18:13:16 +0400
    Igor Sysoev wrote:
 } > The proxy_cache module sends cached content until it expires,
 } > even if a client sends a wrong user/password after passing the first (401)
 } > authentication. It might be a bug ... ?
 } 
 } I agree that nginx should not cache authenticated responses. However,
 } it should be configurable, otherwise anyone may flush the cache with a
 } dummy "Authorization" header.

Here is a small & dirty patch with a configurable
'proxy_cache_ignore_for_authorization' option.


--- http/ngx_http_upstream.c
+++ http/ngx_http_upstream.c
@@ -426,7 +426,18 @@
 
 #if (NGX_HTTP_CACHE)
 
+    /*
+     * don't cache when Authorization header presents.
+     */
+    if ( u->conf->cache
+	 && ( !u->conf->ignore_cache_for_authorization
+	      || ( r->headers_in.authorization == NULL
+		   && r->headers_in.user.data == NULL /* don't check 'len' for empty user/passwd */
+		   && r->headers_in.passwd.data == NULL ) ) ) {
         ngx_int_t  rc;
 
         rc = ngx_http_upstream_cache(r, u);
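Review bot: The added condition treats `r->headers_in.user.data != NULL` as proof that credentials were sent, but if ngx_http_auth_basic_user() has already run for the request (for instance because $remote_user appears in the cache key or the log format) it may leave a non-NULL marker in user.data even when no Authorization header is present — worth checking, since the cache would then be bypassed for every request. If user and passwd are only ever derived from that header, the check can reduce to the header itself: `if (u->conf->cache && (!u->conf->ignore_cache_for_authorization || r->headers_in.authorization == NULL)) {`. With the flag on, a request carrying any Authorization value skips the cache lookup entirely, so a throwaway header forces an upstream round-trip but cannot evict or overwrite a cached entry, which is the difference from the "flush" concern raised in the thread. The hunk shows no `-` line for the `if (u->conf->cache) {` guard it replaces and its header counts (7 → 18) exceed the lines shown, so blank and removed lines appear to have been lost in the archive rendering; the same count mismatch is visible in the ngx_http_upstream.h and ngx_http_proxy_module.c hunks. The tab-indented continuation lines and the spaces inside the parentheses do not follow nginx style (four-space indent, `if (cond`), and the enclosing function begins and ends outside the hunk.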


--- http/ngx_http_upstream.h
+++ http/ngx_http_upstream.h
@@ -160,6 +163,12 @@
     ngx_uint_t                       cache_methods;
 
     ngx_array_t                     *cache_valid;
+    /*
+     * don't cache when Authorization header presents.
+     */
+    ngx_flag_t ignore_cache_for_authorization;  /* default ON */
 #endif
 
     ngx_array_t                     *store_lengths;
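Review bot: The new field on `ngx_flag_t ignore_cache_for_authorization;  /* default ON */` is not column-aligned with the surrounding declarations, and the "default ON" claim cannot be verified from the header because the default is set in the proxy module's merge, not here. Align it as `ngx_flag_t                       ignore_cache_for_authorization;` and replace the duplicated block comment with a one-liner describing the contract rather than the default, e.g. `/* skip the cache when the request carries Authorization; default is set per module */`. The struct definition begins and ends outside the hunk.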


--- http/modules/ngx_http_proxy_module.c
+++ http/modules/ngx_http_proxy_module.c
@@ -385,6 +385,14 @@
       offsetof(ngx_http_proxy_loc_conf_t, upstream.cache_methods),
       &ngx_http_upstream_cache_method_mask },
 
+    { ngx_string("proxy_cache_ignore_for_authorization"),
+      NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_HTTP_LOC_CONF|NGX_CONF_FLAG,
+      ngx_conf_set_flag_slot,
+      NGX_HTTP_LOC_CONF_OFFSET,
+      offsetof(ngx_http_proxy_loc_conf_t, upstream.ignore_cache_for_authorization),
+      NULL },
 
     { ngx_string("proxy_temp_path"),
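Review bot: The directive is registered only in the proxy module, while the flag it sets lives in the shared ngx_http_upstream_conf_t checked in ngx_http_upstream.c; any other upstream module with cache support that fills that struct would leave the field at zero, so the bypass would be off there with no directive to turn it on — worth stating as a known limitation or wiring the directive into those modules as well. The directive name `proxy_cache_ignore_for_authorization` and the field name `ignore_cache_for_authorization` use the same words in different orders, which makes the pair hard to grep; one name for both, e.g. a field `cache_ignore_authorization` behind `proxy_cache_ignore_authorization`, would read more consistently with the surrounding `cache_*` fields. The ngx_command_t array begins and ends outside the hunk.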
@@ -1929,6 +1937,9 @@
     conf->upstream.cache = NGX_CONF_UNSET_PTR;
     conf->upstream.cache_min_uses = NGX_CONF_UNSET_UINT;
     conf->upstream.cache_valid = NGX_CONF_UNSET_PTR;
+    conf->upstream.ignore_cache_for_authorization = NGX_CONF_UNSET;
 #endif
 
     conf->upstream.hide_headers = NGX_CONF_UNSET_PTR;
@@ -2159,6 +2170,10 @@
         conf->cache_key = prev->cache_key;
     }
 
+    ngx_conf_merge_value( conf->upstream.ignore_cache_for_authorization,
+			  prev->upstream.ignore_cache_for_authorization, 1 ); /* default ON */
 #endif
 
     if (conf->method.len == 0) {
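Review bot: Defaulting the flag to 1 in `ngx_conf_merge_value(..., 1)` changes behavior for every existing proxy_cache deployment: as the ngx_http_upstream.c hunk shows, any request carrying an Authorization header then skips the cache lookup and goes to upstream, so the directive's documentation and the change log should state this explicitly rather than leaving it to the `/* default ON */` comment here. The spacing and the tab-indented continuation do not follow nginx style; `ngx_conf_merge_value(conf->upstream.ignore_cache_for_authorization,` with the remaining arguments on a space-indented line aligned under the first would match the neighbouring merges. The merge function begins and ends outside the hunk.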


- Kuramoto Eiji




