nginx cache seems to swallow Set-Cookie

mschipperheyn nginx-forum at
Fri Jan 14 00:52:02 MSK 2011

I realize that this is an old thread but it relates to my question. I
use proxy_cache with a somewhat special approach.
User can log in to our site that has been designed to be completely
reverse proxy cacheable, even when  a user is logged in. We use a
separate json call to retrieve session information for the user.

So some pages like /product/* are cacheable but they may still be
retrieved by a logged in user. I want to make sure that the set cookie
doesn't get accidently get cached and allow another user to access my
session. Just this kind of thing seemed to happen the other day when an
anonymous user was suddenly logged in under my account, so now I'm not
sure how to see it. I am hoping that this was an issue related to a
stale proxy_cache that accumulated "illegal" content over the course of
development and changes in configuration.

The desired functionality is;
Anonymous useer
   * request cacheablepage1.html
   * retrieve from cache if available => cachefile01
   * put in cache
Logged in user
   * request cacheablepage1.html
   * retrieve from cache => cachefile01
   * request cacheablepage2.html
   * retrieve from cache if availabel
   * put in cache but strip any set-cookie associated with the session 
=> cachefile02
   * get cachefile02
Anonymous user
   * request cacheablepage2.html
   * retrieve from cache if available => cachefile02
Any result from a POST
    * never put in proxy cache

My current config for this is
server {
	listen          			80 default_server;
	server_name     			_;
	server_name_in_redirect  	off;
	charset 					utf-8;
	root            			/var/lib/APP;
	add_header			Cache-Control public;

	set $proxy_bypass 		off;
	location ~ (cart|account|editor|admin)$ {
		set $proxy_bypass		on;
		try_files				$uri @proxy;
	location / {
		keepalive_timeout 		30;
		rewrite 				^([^.]*[^/])$ $1/ permanent;
		try_files 				$uri @proxy;
	location @proxy {
		proxy_cache				STATIC;
		proxy_pass				http://localhost:9000;
		proxy_cache_valid 		200 15m;
		proxy_cache_valid 		404  5m;
		proxy_cache_use_stale  	error timeout invalid_header updating
                               http_500 http_502 http_503 http_504;
		proxy_cache_key 		$host$request_uri;
		proxy_ignore_headers	Set-Cookie;
		proxy_cache_bypass 		$proxy_bypass;

		proxy_set_header        X-Real-IP $remote_addr;
		proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;
		proxy_set_header        Host $http_host;
		#proxy_max_temp_file_size 0;
		proxy_buffering 		on;
		#proxy_store			off;

		proxy_connect_timeout 	30;
		proxy_send_timeout    	30;
		proxy_read_timeout    	30;

		# All POST requests go directly
		if ($request_method = POST) {
			proxy_pass http://localhost:9000;

Are my assumptions correct? What directes are important to pay attention
to in order to avoid accidental session access for the wrong user?

Kind regards,


Posted at Nginx Forum:,126312,166019#msg-166019

More information about the nginx mailing list