nginx cache seems to swallow Set-Cookie
Maxim Dounin
mdounin at mdounin.ru
Fri Jan 14 01:20:50 MSK 2011
Hello!
On Thu, Jan 13, 2011 at 04:52:02PM -0500, mschipperheyn wrote:
> I realize that this is an old thread but it relates to my question. I
> use proxy_cache with a somewhat special approach.
> User can log in to our site that has been designed to be completely
> reverse proxy cacheable, even when a user is logged in. We use a
> separate json call to retrieve session information for the user.
>
> So some pages like /product/* are cacheable but they may still be
> retrieved by a logged in user. I want to make sure that the set cookie
> doesn't accidentally get cached and allow another user to access my
> session. Just this kind of thing seemed to happen the other day when an
> anonymous user was suddenly logged in under my account, so now I'm not
> sure how to see it. I am hoping that this was an issue related to a
> stale proxy_cache that accumulated "illegal" content over the course of
> development and changes in configuration.
>
> The desired functionality is:
> Anonymous user
> * request cacheablepage1.html
> * retrieve from cache if available => cachefile01
> * put in cache
> Logged in user
> * request cacheablepage1.html
> * retrieve from cache => cachefile01
> * request cacheablepage2.html
> * retrieve from cache if available
> * put in cache but strip any set-cookie associated with the session
> => cachefile02
> * get cachefile02
> Anonymous user
> * request cacheablepage2.html
> * retrieve from cache if available => cachefile02
> Any result from a POST
> * never put in proxy cache
>
> My current config for this is
> [code]
> server {
>     listen 80 default_server;
>     server_name _;
>     server_name_in_redirect off;
>     charset utf-8;
>     root /var/lib/APP;
>     add_header Cache-Control public;
>
>     set $proxy_bypass off;
>
>     [..]
>
>     location ~ (cart|account|editor|admin)$ {
>         set $proxy_bypass on;
>         try_files $uri @proxy;
>     }
>     location / {
>         keepalive_timeout 30;
>         rewrite ^([^.]*[^/])$ $1/ permanent;
>         try_files $uri @proxy;
>     }
>     location @proxy {
>         proxy_cache STATIC;
>         proxy_pass http://localhost:9000;
>         proxy_cache_valid 200 15m;
>         proxy_cache_valid 404 5m;
>         proxy_cache_use_stale error timeout invalid_header updating
>                               http_500 http_502 http_503 http_504;
>         proxy_cache_key $host$request_uri;
>         proxy_ignore_headers Set-Cookie;
>         proxy_cache_bypass $proxy_bypass;
>
>         proxy_set_header X-Real-IP $remote_addr;
>         proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
>         proxy_set_header Host $http_host;
>         #proxy_max_temp_file_size 0;
>         proxy_buffering on;
>         #proxy_store off;
>
>         proxy_connect_timeout 30;
>         proxy_send_timeout 30;
>         proxy_read_timeout 30;
>
>         # All POST requests go directly
>         if ($request_method = POST) {
>             proxy_pass http://localhost:9000;
>             break;
>         }
>     }
> }
> [/code]
>
>
> Are my assumptions correct? What directives are important to pay attention
> to in order to avoid accidental session access for the wrong user?
1. proxy_cache_bypass will bypass cache with both "off" and "on"
values, as both are evaluated to true; and more importantly -
proxy_cache_bypass doesn't work correctly as of now if not used
with identical proxy_no_cache due to a bug, so just forget about it
2. to strip Set-Cookie from replies you have to use
proxy_hide_header Set-Cookie; it's not clear why you ever return
cookies with cacheable pages though
3. POST requests aren't cached by default, no need for an if; and
your if relies on this anyway as it doesn't contain proxy_cache
off;
Maxim Dounin
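A configuration that follows the three points above, written here as an added example (it is not from the thread or from the nginx documentation). It assumes the STATIC zone is declared with proxy_cache_path in the http block and that session cookies are only ever set on the cart/account/editor/admin paths, which are proxied without a cache at all instead of through a bypass variable:

```nginx
# Added example: cacheable pages never store or serve Set-Cookie,
# session-bearing paths never touch the cache, POST is never cached.
server {
    listen 80 default_server;
    server_name _;
    root /var/lib/APP;

    # Shared by both named locations below.
    proxy_set_header Host $http_host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

    # Session-bearing paths: proxied with no cache, so Set-Cookie reaches
    # the browser but is never written to a cache file. No bypass needed.
    location ~ (cart|account|editor|admin)$ {
        try_files $uri @dynamic;
    }

    location / {
        try_files $uri @cached;
    }

    location @dynamic {
        proxy_pass http://localhost:9000;
    }

    location @cached {
        proxy_pass http://localhost:9000;

        proxy_cache STATIC;
        proxy_cache_key $host$request_uri;
        proxy_cache_valid 200 15m;
        proxy_cache_valid 404 5m;
        # GET HEAD is the default: a POST response is never stored,
        # so no "if ($request_method = POST)" block is required.
        proxy_cache_methods GET HEAD;

        # Store the page even when the backend attaches a cookie ...
        proxy_ignore_headers Set-Cookie;
        # ... but drop that header from every response, fresh or cached,
        # so no visitor can be handed another user's session.
        proxy_hide_header Set-Cookie;

        # If a bypass is ever needed, use one variable that is empty by
        # default (not "off") in both proxy_cache_bypass and proxy_no_cache.
    }
}
```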