nginx cache seems to swallow Set-Cookie

Maxim Dounin mdounin at mdounin.ru
Fri Jan 14 01:20:50 MSK 2011


Hello!

On Thu, Jan 13, 2011 at 04:52:02PM -0500, mschipperheyn wrote:

> I realize that this is an old thread but it relates to my question. I
> use proxy_cache with a somewhat special approach.
> Users can log in to our site, which has been designed to be completely
> reverse proxy cacheable, even when a user is logged in. We use a
> separate JSON call to retrieve session information for the user.
> 
> So some pages like /product/* are cacheable but they may still be
> retrieved by a logged in user. I want to make sure that the Set-Cookie
> doesn't accidentally get cached and allow another user to access my
> session. Just this kind of thing seemed to happen the other day when an
> anonymous user was suddenly logged in under my account, so now I'm not
> sure how to see it. I am hoping that this was an issue related to a
> stale proxy_cache that accumulated "illegal" content over the course of
> development and changes in configuration.
> 
> The desired functionality is:
> Anonymous user
>    * request cacheablepage1.html
>    * retrieve from cache if available => cachefile01
>    * put in cache
> Logged in user
>    * request cacheablepage1.html
>    * retrieve from cache => cachefile01
>    * request cacheablepage2.html
>    * retrieve from cache if available
>    * put in cache but strip any Set-Cookie associated with the session => cachefile02
>    * get cachefile02
> Anonymous user
>    * request cacheablepage2.html
>    * retrieve from cache if available => cachefile02
> Any result from a POST
>    * never put in proxy cache
> 
> My current config for this is
> [code]
> server {
>     listen                   80 default_server;
>     server_name              _;
>     server_name_in_redirect  off;
>     charset                  utf-8;
>     root                     /var/lib/APP;
>     add_header               Cache-Control public;
> 
>     set $proxy_bypass        off;
> 
>     [..]
> 
>     location ~ (cart|account|editor|admin)$ {
>         set $proxy_bypass    on;
>         try_files            $uri @proxy;
>     }
>     location / {
>         keepalive_timeout    30;
>         rewrite              ^([^.]*[^/])$ $1/ permanent;
>         try_files            $uri @proxy;
>     }
>     location @proxy {
>         proxy_cache          STATIC;
>         proxy_pass           http://localhost:9000;
>         proxy_cache_valid    200 15m;
>         proxy_cache_valid    404  5m;
>         proxy_cache_use_stale error timeout invalid_header updating
>                              http_500 http_502 http_503 http_504;
>         proxy_cache_key      $host$request_uri;
>         proxy_ignore_headers Set-Cookie;
>         proxy_cache_bypass   $proxy_bypass;
> 
>         proxy_set_header     X-Real-IP $remote_addr;
>         proxy_set_header     X-Forwarded-For $proxy_add_x_forwarded_for;
>         proxy_set_header     Host $http_host;
>         #proxy_max_temp_file_size 0;
>         proxy_buffering      on;
>         #proxy_store         off;
> 
>         proxy_connect_timeout 30;
>         proxy_send_timeout   30;
>         proxy_read_timeout   30;
> 
>         # All POST requests go directly
>         if ($request_method = POST) {
>             proxy_pass http://localhost:9000;
>             break;
>         }
>     }
> }
> [/code]
> 
> 
> Are my assumptions correct? What directives are important to pay attention
> to in order to avoid accidental session access for the wrong user?

1. proxy_cache_bypass will bypass the cache with both "off" and "on" 
values, as both evaluate to true; and, more importantly, 
proxy_cache_bypass doesn't work correctly as of now if not used 
with an identical proxy_no_cache, due to a bug, so just forget about it.

2. To strip Set-Cookie from replies you have to use 
proxy_hide_header Set-Cookie; it's not clear why you ever return 
cookies with cacheable pages, though.

3. POST requests aren't cached by default, so there is no need for an if; and 
your if relies on this anyway, as it doesn't contain proxy_cache off;

Maxim Dounin
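The three points above, applied to the quoted config, as an added example. This is not the original poster's config and not Maxim's; the upstream at localhost:9000, the cache zone name STATIC, the cache key and the validity times are taken from the quoted post, while the proxy_cache_path location and sizes, and the variable name $skip_cache, are assumptions made here.

```nginx
# Added example: corrected version of the quoted config.
http {
    # The STATIC zone used below must be declared somewhere in http {};
    # the path and the sizes here are assumptions, the post does not show them.
    proxy_cache_path /var/cache/nginx/static levels=1:2 keys_zone=STATIC:10m
                     inactive=15m max_size=1g;

    server {
        listen      80 default_server;
        server_name _;
        root        /var/lib/APP;

        # Point 1: proxy_cache_bypass and proxy_no_cache treat every value
        # except "" and "0" as true, so "off" bypasses the cache just like "on".
        # Use an empty string for "serve from cache" and a non-empty value
        # for "bypass".
        set $skip_cache "";

        location ~ (cart|account|editor|admin)$ {
            set $skip_cache 1;
            try_files $uri @proxy;
        }

        location / {
            try_files $uri @proxy;
        }

        location @proxy {
            proxy_pass        http://localhost:9000;
            proxy_cache       STATIC;
            proxy_cache_key   $host$request_uri;
            proxy_cache_valid 200 15m;
            proxy_cache_valid 404  5m;
            proxy_cache_use_stale error timeout invalid_header updating
                                  http_500 http_502 http_503 http_504;

            # Point 1, continued: pair proxy_cache_bypass with an identical
            # proxy_no_cache, so a bypassed response is never stored either.
            proxy_cache_bypass $skip_cache;
            proxy_no_cache     $skip_cache;

            # Point 2: proxy_ignore_headers Set-Cookie only makes a response
            # that carries Set-Cookie cacheable; the header is stored with the
            # body and sent with every later cache hit. proxy_hide_header
            # removes it from what nginx sends, so one user's session cookie
            # cannot be handed to another user from the cache.
            proxy_ignore_headers Set-Cookie;
            proxy_hide_header    Set-Cookie;

            # Point 3: no "if ($request_method = POST)" block is needed; the
            # default proxy_cache_methods is "GET HEAD", so POST responses are
            # never stored in the cache.

            # Lets a client see HIT / MISS / BYPASS when checking the setup.
            add_header X-Cache-Status $upstream_cache_status;

            proxy_set_header X-Real-IP       $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header Host            $http_host;
        }
    }
}
```

To check it, request a cacheable page twice with `curl -I` while logged in: the second response should carry `X-Cache-Status: HIT` and no `Set-Cookie` header, and a request to a path ending in `cart` or `account` should show `X-Cache-Status: BYPASS`. Note that `add_header` in the @proxy location replaces, rather than extends, any `add_header` set at server level, so a server-wide `Cache-Control` header would have to be repeated inside the location.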


