Hello!

On Tue, Aug 18, 2009 at 08:38:03PM +0900, Kuramoto Eiji wrote:

> On Mon, 17 Aug 2009 18:14:34 +0400
> Maxim Dounin wrote:
>
> } > The proxy_cache module send cached contents until it's expired
> } > even if a client send wrong user/password after passed first (401)
> } > authentication. It might be a bug ... ?
> }
> } If authorization checked by nginx - request will never reach this
> } stage. If it's checked by backend server - there is no reason for
> } nginx to do anything with it.
>
> It's checked by backend server.
>
> my nginx.conf:
>
> proxy_cache_path /usr/local/nginx/proxy_cache levels=1:2 keys_zone=one:10m;
>
> proxy_cache_key "$host:$server_port$uri$is_args$args";
>
> server {
> listen 8080;
> server_name frontend-hostname.example.com;
>
> location / {
> proxy_cache one;

Just a side note: proxy_cache meaningless here.

> error_page 401 404 502 504 = @fallback;
> }
>
> location @fallback {
> proxy_cache one;
> proxy_cache_valid 200 1m;
> proxy_pass http://backend-hostname.example.com;
> }
>
>
> Request/Response:
> 1. client requests HTTP authorization required URI to nginx.
> 2. If it doesn't found in proxy_cached contents, nginx requests URI to
> backend server.
> 3. backend server responses with 401 (Unauthorized) HTTP status code
> to nginx.
> 4. nginx responses with 401 (Unauthorized) HTTP status code to client.
> 5. client send requests with the authorized User/Password on
> 'Authorization:' HTTP header.
> 6. nginx passes through that requests to backend server.
> 7. backend server responses authorized contents with 200 HTTP status
> code without 'Cache-Control: no-cache or no-store' HTTP headers.
> 8. nginx's proxy_cache module caches the contents, so it respond with
> 200 HTTP status code.
> 9. nginx responses the contens to client with 200 HTTP status code.
> 10. change User or Password for HTTP authorization of URI on backend
> server.
> 11. client requests same URI at step 1 with previously (same at step 5)
> User/Password (at here, wrong/unauthorized User/Password) on
> 'Authorization:' HTTP header.
> 12. nginx responses previously (at step 8) cached contents without any
> HTTP authorizations until proxy_cache expired ('proxy_cache_valid'
> time for '200' HTTP status).
>
> nginx should request to backend server with 'Authorization:' HTTP
> header requested by client at step 12, I suppose..

No, it shouldn't. You instructed nginx to cache response - and it
will do so. Moreover, it will serve cached response to other
clients too, even to requests without Authorization header (there
is no $http_authorization in proxy_cache_key).

> } This effectively switches off cache for requests with
> } authorization. The same may be done via configs.
>
> How can I do via configs?

Try something like this:

location @fallback {
recursive_error_pages on;
error_page 405 = @nocache;

if ($http_authorization) {
return 405;
}

proxy_pass ...
proxy_cache ...
}

location @nocache {
# no proxy_cache here
proxy_pass ...
}

Maxim Dounin