Re: proxy_cache when 'Authorization' HTTP header presents.

Kuramoto Eiji
August 19, 2009 11:10PM
Hello,

On Tue, 18 Aug 2009 18:13:16 +0400
Igor Sysoev wrote:
} > The proxy_cache module sends cached contents until it's expired
} > even if a client sends a wrong user/password after passing the first (401)
} > authentication. It might be a bug ... ?
}
} I agree that nginx should not cache authenticated responses. However,
} it should be configured, otherwise, anyone may flush cache with a dummy
} "Authorization" header.

Here is a small & dirty patch with a configurable
'proxy_cache_ignore_for_authorization' option.


--- http/ngx_http_upstream.c
+++ http/ngx_http_upstream.c
@@ -426,7 +426,18 @@

#if (NGX_HTTP_CACHE)

+ /*
+ * don't cache when Authorization header presents.
+ */
+ if ( u->conf->cache
+ && ( !u->conf->ignore_cache_for_authorization
+ || ( r->headers_in.authorization == NULL
+ && r->headers_in.user.data == NULL /* don't check 'len' for empty user/passwd */
+ && r->headers_in.passwd.data == NULL ) ) ) {
ngx_int_t rc;

rc = ngx_http_upstream_cache(r, u);
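
Review bot: In the new condition, the `r->headers_in.user.data == NULL` and `r->headers_in.passwd.data == NULL` tests need a justification next to `r->headers_in.authorization == NULL`. If those fields are only ever filled from the Authorization header, the two extra tests are redundant and can go; if they can be set some other way, say so in the comment. The comment also says "don't cache", but the condition guards the whole `ngx_http_upstream_cache(r, u)` call, so a request with the header skips the cache lookup as well as the store; "bypass the cache" would describe it better. The added `if (...) {` opens a block whose closing `}` is not visible in this hunk, so please check it closes where intended.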


--- http/ngx_http_upstream.h
+++ http/ngx_http_upstream.h
@@ -160,6 +163,12 @@
ngx_uint_t cache_methods;

ngx_array_t *cache_valid;
+ /*
+ * don't cache when Authorization header presents.
+ */
+ ngx_flag_t ignore_cache_for_authorization; /* default ON */
#endif

ngx_array_t *store_lengths;
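
Review bot: The `/* default ON */` comment on `ignore_cache_for_authorization` is misleading in this header, because the default is not set here; it comes from the `ngx_conf_merge_value(..., 1)` call in ngx_http_proxy_module.c. The field is added to the shared upstream configuration, while the only initialisation and merge shown are in the proxy module, so any other module that uses this structure with caching would need the same `NGX_CONF_UNSET` init and merge. Suggest dropping the default from the comment here, or stating where it is applied.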


--- http/modules/ngx_http_proxy_module.c
+++ http/modules/ngx_http_proxy_module.c
@@ -385,6 +385,14 @@
offsetof(ngx_http_proxy_loc_conf_t, upstream.cache_methods),
&ngx_http_upstream_cache_method_mask },

+ { ngx_string("proxy_cache_ignore_for_authorization"),
+ NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_HTTP_LOC_CONF|NGX_CONF_FLAG,
+ ngx_conf_set_flag_slot,
+ NGX_HTTP_LOC_CONF_OFFSET,
+ offsetof(ngx_http_proxy_loc_conf_t, upstream.ignore_cache_for_authorization),
+ NULL },

{ ngx_string("proxy_temp_path"),
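
Review bot: The directive is named `proxy_cache_ignore_for_authorization` but the field it sets is `upstream.ignore_cache_for_authorization`; the word order differs, which makes the two hard to match when grepping. Please pick one order for both. The directive also has no description of what "on" means (bypass the cache when an Authorization header is present) or of its default, and that should be written down alongside the new entry.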
@@ -1929,6 +1937,9 @@
conf->upstream.cache = NGX_CONF_UNSET_PTR;
conf->upstream.cache_min_uses = NGX_CONF_UNSET_UINT;
conf->upstream.cache_valid = NGX_CONF_UNSET_PTR;
+ conf->upstream.ignore_cache_for_authorization = NGX_CONF_UNSET;
#endif

conf->upstream.hide_headers = NGX_CONF_UNSET_PTR;
@@ -2159,6 +2170,10 @@
conf->cache_key = prev->cache_key;
}

+ ngx_conf_merge_value( conf->upstream.ignore_cache_for_authorization,
+ prev->upstream.ignore_cache_for_authorization, 1 ); /* default ON */
#endif

if (conf->method.len == 0) {
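
Review bot: The default of `1` in `ngx_conf_merge_value(...)` changes behaviour for every existing configuration that uses the proxy cache: once this is merged, requests that carry an Authorization header stop using the cache without any change to the config file. That is the safer default for the problem discussed in this thread, but it also means any request with the header goes to the backend, so it should be called out in the change notes. Style: the spaces inside the parentheses, `ngx_conf_merge_value( conf->... , 1 );`, differ from the surrounding calls.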


- Kuramoto Eiji