openresty / srcache-nginx-module

Transparent subrequest-based caching layout for arbitrary nginx locations.
http://wiki.nginx.org/NginxHttpSRCacheModule

skip caching basic auth #82

Closed Raboo closed 4 years ago

Raboo commented 4 years ago

Hi,

I'm wondering how to not cache an authorized response? I have openresty that does a proxy_pass to an apache. That apache has a site with a .htaccess file that enables Basic Auth (via ldap).

So if I do

curl -u 'username' https://mysite.com/

and

curl https://mysite.com/

I get the same content. But the second curl should actually respond with a 401 Unauthorized. So the first response gets cached, and the subsequent request gets its response from the cache.

If I allow the cache to expire, running curl https://mysite.com/ responds with a 401 Unauthorized.

How can I configure srcache so it doesn't allow authorized responses to a non-authorized client?

agentzh commented 4 years ago

@Raboo I don't think we cache 401 by default. See

https://github.com/openresty/srcache-nginx-module#srcache_store_statuses

Raboo commented 4 years ago

@agentzh that may be true and not the issue here; a successful login is cached. So an unauthenticated user can see the content behind a password protected page.

Raboo commented 4 years ago

The Apache HTTPD appears to set a header vary: Authorization. Perhaps that can be used to skip cache.

Raboo commented 4 years ago

This seems to work

    srcache_fetch_skip $http_authorization;
    srcache_store_skip $http_authorization;
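For context, the two directives above shown inside a complete srcache layout, as an added example that is not part of the issue or of the module's own documentation. The memcached address, the Apache upstream address and the server name are placeholder assumptions.

```nginx
# Added example (not from the issue): a minimal srcache layout that neither
# serves nor stores cached pages for requests carrying an Authorization header.
# Assumes memcached on 127.0.0.1:11211 and an Apache backend on 127.0.0.1:8080;
# both addresses are placeholders.
upstream apache_backend {
    server 127.0.0.1:8080;
}

server {
    listen 443 ssl;
    server_name mysite.com;
    # ssl_certificate / ssl_certificate_key omitted for brevity

    # Internal cache backend reached through srcache's subrequests.
    location = /memc {
        internal;
        memc_connect_timeout 100ms;
        memc_send_timeout 100ms;
        memc_read_timeout 100ms;
        set $memc_key $query_string;
        set $memc_exptime 300;
        memc_pass 127.0.0.1:11211;
    }

    location / {
        # Bypass both cache lookup and cache store when the client sent
        # credentials, so a response produced for an authenticated user is
        # never replayed to an anonymous one. $http_authorization is empty
        # (false) when the header is absent, so ordinary requests still use
        # the cache.
        srcache_fetch_skip $http_authorization;
        srcache_store_skip $http_authorization;

        # Explicit store list (these are the module defaults); a 401 from
        # Apache is therefore never written to the cache.
        srcache_store_statuses 200 301 302;

        srcache_fetch GET /memc $uri;
        srcache_store PUT /memc $uri;

        proxy_pass http://apache_backend;
    }
}
```

With this layout, an anonymous request to a protected path still reaches Apache and receives its 401, while an authenticated request is served fresh from Apache on every call.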