Closed Raboo closed 4 years ago
@Raboo I don't think we cache 401 by default. See
https://github.com/openresty/srcache-nginx-module#srcache_store_statuses
@agentzh that may be true and not the issue here, a succeeded login is cached. So an unauthenticated user can see the content behind a password protected page.
The Apache HTTPD appears to set a header vary: Authorization. Perhaps that can be used to skip cache.
This seems to work
srcache_fetch_skip $http_authorization;
srcache_store_skip $http_authorization;
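The two skip directives from the comment above, placed in a complete pair of location blocks. This is an added example, not configuration posted in the thread or taken from the project; the memcached storage location, the backend address and the cache key are assumptions.

```nginx
# Added example. Goes inside the server block that fronts the Apache backend.

# Internal storage endpoint for srcache (assumes memc-nginx-module and a
# memcached instance on 127.0.0.1:11211).
location = /memc {
    internal;
    set $memc_key $query_string;
    set $memc_exptime 300;
    memc_pass 127.0.0.1:11211;
}

location / {
    # Cache key built from the URI only: it does not distinguish an
    # authenticated request from an anonymous one. That is why a response
    # stored after a successful login was replayed to everyone.
    set $key $uri$args;

    srcache_fetch GET /memc $key;
    srcache_store PUT /memc $key;

    # 401 is not in this list, so the backend's challenge is never stored.
    srcache_store_statuses 200 301 302;

    # $http_authorization is empty when the client sent no Authorization
    # header. A value that is neither empty nor "0" makes srcache skip the
    # step, so requests carrying credentials
    #   - are never answered from the cache (fetch_skip), and
    #   - never have their response written to the cache (store_skip).
    srcache_fetch_skip $http_authorization;
    srcache_store_skip $http_authorization;

    # Assumed address of the Apache instance that enforces Basic Auth.
    proxy_pass http://127.0.0.1:8080;
}
```

Entries stored before the change stay in the cache until they expire or are purged, so clear the store when rolling this out. The skip variable only covers credentials sent in the Authorization header; a backend that authenticates by session cookie needs a skip condition built from that cookie instead.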
Hi,
I'm wondering how to not cache an authorized response? I have openresty that does a proxy_pass to an apache. That apache has a site with a .htaccess file that enables Basic Auth (via ldap). So if I do
and
I get same content. But the second curl should actually respond with a 401 Unauthorized. So the first response gets cached, and the subsequent request gets its response from the cache.
If I allow the cache to expire, running curl https://mysite.com/ responds with a 401 Unauthorized.
How can I configure srcache so it doesn't allow authorized responses to a non-authorized client?