Re: [Patch 30399] New directive CacheIgnoreHeaders to prevent user defined headers from being stored by mod_cache

[r . pluem]

[..cut..]
Hi all,
I recently noticed that we now have two votes (one from Justin and one from Bill, btw: thanks Bill) for backporting the
patch for report 30399 to 2.0.x.
As I and Dick Snippe (see http://mail-archives.apache.org/eyebrowse/[EMAIL PROTECTED]msgNo=97403) 

would like to see this patch backported I am just asking if someone has some 
time (ok, wrong approach :-)) to have a
look at the patch such that it can possibly receive a third +1. Maybe Nick who 
responded to Dicks posting or maybe
the person who added a +0 for this patch to the status file?
To ease the work of backporting I just attached a version of the patch against 2.0.53 to the report 30399. 

Thanks and regards
Rüdiger

Re: [Patch 30399] New directive CacheIgnoreHeaders to prevent user defined headers from being stored by mod_cache

[Dick Snippe]

On Thu, Dec 30, 2004 at 09:23:39PM +, Nick Kew wrote:

 On Thu, 30 Dec 2004, Dick Snippe wrote:
 
  cachable pages. Prior to apache 2.0.50 this wasn't a very big issue; these
  pages would be cached, many people would be using the same cookie and that
  was that. However, after apache-2.0.50 apache would store cookies as well.
  This resulted in storing multiple cookies for the same web page which
  confused tomcat to the point of breaking.
 
 Can you not work around this with your own Header set directives to
 override your application's cookies with the proxy's own, or indeed
 unset them?

I tried that once, but I never got it working. Simply unset all Set-Cookie
headers doesn't work, because that would also remove them at places where
they're needed (typically for Cache-Control: private pages that use
cookies to track login status etc.)
So, I'd need to unset them only for cachable pages.
Using mod_headers I don't see how this could be done.
An environment variable would need to be set. But SetEnvIf can only look at
the request headers; not at the response headers.
Perhaps if SetEnvIf could look at the response headers generated by the
origin server (tomcat in this case) it'd be possible to emulate all the
cachability tests in mod_cache.c But frankly, I'd rather not go there.

  Fortunately the CacheIgnoreHeaders patch solves exactly this problem for us!
  We use it in production on rather busy sites and it works perfectly.
  Since I'd rather use regular apache-2.0.x versions instead of CVS checkouts,
  I'd like to see this patch backported to 2.0.x, please.
 
 Nothing against backporting the patch, but I'd need to review it before
 voting +1 (as opposed to +0).

All I can say is that it works perfectly for us.

-- 
Dick Snippe - Publieke Omroep Internet Services
Mediacentrum kamer 138 Sumatralaan 45 Hilversum  \ fight war
tel +31 35 6774252, email [EMAIL PROTECTED] []()   \ not wars

Re: [Patch 30399] New directive CacheIgnoreHeaders to prevent user defined headers from being stored by mod_cache

[Dick Snippe]

On Sat, Oct 23, 2004 at 10:46:52AM -0700, Justin Erenkrantz wrote:

 --On Friday, October 15, 2004 10:48 AM +0200 R?diger Pl?m 
 [EMAIL PROTECTED] wrote:
 
 please find attached a new more general approch to prevent cookies from
 being stored in the cache.
 As proposed by Justin I replaced my original CacheStoreCookies directive
 with the more
 general CacheIgnoreHeaders directive. So far I only tested it for myself.
 If someone could test / have a look at it, it would be nice and 
 appreciated.
 Meanwhile I try to
 get additional testers and will report about the results later.
 
 Looks good.  I committed a variant of the patch to HEAD, and have proposed 
 it for backport to 2.0.x.  Thanks!  -- justin

I'd like to see this patch backported to 2.0.x as well.

At our jsp sites (approx 6 million hits per day) we use apache as a reverse
caching proxy for tomcat. Tomcat (that is to say: the j2ee spec) more or
less insists on creating sessions for everything. Often, web-applications
built by third parties don't get all the details of setting http caching
headers exactly right (if at all,..) So, we often see Set-cookie headers on
cachable pages. Prior to apache 2.0.50 this wasn't a very big issue; these
pages would be cached, many people would be using the same cookie and that
was that. However, after apache-2.0.50 apache would store cookies as well.
This resulted in storing multiple cookies for the same web page which
confused tomcat to the point of breaking.
Because of this we're more or less forced to keep on using 2.0.49 until all
webapps are fixed. Most webapps however will probably never be fixed, so we
may have to resort to extrema measures as putting apache-2.0.52 in front of
apache-2.0.49, as in:
internet--2.0.52[without caching]--2.0.49[with caching]--tomcat

Fortunately the CacheIgnoreHeaders patch solves exactly this problem for us!
We use it in production on rather busy sites and it works perfectly.
Since I'd rather use regular apache-2.0.x versions instead of CVS checkouts,
I'd like to see this patch backported to 2.0.x, please.

-- 
Dick Snippe - Publieke Omroep Internet Services
Mediacentrum kamer 138 Sumatralaan 45 Hilversum  \ fight war
tel +31 35 6774252, email [EMAIL PROTECTED] []()   \ not wars

Re: [Patch 30399] New directive CacheIgnoreHeaders to prevent user defined headers from being stored by mod_cache

[Nick Kew]

On Thu, 30 Dec 2004, Dick Snippe wrote:

 cachable pages. Prior to apache 2.0.50 this wasn't a very big issue; these
 pages would be cached, many people would be using the same cookie and that
 was that. However, after apache-2.0.50 apache would store cookies as well.
 This resulted in storing multiple cookies for the same web page which
 confused tomcat to the point of breaking.

Can you not work around this with your own Header set directives to
override your application's cookies with the proxy's own, or indeed
unset them?

I'm not suggesting this as an alternative to the patch, but rather as
a workaround that'll fix it for you with httpd-2.0.5x as-is now.

 Fortunately the CacheIgnoreHeaders patch solves exactly this problem for us!
 We use it in production on rather busy sites and it works perfectly.
 Since I'd rather use regular apache-2.0.x versions instead of CVS checkouts,
 I'd like to see this patch backported to 2.0.x, please.

Nothing against backporting the patch, but I'd need to review it before
voting +1 (as opposed to +0).

-- 
Nick Kew

Re: [Patch 30399] New directive CacheIgnoreHeaders to prevent user defined headers from being stored by mod_cache

[Justin Erenkrantz]

--On Friday, October 15, 2004 10:48 AM +0200 Rüdiger Plüm 
[EMAIL PROTECTED] wrote:

please find attached a new more general approch to prevent cookies from
being stored in the cache.
As proposed by Justin I replaced my original CacheStoreCookies directive
with the more
general CacheIgnoreHeaders directive. So far I only tested it for myself.
If someone could test / have a look at it, it would be nice and appreciated.
Meanwhile I try to
get additional testers and will report about the results later.
Looks good.  I committed a variant of the patch to HEAD, and have proposed it 
for backport to 2.0.x.  Thanks!  -- justin

[Patch 30399] New directive CacheIgnoreHeaders to prevent user defined headers from being stored by mod_cache

[Rüdiger Plüm]

Hi all,
please find attached a new more general approch to prevent cookies from being stored 
in the cache.
As proposed by Justin I replaced my original CacheStoreCookies directive with the more
general CacheIgnoreHeaders directive. So far I only tested it for myself.
If someone could test / have a look at it, it would be nice and appreciated. Meanwhile 
I try to
get additional testers and will report about the results later.
Regards
Rüdiger
diff -Nrup httpd-2.0.52.orig/docs/manual/mod/mod_cache.xml 
httpd-2.0.52/docs/manual/mod/mod_cache.xml
--- httpd-2.0.52.orig/docs/manual/mod/mod_cache.xml 2004-04-17 20:43:37.0 
+0200
+++ httpd-2.0.52/docs/manual/mod/mod_cache.xml  2004-10-14 23:11:39.0 +0200
@@ -332,4 +332,57 @@ will complete caching the file even if t
 /usage
 /directivesynopsis
 
+directivesynopsis
+nameCacheIgnoreHeaders/name
+descriptionDo not store the given HTTP header(s) in the cache.
+/description
+syntaxCacheIgnoreHeaders varheader-string/var [varheader-string/var] 
.../syntax
+defaultCacheIgnoreHeaders None/default
+contextlistcontextserver config/contextcontextvirtual host/context
+/contextlist
+
+usage
+pAccording to RFC 2616 only hop-by-hop HTTP headers are not stored in
+the cache. The following HTTP headers are hop-by-hop headers and thus
+do not get stored in the cache in emany/em case regardless of the
+setting of directiveCacheIgnoreHeaders/directive:/p
+
+ul
+  licodeConnection/code/li
+  licodeKeep-Alive/code/li
+  licodeProxy-Authenticate/code/li
+  licodeProxy-Authorization/code/li
+  licodeTE/code/li
+  licodeTrailers/code/li
+  licodeTransfer-Encoding/code/li
+  licodeUpgrade/code/li
+/ul
+
+pdirectiveCacheIgnoreHeaders/directive allows to add additional HTTP
+headers that should not to be stored in the cache. For example it makes
+sense in some cases to prevent cookies from being stored in the cache./p
+
+pdirectiveCacheIgnoreHeaders/directive takes a space separated list
+of HTTP headers that should not be stored in the cache. If all none
+hop-by-hop headers should be stored in the cache (RFC 2616 compliant
+behaviour), directiveCacheIgnoreHeaders/directive can be set to
+codeNone/code./p
+
+exampletitleExample 1/title
+  CacheIgnoreHeaders Set-Cookie
+/example
+
+exampletitleExample 2/title
+  CacheIgnoreHeaders None
+/example
+
+note type=warningtitleWarning:/title
+  If headers like codeExpires/code that are needed for the cache
+  management are not stored due to a
+  directiveCacheIgnoreHeaders/directive setting, the behaviour of
+  mod_cache is undefined.
+/note
+/usage
+/directivesynopsis
+
 /modulesynopsis
diff -Nrup httpd-2.0.52.orig/modules/experimental/cache_util.c 
httpd-2.0.52/modules/experimental/cache_util.c
--- httpd-2.0.52.orig/modules/experimental/cache_util.c 2004-08-26 18:59:44.0 
+0200
+++ httpd-2.0.52/modules/experimental/cache_util.c  2004-10-14 20:28:48.0 
+0200
@@ -21,6 +21,8 @@
 
 /* -- */
 
+extern module cache_module;
+
 /* return true if the request is conditional */
 CACHE_DECLARE(int) ap_cache_request_is_conditional(request_rec *r)
 {
@@ -517,8 +519,13 @@ CACHE_DECLARE(char *)generate_name(apr_p
  * headers table that are allowed to be stored in a cache.
  */
 CACHE_DECLARE(apr_table_t *)ap_cache_cacheable_hdrs_out(apr_pool_t *pool,
-apr_table_t *t)
+apr_table_t *t,
+server_rec *s)
 {
+cache_server_conf *conf;
+char **header;
+int i;
+
 /* Make a copy of the headers, and remove from
  * the copy any hop-by-hop headers, as defined in Section
  * 13.5.1 of RFC 2616
@@ -533,5 +540,14 @@ CACHE_DECLARE(apr_table_t *)ap_cache_cac
 apr_table_unset(headers_out, Trailers);
 apr_table_unset(headers_out, Transfer-Encoding);
 apr_table_unset(headers_out, Upgrade);
+conf = (cache_server_conf *)ap_get_module_config(s-module_config,
+ cache_module);
+/* Remove the user defined headers set with CacheIgnoreHeaders.
+ * This may break RFC 2616 compliance on behalf of the users wish.
+ */
+header = (char **)conf-ignore_headers-elts;
+for (i = 0; i  conf-ignore_headers-nelts; i++) {
+apr_table_unset(headers_out, header[i]);
+}
 return headers_out;
 }
diff -Nrup httpd-2.0.52.orig/modules/experimental/mod_cache.c 
httpd-2.0.52/modules/experimental/mod_cache.c
--- httpd-2.0.52.orig/modules/experimental/mod_cache.c  2004-08-26 18:59:44.0 
+0200
+++ httpd-2.0.52/modules/experimental/mod_cache.c   2004-10-14 20:28:48.0 
+0200
@@ -749,6 +749,9 @@ static void * create_cache_config(apr_po
 ps-no_last_mod_ignore = 0;