Hello! On Thu, May 09, 2024 at 08:11:26PM +0300, Christos Chatzaras wrote:
> Hello,
>
> I want to bypass cache if PHPSESSID exists.
>
> I have this configuration:
>
> http {
> fastcgi_cache_path /tmpfs/cache levels=1:2 keys_zone=fastcgicache:10m
> inactive=10m max_size=1024m;
> fastcgi_cache_key $device_type$scheme$request_method$host$request_uri;
> fastcgi_cache_min_uses 1;
> fastcgi_cache fastcgicache;
> fastcgi_cache_valid 200 301 10s;
> fastcgi_cache_valid 302 1m;
> fastcgi_cache_valid 404 5m;
> fastcgi_cache_lock on;
> fastcgi_cache_lock_timeout 8000;
> fastcgi_pass_header Set-Cookie;
> fastcgi_pass_header Cookie;
> fastcgi_ignore_headers Cache-Control Expires Set-Cookie;

Note that you ignore Set-Cookie here, so responses with the Set-Cookie response headers from the upstream server are expected to be cached.

> fastcgi_no_cache $no_cache;
> fastcgi_cache_bypass $no_cache;

[...]

> if ($http_cookie ~* "_mcnc|PHPSESSID") {
> set $no_cache "1";
> }

And the $no_cache variable is set based on the Cookie request header, not the upstream server response headers.

[...]

> When I repeatedly run curl, the content is fetched from the
> cache, and the Set-Cookie header always contains
> "PHPSESSID=604e406c1c7a6ae061bf6ce3806d5eee", leading to session
> leakage:
>
> curl -I https://example.com
> HTTP/1.1 200 OK
> Server: nginx
> Date: Thu, 09 May 2024 16:37:15 GMT
> Content-Type: text/html; charset=UTF-8
> Connection: keep-alive
> Vary: Accept-Encoding
> Set-Cookie: PHPSESSID=604e406c1c7a6ae061bf6ce3806d5eee; path=/
> Expires: Thu, 19 Nov 1981 08:52:00 GMT
> Cache-Control: no-store, no-cache, must-revalidate
> Pragma: no-cache
> X-Cache: HIT
>
> Any idea what's wrong with my configuration?

Your configuration explicitly permits caching of such responses due to the "fastcgi_ignore_headers" directive you use. Consider removing it.

-- 
Maxim Dounin
http://mdounin.ru/

-- 
nginx mailing list
nginx@freenginx.org
https://freenginx.org/mailman/listinfo/nginx
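As an added illustration of the fix Maxim describes (this is editor-supplied example configuration, not the poster's file and not a config from the thread), the block below keeps the request-side bypass on the session cookie but drops the response-side fastcgi_ignore_headers line, so nginx's default rule applies and a backend response carrying Set-Cookie (or Cache-Control: no-store / no-cache / private) is never written to the cache. The server block, the php-fpm socket path, the server_name and the $device_type variable (which the original key references but the excerpt never defines, so it is left out) are assumptions.

```nginx
http {
    fastcgi_cache_path /tmpfs/cache levels=1:2 keys_zone=fastcgicache:10m
                       inactive=10m max_size=1024m;

    # Request side: a session cookie on the request means "ask the backend",
    # the same intent as the poster's if-block, expressed as a map so $no_cache
    # is evaluated once per request.
    map $http_cookie $no_cache {
        default                 0;
        "~*(_mcnc|PHPSESSID)"   1;
    }

    server {
        listen 80;
        server_name example.com;                 # assumed host

        location ~ \.php$ {
            fastcgi_pass unix:/run/php-fpm.sock; # assumed socket path
            include fastcgi_params;

            fastcgi_cache fastcgicache;
            fastcgi_cache_key $scheme$request_method$host$request_uri;
            fastcgi_cache_min_uses 1;
            fastcgi_cache_valid 200 301 10s;
            fastcgi_cache_valid 302 1m;
            fastcgi_cache_valid 404 5m;
            fastcgi_cache_lock on;
            fastcgi_cache_lock_timeout 8000;

            # Skip the cache lookup and the cache store for requests that
            # already carry a session cookie.
            fastcgi_no_cache     $no_cache;
            fastcgi_cache_bypass $no_cache;

            # Response side. The original config had
            #     fastcgi_ignore_headers Cache-Control Expires Set-Cookie;
            # which told nginx to store a response even when the backend set a
            # cookie or sent Cache-Control: no-store. With no
            # fastcgi_ignore_headers directive at all, nginx will not store a
            # response that carries Set-Cookie, so a fresh PHPSESSID issued to
            # one anonymous visitor cannot be replayed to the next one.
            # If Cache-Control/Expires genuinely have to be ignored for some
            # other endpoint, list only those and never Set-Cookie:
            #     fastcgi_ignore_headers Cache-Control Expires;

            # Expose the cache decision so a HIT next to a Set-Cookie header
            # is visible in curl -I output, as in the poster's test.
            add_header X-Cache $upstream_cache_status;
        }
    }
}
```

After reloading, repeating the poster's curl -I against a page that starts a PHP session should show X-Cache: MISS or BYPASS on every response and a different PHPSESSID each time; a HIT together with a Set-Cookie header is the symptom that the response-side ignore list still contains Set-Cookie.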