I want to use Edge Side Includes with Varnish in a website where users can view pages both unauthenticated and authenticated. Some of these includes have the same content regardless of the authentication state of the user, so I would like these responses to be cached by Varnish.
Varnish by default doesn't cache anything when either the client sends a Cookie header, or the server responds with a Set-Cookie header. The problem here is that most requests will contain a session cookie, and if not, the application will set one.

Now my idea is to override vcl_fetch so that it returns 'lookup' instead of 'pass' for any request to Symfony's _internal route. The default is this:

    if (req.http.Authorization || req.http.Cookie) {
        /* Not cacheable by default */
        return (pass);
    }

I could change it into something like this:

    /* req.url holds the request path; req.request is the HTTP method */
    if (req.http.Authorization || (req.http.Cookie && req.url !~ "^/_internal/")) {
        /* Not cacheable by default */
        return (pass);
    }

This would make anything with a Cookie non-cacheable, _except_ requests to Symfony's internal ESI route. I would of course have to make sure only to return caching-headers for the content that does NOT depend on any cookies sent by the client (i.e. stateless actions).

In order for this to work, I would have to make sure that the application also doesn't respond with any cookies for the cacheable content, because that would still prevent caching. Would simply switching off session.auto_start do the trick here? My understanding is that with auto_start disabled, the application would only send a cookie when a session is needed. Some testing seems to show that my application indeed doesn't set a cookie on the client's first request then, like it would normally do if auto_start was enabled. Is there anything 'under the hood' in Symfony that could still trigger a session start?

A second approach I came up with is having Varnish simply unset the Cookie and Set-Cookie headers if the request matches a subset of the internal routes, but that would require a white-list of cacheable URLs in Varnish, which I think is not really nicely decoupled.
I was thinking I could perhaps add a parameter to the route like this:

    {% render 'AcmeDemoBundle:Demo:test' with {'cacheable' : true}, {'standalone': true} %}

and then have Varnish check for the presence of this parameter in the request and decide whether or not to cache the response based on that. Would this be a good idea or am I overlooking something?

Which of these approaches seems like the best one? Or perhaps someone can suggest a better solution?
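
The first approach from the post, written out as a Varnish configuration with a guard that keeps per-user fragments out of the shared cache. This is an added example, not part of the original post; it assumes Varnish 3.0 VCL syntax and the /_internal/ prefix named in the post, and the 120s hit-for-pass lifetime is an arbitrary choice.

```vcl
# Added example (assumption: Varnish 3.0 syntax, ESI fragments under /_internal/).

sub vcl_recv {
    # Allow a cache lookup for ESI fragment requests even when the client
    # sent a session cookie. Authorization still forces a pass, and only
    # GET/HEAD are eligible.
    if (req.url ~ "^/_internal/" &&
        !req.http.Authorization &&
        (req.request == "GET" || req.request == "HEAD")) {
        return (lookup);
    }
    # Everything else falls through to the built-in vcl_recv, which
    # passes any request carrying Cookie or Authorization.
}

sub vcl_fetch {
    if (req.url ~ "^/_internal/") {
        # The lookup above ignored the client's cookie, so the cached
        # object is shared between all users. Refuse to store a fragment
        # that starts a session, is marked non-shareable, or carries no
        # positive TTL from the backend's caching headers.
        if (beresp.http.Set-Cookie ||
            beresp.http.Cache-Control ~ "(private|no-cache|no-store)" ||
            beresp.ttl <= 0s) {
            # Remember the decision so later requests for this fragment
            # go straight to the backend with the user's own cookie.
            set beresp.ttl = 120s;
            return (hit_for_pass);
        }
    }
    # Cacheable fragments continue into the built-in vcl_fetch.
}
```

With this in place a fragment is stored only when the backend explicitly marks it cacheable and sets no cookie; a stateful fragment that accidentally omits its no-cache headers but starts a session is still kept out of the cache by the Set-Cookie check.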