Thanks Reindl for highlighting the risk. I have modified it to eliminate
the risk factor.
On 2/5/2016 12:20 AM, Reindl Harald wrote:
On 04.02.2016 at 20:15, Muhammad Faisal wrote:
*Hi James,*
I'm sorry I couldn't get. I have set
"proxy.config.http.cache.required_headers" to 0 so that everything gets
cached regardless of the header condition since the origin server
response is not under our control. This is what I understood from the
parameter description and set it accordingly.
* 0 = no headers required to make document cacheable
* 1 = either the Last-Modified header, or an explicit lifetime
header, Expires or Cache-Control:max-age, is required
* 2 = explicit lifetime is required, Expires or Cache-Control:max-age
that's probably a dangerous game when it comes to session-cookies
(typically headers) and you ignore "Cache-Control: private" which
should be set by any sane application when it's aware that there is a
user login active
the most possible harm which can happen on a proxy is cache private
and sensible data while deliver it to the wrong user / client
you need to get the origin server somehow under your control and if
that means "talk to the admin on the other side" so be it
On 2/5/2016 12:01 AM, James Peach wrote:
On Feb 4, 2016, at 10:36 AM, Muhammad Faisal<[email protected]>
wrote:
Hi James,
In the configurations the proxy.config.http.cache.required_headers
is set to 0. No header configuration required, it means cache
everything regardless of the headers. Am I right? Should I change
it to 1?
Emitting a Cache-Control header is the best approach. Failing that
setting required_headers is an option. I have found the xdebug
plugin helpful for debugging this sort of problem.
On 2/4/2016 9:19 PM, James Peach wrote:
On Jan 30, 2016, at 6:19 AM, Muhammad
Faisal<[email protected]> wrote:
Required Heads:
GET /project/filezilla/FileZilla_Client/3.11.0.2/FileZilla_3.11.0.2_win64-setup.exe HTTP/1.1
Host: netix.dl.sourceforge.net
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate, sdch
Accept-Language: en-US,en;q=0.8
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2526.111 Safari/537.36
HTTP/1.1 200 OK
Accept-Ranges: bytes
Content-Length: 6477032
Content-Type: application/octet-stream
Date: Sat, 30 Jan 2016 14:15:45 GMT
ETag: "62d4e8-5178afaba6ac0"
Last-Modified: Tue, 02 Jun 2015 15:56:03 GMT
Server: Apache/2.4.6 (CentOS)
You have a Last-Modified but no Cache-Control, so set
proxy.config.http.cache.required_headers=1.
https://docs.trafficserver.apache.org/en/latest/admin-guide/files/records.config.en.html#proxy-config-http-cache-required-headers
I don't see any cache control header in the URL
On 1/30/2016 6:40 AM, Reindl Harald wrote:
On 29.01.2016 at 20:46, Muhammad Faisal wrote:
sorry for being dumb but how to check the header from origin?
On 1/30/2016 12:41 AM, Miles Libbey wrote:
No -- from the origin. My real question is, are you sure that
url is
set to be cacheable?
curl --head <url>
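
Added example, not part of the thread and not Traffic Server's own code: a small Python audit that models the three required_headers levels quoted above and, separately, reports per-user markers (Cache-Control: private or no-store, Set-Cookie) in an origin response. The first sample is the response quoted in the thread, the second is constructed, and all function names are hypothetical.

```python
# Simplified model of the required_headers levels as described in the thread.
SOURCEFORGE_RESPONSE = """HTTP/1.1 200 OK
Accept-Ranges: bytes
Content-Length: 6477032
Content-Type: application/octet-stream
Date: Sat, 30 Jan 2016 14:15:45 GMT
ETag: "62d4e8-5178afaba6ac0"
Last-Modified: Tue, 02 Jun 2015 15:56:03 GMT
Server: Apache/2.4.6 (CentOS)"""

# Constructed sample: a logged-in page that a shared cache must not store.
LOGIN_RESPONSE = """HTTP/1.1 200 OK
Content-Type: text/html
Cache-Control: private
Set-Cookie: SESSIONID=constructed-value; HttpOnly"""

def parse_headers(raw):
    """Map lower-cased header names to their values, skipping the status line."""
    headers = {}
    for line in raw.strip().splitlines()[1:]:
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers

def cache_directives(headers):
    """Lower-cased Cache-Control directive names present in the response."""
    names = set()
    for value in headers.get("cache-control", []):
        for part in value.split(","):
            key = part.strip().partition("=")[0].lower()
            if key:
                names.add(key)
    return names

def strictest_level_met(headers):
    """Highest required_headers value (0, 1 or 2) the response satisfies."""
    if "expires" in headers or "max-age" in cache_directives(headers):
        return 2  # explicit lifetime
    return 1 if "last-modified" in headers else 0

def audit(raw, required_headers):
    """Check the header requirement and list markers of per-user content."""
    headers = parse_headers(raw)
    markers = sorted(cache_directives(headers) & {"private", "no-store"})
    if "set-cookie" in headers:
        markers.append("set-cookie")
    return {"meets_required_headers": strictest_level_met(headers) >= required_headers,
            "per_user_markers": markers}
```

Running `audit` over headers captured with `curl --head` shows which origin responses only pass at level 0 and which of those carry per-user markers.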