> On Feb 4, 2016, at 12:20 PM, Reindl Harald <[email protected]> wrote:
>
> On 04.02.2016 at 20:15, Muhammad Faisal wrote:
>> *Hi James,*
>> I'm sorry I couldn't get. I have set
>> "proxy.config.http.cache.required_header" to 0 so that everything gets
>> cached regardless of the header condition since the origin server
>> response is not under our control. This is what I understood from the
>> parameter description and set it accordingly.
>>
>> * |0| = no headers required to make document cacheable
>> * |1| = either the |Last-Modified| header, or an explicit lifetime
>>   header, |Expires| or |Cache-Control:max-age|, is required
>> * |2| = explicit lifetime is required, |Expires| or |Cache-Control:max-age|
>
> that's probably a dangerous game when it comes to session-cookies (typically
> headers) and you ignore "Cache-Control: private" which should be set by any
> sane application when it's aware that there is a user login active
>
> the most possible harm which can happen on a proxy is cache private and
> sensible data while deliver it to the wrong user / client
>
> you need to get the origin server somehow under your control and if that
> means "talk to the admin on the other side" so be it

+1. Beat the origins into submission! :-)

If that still doesn’t work, what I typically do is use header_rewrite to make the responses from those misbehaving origin(s) reasonable, but this can also be difficult. But in almost all cases, I leave proxy.config.http.cache.required_header at “2”.

Cheers,

— leif
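
Added example, not part of the thread and not Traffic Server code: a small model of the three proxy.config.http.cache.required_header levels as quoted above, run over constructed origin responses to show which ones only level 0 would admit. The `looks_per_user` heuristic and the sample URLs and headers are assumptions, and only the header-presence check is modelled, not Traffic Server's other cacheability rules.

```python
import re


def has_explicit_lifetime(headers):
    """True if the response carries Expires or Cache-Control: max-age."""
    cc = headers.get("cache-control", "")
    return "expires" in headers or bool(re.search(r"\bmax-age\s*=\s*\d+", cc, re.I))


def meets_required_header(headers, level):
    """Level semantics taken from the parameter description quoted in the thread."""
    if level == 0:
        return True  # no headers required
    if level == 1:
        return "last-modified" in headers or has_explicit_lifetime(headers)
    if level == 2:
        return has_explicit_lifetime(headers)
    raise ValueError("level must be 0, 1 or 2")


def looks_per_user(headers):
    """Assumed heuristic: Set-Cookie or Cache-Control private/no-store."""
    cc = headers.get("cache-control", "")
    directives = {d.strip().split("=")[0].lower() for d in cc.split(",")}
    return "set-cookie" in headers or bool(directives & {"private", "no-store"})


def audit(responses):
    """For each (url, headers) pair, list admitting levels and the per-user flag."""
    report = []
    for url, raw in responses:
        h = {k.lower(): v for k, v in raw.items()}
        levels = [lvl for lvl in (0, 1, 2) if meets_required_header(h, lvl)]
        report.append({"url": url, "levels": levels, "per_user": looks_per_user(h)})
    return report


# Constructed sample responses (hypothetical URLs and header values).
SAMPLE = [
    ("/static/app.js", {"Cache-Control": "public, max-age=3600"}),
    ("/account", {"Set-Cookie": "SESSION=example; HttpOnly"}),
    ("/report.pdf", {"Last-Modified": "Wed, 03 Feb 2016 10:00:00 GMT"}),
    ("/profile", {"Cache-Control": "private"}),
]

if __name__ == "__main__":
    for row in audit(SAMPLE):
        only_zero = row["levels"] == [0]
        note = "REVIEW" if only_zero and row["per_user"] else ""
        print(f'{row["url"]:16} levels={row["levels"]} per_user={row["per_user"]} {note}')
```

Rows marked REVIEW are responses that pass the header check only at level 0 and also look user-specific; those are the origins to fix or to normalise before relaxing the setting.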
