You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@httpd.apache.org by Graham Leggett <mi...@sharp.fm> on 2002/08/01 08:38:06 UTC

Re: quick_handler hook is completely bogus.

Eidelman, Brian wrote:

> The only safe way you can determine what content is safe to cache is by
> having a robust set of configurable rules in your caching module (or proxy)
> that allows a site administrator to set rules that determine what is safe to
> cache.

The cache already has configuration directives so that you can choose 
which URL spaces are cached, and which are not, and how 
(disk/memory/shared/etc).

> I agree with Graham's notion that any hook designed primarily for caching
> should be moved to after the access control hooks.

I'm now on the fence on this one. The cache is supposed to be layered on 
top of Apache. By moving bits of Apache "in front of" the cache, the 
whole point behind caching is lost. But the point remains that it allows 
it to short circuit the auth stuff, which may not be what people expect 
- but - you're likely to have other caches between browser and Apache 
anyway, so I don't think it will make any difference, the end user will 
still have to force-reload to see the results regardless.

> I think the direct
> performance impact will be minimal and easily made up for by the fact that
> you will be able to cache more content since you will no longer be
> constrained by whether or not the content is protected (only by whether or
> not it is dynamic for each user/request).  

Some permission mechanisms (directory or database for example) are 
expensive too.

However, in order to support caching of different variants depending on 
user, the request will need to be preauthenticated to be safe, otherwise 
a suitably created request could coax a response out of the cache for 
another user.

> Additionally, I'd like to point out that total reliance on cache control
> headers is not a good option.

You find caches in browsers, proxies, and (in Apache's case) webservers, 
and all these are governed by HTTP/1.1. I don't think we should start 
second guessing the protocol - otherwise we start introducing interop 
problems and HTTP goes out the window. I think relying on HTTP/1.1 is 
the only option.

As to applications supporting the cache-control headers, if they don't 
support the headers properly they won't work properly with existing 
software out there anyway, so support is not a problem.

> At the same time, an access control module
> may not want to set a do not cache header on every request because it might
> be acceptable (as described above) for a browser cache to cache a piece of
> content but not for mod_cache or a reverse proxy cache.

Cache-Control: private

Regards,
Graham
-- 
-----------------------------------------
minfrin@sharp.fm 
	"There's a moon
					over Bourbon Street
						tonight..."