You are viewing a plain text version of this content. The canonical link for it is here.

Posted to users@httpd.apache.org by Samuel Esposito <sa...@gmail.com> on 2009/08/28 09:21:58 UTC

[users@httpd] 304 http headers in apache proxy

Hi All,

I'm using the apache proxy balancer for balancing all requests on my
web application over a set of litespeed servers. Because this
web-application is integrated into another web application using an
iFrame, and because most of the users use IE 7.0, I have to set a P3P
CP="CAO PSA OUR" header in all http responses in order to maintain my
cookie on the browser. This P3P header is set by my application
framework, is served by litespeed and is proxied by apache.

However, when my application generates a 304 http response (NOT
MODIFIED) and litespeed send it to the apache proxy, apache seems to
remove the header. The consequence is that IE 7.0 drops my cookie and
my user is suddenly logged out.

Is there a way to prevent apache from modifying my 304 responses?

Best regards,

Samuel

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org

Re: [users@httpd] 304 http headers in apache proxy

Posted by Samuel Esposito <sa...@gmail.com>.

Hi Andre,

Thanks for your reply!

----------quote---------------
>    However, when my application generates a 304 http response (NOT
>    MODIFIED) and litespeed send it to the apache proxy, apache seems to
>    remove the header.

How did you make sure of this ?
----------unqoute------------

To check the http response headers, I used firebug in firefox. When I
only use litespeed to serve the application, I do get the P3P header
in the 304 reply. When I put the apache2 mod_proxy_balancer in front
of it, the header disappears. This is my proxy config:

####################################################
#
# test.myhost.com
#
####################################################
<VirtualHost x.x.x.x:x>
  ServerName ssl_test.myhost.com
  ServerAlias test.myhost.com
  DocumentRoot /var/www/myhost/test/public/
  SSLEngine On
  SSLProxyEngine On
  RewriteEngine On

  RewriteCond %{DOCUMENT_ROOT}/maintenance.html -f
  RewriteCond %{SCRIPT_FILENAME} !maintenance.html
  RewriteRule ^.*$ /maintenance.html [L]

  ProxyPass / balancer://ssl_test.myhost.com/
  ProxyPassReverse / balancer://ssl_test.myhost.com/

  ProxyPreserveHost on
  Header set X-Proxied Yes
  <Proxy balancer://ssl_test.myhost.com>
    BalancerMember http://x.x.x.x
  </Proxy>

  SSLCACertificateFile /var/www/ssl/myhost.com/ca.myhost.com.crt
  SSLCertificateFile /var/www/ssl/myhost.com/myhost.com.crt
  SSLCertificateKeyFile /var/www/ssl/myhost.com/myhost.key

  ErrorLog /var/www/log/myhost-error_log
  CustomLog /var/www/log/myhost-access_log combined
</VirtualHost>

quote
Which version of Apache are you using ?
unqoute
I'm using Apache/2.2.3 on a Debian Lenny machine


----------quote---------------
>  Because this
>  web-application is integrated into another web application using an
>  iFrame, and because most of the users use IE 7.0, I have to set a P3P
>  CP="CAO PSA OUR" header in all http responses in order to maintain my
>  cookie on the browser.

I never heard before of an obligation to set some P3P header to force
a browser to keep a cookie.
----------unqoute------------

I've been testing this for two days. Whenever a 304 response without a
P3P header is sent to IE7, my user is logged out because all cookie
data was cleared. When I sent a 304 response with the P3P header or
when I turned of caching using the apache proxy config beneath, the
application just worked fine. I'm not a big fan of this P3P stuff, but
its the only way to make IE7 work.

  BrowserMatch ^.*MSIE 7\.0.*$ ie
  Header unset ETag env=ie
  Header set Cache-Control "max-age=0, no-cache, no-store,
must-revalidate" env=ie
  Header set Pragma "no-cache" env=ie
  Header set Expires "Wed, 11 Jan 1984 05:00:00 GMT" env=ie


----------quote---------------
Looking at the HTTP RFC 2626, section "10.3.5 304 Not Modified", it
seems to say that the set of allowable HTTP headers for a 304 response
is quite limited.
----------unqoute------------
I'm aware or this RFC, and I will not deny that something seems to be
messed up here. Nevertheless I was hoping there is a way to make
apache proxy ignore this restriction as it is just forwarding the
responses of a third party.

Cheers,

Samuel

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org