Posted to users@httpd.apache.org by Anthony Dodson <an...@gmail.com> on 2010/12/08 23:37:42 UTC

[users@httpd] mod_cache - limit cache-control request headers to Admins only

Hello.

I am running apache 2.2.15. I would like to use mod_cache, and I need a good
way for SysAdmins to manually clear the cache for specific URLs when needed,
but not allow users to do so from their browser.

It seems that when a browser sends headers Cache-Control: no-cache or
Pragma: no-cache, mod_cache will go to the origin for the request and update
the cache. That is a great way for SysAdmins to update the cache manually,
but I want to protect the back-end application from malicious users (or just
well-meaning users) doing a "shift-reload", which makes browsers send
request headers like "max-age", "pragma", and/or "cache-control" and forcing
mod_cache to bypass/update the cache.

I tried using mod_headers and mod_setenvif to control the request headers. I
ran into problems there. I could not get the directives:
RequestHeader unset Pragma
RequestHeader unset Cache-Control
...to work unless I specified "early" at the end of the directive. It seems
that "early" is required in order for it to be processed before mod_cache
gets the call.

The problem, then, is that RequestHeader unset can have EITHER "early" or
"env" in the option part of the directive. "env" was the portion I planned
to use to limit stripping those request headers based on where they
originate, like this:
SetEnvIf Remote_Addr  my\.ip\.address\.or\.LAN LOCALCALL
RequestHeader unset Cache-Control env=!LOCALCALL
RequestHeader unset Pragma env=!LOCALCALL
I was hoping that would let me ONLY clear the cached object (manually and
on-demand) from the local system or network, and prevent users (remote) from
doing so via their browser request headers.

I think the combination of "SetEnvIf" and "RequestHeader unset" may be a
dead end for what I want to do (based on the exclusivity of "env" and
"early"). If not, please advise.

If that is a dead end, are there other ways to accomplish what I want to do?
If I set "CacheIgnoreCacheControl On", is there a sane way to update a
cached object based on its URL (without scanning the cache directory
structure, grepping header files for the URL and deleting the cache files,
which I consider insane)?

Is there a way to know the directory path to the cache files based on a
given URL? Can I replicate that hashing algorithm to create the directory
path and then "rm" the files? Or is that caching filename and path
impossible to determine?

Thanks,
Anthony


-- 
Anthony Dodson

Re: [users@httpd] mod_cache - limit cache-control request headers to Admins only

Posted by Igor Galić <i....@brainsware.org>.
----- "Anthony Dodson" <an...@gmail.com> wrote:

> Hello.
> 
> 
> I am running apache 2.2.15. I would like to use mod_cache, and I need
> a good way for SysAdmins to manually clear the cache for specific URLs
> when needed, but not allow users to do so from their browser.
> 
> 
> It seems that when a browser sends headers Cache-Control: no-cache or
> Pragma: no-cache, mod_cache will go to the origin for the request and
> update the cache. That is a great way for SysAdmins to update the
> cache manually, but I want to protect the back-end application from
> malicious users (or just well-meaning users) doing a "shift-reload",
> which makes browsers send request headers like "max-age", "pragma",
> and/or "cache-control" and forcing mod_cache to bypass/update the
> cache.
> 
> 
> I tried using mod_headers and mod_setenvif to control the request
> headers. I ran into problems there. I could not get the directives:
> RequestHeader unset Pragma
> RequestHeader unset Cache-Control
> ...to work unless I specified "early" at the end of the directive. It
> seems that "early" is required in order for it to be processed before
> mod_cache gets the call.
> 
> 
> The problem, then, is that RequestHeader unset can have EITHER "early"
> or "env" in the option part of the directive. "env" was the portion I
> planned to use to limit stripping those request headers based on where
> they originate, like this:
> SetEnvIf Remote_Addr my\.ip\.address\.or\.LAN LOCALCALL
> 
> RequestHeader unset Cache-Control env=!LOCALCALL
> RequestHeader unset Pragma env=!LOCALCALL
> I was hoping that would let me ONLY clear the cached object (manually
> and on-demand) from the local system or network, and prevent users
> (remote) from doing so via their browser request headers.
> 
> 
> I think the combination of "SetEnvIf" and "RequestHeader unset" may be
> a dead end for what I want to do (based on the exclusivity of "env"
> and "early"). If not, please advise.
> 
> 
> If that is a dead end, are there other ways to accomplish what I want

Pretty much, yeah.. mod_cache runs *really* early in the chain.

> to do? If I set "CacheIgnoreCacheControl On", is there a sane way to
> update a cached object based on its URL (without scanning the cache
> directory structure, grepping header files for the URL and deleting
> the cache files, which I consider insane)?
> 
> 
> Is there a way to know the directory path to the cache files based on
> a given URL? Can I replicate that hashing algorithm to create the
> directory path and then "rm" the files? Or is that caching filename
> and path impossible to determine?

htcacheclean from trunk has an option to delete URLs:
http://httpd.apache.org/docs/trunk/programs/htcacheclean.html#delete

The trouble is that it will likewise require mod_cache and mod_cache_disk
from trunk (yes, mod_cache_disk. The name changed.)

> Thanks,
> Anthony
> 
> 
> 
> --
> Anthony Dodson

i

-- 
Igor Galić

Tel: +43 (0) 664 886 22 883
Mail: i.galic@brainsware.org
URL: http://brainsware.org/
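
On the question above of deriving the on-disk path from a URL so that a purge can be done by a local admin with filesystem access rather than by request headers: the following is an added example, not part of the original thread and not code from the httpd project. It assumes the layout used by httpd 2.2's mod_disk_cache as understood from its source (MD5 of the cache key, a 22-character encoding, a CacheDirLevels/CacheDirLength split, ".header" and ".data" suffixes) and a cache key of the form scheme://host:port/path?query; the CacheRoot, key and directory settings shown are constructed placeholders, so compare the result with a real cache entry before removing anything.

```python
import hashlib

# Alphabet as in httpd's cache_hash() (assumption: a modified uuencoding, not base64).
ENC_TABLE = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789_@"


def encode_digest(digest: bytes) -> str:
    """Encode a 16-byte MD5 digest as 22 chars: 5 x (3 bytes -> 4 chars) + 1 byte -> 2 chars."""
    if len(digest) != 16:
        raise ValueError("expected a 16-byte MD5 digest")
    out = []
    for i in range(0, 15, 3):
        x = (digest[i] << 16) | (digest[i + 1] << 8) | digest[i + 2]
        out.extend(ENC_TABLE[(x >> s) & 0x3F] for s in (18, 12, 6, 0))
    last = digest[15]
    out.append(ENC_TABLE[last >> 2])            # top 6 bits of the final byte
    out.append(ENC_TABLE[(last << 4) & 0x3F])   # remaining 2 bits, left-aligned
    return "".join(out)


def split_levels(name: str, dir_levels: int, dir_length: int) -> str:
    """Cut the first dir_levels * dir_length characters into directory names."""
    if dir_levels < 0 or dir_length < 1 or dir_levels * dir_length > 20:
        raise ValueError("CacheDirLevels * CacheDirLength must not exceed 20")
    cut = dir_levels * dir_length
    dirs = [name[i:i + dir_length] for i in range(0, cut, dir_length)]
    return "/".join(dirs + [name[cut:]])


def cache_paths(cache_root: str, key: str, dir_levels: int, dir_length: int):
    """Return the (.header, .data) paths a given cache key would map to."""
    name = encode_digest(hashlib.md5(key.encode("utf-8")).digest())
    base = cache_root.rstrip("/") + "/" + split_levels(name, dir_levels, dir_length)
    return base + ".header", base + ".data"


if __name__ == "__main__":
    # Constructed sample values: CacheRoot, key and directory settings are placeholders.
    key = "http://www.example.com:80/index.html?"
    for path in cache_paths("/var/cache/apache2/mod_disk_cache", key, 3, 2):
        print(path)
```

Pass the same CacheDirLevels and CacheDirLength values that the running server is configured with; a mismatch yields a path that does not exist.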
