You are viewing a plain text version of this content. The canonical link for it is here.
Posted to cvs@httpd.apache.org by co...@apache.org on 2005/10/29 12:09:17 UTC
svn commit: r329390 - in /httpd/httpd/branches/2.2.x/docs/manual:
caching.xml mod/mod_cache.xml
Author: colm
Date: Sat Oct 29 03:09:12 2005
New Revision: 329390
URL: http://svn.apache.org/viewcvs?rev=329390&view=rev
Log:
Merge r329388 from trunk:
Document the mod_cache / mod_authz_host problem.
Modified:
httpd/httpd/branches/2.2.x/docs/manual/caching.xml
httpd/httpd/branches/2.2.x/docs/manual/mod/mod_cache.xml
Modified: httpd/httpd/branches/2.2.x/docs/manual/caching.xml
URL: http://svn.apache.org/viewcvs/httpd/httpd/branches/2.2.x/docs/manual/caching.xml?rev=329390&r1=329389&r2=329390&view=diff
==============================================================================
--- httpd/httpd/branches/2.2.x/docs/manual/caching.xml (original)
+++ httpd/httpd/branches/2.2.x/docs/manual/caching.xml Sat Oct 29 03:09:12 2005
@@ -319,6 +319,31 @@
<title>Security Considerations</title>
<section>
+ <title>Authorisation, Access & and Control</title>
+
+ <p>Using <module>mod_cache</module> is very much like having a built
+ in reverse-proxy. Requests will be served by the caching module unless
+ it determines that the backend should be queried. When caching local
+ resources, this drastically changes the security model of Apache.</p>
+
+ <p>As traversing a filesystem hierarchy to examine potential
+ <code>.htaccess</code> files would be a very expensive operation,
+ partially defeating the point of caching (to speed up requests),
+ <module>mod_cache</module> makes no decision about whether a cached
+ entity is authorised for serving. In other words; if
+ <module>mod_cache</module> has cached some content, it will be served
+ from the cache as long as that content has not expired.</p>
+
+ <p>If, for example, your configuration permits access to a resource by IP
+ address you should ensure that this content is not cached. You can do this by
+ using the <directive module="mod_cache">CacheDisable</directive>
+ directive, or <module>mod_expires</module>. Left unchecked,
+ <module>mod_cache</module> - very much like a reverse proxy - would cache
+ the content when served and then serve it to any client, on any IP
+ address.</p>
+ </section>
+
+ <section>
<title>Local exploits</title>
<p>As requests to end-users can be served from the cache, the cache
Modified: httpd/httpd/branches/2.2.x/docs/manual/mod/mod_cache.xml
URL: http://svn.apache.org/viewcvs/httpd/httpd/branches/2.2.x/docs/manual/mod/mod_cache.xml?rev=329390&r1=329389&r2=329390&view=diff
==============================================================================
--- httpd/httpd/branches/2.2.x/docs/manual/mod/mod_cache.xml (original)
+++ httpd/httpd/branches/2.2.x/docs/manual/mod/mod_cache.xml Sat Oct 29 03:09:12 2005
@@ -29,6 +29,14 @@
<identifier>cache_module</identifier>
<summary>
+ <note type="warning">This module should be used with care and
+ can be used to circumvent <directive
+ module="mod_authz_host">Allow</directive> and <directive
+ module="mod_authz_host">Deny</directive> directives. You
+ should not enable caching for any content to which you wish
+ to limit access by client host name, address or environment
+ variable.</note>
+
<p><module>mod_cache</module> implements an <a
href="http://www.ietf.org/rfc/rfc2616.txt">RFC 2616</a> compliant HTTP
content cache that can be used to cache either local or proxied content.