List:       apache-httpd-users
Subject:    [users@httpd] Caching of pages with HTTP authentication using mod_cache_disk and apache 2.4
From:       Rune Stilling <subs () rdfined ! dk>
Date:       2016-04-28 11:43:16
Message-ID: 797AB4FF-FD24-4730-B6E3-454541CC14D8 () rdfined ! dk

Hi list

I have an Apache web site serving REST-resources from a Tomcat server via proxypass. I
have set up the cache_disk_module so that resources are cached server side. My
httpd.conf looks like this:

 <IfModule cache_disk_module> 
  CacheDefaultExpire 300 
  CacheIgnoreNoLastMod On 
  CacheIgnoreQueryString Off 
  CacheIgnoreCacheControl On 
  CacheIgnoreHeaders Set-Cookie 
  CacheQuickHandler Off 
  CacheRoot "C:/Program Files (x86)/Apache Software Foundation/Apache24/cache" 
  CacheEnable disk / 
  CacheDirLevels 1 
  CacheDirLength 2 
 </IfModule> 

I have been experimenting with the Cache-Control response-header using either:

1) Cache-Control: public
2) Cache-Control: public, no-cache

If I use public only my basic http authentication page is cached including username
and password, so when just one client has authenticated, all clients are able to
access the page without authenticating.

If I use "public, no-cache" the protected page is never cached. The cache-log says
"cache miss: attempting entity save" every time.

The second solution as I read it is supposed to be the official way to do things:

"If you'd like such pages to be cacheable, but still authenticated for every user,
combine the Cache-Control: public and no-cache headers. This tells the cache that it
must submit the new client's authentication information to the origin server before
releasing the representation from the cache." (https://www.mnot.net/cache_docs/)

On the other hand I found an old post on list stating:

"An in any case, as you've noticed, it isn't supported at the moment."
(http://osdir.com/ml/httpd-apache/2006-12/msg00493.html)

So my question is: Is this feature still not supported in Apache
httpd/mod_cache_disk? Are there other ways to accomplish caching of basic
authentication protected resources without caching username and password?

With regards,
Rune
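
Added example, not part of the original message and not mod_cache's code: a toy shared cache that follows the RFC 7234 rules behind the mnot.net quote (section 3.2 on storing replies to requests with Authorization, section 5.2.2.2 on no-cache), run against the two Cache-Control values tried above. The origin, credentials, URL and validator are constructed for illustration, and expiry is not modelled.

```python
import base64

# Constructed sample data: credentials, body and validator are made up.
GOOD = "Basic " + base64.b64encode(b"alice:s3cret").decode()
BODY, ETAG = "secret report", '"v1"'

def directives(value):
    """Return the set of Cache-Control directive names in a header value."""
    return {p.split("=")[0].strip().lower() for p in value.split(",") if p.strip()}

def make_origin(cache_control):
    """Hypothetical origin: checks Basic auth on every request, honours If-None-Match."""
    def origin(headers):
        if headers.get("Authorization") != GOOD:
            return 401, {}, ""
        if headers.get("If-None-Match") == ETAG:
            return 304, {}, ""
        return 200, {"Cache-Control": cache_control, "ETag": ETAG}, BODY
    return origin

class SharedCache:
    """Toy shared cache; expiry is ignored, every stored entry counts as fresh."""
    def __init__(self, origin):
        self.origin, self.store, self.origin_hits = origin, {}, 0

    def get(self, url, headers):
        entry = self.store.get(url)
        if entry and "no-cache" not in entry["cc"]:
            return 200, entry["body"]      # reused; this client is never checked
        req = dict(headers)
        if entry:                          # no-cache: revalidate with THIS client's headers
            req["If-None-Match"] = entry["etag"]
        self.origin_hits += 1
        status, resp, body = self.origin(req)
        if status == 304:
            return 200, entry["body"]      # origin accepted the credentials
        cc = directives(resp.get("Cache-Control", ""))
        # RFC 7234 3.2: a reply to a request carrying Authorization is storable
        # by a shared cache only with public, must-revalidate or s-maxage.
        allowed = "Authorization" not in headers or cc & {"public", "must-revalidate", "s-maxage"}
        if status == 200 and allowed and not cc & {"no-store", "private"}:
            self.store[url] = {"cc": cc, "etag": resp["ETag"], "body": body}
        return status, body

def demo(cache_control):
    """Authenticated, anonymous, authenticated fetch; returns statuses and origin hits."""
    cache = SharedCache(make_origin(cache_control))
    requests = ({"Authorization": GOOD}, {}, {"Authorization": GOOD})
    return [cache.get("/report", h)[0] for h in requests], cache.origin_hits

if __name__ == "__main__":
    for cc in ("public", "public, no-cache", "max-age=300"):
        print(cc, demo(cc))
```

With "public" the anonymous request is answered from the cache, which is the exposure described in the message; with "public, no-cache" every request still reaches the origin for a credential check, and only the body transfer is saved.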

