My Squid reverse proxy returns the pages stored in cache by an anonymous
request even if the current request contains an Authorization http
header field.
Here's an example :
First, I get the page with an authenticated user (authentification on the web server, not Squid) :
% ab -A admin:secret http://my.server.org/sections
==> store.log <==
1077211219.602 RELEASE -1 FFFFFFFF ACB7146AAD80CF6756BDC297AA507537 200 1077211219 -1 -1 text/html 10345/10345 GET http://my.server.org/sections
==> access.log <==
1077211219.602 288 10.68.140.37 TCP_MISS/200 10671 GET http://my.server.org/sections - TIMEOUT_FIRST_UP_PARENT/localhost text/html
All is OK : the page is not stored in cache because I am authenticated
(and the server behind Squid doesn't return any Expires http header
field in this case).
Then I get the same page without any authentication :
% ab http://my.server.org/sections
==> store.log <==
1077211535.436 SWAPOUT 00 00000000 0DF0B2112C2A1E102AE22805E353EF2C 200 1077211535 -1 1077215135 text/html 6819/6819 GET http://my.server.org/sections
==> access.log <==
1077211535.501 225 10.68.140.37 TCP_MISS/200 7213 GET http://my.server.org/sections - FIRST_PARENT_MISS/localhost text/html
This is still OK, the page in stored in cache.
Then I redo the first request :
% ab -v 4 -A admin:secret http://my.server.org/sections
==> access.log <==
1077211621.273 16 10.68.140.37 TCP_MEM_HIT/200 7170 GET http://my.server.org/sections - NONE/- text/html
The page is taken from the cache (from the preceding request), which
is wrong in this case, because the pages for authenticated users are
different from those for anonymous ones.
How can I fix this problem, apart from using different protocols
(http/https) or virtual hosts (one for anonymous and one for authenticated) ?
Is there a way to detect the Authorization header field in an acl rule ?
-- Jérôme SAUTRET (Jerome@SAUTRET.org) http://SAUTRET.org Key 0x95D463F3 fingerprint 3B69 3B60 4D32 B8DF 2BF3 8035 5036 D41A 95D4 63F3Received on Thu Feb 19 2004 - 10:55:11 MST
This archive was generated by hypermail pre-2.1.9 : Mon Mar 01 2004 - 12:00:02 MST