httpd-cvs mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
Subject svn commit: r329388 - in /httpd/httpd/trunk/docs/manual: caching.xml mod/mod_cache.xml
Date Sat, 29 Oct 2005 10:07:06 GMT
Author: colm
Date: Sat Oct 29 03:07:01 2005
New Revision: 329388

Document the mod_cache / mod_authz_host problem.


Modified: httpd/httpd/trunk/docs/manual/caching.xml
--- httpd/httpd/trunk/docs/manual/caching.xml (original)
+++ httpd/httpd/trunk/docs/manual/caching.xml Sat Oct 29 03:07:01 2005
@@ -319,6 +319,31 @@
     <title>Security Considerations</title>
+      <title>Authorisation, Access &amp; and Control</title>
+      <p>Using <module>mod_cache</module> is very much like having a built
+      in reverse-proxy. Requests will be served by the caching module unless
+      it determines that the backend should be queried. When caching local
+      resources, this drastically changes the security model of Apache.</p>
+      <p>As traversing a filesystem hierarchy to examine potential
+      <code>.htaccess</code> files would be a very expensive operation,
+      partially defeating the point of caching (to speed up requests),
+      <module>mod_cache</module> makes no decision about whether a cached
+      entity is authorised for serving. In other words; if
+      <module>mod_cache</module> has cached some content, it will be served
+      from the cache as long as that content has not expired.</p>
+      <p>If, for example, your configuration permits access to a resource by IP
+      address you should ensure that this content is not cached. You can do this by
+      using the <directive module="mod_cache">CacheDisable</directive>
+      directive, or <module>mod_expires</module>. Left unchecked,
+      <module>mod_cache</module> - very much like a reverse proxy - would cache
+      the content when served and then serve it to any client, on any IP
+      address.</p>        
+    </section>
+    <section>
       <title>Local exploits</title>
       <p>As requests to end-users can be served from the cache, the cache

Modified: httpd/httpd/trunk/docs/manual/mod/mod_cache.xml
--- httpd/httpd/trunk/docs/manual/mod/mod_cache.xml (original)
+++ httpd/httpd/trunk/docs/manual/mod/mod_cache.xml Sat Oct 29 03:07:01 2005
@@ -29,6 +29,14 @@
+    <note type="warning">This module should be used with care and
+    can be used to circumvent <directive 
+    module="mod_authz_host">Allow</directive> and <directive 
+    module="mod_authz_host">Deny</directive> directives. You 
+    should not enable caching for any content to which you wish
+    to limit access by client host name, address or environment
+    variable.</note>  
     <p><module>mod_cache</module> implements an <a
     href="">RFC 2616</a> compliant HTTP
     content cache that can be used to cache either local or proxied content.

View raw message