httpd-dev mailing list archives

From Ruediger Pluem
Subject Re: cache trouble (Re: [vote] 2.1.9 as beta)
Date Tue, 08 Nov 2005 21:11:05 GMT

On 11/08/2005 01:36 AM, Roy T. Fielding wrote:
> On Nov 7, 2005, at 3:03 PM, Ruediger Pluem wrote:


>> but the next request for this (fresh) resource will not check the
>> access control and
>> deliver it to any client, regardless of the IP. Correct?

Many thanks for sorting my confused thoughts.

> The forward proxy would deliver it to any client that had the
> ability to GET from that proxy.

And this actually depends on whether the resource requested by the client has already been
cached or not. If it has not been cached, things like

<Proxy *>
order allow,deny
allow from
</Proxy>

work as expected (access to the proxied resource is only granted to

But once the resource has been cached by mod_cache, access to it is granted to *every* client,
because the access checker has not been run when the quick handler decides to deliver
the (fresh) content by inserting the CACHE_OUT filter and kicking the filter stack.

Although this is not a regression to 2.0.x (is it one to 1.3.x???), it is a weird behaviour
from the user's perspective. Even more as

suggests to secure a forward proxy by using mod_authz_host. Currently the advice should be
opposite: Yes, secure your forward proxy, but do *not* do this with mod_authz_host as it
does not work as expected.

Nevertheless I regard this discussion as very useful with respect to caching reverse proxies
other cached local resources that are under access control.

That said I come back to the starting point of this discussion:

I think Paul's patch to make it configurable where to run the cache handler is currently the
best proposal on the table, provided that it is configurable in a way that expresses what
it does from the user's perspective. So I would regard something like CacheRunQuickHandler as
a bad idea. I would have something in mind like CacheDisableAccessControl (OK, the flaming can
start :-).
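
The behaviour described in the message above, as a toy model added here (not httpd source and not part of the original mail): a cache lookup that runs in a quick handler before the access checker serves a warm entry to a client the host-based rule would reject, while the same lookup run after the access checker does not. The `Proxy` class, the `cache_in_quick_handler` flag, the URL and the address ranges are all constructed assumptions.

```python
# Toy model of the request phases discussed in the thread (added example).
# Every name, URL and address below is constructed for illustration.
from ipaddress import ip_address, ip_network

ALLOWED_NET = ip_network("192.0.2.0/24")  # stand-in for the "allow from" rule
URL = "http://origin.example/report"       # constructed resource
ORIGIN = {URL: b"internal report"}         # constructed origin content


class Proxy:
    def __init__(self, cache_in_quick_handler=True):
        # True: cache lookup happens before access control (quick handler).
        # False: cache lookup happens as a normal handler, after access control.
        self.cache_in_quick_handler = cache_in_quick_handler
        self.cache = {}

    def access_checker(self, client_ip):
        # Models the host-based allow/deny check inside <Proxy *>.
        return ip_address(client_ip) in ALLOWED_NET

    def handle(self, client_ip, url):
        """Return (status, body, served_from) for one request."""
        # Phase 1: quick handler, runs before any access/auth hooks.
        if self.cache_in_quick_handler and url in self.cache:
            return 200, self.cache[url], "cache (quick handler)"
        # Phase 2: access checker.
        if not self.access_checker(client_ip):
            return 403, b"", "denied"
        # Phase 3: normal handler: cache lookup, then fetch from origin.
        if url in self.cache:
            return 200, self.cache[url], "cache (normal handler)"
        self.cache[url] = ORIGIN[url]
        return 200, self.cache[url], "origin"


def demo(cache_in_quick_handler):
    """Status codes for: outsider (cold), insider (fills cache), outsider (warm)."""
    proxy = Proxy(cache_in_quick_handler)
    outsider, insider = "203.0.113.9", "192.0.2.10"
    return [proxy.handle(ip, URL)[0] for ip in (outsider, insider, outsider)]


if __name__ == "__main__":
    print("cache in quick handler:  ", demo(True))
    print("cache after access check:", demo(False))
```

The third request is the one to test for on a real deployment: repeat a request from a disallowed address after an allowed client has warmed the cache, and compare the status with the cold-cache result.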


