2

My website serves the same pages to both logged in and logged out users. Requests from logged in users have an Authorization header. I want to use Apache's mod_cache to serve cached pages only to logged out users.

Starting with a fresh server, I can make requests with the Authorization header and they won't be cached. If I make a request as a logged out user, the request is cached. The problem is that subsequent requests with the Authorization header return the cached result.

How can I disable mod_cache for requests with the Authorization header?

edit: as I was writing this out, I came up with a solution that appears to work.

RequestHeader set Cache-Control max-age=300 "expr=-z %{HTTP:Authorization}"

This sets a Cache-Control header on every request that does not have the Authorization header. Interestingly, the responses for logged in requests now contain the header "Vary: Authorization".

Is this a good solution? Should I just use Varnish instead of mod_cache?

Thank you

moolagain

1 Answer

0

The question of whether you should use Varnish should consider a huge number of variables which you've not told us anything about. What you have implemented is as close to the requirement you describe as anything I can think of. Although I would want to validate that mod_cache/Varnish is honouring the "Vary" header correctly.

However the predicates in your requirement are rather odd. I suspect that if you want to change these in future you may run into issues - e.g. switching to a different authentication mechanism.

symcbean
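One way to run the validation suggested in the answer, as an added example (not code from the question or the answer): prime the cache with anonymous requests, replay the same URL with an Authorization header, and confirm that response did not come out of the cache. It assumes `CacheHeader on` is set so mod_cache emits `X-Cache`, falling back to the `Age` header otherwise; the function names, URL and credential value are placeholders.

```python
"""Check that a shared cache (mod_cache, Varnish) never answers a request
that carries Authorization from its store. Added example with assumed names."""
import urllib.request


def fetch(url, authorization=None):
    """Send one live GET and return the response headers, lower-cased."""
    req = urllib.request.Request(url)
    if authorization:
        req.add_header("Authorization", authorization)
    with urllib.request.urlopen(req, timeout=10) as resp:
        return {k.lower(): v for k, v in resp.headers.items()}


def from_cache(headers):
    """True when the headers show the response was served by a cache."""
    x_cache = headers.get("x-cache", "").upper()
    if x_cache:
        # mod_cache with CacheHeader on reports HIT, REVALIDATE or MISS.
        return x_cache.startswith(("HIT", "REVALIDATE"))
    # Without X-Cache, an Age header is the usual sign of a cached response.
    return "age" in headers


def varies_on_authorization(headers):
    """True when Vary names Authorization (or is the wildcard)."""
    names = [v.strip().lower() for v in headers.get("vary", "").split(",")]
    return "authorization" in names or "*" in names


def audit(url, authorization, fetcher=fetch):
    """Prime the cache anonymously, then replay the URL with credentials."""
    fetcher(url)                       # first anonymous request fills the cache
    anon = fetcher(url)                # second one should be a cache hit
    auth = fetcher(url, authorization) # this one must reach the backend
    result = {
        "anon_cached": from_cache(anon),
        "auth_cached": from_cache(auth),
        "vary_authorization": varies_on_authorization(auth),
    }
    # The run only proves something if the anonymous page really was cached.
    result["ok"] = result["anon_cached"] and not result["auth_cached"]
    return result


if __name__ == "__main__":
    # Placeholder URL and credential; replace with your own site and a test account.
    print(audit("http://localhost/", "Basic dGVzdDp0ZXN0"))
```

Run it again after the cached entry has expired and been refreshed, since the original problem only appeared once an anonymous response was already in the cache.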