setup varnish to listen on different port while apache listens on port 80 - apache

I have set up Varnish 4 to run on port 8081 while Apache is configured to run on port 80.
The problem with my setup is that when I browse my domain
http//:mydomain.com:8180/
I get a (301) permanent redirect to http//:mydomain.com/.
Due to this redirect I am unable to get the difference between calling the cached domain http//:mydomain.com:8180/ vis-à-vis the uncached domain http//:mydomain.com/.
My Varnish config:
DAEMON_OPTS="-a :8180 \
             -T localhost:6082 \
             -f /etc/varnish/default.vcl \
             -S /etc/varnish/secret \
             -s malloc,1G"
.......
Also the VCL:
backend mydomain {
    .host = "x.x.x.x";
    .port = "80";
    .connect_timeout = 60s;
    .first_byte_timeout = 60s;
    .between_bytes_timeout = 60s;
    .max_connections = 800;
}
.......
The response header shows that Apache is the one redirecting.
HTTP/1.1 301 Moved Permanently
Date: Fri, 04 Sep 2015 11:58:04 GMT
Server: Apache
X-Powered-By: PHP/5.3.3
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Pragma: no-cache
X-Pingback: http//:mydomain.com/xmlrpc.php
Location: http//:mydomain.com/
Vary: Accept-Encoding
Content-Length: 0
Content-Type: text/html; charset=UTF-8
X-Varnish: 32795
Age: 0
Via: 1.1 varnish-v4
Connection: keep-alive
My question is: how do I stop the redirect?

Fixed this by adding
set req.http.host = "http//:mydomain.com";
in the VCL as shown below.
if (req.http.host ~ "mydomain.com:8180") {
    set req.http.host = "mydomain.com";
    set req.backend_hint = mydomain;
}
By doing this we ensure that the request host is recognized by Apache, hence Apache will not redirect.
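The host test in the fix above is an unanchored regular expression, so the rewrite also applies to Host values that merely contain the string. As an added example (not part of the original answer), this Python sketch models that match next to an exact one; the function names and the sample Host values are constructed for illustration.

```python
import re

# The pattern from the VCL above. VCL's `~` is an unanchored regex match and
# an unescaped "." matches any character; re.search() models that here.
LOOSE = re.compile(r"mydomain.com:8180")

# Tightened form: anchored, dots escaped, case-insensitive (host names are).
# Equivalent VCL condition: req.http.host ~ "(?i)^mydomain\.com:8180$"
STRICT = re.compile(r"^mydomain\.com:8180$", re.IGNORECASE)

BACKEND_HOST = "mydomain.com"  # the value the VCL sets before going to Apache


def rewrite_host(host, pattern):
    """Return the Host sent to the backend, mirroring the VCL `if` block.

    A matching host is rewritten to BACKEND_HOST; anything else is passed
    through unchanged, as the VCL does.
    """
    if pattern.search(host):
        return BACKEND_HOST
    return host


def compare(hosts):
    """Map each Host value to (result with LOOSE, result with STRICT)."""
    return {h: (rewrite_host(h, LOOSE), rewrite_host(h, STRICT)) for h in hosts}


# Constructed Host header values.
SAMPLES = [
    "mydomain.com:8180",             # the intended case
    "MyDomain.com:8180",             # same host, different case
    "mydomainxcom:8180",             # "." matched an arbitrary character
    "notmydomain.com:8180.example",  # substring match, no anchors
    "mydomain.com",                  # already in the backend form
]

if __name__ == "__main__":
    for host, (loose, strict) in compare(SAMPLES).items():
        print(f"{host:30} loose -> {loose:30} strict -> {strict}")
```

Only the exact host (in any letter case) should be rewritten; with the strict pattern every other value reaches Apache unchanged and is handled by Apache's own virtual-host rules.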

Related

Traefik doesn't modify location header in case of backend redirect

I'm using Traefik to implement a reverse proxy for an Apache Docker container with Letsencrypt. Everything works well, except when the backend returns a 301/302 redirect for some resources.
For example:
curl https://example.com/js/conf.js
> GET /js/conf.js HTTP/2
> Host: example.com
> User-Agent: curl/7.64.0
> Accept: */*
>
< HTTP/2 302
< cache-control: no-store, no-cache, must-revalidate
< content-type: text/html; charset=iso-8859-1
< date: Wed, 27 Mar 2019 16:50:05 GMT
< expires: Thu, 01 Jan 1970 00:00:00 GMT
< location: http://example.com/it/js/conf.js
< server: Apache/2.4.34 (Unix) OpenSSL/1.0.2l
< content-length: 224
<
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved here.</p>
</body></html>
I expect traefik to set the location header to https://example.com/it/js/conf.js instead.
This is the config I'm using:
debug = true
logLevel = "info"
defaultEntryPoints = ["https","http"]
#[accessLog]
[api]
dashboard = true
[entryPoints]
[entryPoints.http]
address = ":80"
[entryPoints.https]
address = ":443"
[entryPoints.https.tls]
[retry]
[docker]
endpoint = "unix:///var/run/docker.sock"
watch = true
exposedByDefault = false
[acme]
email = "test#example.com"
storage = "/etc/traefik/acme/acme.json"
entryPoint = "https"
onHostRule = true
[acme.httpChallenge]
entryPoint = "http"
I'm running the container with the following labels:
--label traefik.enable=true --label traefik.website.frontend.rule=Host:example.com --label traefik.frontend.redirect.entryPoint=https
I had a somewhat similar issue with traefik and gunicorn here. In my case I had to pass the X-FORWARDED_PROTO header to let the webserver know that the initial connection was done over HTTPS. That might be why your Apache is redirecting to HTTP.
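A backend behind a TLS-terminating proxy only sees plain HTTP on its own socket, so it builds `http://` redirects unless it is told the original scheme. The following added example (not code from the thread or from Traefik) shows a WSGI-style helper that honours `X-Forwarded-Proto`, and goes one step further than the answer by accepting the header only from a known proxy address; the network range, function names and sample requests are assumptions made for illustration.

```python
from ipaddress import ip_address, ip_network

# Assumption: the reverse proxy reaches the backend from this network
# (constructed example range, e.g. a Docker bridge network).
TRUSTED_PROXIES = [ip_network("172.18.0.0/16")]


def effective_scheme(environ, trusted=TRUSTED_PROXIES):
    """Return the scheme the client used, as far as the backend can know it."""
    socket_scheme = environ.get("wsgi.url_scheme", "http")
    try:
        peer = ip_address(environ.get("REMOTE_ADDR", ""))
        from_proxy = any(peer in net for net in trusted)
    except ValueError:
        from_proxy = False
    if not from_proxy:
        # Direct connection: the header is client-controlled, ignore it.
        return socket_scheme
    value = environ.get("HTTP_X_FORWARDED_PROTO", "").strip().lower()
    # Accept a single well-formed value only; anything else falls back.
    return value if value in ("http", "https") else socket_scheme


def redirect_location(environ, path):
    """Build the absolute Location value for a redirect to `path`."""
    host = environ.get("HTTP_HOST", "localhost")
    return f"{effective_scheme(environ)}://{host}{path}"


def sample_request(remote_addr, forwarded_proto=None):
    """Constructed WSGI environ for a request to example.com."""
    env = {
        "wsgi.url_scheme": "http",  # the backend itself speaks plain HTTP
        "REMOTE_ADDR": remote_addr,
        "HTTP_HOST": "example.com",
    }
    if forwarded_proto is not None:
        env["HTTP_X_FORWARDED_PROTO"] = forwarded_proto
    return env


if __name__ == "__main__":
    path = "/it/js/conf.js"
    # Proxy forwards the scheme: redirect stays on https.
    print(redirect_location(sample_request("172.18.0.2", "https"), path))
    # Header missing: the symptom from the question, an http:// Location.
    print(redirect_location(sample_request("172.18.0.2"), path))
    # Header sent by an untrusted peer: ignored.
    print(redirect_location(sample_request("203.0.113.9", "https"), path))
```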

nginx www redirect to non-www throws cert error

I have added the following server declaration so that all www. prefixed requests should redirect to the non-www url.
server {
    server_name www.spottingquotes.ca;
    return 301 https://spottingquotes.ca$request_uri;
}
This works great with the exception of the url https://www.spottingquotes.ca which throws a certificate error because the cert does not have the www. prefix. You can test this by going into incognito mode and entering the url "https://www.spottingquotes.ca", the site will render, then enter the same url and a cert error is thrown.
My question is, why does this server declaration catch the request properly on the first request but not the subsequent requests? Furthermore, how do I fix this?
A better test is to use the command line which always fails on that url.
I've built this little shell script for testing the various urls which always fails on the https://www.spottingquotes.ca request:
#!/bin/sh
url=spottingquotes.ca
target=https://$url
echo "---> Target: $target"
curl -I $target
echo "******************************************************************************"
target=https://www.$url
echo "---> Target: $target"
curl -I $target
echo "******************************************************************************"
target=http://$url
echo "---> Target: $target"
curl -I $target
echo "******************************************************************************"
target=http://www.$url
echo "---> Target: $target"
curl -I $target
echo "******************************************************************************"
target=$url
echo "---> Target: $target"
curl -I $target
echo "******************************************************************************"
Can someone guide me in the right direction or explain why my server declaration is not stripping the https://www. variant properly?
Thanks.
EDIT
Here is a sample of the scripts results:
./curl-url.sh
---> Target: https://spottingquotes.ca
HTTP/1.1 200 OK
Server: nginx/1.10.2
Date: Mon, 28 Jan 2019 23:40:15 GMT
Content-Type: text/html; charset=utf-8
Connection: keep-alive
Status: 200 OK
Cache-Control: max-age=0, private, must-revalidate
Strict-Transport-Security: max-age=604800
Referrer-Policy: origin-when-cross-origin, strict-origin-when-cross-origin
X-Permitted-Cross-Domain-Policies: none
X-XSS-Protection: 1; mode=block
X-Request-Id: 41d5365b-161d-4f1e-b117-552849a1a196
X-Download-Options: noopen
ETag: W/"ceabfe116d120b23bf65d7f839911ae6"
X-Runtime: 0.012416
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
Content-Security-Policy: default-src 'self'; base-uri 'self'; block-all-mixed-content; child-src 'self' *.google.com *.stripe.com; connect-src 'self' *.stripe.com; font-src 'self' data: *.cloudflare.com *.gstatic.com; frame-ancestors 'none'; img-src 'self' data: *.google-analytics.com *.cloudflare.com *.gstatic.com *.googleapis.com *.stripe.com *.s3-us-east-2.amazonaws.com; manifest-src 'self'; media-src 'self'; object-src 'none'; sandbox allow-scripts allow-same-origin allow-forms allow-popups allow-modals; script-src 'self' 'unsafe-inline' 'unsafe-eval' *.googleapis.com *.cloudflare.com *.google-analytics.com *.bootstrapcdn.com *.google.com *.gstatic.com *.stripe.com *.atlassian.net *.googletagmanager.com; style-src 'self' 'unsafe-inline' *.googleapis.com *.cloudflare.com *.bootstrapcdn.com; worker-src 'self'; report-uri 'self'
Set-Cookie: Quotr_session=UVBYeGQ0QXBnY2VWMGZvb3RZUHI5bEVuS3ZFT1hYN2pNUlppZHFuZWRoU3RUSC9wdHdMM3l4UGQ4aHdxb1VYVU9yUGVlQjhVRlhXb0h5Y1Y1UWluV0MwbENkcXYydml5TkRjVWVjRG1NODZBa3dyRW94T0ZISWVjZXlkTWpHcDdlSVV2cUtHRy9vbXppNHJndlZ3ZXBBPT0tLUFKc09NWElBc0o2Y1dEbTVndStPbXc9PQ%3D%3D--e382dcfbc60ccb44d155e9f317c553d8a47df2f7; path=/; secure; HttpOnly; SameSite=Lax
X-Powered-By: Phusion Passenger 5.3.0
Strict-Transport-Security: max-age=15768000; includeSubDomains
******************************************************************************
---> Target: https://www.spottingquotes.ca
curl: (51) SSL: certificate subject name (spottingquotes.ca) does not match target host name 'www.spottingquotes.ca'
******************************************************************************
---> Target: http://spottingquotes.ca
HTTP/1.1 301 Moved Permanently
Server: nginx/1.10.2
Date: Mon, 28 Jan 2019 23:40:15 GMT
Content-Type: text/html
Content-Length: 185
Connection: keep-alive
Location: https://spottingquotes.ca/
******************************************************************************
---> Target: http://www.spottingquotes.ca
HTTP/1.1 301 Moved Permanently
Server: nginx/1.10.2
Date: Mon, 28 Jan 2019 23:40:15 GMT
Content-Type: text/html
Content-Length: 185
Connection: keep-alive
Location: https://spottingquotes.ca/
******************************************************************************
---> Target: spottingquotes.ca
HTTP/1.1 301 Moved Permanently
Server: nginx/1.10.2
Date: Mon, 28 Jan 2019 23:40:15 GMT
Content-Type: text/html
Content-Length: 185
Connection: keep-alive
Location: https://spottingquotes.ca/
******************************************************************************
EDIT EDIT I should mention that we are always redirecting http traffic to https via this server declaration:
server {
    listen 80 default_server;
    listen [::]:80 default_server;
    # Redirect all HTTP requests to HTTPS with a 301 Moved Permanently response.
    return 301 https://spottingquotes.ca$request_uri;
}
Not the best answer, but this seems fishy. You have 2 headers on strict-transport-security. First one doesn't include subdomain, second does. Can you try removing the one without it?
tkchk ~ $ curl -I https://spottingquotes.ca/
HTTP/2 200
server: nginx/1.10.2
date: Tue, 29 Jan 2019 00:41:12 GMT
content-type: text/html; charset=utf-8
status: 200 OK
cache-control: max-age=0, private, must-revalidate
strict-transport-security: max-age=604800
referrer-policy: origin-when-cross-origin, strict-origin-when-cross-origin
x-permitted-cross-domain-policies: none
x-xss-protection: 1; mode=block
x-request-id: cf52a3fc-2cee-4f22-986e-70b8d04fd4b0
x-download-options: noopen
etag: W/"7c3640b87c82ac5887927e1dd88ac818"
x-runtime: 0.012091
x-frame-options: DENY
x-content-type-options: nosniff
content-security-policy: default-src 'self'; base-uri 'self'; block-all-mixed-content; child-src 'self' *.google.com *.stripe.com; connect-src 'self' *.stripe.com; font-src 'self' data: *.cloudflare.com *.gstatic.com; frame-ancestors 'none'; img-src 'self' data: *.google-analytics.com *.cloudflare.com *.gstatic.com *.googleapis.com *.stripe.com *.s3-us-east-2.amazonaws.com; manifest-src 'self'; media-src 'self'; object-src 'none'; sandbox allow-scripts allow-same-origin allow-forms allow-popups allow-modals; script-src 'self' 'unsafe-inline' 'unsafe-eval' *.googleapis.com *.cloudflare.com *.google-analytics.com *.bootstrapcdn.com *.google.com *.gstatic.com *.stripe.com *.atlassian.net *.googletagmanager.com; style-src 'self' 'unsafe-inline' *.googleapis.com *.cloudflare.com *.bootstrapcdn.com; worker-src 'self'; report-uri 'self'
set-cookie: Quotr_session=QzRGRjNSRTE1cUlYd2t0ajh6Tk84Q2c2cGpKRVQ0UnFpWjFYSkdZWUR5WEI2WmxyQUNJOFNRMWZWK2xiVjhoVVFQM1BrNmVUU0JuSkMvejErbnh0MjBCOXJ0L2VKZ2V1Y0xwbGU5dXRKRGxqR2Y1bk1FMndjNkdnRC93M3l2ZWs0VFRoZkxBL0ZmMGFqS25NYytjYlN3PT0tLUkycjc0UUhoSXQ1bUZPZ2NESzE5RkE9PQ%3D%3D--fb5840d05440015a608f0e25c6b26ec028bbfdae; path=/; secure; HttpOnly; SameSite=Lax
x-powered-by: Phusion Passenger 5.3.0
strict-transport-security: max-age=15768000; includeSubDomains
This article has more info
https://www.nginx.com/blog/http-strict-transport-security-hsts-and-nginx/
why does this server declaration catch the request properly on the first request but not the subsequent requests.
I think this has nothing to do with the server, but a default behavior for WebKit-based browsers. If you'll look at the developers console, you'll see following message (taken from Chrome 71, may be different for Safari or other):
Redirecting navigation www.spottingquotes.ca -> spottingquotes.ca because the server presented a certificate valid for spottingquotes.ca but not for www.spottingquotes.ca. To disable such redirects launch Chrome with the following flag: --disable-features=SSLCommonNameMismatchHandling
I don't know why such a redirect doesn't occur a second time; like Microsoft used to say in their KB articles, "this behaviour is by design" :)
In Gecko-based browsers like Firefox no redirect occurs and it throws a security warning immediately.
how do I fix this?
I think the only way to do it is to get a cert for two domain names. There should be no problem to do this with Letsencrypt. If you have access to DNS for this domain, you can even get a wildcard certificate.
The problem ended up being that I didn't have the SSL cert for the www.spottingquotes.ca domain set up. I needed to set up a server block like so:
server {
    listen *:443 ssl;
    server_name www.spottingquotes.ca;
    # certs sent to the client in SERVER HELLO are concatenated in ssl_certificate
    ssl_certificate /etc/letsencrypt/live/www.spottingquotes.ca/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/www.spottingquotes.ca/privkey.pem; # managed by Certbot
    ssl_session_timeout 1d;
    ssl_session_cache shared:SSL:50m;
    ssl_session_tickets off;
    return 301 https://spottingquotes.ca$request_uri;
}
Now running the curl script shows every url redirects properly.
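The TLS handshake, including the certificate name check, completes before nginx can send its 301, so every name that accepts connections on 443 needs a certificate covering it, even a name that only redirects. The added example below (not from the thread) implements the usual exact and left-most-label wildcard name match and applies it to a constructed model of this setup; the certificate name lists are assumptions, since the thread does not show the certificates' contents.

```python
def _norm(name):
    """Lower-case a DNS name and drop surrounding space and a trailing dot."""
    return name.strip().lower().rstrip(".")


def name_matches(pattern, host):
    """True if a certificate name covers `host`.

    Supports exact names and a full wildcard in the left-most label only
    ("*.example.org"), which stands for exactly one label.
    """
    pattern, host = _norm(pattern), _norm(host)
    if pattern.startswith("*."):
        head, sep, rest = host.partition(".")
        return bool(head) and bool(sep) and rest == pattern[2:]
    return pattern == host


def covered(cert_names, host):
    """True if any name in the certificate covers `host`."""
    return any(name_matches(p, host) for p in cert_names)


def uncovered(endpoints):
    """Return the host names whose presented certificate does not cover them.

    `endpoints` maps a host name that clients connect to on 443 to the list
    of names in the certificate the server presents for that connection.
    """
    return [host for host, names in endpoints.items() if not covered(names, host)]


# Constructed model, before the fix: no 443 server block for www, so the
# certificate issued for the bare domain is presented for both names.
BEFORE = {
    "spottingquotes.ca": ["spottingquotes.ca"],
    "www.spottingquotes.ca": ["spottingquotes.ca"],
}

# After the fix: the www server block has its own certificate
# (assumed to contain only the www name).
AFTER = {
    "spottingquotes.ca": ["spottingquotes.ca"],
    "www.spottingquotes.ca": ["www.spottingquotes.ca"],
}

# A wildcard certificate alone covers www but not the bare domain.
WILDCARD_ONLY = {
    "spottingquotes.ca": ["*.spottingquotes.ca"],
    "www.spottingquotes.ca": ["*.spottingquotes.ca"],
}

if __name__ == "__main__":
    for label, model in (("before", BEFORE), ("after", AFTER),
                         ("wildcard only", WILDCARD_ONLY)):
        print(f"{label:14} uncovered: {uncovered(model)}")
```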

CSS is not always gzipped why?

In my Firefox or Chrome, if I check the HTTP headers, the results are always with Content-Encoding: gzip. But I have customers reporting that they see "transfer-encoding: chunked" instead and the requests are not gzipped.
http://www.example.com/public/css/style.min.css
If I or the customer do a gzip compression online check it's confirmed gzip is active.
https://checkgzipcompression.com = gzip!
But if I use a checker like this one. http://onlinecurl.com/
I also get the transfer-encoding: chunked
Request:
GET /style/css.css HTTP/1.1
Host: www.example.com
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache
User-Agent: ...
Accept: */*
Referer: http://www.example.com/
Accept-Encoding: gzip, deflate
Accept-Language: ...
Cookie: ...
Response:
HTTP/1.1 200 OK
Age: 532948
cache-control: public, max-age=604800
Content-Type: text/css
Date: Wed, 28 Jun 2017 12:35:07 GMT
ETag: "5349e8d595dfd21:0"
Last-Modified: Wed, 07 Jun 2017 13:56:17 GMT
Server: Microsoft-IIS/7.5
Vary: X-UA,Accept-Encoding, User-Agent
X-Cache: HIT
X-Cache-Hits: 6327
X-CacheReason: Static-js-css.
X-Powered-By: ASP.NET
X-Served-By: ip-xxx-xxx-xxx-xx.name.xxx
x-stale: true
X-UA-Device: pc
X-Varnish: 993020034 905795837
X-Varnish-beresp-grace: 43200.000
X-Varnish-beresp-status: 200
X-Varnish-beresp-ttl: 604800.000
transfer-encoding: chunked
Connection: keep-alive
Why are some requests not gzipped when they should be? This is my Varnish config (the part relevant for gzip):
if (req.http.Accept-Encoding) {
    if (req.url ~ "\.(jpg|png|gif|gz|tgz|bz2|tbz|mp3|ogg|flv|swf)$") {
        # No point in compressing these
        remove req.http.Accept-Encoding;
    } elsif (req.http.Accept-Encoding ~ "gzip") {
        set req.http.Accept-Encoding = "gzip";
    } elsif (req.http.Accept-Encoding ~ "deflate") {
        set req.http.Accept-Encoding = "deflate";
    } else {
        # unknown algorithm
        remove req.http.Accept-Encoding;
    }
}
# Enabling GZIP
if (beresp.http.Content-Type ~ "(text/css|application/x-javascript|application/javascript)") {
    set beresp.do_gzip = true;
}
if (beresp.http.Content-Encoding ~ "gzip" ) {
    if (beresp.http.Content-Length == "0") {
        unset beresp.http.Content-Encoding;
    }
}
set beresp.http.Vary = regsub(beresp.http.Vary, "(?i)^(.*?)X-Forwarded-URI,?(.*)$", "\1\2");
set beresp.http.Vary = regsub(beresp.http.Vary, "(?i)^(.*?)User-Agent,?(.*)$", "\1\2");
set beresp.http.Vary = regsub(beresp.http.Vary, "^(.*?),?$", "X-UA,\1");
set beresp.http.Vary = regsub(beresp.http.Vary, "^(.*?),?$", "\1");
Any ideas, thank you.
Responses will only be gzipped if the request indicates that it can accept a gzipped response. This is indicated by the Accept-Encoding header in the request. So perhaps your online curl is not sending that header. It may be the same for your clients who are seeing this. You really have customers who are reporting that they are not getting responses gzipped?
Update
Ah, I see what you're doing now. Are you using a recent version of Varnish? There's no need to do all this yourself now. Varnish handles it all natively. All you need to do is set do_gzip to on for the content types where you want it, and Varnish takes care of the rest, including the Accept-Encoding header. See the documentation here.
So just remove all of your gzip/encoding related code except the part directly under # Enabling GZIP:
# Enabling GZIP
if (beresp.http.Content-Type ~ "(text/css|application/x-javascript|application/javascript)") {
set beresp.do_gzip = true;
}
And that will probably get everything working. It works fine for me that way. The best amount of VCL is as little as possible, Varnish is very good at handling things itself. Don't forget to restart Varnish or otherwise clear the cache for this site after making the change.
In case it's useful, I use the following VCL for this:
if (
    beresp.status == 200
    && beresp.http.content-type ~ "\b((text/(html|plain|css|javascript|xml|xsl))|(application/(javascript|xml|xhtml\+xml)))\b"
) {
    set beresp.do_gzip = true;
}
Which checks for more content types that can benefit from compression, including HTML. I don't bother with application/x-javascript as it's ancient and not used.
On another note, are you sure you need to be modifying the Vary header in the way that you are doing there?

jquery.ajax() POST receives empty response with IE10 on Nginx/PHP-FPM but works on Apache

I use a very simple jquery.ajax() call to fetch some HTML snippet from a server:
// Init add lines button
$('body').on('click', '.add-lines', function(e) {
    $.ajax({
        type : 'POST',
        url : $(this).attr('href')+'?ajax=1&addlines=1',
        data : $('#quickorder').serialize(),
        success : function(data,x,y) {
            $('#directorderform').replaceWith(data);
        },
        dataType : 'html'
    });
    e.preventDefault();
});
On the PHP side I basically echo out an HTML string. The jQuery version is 1.8.3.
The problem is in IE10: while it works fine there on Server A, which runs on Apache, it fails on Server B, which runs on Nginx + PHP-FPM. If I debug the success handler on Server B I get an undefined for data. In the Network tab of the IE developer tools I can see the full response and all headers. It may affect other IE versions, but I could only test IE10 so far.
Here are the two response headers:
Server A, Apache (works):
HTTP/1.1 200 OK
Date: Thu, 25 Apr 2013 13:28:08 GMT
Server: Apache
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding,User-Agent
Content-Encoding: gzip
Content-Length: 1268
Keep-Alive: timeout=2, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
Server B, Nginx + PHP-FPM (fails):
HTTP/1.1 200 OK
Server: nginx/1.1.19
Date: Thu, 25 Apr 2013 13:41:43 GMT
Content-Type: text/html; charset=utf8
Transfer-Encoding: chunked
Connection: keep-alive
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Encoding: gzip
The body part looks the same in both cases.
Any idea what could cause this issue?
Please also check the Content-Type Header, since Apache and Nginx are sending different values:
Content-Type: text/html; charset=UTF-8
vs.
Content-Type: text/html; charset=utf8
Update your Nginx config, add this line:
charset UTF-8;

Browser cache persists when using Varnish

I think this seems related to Varnish.
After I log out, the user status should change. But it didn't. I have to use "CTRL + F5" to force cache refreshing.
So I am a little confused. I forced refreshing of the browser cache or Varnish cache.
If Varnish is caching the correct page (user is not logged in), why didn't the browser display it? Instead, it persists with the old page where the user is still logged in.
Any clue?
VCL
backend testserver {
    .host = "127.0.0.1";
    .port = "8080";
}
acl purge {
    "localhost";
    "127.0.0.1";
    "192.168.3.0"/24;
}
sub vcl_recv {
    if (req.request == "PURGE") {
        if (!client.ip ~ purge) {
            error 405 "Not allowed.";
        }
        return(lookup);
    }
    remove req.http.X-Forwarded-For;
    set req.http.X-Forwarded-For = client.ip;
    // Remove has_js and Google Analytics cookies
    set req.http.Cookie = regsuball(req.http.Cookie, "(^|;\s*)(_[_a-z]+|has_js)=[^;]*","");
    // remove a ";" prefix, if present
    set req.http.Cookie = regsub(req.http.Cookie, "^;\s*", "");
    // remove empty cookies.
    if (req.http.Cookie ~ "^\s*$") {
        unset req.http.Cookie;
    }
    // Skip the Varnish cache for install, update, and cron
    if (req.url ~ "install\.php|update\.php|cron\.php") {
        return (pass);
    }
    # Normalize Accept-Encoding to get better cache coherency
    if (req.http.Accept-Encoding) {
        # No point in compressing media that is already compressed
        if (req.url ~ "\.(jpg|png|gif|gz|tgz|bz2|tbz|mp3|ogg)$") {
            remove req.http.Accept-Encoding;
        # MSIE 6 JS bug workaround
        } elsif(req.http.User-Agent ~ "MSIE 6") {
            unset req.http.Accept-Encoding;
        } elsif (req.http.Accept-Encoding ~ "gzip") {
            set req.http.Accept-Encoding = "gzip";
        } elsif (req.http.Accept-Encoding ~ "deflate") {
            set req.http.Accept-Encoding = "deflate";
        } else {
            # unknown algorithm
            remove req.http.Accept-Encoding;
        }
    }
    # ... other vcl_recv rules here ...
    # Don't serve cached content to logged-in users
    # Don't cache Drupal logged-in user sessions
    # LOGGED_IN is the cookie that earlier version of Pressflow sets
    # VARNISH is the cookie which the varnish.module sets
    if (req.http.Cookie ~ "(VARNISH|DRUPAL_UID|LOGGED_IN)") {
        return (pass);
    }
    // Let's have a little grace
    // When backend cannot generate refreshed content
    // this time will allow expired content to stay longer in grace
    set req.grace = 0s;
    if (req.http.host ~ "^www.test.com") {
        set req.backend = testserver;
        if (req.request != "GET" && req.request != "HEAD") {
            return(pipe);
        }
        else {
            return(lookup);
        }
    } elsif (req.http.host ~ "^www.test2.com") {
        set req.backend = testserver;
        if (req.request != "GET" && req.request != "HEAD") {
            return(pipe);
        }
        else {
            return(lookup);
        }
    }
    else {
        error 404 "test Cache Server IS Out of Order";
        return(lookup);
    }
    # Drupal js/css doesn't need cookies, cache them
    if (req.url ~ "^/modules/.*\.(js|css)\?") {
        unset req.http.Cookie;
    }
    ## Pass cron jobs and server-status
    if (req.url ~ "cron.php") {
        return (pass);
    }
    if (req.url ~ ".*/server-status$") {
        return (pass);
    }
}
sub vcl_hit {
    if (req.request == "PURGE") {
        set obj.ttl = 0s;
        error 200 "Purged.";
    }
}
sub vcl_miss {
    if (req.request == "PURGE") {
        error 404 "Not in cache.";
    }
}
sub vcl_fetch {
    if (req.url ~ "\.(png|gif|jpg|swf|css|js)$") {
        unset beresp.http.set-cookie;
    }
    #if (beresp.http.Pragma ~ "nocache") {
    #    return(pass);
    #}
    if (req.request == "GET" && req.url ~ "\.(txt|js)$") {
        set beresp.ttl = 3600s;
    }
    else {
        set beresp.ttl = 30d;
    }
}
sub vcl_error {
    set obj.http.Content-Type = "text/html; charset=utf-8";
    set obj.http.Retry-After = "5";
    synthetic {"<?xml version="1.0" encoding="utf-8"?><!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"><html><head><title>"} obj.status " " obj.response {"</title></head><body><h1>Error "} obj.status " " obj.response {"</h1><p>"} obj.response {"</p><h3>Guru Meditation:</h3><p>XID: "} req.xid {"</p><hr><p>Varnish cache server</p></body></html>"};
    return (deliver);
}
sub vcl_pipe {
    # http://www.varnish-cache.org/ticket/451
    # This forces every pipe request to be the first one.
    set bereq.http.connection = "close";
}
Headers
After Log In
Response Headers
Cache-Control store, no-cache, must-revalidate, post-check=0, pre-check=0
Connection close
Content-Type text/html; charset=utf-8
Date Tue, 21 Feb 2012 04:09:09 GMT
Expires Sun, 11 Mar 1984 12:00:00 GMT
Last-Modified Tue, 21 Feb 2012 04:09:07 GMT
Location http://www.test.com/frontpage_empty
Server nginx/1.0.0
Set-Cookie SESSe3202baa92dbab78a8d1785ee17b05a0=deleted; expires=Mon, 21-Feb-2011 04:09:08 GMT; path=/ SESSe3202baa92dbab78a8d1785ee17b05a0=67d001b0720c9f5a74e5b671fae74d76; expires=Fri, 09-Mar-2012 12:49:09 GMT; path=/; domain=.test.com LOGGED_IN=Y; expires=Fri, 09-Mar-2012 12:49:07 GMT; path=/
Transfer-Encoding chunked
X-Powered-By PHP/5.2.17
Request Headers
Accept text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding gzip, deflate
Accept-Language en-us,en;q=0.5
Authorization Basic amFtZXM6MTIzMTIz
Connection keep-alive
Cookie OAID=e171ed7b31967c95a09c70646433d7b1; has_js=1; SESSe3202baa92dbab78a8d1785ee17b05a0=054b6fa52ce9009198a2160800d04456; __utma=256091342.2121990614.1327109315.1329792135.1329797585.41; __utmz=256091342.1327109315.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); OAID=e171ed7b31967c95a09c70646433d7b1; SESSa395c7767e83fe1b8cd4bf8229e072c3=2bfb1adba208cf29bf17921ce9946bd5; has_js=1; __utmc=256091342; __utmb=256091342.1.10.1329797585
Host www.test.com
Referer http://www.test.com/user/login?destination=frontpage_empty
User-Agent Mozilla/5.0 (Windows NT 5.1; rv:10.0.2) Gecko/20100101 Firefox/10.0.2
Response Headers From Cache
Cache-Control store, no-cache, must-revalidate, post-check=0, pre-check=0
Connection close
Content-Type text/html; charset=utf-8
Date Tue, 21 Feb 2012 04:09:09 GMT
Expires Sun, 11 Mar 1984 12:00:00 GMT
Last-Modified Tue, 21 Feb 2012 04:09:07 GMT
Location http://www.test.com/frontpage_empty
Server nginx/1.0.0
Set-Cookie SESSe3202baa92dbab78a8d1785ee17b05a0=deleted; expires=Mon, 21-Feb-2011 04:09:08 GMT; path=/ SESSe3202baa92dbab78a8d1785ee17b05a0=67d001b0720c9f5a74e5b671fae74d76; expires=Fri, 09-Mar-2012 12:49:09 GMT; path=/; domain=.test.com LOGGED_IN=Y; expires=Fri, 09-Mar-2012 12:49:07 GMT; path=/
Transfer-Encoding chunked
X-Powered-By PHP/5.2.17
Request Headers From Upload Stream
Content-Length 61
Content-Type application/x-www-form-urlencoded
After log out
Response Headers
Cache-Control store, no-cache, must-revalidate, post-check=0, pre-check=0
Connection close
Content-Type text/html; charset=utf-8
Date Tue, 21 Feb 2012 09:10:29 GMT
Expires Sun, 11 Mar 1984 12:00:00 GMT
Last-Modified Tue, 21 Feb 2012 09:10:27 GMT
Location http://www.test.com/
Server nginx/1.0.0
Set-Cookie LOGGED_IN=deleted; expires=Mon, 21-Feb-2011 09:10:28 GMT; path=/
Transfer-Encoding chunked
X-Powered-By PHP/5.2.17
Request Headers
Accept text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding gzip, deflate
Accept-Language en-us,en;q=0.5
Authorization Basic amFtZXM6MTIzMTIz
Connection keep-alive
Cookie SESSe3202baa92dbab78a8d1785ee17b05a0=67d001b0720c9f5a74e5b671fae74d76; __utma=256091342.2121990614.1327109315.1329792135.1329797585.41; __utmz=256091342.1327109315.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); OAID=e171ed7b31967c95a09c70646433d7b1; SESSa395c7767e83fe1b8cd4bf8229e072c3=2bfb1adba208cf29bf17921ce9946bd5; has_js=1; __utmc=256091342; LOGGED_IN=Y
Host www.test.com
If-Modified-Since Tue, 21 Feb 2012 03:32:36 GMT
Referer http://www.test.com/
User-Agent Mozilla/5.0 (Windows NT 5.1; rv:10.0.2) Gecko/20100101 Firefox/10.0.2
What your VCL is currently doing is removing Cookie from the request header and caching all requests. This causes the exact behavior you describe.