Removing header from cached response with NGINX

Views: 726

Problem description

I have NGINX running as a reverse proxy in front of a few Flask apps.

I want to implement caching for logged out users.

Flask-Login adds a Set-Cookie header for every response, even for anonymous users, as it contains a session cookie with a CSRF token. This means that I'm using proxy_ignore_headers Set-Cookie; to ensure that stuff actually gets cached by NGINX (which won't cache a response with a Set-Cookie header).

I'm setting a separate cookie in the apps to indicate the logged in/out status of a user and using that to determine whether to use the cache or not. This works great.

The issue is that the cached responses for a logged out user include the Set-Cookie header which sets the session cookie. This session cookie is served to any request that hits the cache, which ultimately results in different users receiving the same CSRF token.

I would like to either prevent the Set-Cookie header being stored in the cache, or remove/overwrite it when it's sent to the client from the cache.

I've tried setting proxy_hide_header Set-Cookie, which removes it from cached responses, but also from responses from that app. So no one can log in. Which is bad.

It feels like there should be a really easy solution to this, I just can't find it no matter how hard I google.

Thanks for your help.

Recommended answer

Update: After trying a million things I have a solution that's working for multiple cookies; I would like your opinions.
On Debian 10 I installed it with apt-get install libnginx-mod-http-lua. I think this is not the complete OpenResty lua-nginx-module, is it?

map $upstream_bytes_received $hide_cookie {
    # Response came from the upstream: nothing to hide
    default '';
    # No bytes received from upstream, i.e. a cache hit: name the header to drop
    ''      Set-Cookie;
}

Inside the location:

header_filter_by_lua_block {
    -- Drop the response header named in $hide_cookie
    ngx.header[ngx.var.hide_cookie] = nil;
}

And it works, I will do more testing...

Previous answer, for 1 cookie, without Lua:

I've been working on a solution for this, but for now it works for ONLY ONE cookie.

First I faced the following problems: $proxy_hide_header does not accept variables, and cannot be used inside if().
I finally found an answer that contained a viable solution to that: Using a Header to Filter Proxied Response Headers.

So this is my code for now, which I will test more, because it is a delicate matter:

map $upstream_bytes_received $cookies {
    # Response came from the upstream: re-emit its Set-Cookie value
    default $upstream_http_set_cookie;
    # Cache hit: emit no Set-Cookie at all
    ''      '';
}

Then inside the location:

    # Strip the upstream/cached Set-Cookie, then add it back only for upstream responses
    proxy_hide_header Set-Cookie;
    add_header Set-Cookie $cookies;

Maybe I would make the default: no cookies, which will be noticeable if it fails, and less problematic regarding privacy.

But I think this solution cannot be improved for multiple cookies, so I have to look elsewhere; if I could force the use of variables at $proxy_hide_header, that would be the final solution.
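Putting the answer's Lua approach together with the questioner's cache setup, as an added example rather than code from the original answer; the upstream name, cache zone, listen address and the logged_in cookie name are assumptions, and it relies on the answer's observation that $upstream_bytes_received is empty for cache hits.

```nginx
# Added example (not from the original answer). Assumed names: upstream "flask_app",
# cache zone "anon", a "logged_in" cookie set by the app for authenticated users,
# and an nginx build with the Lua module loaded.
proxy_cache_path /var/cache/nginx/anon levels=1:2 keys_zone=anon:10m inactive=10m;

# $upstream_bytes_received is empty when the response is served from the cache
# (no upstream round trip), so only cache hits get a header name to remove.
map $upstream_bytes_received $hide_cookie {
    default '';
    ''      Set-Cookie;
}

# Requests carrying the logged_in cookie neither read from nor write to the cache.
map $cookie_logged_in $skip_cache {
    default 1;
    ''      0;
}

upstream flask_app {
    server 127.0.0.1:8000;
}

server {
    listen 80;
    server_name example.com;

    location / {
        proxy_pass http://flask_app;
        proxy_cache        anon;
        proxy_cache_key    "$scheme$host$request_uri";
        proxy_cache_valid  200 5m;
        proxy_cache_bypass $skip_cache;
        proxy_no_cache     $skip_cache;
        # Let NGINX cache anonymous responses despite the session Set-Cookie.
        proxy_ignore_headers Set-Cookie;

        # Shows HIT/MISS/BYPASS so the behaviour can be checked with curl -I.
        add_header X-Cache-Status $upstream_cache_status;

        # On a cache hit $hide_cookie is "Set-Cookie": drop it before the cached
        # session cookie (and its CSRF token) can be handed to another client.
        header_filter_by_lua_block {
            local name = ngx.var.hide_cookie
            if name and name ~= '' then
                ngx.header[name] = nil
            end
        }
    }
}
```

Two anonymous `curl -sI http://example.com/` requests should show X-Cache-Status: HIT with no Set-Cookie on the second, while a request sent with `-b logged_in=1` reports BYPASS and keeps the app's cookies.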
