On 03/12/10 07:44, David Q Levitt wrote:
I am running some tests to see how squid handles a 403 status. The
problem is that squid seems to be caching the 403 (despite 'Cache-Control:
no-cache, no-store, must-revalidate'), so that even if subsequent responses
from the origin server (for the same request) contain a 304 I still get the
403!
By "squid" what version do you mean? All the current releases have
different levels of HTTP compliance as we rolled HTTP/1.1 in.
The older releases shipped with negative_ttl wrongly set to a non-zero
value. The newer ones have it at zero and will obey the headers.
To compound that problem there are still a lot of old installs and
tutorials floating around which tell people to set it as non-zero.
I have a PHP script and am using Poster to submit GET requests to it (to
simulate an XHR and eliminate the browser as a source of confusion). I'm
using max-age=0. in order to force the request to be submitted to the
origin server each time.
The first time I submit the request:
http://localhost:80/GetandPost3.php?thename=Fred&theage=11
the PHP script looks like this:
<?php
$eTag = 'mmm3';
$cc = 'max-age=0';
header('Cache-Control: '.$cc);
header('Etag: '.$eTag);
?>
<html>
The name is<?php echo $_GET["thename"]; ?>.
The age is<?php echo $_GET["theage"]; ?>.
</html>
The response is as expected (with a 200 status).
Now I change the PHP script to the following and submit the same request
again:
<?php
$eTag = 'mmm3';
header('HTTP/1.1 403 Not Authorized');
header('Cache-Control: no-cache, no-store, must-revalidate');
header('Etag: '.$eTag);
?>
<html>
The request is NOT AUTHORIZED
</html>
:Again, the response is as expected: 403 Not Authorized.
Now I change the PHP script to return a 304 and submit the same request
again:
<?php
$eTag = 'mmm3';
$cc = 'max-age=0';
header('HTTP/1.1 304 Not Modified');
header('Cache-Control: '.$cc);
header('Etag: '.$eTag);
?>
This time I expect to see the same response as for request #1, but instead
I am still getting a 403!
Why is squid caching the 403 entry despite header('Cache-Control: no-cache,
no-store, must-revalidate'); ??? (I tried removing the Etag header in the
2nd test but still get the same results).
Check the actual HTTP headers that are coming out of the web server
running the script.
A Date: header is required. Always.
You should also be sending a Last-Modified header where possible. Set to
the filemtime() of the newest script or included file in HTTP date
format. (if content is pulled from elsewhere, for example a database,
this gets much more tricky).
Amos
--
Please be using
Current Stable Squid 2.7.STABLE9 or 3.1.9
Beta testers wanted for 3.2.0.3
