logo
Apache Lounge
Webmasters

 

About Forum Index Downloads Search Register Log in  RSS Apache Lounge  


Keep Server Online

If you find the Apache Lounge, the downloads and overall help useful, please express your satisfaction with a donation.

or

Bitcoin

A donation makes a contribution towards the costs, the time and effort that's going in this site and building.

Thank You! Steffen

Your donations will help to keep this site alive and well, and continuing building binaries. Apache Lounge is not sponsored.


Post new topic   Forum Index -> Apache View previous topic :: View next topic
Reply to topic   Topic: Using Apache2 Proxy and Cache problem with userid/password
Author
AtlantaKid



Joined: 08 Feb 2021
Posts: 2
Location: USA, Atlanta

PostPosted: Mon 08 Feb '21 21:56    Post subject: Using Apache2 Proxy and Cache problem with userid/password Reply with quote

Hi,
I am running Aapche2 on Ubuntu Linux acting as Proxy & Cache server for a localhost running microservice, when I perform logout operation in my Spring boot microservice app, Apache still remembers the authenticated credentials and that is a problem. If I turn off caching all works fine.
My OS & Apache2 versions are
Code:
Ubuntu
Distributor ID: Ubuntu
Description:    Ubuntu 20.04.2 LTS
Release:        20.04
Codename:       focal
Apache 2
Server version: Apache/2.4.41 (Ubuntu)
Server built:   2020-08-12T19:46:17


in apache2.conf I have
Code:
    # cache control
    CacheIgnoreNoLastMod On
    CacheIgnoreCacheControl On

    # unset headers from upstream server
    Header unset Expires
    Header unset Cache-Control
    Header unset Pragma

    ExpiresActive On
    ExpiresByType text/html "access plus 1 years"
    ExpiresByType image/png "access plus 1 years"
    ExpiresByType image/jpg "access plus 1 years"
    ExpiresByType image/jpeg "access plus 1 years"
    ExpiresByType application/javascript "access plus 1 years"

    CacheQuickHandler off
    CacheLock on
    CacheLockPath /tmp/mod_cache-lock
    CacheLockMaxAge 5
    CacheIgnoreHeaders Set-Cookie

    <Location />
        CacheEnable disk /
        CacheHeader on
        CacheDefaultExpire 800
        CacheMaxExpire 64000
        CacheIgnoreNoLastMod On
        ExpiresActive on
        ExpiresDefault A300
    </Location>


and for Proxy in my apache enabled-site conf file I have the below config, I have changed domain name and SSL digits for privacy reasons.
Code:
</VirtualHost>

<VirtualHost *:443>
    ServerName example.com
    ServerAlias example1.com server4.example.com
    ServerAdmin webmaster@example.com
    #DocumentRoot /var/www/example.com/www

    HostnameLookups off

#---- SSL Config
    SSLEngine on
    SSLCertificateFile /usr1/SSL/www.example.com/digicert/example_com_111111111example_com.crt
    SSLCertificateKeyFile /usr1/SSL/www.example.com/example.com.key
    SSLCertificateChainFile /usr1/SSL/www.example.com/digicert/example_com_111111111DigiCertCA.crt
#---- SSL Config ends

#------- Added this for the support of Spring Code
    ProxyPreserveHost On
    ProxyRequests On
    ProxyVia On

    ProxyPass / http://127.0.0.1:8081/
    ProxyPassReverse / http://127.0.0.1:8081/

#------- Added this for the support of Spring Code done

    #-- Redirect the errors to somewehre else
    ErrorDocument 404 http://example.com/404.htm

    <Directory /var/www/example.com/www>
        Options -Indexes +FollowSymLinks
        AllowOverride All
    </Directory>

    ErrorLog ${APACHE_LOG_DIR}/example.com-error.log
    CustomLog ${APACHE_LOG_DIR}/example.com-access.log combined

</VirtualHost>


My Spring Boot app annotations are:
Quote:
@PreAuthorize("isFullyAuthenticated() and hasAnyAuthority('USER', 'ADMIN', 'EDITOR')")
@RequestMapping(value = "/welcome", method = RequestMethod.GET)
public String weclome(ModelMap model) {
...........
}


and my SecurityConfig in Spring boot app is
Code:
        // @formatter:off
        @Override
        protected void configure(HttpSecurity http) throws Exception {
                http.csrf()
                        .ignoringAntMatchers("/**", "/music/**")
                        .and().headers().frameOptions().disable()
                        .and().authorizeRequests().antMatchers("/login/**", "/bye/**")
                        .permitAll()
                        .and()
                        .formLogin()
                        .loginProcessingUrl("/login").defaultSuccessUrl("/welcome", true)
                        .and().logout().logoutSuccessHandler(new SimpleUrlLogoutSuccessHandler() {
                        @Override
                        public void onLogoutSuccess(HttpServletRequest request,
                                    HttpServletResponse response, Authentication authentication)
                                throws IOException, ServletException {
                            super.onLogoutSuccess(request, response, authentication);
                        }
                    }).logoutSuccessUrl("/login").invalidateHttpSession(true).deleteCookies("JSESSIONID")
                        .permitAll()
                        .and()
                        .httpBasic();
        }
        // @formatter:on



Can you please advise what config I can do or change so I can enable and use caching in Apache Server again?

Thanks.
Back to top
James Blond
Moderator


Joined: 19 Jan 2006
Posts: 6921
Location: Germany, Next to Hamburg

PostPosted: Tue 09 Feb '21 20:29    Post subject: Reply with quote

Quote:
If the response contains an "Authorization:" header, it must also contain an "s-maxage", "must-revalidate" or "public" option in the "Cache-Control:" header, or it won't be cached.


From the docs[1]

So maybe your

Code:

Header unset Cache-Control


is the the issue. But I'm not sure about it. You may consult the docs [1][2]


[1] https://httpd.apache.org/docs/2.4/caching.html
[2]https://httpd.apache.org/docs/2.4/mod/mod_authn_socache.html#authncachesocache
Back to top
tangent



Joined: 16 Aug 2020
Posts: 80
Location: UK

PostPosted: Tue 09 Feb '21 21:58    Post subject: Reply with quote

I tend to agree James. I think the problem lies with the Apache configuration where the OP unsets various upstream headers coming from the Spring code, namely Pragma and particularly Expires and Cache-Control. Why would do this for all such responses from the back end?

He doesn't provide detail of the authentication process between the client and the Spring code, but at logout I'd expect some transaction that would invalidate and cached credentials. So I'd personally not delete these headers.

Also, looking at the ExpiresByType entries, where the documentation says:
    When the Expires header is already part of the response generated by the server, for example when generated by a CGI script or proxied from an origin server, this module does not change or add an Expires or Cache-Control header.
For cases where Expires or Cache-Control hasn't been explicitly set by the back end, I'd consider the figure of one year way too long. Images don't change that often, but html, javascript and css files might change frequently. I'd personally use a mixture of hours and days depending on the content type.
Back to top
AtlantaKid



Joined: 08 Feb 2021
Posts: 2
Location: USA, Atlanta

PostPosted: Wed 10 Feb '21 15:25    Post subject: Using Apache2 Proxy and Cache problem with userid/password Reply with quote

Hello per your suggestions I made the following modifications in my cache control and user login/logout seems to be working fine.

These were the changes from the previous config.
#-- took out per forum suggestion 20210210
#Header unset Cache-Control

and
ExpiresByType text/html "access plus 1 days "
ExpiresByType image/png "access plus 1 years"
ExpiresByType image/jpg "access plus 5 days"
ExpiresByType image/jpeg "access plus 5 days"
ExpiresByType application/javascript "access plus 1 seconds"




Code:
    # cache control
    CacheIgnoreNoLastMod On
    CacheIgnoreCacheControl On

    # unset headers from upstream server
    Header unset Expires
#-- took out per forum suggestion 20210210
    #Header unset Cache-Control
    Header unset Pragma

    ExpiresActive On
    ExpiresByType text/html "access plus 1 years"
    ExpiresByType image/png "access plus 1 years"
    ExpiresByType image/jpg "access plus 5 days"
    ExpiresByType image/jpeg "access plus 5 days"
    ExpiresByType application/javascript "access plus 1 seconds"

    CacheQuickHandler off
    CacheLock on
    CacheLockPath /tmp/mod_cache-lock
    CacheLockMaxAge 5
    CacheIgnoreHeaders Set-Cookie

    <Location />
        CacheEnable disk /
        CacheHeader on
        CacheDefaultExpire 800
        CacheMaxExpire 64000
        CacheIgnoreNoLastMod On
        ExpiresActive on
        ExpiresDefault A300
    </Location>
Back to top


Reply to topic   Topic: Using Apache2 Proxy and Cache problem with userid/password View previous topic :: View next topic
Post new topic   Forum Index -> Apache