5

I have NGINX running as a reverse proxy in front of a few Flask apps.

I want to implement caching for logged out users.

Flask-login adds a Set-Cookie header for every response, even for anonymous users, as it contains a session cookie with a CSRF token. This means that that I'm using proxy_ignore_headers Set-Cookie; to ensure that stuff actually get's cached by NGINX (which won't cache and response with a Set-Cookie header).

I'm setting a separate cookie in the apps to indicate the logged in/out status of a user and using that to determine whether to use the cache or not. This works great.

The issue is that the cached responses for a logged out user include the Set-Cookie header which sets the session cookie. This session cookie is served to any request that hits the cache, which ultimately results in different users receiving the same CSRF token.

I would like to either prevent the Set-Cookie header being stored in the cache, or remove/overwrite it when it's sent to the client from the cache.

I've tried setting proxy_hide_headers Set-Cookie which removes it from cached responses, but also from responses from that app. So no one can log in. Which is bad.

It feels like there should be a really easy solution to this, I just can find it no matter how hard I google.

Any help is appreciated.

Chris Wynne
  • 251
  • 3
  • 7
  • I'm facing the same problem, not for Flask, just for a PHP site. I feel the solution will require some modification to the nginx files, or a complex condition inside location{}, like an if cache is a HIT hide header. – Vixxs Dec 17 '19 at 22:09

1 Answers1

0

Update: After trying a million things I have a solution that’s working for multiple cookies, I would like your opinions.
On Debian 10 I installed apt-get install libnginx-mod-http-lua I think this is not the complete OpenResty lua-nginx-module, isn’t it?

map $upstream_bytes_received $hide_cookie {
   default '';
   '' Set-Cookie;
}

Inside location:

header_filter_by_lua_block {
   ngx.header[ngx.var.hide_cookie] = nil;
}

And it works, I will do more testing...

Previous answer, for 1 cookie, without Lua:

I've been working on a solution for this, but for now it works for ONLY ONE cookie.

First I faced the following problems: $proxy_hide_header does not accept variables, and cannot be used inside if().
I finally found an answer that contained a viable solution to that: Using a Header to Filter Proxied Response Headers.

So this is my code for now , that I will test more, because is a delicate matter:

map $upstream_bytes_received $cookies {
default $upstream_http_set_cookie;
'' '';
}

And then inside location:

    proxy_hide_header Set-Cookie;
    add_header Set-Cookie $cookies;

Maybe I would make the default: No cookies, that will be noticeable if fails, and less problematic regarding privacy.

But this solution I think cannot be improved for multiple cookies, I have to look elsewhere, if I could force the use of variables at $proxy_hide_header would be the end solution.

Vixxs
  • 569
  • 7
  • 21