
first: I have been reading a lot of SO posts, and did not find a satisfying answer. I hope I did not miss the answer.

Situation:

  • I'm running a Laravel application (PHP 7.3)
  • I implemented a full page cache using FastCGI (php-fpm) and Nginx
  • It works great, BUT dynamic things like the csrf token are not refreshed
  • My Goal: get a full cached page, but with the right CSRF token for user session

What I've tried:

  • I dug into Nginx SSI, but could only make it work with an .html file. Here I wanted to include a simple .php file (that includes the Laravel core) to retrieve the output of csrf_token()
    • I tried with file and virtual includes, with .php file and API routes. It never worked in my Blade templates. (Strange as I understood, it's based on response content-type like text/html). Even a basic <!--#echo var="DATE_LOCAL" --> does not work and is stripped out by Nginx (not in response).
    • same tests in a .html file worked. I could include my .php file that has my token
  • I looked into ESI (Edge Side Loading), but it seems that there is no support for Nginx yet... too bad.
    • It seems possible to use Varnish as a proxy to get ESI working. But it's a lot of changes to our infrastructure.

What I have left:

  • In the end, the only solution I can think of is to make an Ajax API request onLoad to get the token. On every page load. It does not seem like a really good approach, but I'm out of options (am I?).
  • Maybe I can trick Nginx to think my root index.php is HTML and so get SSI to work? (inspiration)
  • SSI/ESI seems exactly what I need. But it also seems to be "an old" technology. Still, I couldn't find real alternatives.

Questions:

  • is SSI only possible with HTML files?
  • is installing everything for ESI worth it?
  • is Ajax the only solution I have?
  • is there something else I could have missed?

Thanks a lot. I know there are similar questions, but I could not find a definitive answer to this situation.

  • did you find a solution to this? I'm having a similar problem with Fastcgi cache where I don't want it applied to requests with Authorization header in them – Hirad Roshandel Feb 24 '20 at 14:04
  • I think you can configure Nginx (Apache also certainly) to disable your fastcgi_cache (with required config options, and a variable to set them) depending on header value/content/presence (eg: https://stackoverflow.com/questions/18970620/nginx-reject-request-if-header-is-not-present-or-wrong). – Mtxz Feb 25 '20 at 01:59
  • Yea I managed to fix it this way https://stackoverflow.com/questions/60378224/bypass-fastcgi-cache-when-authorization-header – Hirad Roshandel Feb 25 '20 at 02:10
  • I am trying to solve the same challenge. Did you find a workaround @Mtxz? – decocodes Jan 26 '22 at 22:08
  • Well, in the end, I added an Ajax request `head` returning a CSRF token on page load. This token is stored and then used for the next queries or submits. If you find a better way, I would love to hear it! – Mtxz Feb 01 '22 at 14:23
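As an added example (not the asker's configuration and not part of Laravel or Nginx themselves), here is an Nginx setup for the approach the comments converge on: keep the FastCGI full-page cache for anonymous GET traffic, bypass it whenever a request carries an Authorization header or a session cookie, and serve the per-session token from a separate uncached endpoint. The cache path, zone name, socket path, cookie name and the `/csrf-token` route are assumptions; it also assumes the cacheable pages are served without a session cookie, so Nginx's default of never storing a response that carries Set-Cookie keeps one user's cookie out of another user's cached page.

```nginx
# Assumed paths/names: adjust cache path, zone, socket, cookie name and route.
fastcgi_cache_path /var/cache/nginx/fpm levels=1:2 keys_zone=FPMCACHE:10m
                   max_size=512m inactive=60m use_temp_path=off;

# A request is user-specific (and must never be served from, or stored into,
# the shared cache) if it has an Authorization header, a session cookie,
# or is not a GET/HEAD.
map $http_authorization $skip_cache_auth { default 1; "" 0; }
map $http_cookie        $skip_cache_cookie { default 0; "~*laravel_session=" 1; }
map $request_method     $skip_cache_method { default 1; GET 0; HEAD 0; }

server {
    listen 80;
    server_name example.test;          # assumed host
    root /var/www/app/public;          # assumed Laravel public dir
    index index.php;

    location / {
        try_files $uri $uri/ /index.php?$query_string;
    }

    # Token endpoint hit by the page's onLoad XHR: never cached, by Nginx
    # or by anything downstream (browser, CDN).
    location = /csrf-token {
        fastcgi_cache off;
        add_header Cache-Control "no-store, private" always;
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root/index.php;
        fastcgi_pass unix:/run/php/php7.3-fpm.sock;
    }

    location ~ \.php$ {
        fastcgi_cache FPMCACHE;
        fastcgi_cache_key "$scheme$request_method$host$request_uri";
        fastcgi_cache_valid 200 10m;
        # bypass = do not read from cache; no_cache = do not write to cache.
        fastcgi_cache_bypass $skip_cache_auth $skip_cache_cookie $skip_cache_method;
        fastcgi_no_cache     $skip_cache_auth $skip_cache_cookie $skip_cache_method;
        # Deliberately NOT ignoring Set-Cookie: a response that sets a cookie
        # is left uncached rather than stored and replayed to other visitors.
        fastcgi_ignore_headers Cache-Control Expires;
        add_header X-Cache $upstream_cache_status always;   # HIT/MISS/BYPASS for checking
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_pass unix:/run/php/php7.3-fpm.sock;
    }
}
```

To check the behaviour, request a page twice anonymously and confirm `X-Cache` goes MISS then HIT, then repeat with a `laravel_session` cookie or an `Authorization` header and confirm it reports BYPASS.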
