How to remove double Vary header nginx - nginx

I want to make sure that some of my responses will not be cached by anyone.
One of the advised options is to set Vary: *.
Unfortunately my nginx, which has gzip support enabled, returns two Vary headers if I add add_header "Vary" "*";
HTTP/1.1 200 OK
Server: nginx/1.11.1
Date: Mon, 16 Jan 2017 14:56:16 GMT
Content-Type: text/html; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
Vary: Accept-Encoding
Cache-Control: max-age=0, no-cache, no-store, must-revalidate
Pragma: no-cache
Expires: 0
Vary: *
Any idea how to force having only Vary: * in responses while keeping gzip support on for the request?

gzip_vary off;
should stop gzip from auto-adding the Vary header.
docs: http://nginx.org/en/docs/http/ngx_http_gzip_module.html#gzip_vary
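As an added example (not part of the answer above), here is an assumed nginx configuration that keeps gzip_vary on globally and turns it off only in the location whose responses must carry a single Vary: *. The server name, location path and upstream address are placeholders. Note two things a practitioner would check: gzip_vary is valid in http, server and location context, so it does not have to be disabled site-wide, and add_header is not inherited additively, so any security headers set at server level must be repeated in a location that has its own add_header.

```nginx
# Added example, not the original poster's or the answerer's configuration.
http {
    gzip on;
    gzip_types text/html text/plain application/json;
    # Keep "Vary: Accept-Encoding" on ordinary compressed responses so that
    # shared caches never hand a gzip body to a client that cannot decode it.
    gzip_vary on;

    server {
        listen 80;
        server_name example.invalid;   # placeholder

        location /private/ {           # placeholder path for uncacheable pages
            # The gzip filter would otherwise add a second Vary header here.
            gzip_vary off;

            # "always" (nginx >= 1.7.5) adds the header to error responses too,
            # not only to 2xx/3xx responses.
            add_header Vary "*" always;
            add_header Cache-Control "no-store, no-cache, must-revalidate, max-age=0" always;
            add_header Pragma "no-cache" always;
            add_header Expires "0" always;

            # Caveat: as soon as a location has its own add_header, the
            # add_header directives of the enclosing server/http blocks are
            # dropped for that location, so repeat them here.
            add_header X-Content-Type-Options nosniff always;
            add_header X-Frame-Options SAMEORIGIN always;

            proxy_pass http://127.0.0.1:8080;   # placeholder upstream
        }

        location / {
            # Cacheable responses: gzip_vary on is inherited, so these keep
            # "Vary: Accept-Encoding".
            add_header X-Content-Type-Options nosniff always;
            add_header X-Frame-Options SAMEORIGIN always;
            proxy_pass http://127.0.0.1:8080;   # placeholder upstream
        }
    }
}
```

Check the result with `curl -sI -H 'Accept-Encoding: gzip' http://example.invalid/private/ | grep -i '^vary'`; exactly one Vary line should come back. Cache-Control: no-store already forbids storing the response, so Vary: * is belt and braces, not a replacement for it.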

Related

Is it possible to overwrite "server name" response header in traefik?

I'm setting up a new server with Traefik (version 1.7.10) for load balancing different NGINX and PHP-FPM containers.
Currently visitors see in the response header that my containers are using NGINX. Where can I globally, for all containers, overwrite the server response header to something else (like "FunnyServer")?
With HAProxy I have done this in the past and wondering how to do this with Traefik?
Here you see the response coming from HAProxy:
cache-control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
content-type: text/html; charset=utf-8
date: Wed, 17 Apr 2019 20:20:15 GMT
expires: Thu, 19 Nov 1981 08:52:00 GMT
pragma: no-cache
server: MonkeysBananaServer <===== WITH HAPROXY!!! Traefik???
set-cookie: PHPSESSID=1234567890abcdef; path=/; domain=.xxx.xx
status: 200
x-powered-by: PHP/x.x.x
As you can see, under HAProxy I have set the response header to "MonkeysBananaServer".
For those who use version 2.0 and have the same question:
- "traefik.http.middlewares.secure-headers.headers.customresponseheaders.x-powered-by=SomeThing/9.7.2"
- "traefik.http.routers.custom_router_name.middlewares=secure-headers"
You can override the response headers:
traefik.frontend.headers.customResponseHeaders=server:FunnyServer
https://docs.traefik.io/configuration/backends/docker/#custom-headers

Why am I seeing duplicate headers with same values in HTTP response?

When I recently curled my company's website, some headers appear to be duplicated in both names and values. For example, this is the full response from curl:
HTTP/1.1 200 OK
Server: nginx
Date: Mon, 19 Dec 2016 15:54:37 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 53272
Connection: keep-alive
Vary: Accept-Encoding
Vary: Accept-Encoding
X-Frame-Options: ALLOW-FROM https://policygenius1424796031.zendesk.com/
ETag: W/"2515e7e2b57063c8029ea978bf98b6e7"
Cache-Control: max-age=0, private, must-revalidate
Set-Cookie: analytics_id=OW53dllLeGVPZ1YzR21vOVRvU1V5WjRBeklGNHdXeERpNVNNM3ZLd2djcnpBUjlnTzRWblFIYitHM0VtdWUzei0tN284NTV3RUVrRm9nVkhpTm1NZU5qQT09--b43227e963c8680e5b2984c13483e65ae67c8b6a; path=/; expires=Wed, 18 Jan 2017 15:54:37 -0000
Set-Cookie: request_method=HEAD; path=/
Set-Cookie: _policy_genius_session=bUVTYW5KU2FzQTh2bG44WEdvcExWK2d4NzJtNUlOSnpqUWhzL2tVSkhFTUNuODFWVkhmYU9mWVUySlpDbmlkdCttbVpZOXV0NHVYY3VWbFphYlA2S0tOdmROSFVMNUJ1QWNMMFpMcm5DZGEyTkdqSTBMMnNoTi9mMmJ2L01lSlRuSGhmMk8ydXBOYVNNcXA1Z1crWXUvelpvSDlYdWFZYjYxc0p2MGdPYnhNNm1FSFpDSFpYSU9Jb3F2UFhMQTVoTm12cXQ4bEdNMkpaVy95cWVQK094RXkwVmo5ZlE0UXdoMzA3LzJiQllkMW9jZS9xZmpiMEI0ZHFVMTNQSHlBbi0tSE51NGZyeEx2Nk95c3NxNWtHbjNhUT09--d1107337bb68f2861ffc6f081012441bd7554501; path=/; HttpOnly
X-Request-Id: 4a812c77-719e-4163-a665-5059a2b1e3a6
X-Runtime: 0.133390
Vary: Origin
Strict-Transport-Security: max-age=31536000
Strict-Transport-Security: max-age=31536000
Notice Strict-Transport-Security and Vary are duplicates and have the same values too. I am aware that it's ok to have duplicate header names with different values (here), but the same values?
Second part of the question: is anyone aware of negative effects of such duplication?
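As an added example (not part of the question or any answer on this page), here is a small checker that parses a raw HTTP/1.1 response head and classifies every repeated header field. It applies the RFC 7230 section 3.2.2 rule that a field may be repeated only when its value is a comma-separated list (in which case the copies are equivalent to one comma-joined value), treats Set-Cookie as the repeatable-but-never-joined exception, and flags everything else as a singleton violation; RFC 6797 says a browser processes only the first Strict-Transport-Security field, so a duplicate with the same value is harmless but a duplicate with a different value would be silently ignored. The sample response is constructed from the headers shown in the question, and the list of list-valued fields is this example's own (incomplete) table.

```python
"""Added example, not the questioner's or an answerer's code.
Parse a raw HTTP/1.1 response head and report duplicated header fields."""

from collections import defaultdict

# Fields whose ABNF is a comma-separated list (assumed, incomplete table):
# repeated instances are equivalent to one comma-joined instance.
LIST_VALUED = {
    "vary", "cache-control", "content-encoding", "allow", "connection",
    "via", "warning", "www-authenticate", "link",
}
# Repeated freely, but the values must never be joined with commas.
REPEATABLE_NOT_JOINABLE = {"set-cookie"}


def parse_head(raw: str):
    """Return (status_line, [(name, value), ...]) preserving order and case."""
    lines = raw.strip("\r\n").split("\n")
    status = lines[0].strip()
    fields = []
    for line in lines[1:]:
        line = line.rstrip("\r")
        if not line:
            break  # blank line ends the head
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed header line: {line!r}")
        fields.append((name.strip(), value.strip()))
    return status, fields


def find_duplicates(fields):
    """Map lower-cased name -> (classification, [values]) for repeated fields."""
    groups = defaultdict(list)
    for name, value in fields:
        groups[name.lower()].append(value)
    report = {}
    for name, values in groups.items():
        if len(values) < 2:
            continue
        if name in REPEATABLE_NOT_JOINABLE:
            kind = "ok-repeatable"
        elif name in LIST_VALUED:
            # Joining is lossless; identical copies are merely redundant bytes.
            kind = "redundant" if len(set(values)) == 1 else "mergeable"
        else:
            # e.g. Strict-Transport-Security (only the first is processed)
            # or Content-Length (a duplicate is a framing error).
            kind = "singleton-violation"
        report[name] = (kind, values)
    return report


def merged_value(fields, name: str) -> str:
    """The single value a recipient may use for a list-valued field."""
    if name.lower() not in LIST_VALUED:
        raise ValueError(f"{name} is not a list-valued field")
    return ", ".join(v for n, v in fields if n.lower() == name.lower())


# Constructed from the response shown in the question (cookie values shortened).
SAMPLE = """HTTP/1.1 200 OK
Server: nginx
Content-Length: 53272
Vary: Accept-Encoding
Vary: Accept-Encoding
Cache-Control: max-age=0, private, must-revalidate
Set-Cookie: analytics_id=example; path=/
Set-Cookie: _session=example; path=/; HttpOnly
Vary: Origin
Strict-Transport-Security: max-age=31536000
Strict-Transport-Security: max-age=31536000
"""

if __name__ == "__main__":
    _, hdrs = parse_head(SAMPLE)
    for name, (kind, values) in find_duplicates(hdrs).items():
        print(f"{name}: {kind} {values}")
```

Run it against a real capture with `curl -si https://host/ | python3 checker.py`-style plumbing by replacing SAMPLE with `sys.stdin.read()`. The practical negative effect is not the extra bytes but the singleton case: a stray second Strict-Transport-Security or Content-Length produced by two layers (application and reverse proxy) can differ one day and then be handled differently by every client, so the fix is to emit each such header from exactly one layer.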

HTTP Cache-Control Header

When I test my site using http://www.webpagetest.org/, it says that I have not set a cache expiration header on the home page. When I curl, I see it is set:
HTTP/1.1 200 OK
Date: Wed, 23 Mar 2016 22:31:17 GMT
Server: Apache/2.2.22 (Ubuntu)
Cache-Control: max-age=691200, public
Strict-Transport-Security: max-age=31536000
X-XSS-Protection: 1; mode=block
X-Request-Id: aa9fc904-2af6-4649-bbb2-dfc308172c08
ETag: W/"0011b34ba2dd655ce7380a1014310370"
X-Frame-Options: SAMEORIGIN
X-Runtime: 0.010013
X-Content-Type-Options: nosniff
X-Powered-By: Phusion Passenger 5.0.25
Set-Cookie: request_method=HEAD; path=/; secure
Set-Cookie: _lafon_session=V21Yc1RlSUlRPT0%3Ddaea; path=/; secure; HttpOnly
Status: 200 OK
Vary: Accept-Encoding
Content-Type: text/html; charset=utf-8
Any ideas on why webpagetest.org thinks the header is not set?
http://www.webpagetest.org/ wrongly expects the Expires header to be set, forgetting about its full analog with higher priority, max-age.
Everything is ok with your site.

What is HTTP header stands for 'x-auto-login'

When I log in with Gmail, I see this header ('x-auto-login') in one of the HTTP responses. What is its purpose?
gtglobal-ocsp.geotrust.com
Alternate-Protocol: 443:quic
Cache-Control: no-cache, no-store
Content-Encoding: gzip
Content-Type: text/html; charset=UTF-8
Date: Thu, 06 Mar 2014 22:26:41 GMT
Expires: Mon, 01-Jan-1990 00:00:00 GMT
Pragma: no-cache
Server: GSE
Set-Cookie: GAPS=1:8823f898f8dsf8sd6g;Path=/;Expires=Sat, 05-Mar-2016 22:26:41 GMT;Secure;HttpOnly
Set-Cookie: GALX=axHR8TU45uo;Path=/;Secure
Strict-Transport-Security: max-age=10893354; includeSubDomains
x-auto-login: realm=com.google&args=service%3Dmail%26continue%3Dhttp%253A%252F%252Fmail.google.com%252Fmail%252F
x-content-type-options: nosniff
X-Frame-Options: DENY
x-xss-protection: 1; mode=block
X-Firefox-Spdy: 3.1
[Note: I have intentionally changed the cookie value for security reason]
The HTTP header x-auto-login allows auto-login of a user in Chrome.
See here for a code reference.
https://code.google.com/p/chromium/codesearch#chromium/src/components/auto_login_parser/auto_login_parser.cc&q=x-auto-login&sq=package:chromium&dr=C&l=42
So if you use Chrome or Chromium at a site that has the header then Chrome will redirect to Google's openid consent page. If you are logged in at Google already the login to the new site is quite smooth.
There does not seem to be an official description of the header nor a W3C standard for it.
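As an added example (not the answerer's code and not taken from the Chromium source linked above), here is a parser for the x-auto-login value shown in the question, following the realm=...&args=... layout visible there. The value is two levels of percent-encoding deep: the outer pairs are percent-encoded, and the decoded args is itself a query string whose continue URL was encoded once more (note %253A in the sample decoding to %3A and then to ':'). Requiring the realm to be exactly com.google and allow-listing the host of the continue URL before acting on it are this example's own policies, labelled as assumptions, not a description of what Chrome does.

```python
"""Added example, not the answerer's code or Chromium's parser.
Decode an x-auto-login header value and sanity-check its continue URL."""

from urllib.parse import parse_qsl, unquote, urlsplit

EXPECTED_REALM = "com.google"          # assumption: the only realm seen in the question


def parse_auto_login(value: str):
    """Return {'realm': str, 'args': dict} or None if the value is unusable.

    Outer level: '&'-separated key=value pairs, values percent-encoded.
    'args' decodes to another query string (service=..., continue=...),
    so it is parsed a second time with parse_qsl.
    """
    realm = None
    raw_args = None
    for pair in value.split("&"):
        key, sep, val = pair.partition("=")
        if not sep:
            return None                # a bare token is not a key=value pair
        if key == "realm":
            realm = unquote(val)
        elif key == "args":
            raw_args = unquote(val)
    if realm != EXPECTED_REALM or raw_args is None:
        return None
    args = dict(parse_qsl(raw_args, keep_blank_values=True))
    return {"realm": realm, "args": args}


def continue_url_is_safe(args: dict, allowed_hosts=("mail.google.com",)) -> bool:
    """Defensive check before following 'continue': only http(s) URLs whose
    host is on an allow-list (assumed here) are accepted, so a crafted header
    cannot turn the auto-login hop into an open redirect."""
    parts = urlsplit(args.get("continue", ""))
    return parts.scheme in ("http", "https") and parts.hostname in allowed_hosts


# The header value exactly as shown in the question.
SAMPLE = ("realm=com.google&args=service%3Dmail%26continue%3D"
          "http%253A%252F%252Fmail.google.com%252Fmail%252F")

if __name__ == "__main__":
    parsed = parse_auto_login(SAMPLE)
    print(parsed, continue_url_is_safe(parsed["args"]))
```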

Google Chrome won't cache content

I've been searching all over for a solution to this, but so far nothing. I am dynamically rendering an HTML page in Node.js/Express, generating an ETag by SHA256 hashing the HTML string, and sending the page through nginx. For some reason, Google Chrome won't cache the page or send an "If-None-Match" header for the previous ETag.
Here are my request and response headers:
Request:
GET / HTTP/1.1
Host: dev.logan.oikoi.co
Connection: keep-alive
Cache-Control: max-age=0
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_0) AppleWebKit/537.1 (KHTML, like Gecko) Chrome/21.0.1180.82 Safari/537.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: km_ai=Q%2FR9nmmebaNLthhixes8jxMubzQ%3D; km_uq=; kvcd=1346083163009; km_vs=1; km_lv=1346083163
Response:
HTTP/1.1 200 OK
Server: nginx/1.2.3
Date: Sun, 26 Aug 2012 06:20:46 GMT
Content-Type: text/html; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding
X-Powered-By: Express
Cache-Control: public, max-age=0, must-revalidate, proxy-revalidate
Expires: Thu, 01 Jan 1970 00:00:00 GMT
ETag: "2e26404f4306e4d2a7c821f537aa3e714d655d260462f8a7fdd9f0a8ad501900"
Set-Cookie: connect.sid=rPrRyvqf3LhbilN0syPU3htr.776UPuqojSyF1YgS0AFcyac4qQtv%2FXF9TFSHQ96p6e8; path=/; expires=Sun, 26 Aug 2012 10:20:46 GMT; httpOnly; secure
Content-Encoding: gzip
Edit: I forgot to mention in my initial post, but Firefox has no problem caching the page.
Your response has these headers:
Cache-Control: public, max-age=0, must-revalidate, proxy-revalidate
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Remove these headers and you should be good.
FYI:
must-revalidate forces the browser to make a request every time the resource is requested
Expires header and max-age=0 tell the browser to not cache the resource
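As an added example (not part of either answer), the following code serves both the webpagetest.org question and this Chrome question: it computes a response's freshness lifetime in the order RFC 7234 section 4.2.1 prescribes (s-maxage for shared caches, then max-age, then Expires minus Date, otherwise no explicit lifetime), which is why max-age=691200 counts as an expiration even without an Expires header, and it derives what a client should do on the next request. With max-age=0 plus must-revalidate the stored copy is stale the moment it arrives and has to be revalidated with If-None-Match; whether a particular browser keeps such a copy at all is an implementation choice. The two header sets are constructed from the responses shown in the questions.

```python
"""Added example, not code from either answer.
RFC 7234-style freshness lifetime and next-request decision for a response."""

from email.utils import parsedate_to_datetime


def parse_cache_control(value: str) -> dict:
    """'max-age=0, private, must-revalidate' -> {'max-age': '0', 'private': None, ...}"""
    out = {}
    for part in value.split(","):
        part = part.strip()
        if not part:
            continue
        name, sep, arg = part.partition("=")
        out[name.strip().lower()] = arg.strip().strip('"') if sep else None
    return out


def freshness_lifetime(headers: dict, shared_cache: bool = False):
    """Seconds the response may be served without revalidation, or None when
    it carries no explicit lifetime (a cache may then apply heuristics, which
    is the situation a tool reports as 'no expiration set')."""
    h = {k.lower(): v for k, v in headers.items()}
    cc = parse_cache_control(h.get("cache-control", ""))
    if "no-store" in cc:
        return 0
    if shared_cache and cc.get("s-maxage") is not None:
        return int(cc["s-maxage"])
    if cc.get("max-age") is not None:
        return int(cc["max-age"])              # takes precedence over Expires
    if "expires" in h and "date" in h:
        try:
            delta = parsedate_to_datetime(h["expires"]) - parsedate_to_datetime(h["date"])
            return max(0, int(delta.total_seconds()))
        except (TypeError, ValueError):
            return 0                           # unparsable Expires == already expired
    return None


def next_request_plan(headers: dict, age_seconds: int = 0):
    """Return ('fresh', {}) to serve from cache, ('revalidate', conditional
    headers) to send If-None-Match/If-Modified-Since, or ('uncacheable', {})."""
    h = {k.lower(): v for k, v in headers.items()}
    if "no-store" in parse_cache_control(h.get("cache-control", "")):
        return "uncacheable", {}
    lifetime = freshness_lifetime(headers)
    if lifetime is not None and age_seconds < lifetime:
        return "fresh", {}
    conditional = {}
    if "etag" in h:
        conditional["If-None-Match"] = h["etag"]
    if "last-modified" in h:
        conditional["If-Modified-Since"] = h["last-modified"]
    # Stale (or no explicit lifetime): with must-revalidate a cache must not
    # serve the copy without asking the origin first.
    return "revalidate", conditional


# Constructed from the Apache response in the Cache-Control question.
APACHE = {
    "Date": "Wed, 23 Mar 2016 22:31:17 GMT",
    "Cache-Control": "max-age=691200, public",
}
# Constructed from the Express/nginx response in the Chrome question.
EXPRESS = {
    "Date": "Sun, 26 Aug 2012 06:20:46 GMT",
    "Cache-Control": "public, max-age=0, must-revalidate, proxy-revalidate",
    "Expires": "Thu, 01 Jan 1970 00:00:00 GMT",
    "ETag": '"2e26404f4306e4d2a7c821f537aa3e714d655d260462f8a7fdd9f0a8ad501900"',
}

if __name__ == "__main__":
    print("apache :", freshness_lifetime(APACHE), next_request_plan(APACHE, 3600))
    print("express:", freshness_lifetime(EXPRESS), next_request_plan(EXPRESS))
```

For the Express case the plan is "revalidate" with If-None-Match carrying the ETag; if the server then answers 304 the cached body is reused. If the goal is a cached page that is re-checked on every load, that header set is the right one and the fix belongs in whatever layer drops the conditional request; if the goal is a page served from cache without a round trip, raise max-age and drop must-revalidate.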
