1

Need help finding the correct setup for using Nginx fastcgi_cache without caching the PHP session cookie. Here is what I currently have below. Testing this, however, if I go to a page that has been cached, delete my PHPSESSION cookie in the browser, and refresh, I get a PHPSESSION id from one of the cached Nginx files.

if ($http_cookie = "PHPSESSION")
{
   set $fastcgi_skipcache 1;
}
location ~* \.php {
    include fastcgi_params;
    fastcgi_pass backend;
    fastcgi_index index.php;
    fastcgi_param SERVER_NAME $host;
    fastcgi_param SCRIPT_URL $fastcgi_script_name;
    fastcgi_param SCRIPT_URI $scheme://$http_host$fastcgi_script_name;
    fastcgi_param SCRIPT_NAME "/index.php";
    fastcgi_param PHP_SELF $uri;
    fastcgi_param HTTPS $https if_not_empty;
    fastcgi_param HTTP_FRONT_END_HTTPS HTTPS;
    fastcgi_param SCRIPT_FILENAME  $document_root$fastcgi_script_name;
    fastcgi_param REQUEST_URI $uri?$args;
    fastcgi_ignore_headers Cache-Control Expires Set-Cookie;
    fastcgi_intercept_errors on;
    fastcgi_ignore_client_abort off;
    fastcgi_connect_timeout 90;
    fastcgi_send_timeout 180;
    fastcgi_read_timeout 180;
    fastcgi_buffer_size 128k;
    fastcgi_buffers 4 256k;
    fastcgi_busy_buffers_size 256k;
    fastcgi_temp_file_write_size 256k;

    #Caching
    fastcgi_cache ee;
    fastcgi_cache_key "$scheme$host$request_uri";
    fastcgi_cache_valid 200 302 168h;
    fastcgi_cache_valid 404 1m;
    fastcgi_cache_bypass $fastcgi_skipcache;
    fastcgi_no_cache $fastcgi_skipcache;

}

We used to have this working in Nginx with proxy_cache as below, but are moving from an Nginx/Apache/PHP setup to an Nginx/PHP-FPM setup.

    proxy_hide_header Set-Cookie;
    proxy_ignore_headers Expires Cache-Control Set-Cookie;
    proxy_set_header Cookie "";

    proxy_cache ee;
    proxy_cache_key         "$scheme$host$request_uri";
    proxy_cache_valid 200 302 60m;
    proxy_cache_valid 404 1m;

This link seems to be questioning the same thing, but if I use fastcgi_hide_header "Set-Cookie"; we are having problems in our cart. I'm assuming that is because it cannot see the session.

Let me know if more details are required. Thanks,

Chris.

cdlaforc
  • 11
  • 1
  • 3

2 Answers

2

I think you're overcomplicating things. Try this:

fastcgi_no_cache $cookie_PHPSESSID;
fastcgi_cache_bypass $cookie_PHPSESSID;

By the way, proxy_* directives are for the case when nginx is acting as a proxy, for example in a load-balancing scheme. I doubt there can be a configuration where nginx can be both a fastcgi backend and a proxy for one location.

drookie
  • 8,625
  • 1
  • 19
  • 29
  • Hey drookie, I changed it to this, but it's not caching anything now. I think the code is set up to always generate a session if missing. I don't want to not cache it if there is a session cookie; I just want to exclude the session cookie value so it cannot be accidentally transferred to another user. – cdlaforc Oct 19 '16 at 03:39
  • Well, if the output depends on a cookie, then in general there's no difference in passing to a user the content of another one with or without the cookie. – drookie Oct 19 '16 at 03:56
  • It is the php session cookie so if another user gets this via a Nginx cached page they may also get put into an incorrect cart. – cdlaforc Oct 19 '16 at 04:27
  • Exactly my point. – drookie Oct 19 '16 at 04:35
  • Hey drookie, Sorry, I guess I'm not getting your point. I would assume that if we had this working with proxy_* directives we should be able to get this working the same way with fastcgi_* directives. – cdlaforc Oct 19 '16 at 11:51
  • Yuuuuuuuuuuuuuup. – drookie Oct 19 '16 at 12:53
  • proxy_hide_header Set-Cookie; proxy_ignore_headers Expires Cache-Control Set-Cookie; proxy_set_header Cookie ""; – cdlaforc Oct 19 '16 at 15:41
  • Accidentally hit enter on that last comment before I was done, and not sure how to edit it. Basically though those are the 3 lines I think I need to find the fastcgi version of to get this to work as it has in the past. – cdlaforc Oct 19 '16 at 15:43
0

I made a solution that sends the desired header when the response is from the backend, and hides it if the response is from the cache. The example shown will hide all cookies from cached responses.

You will need the Lua module. On Debian 10 I installed it with apt-get install libnginx-mod-http-lua.

map $upstream_bytes_received $hide_cookie {
   default '';
   '' Set-Cookie;
}

Inside location:

header_filter_by_lua_block {
   ngx.header[ngx.var.hide_cookie] = nil;
}

More explanation, other options without Lua, and explanation of why I needed Lua (to use variables) here: https://stackoverflow.com/a/59383747/4932239

Vixxs
  • 103
  • 1
  • 4
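
As an added example (not code from the question or from either answer): a Python audit of an nginx cache directory that reports which cached entries have a `Set-Cookie` header stored with them, the condition the question describes when `Set-Cookie` is listed in `fastcgi_ignore_headers`. The on-disk layout it relies on (a binary header, a `KEY: ` line, then the upstream response headers up to the first blank line) is an assumption, and the two sample entries are constructed for the example.

```python
import re
from pathlib import Path

KEY_MARK = b"\nKEY: "  # literal nginx writes in front of the cache key
# Cookie name from a Set-Cookie header; the value is deliberately not captured.
SET_COOKIE = re.compile(rb"(?<![\w-])Set-Cookie:[ \t]*([^=;\s]+)=", re.I)

def stored_cookies(raw):
    """Return (cache_key, [cookie names stored in the entry]) or None."""
    start = raw.find(KEY_MARK)
    if start < 0:
        return None  # no key line: not a cache entry
    key_end = raw.find(b"\n", start + len(KEY_MARK))
    if key_end < 0:
        return None  # truncated before the key line ended
    key = raw[start + len(KEY_MARK):key_end].decode("latin-1")
    rest = raw[key_end + 1:]
    blank = re.search(rb"\r?\n\r?\n", rest)  # end of the stored headers (assumed layout)
    headers = rest[:blank.start()] if blank else rest
    names = [n.decode("latin-1") for n in SET_COOKIE.findall(headers)]
    return key, names

def audit(cache_dir, head_bytes=65536):
    """List (path, key, cookie names) for entries that would replay a cookie."""
    findings = []
    for path in sorted(Path(cache_dir).rglob("*")):
        if path.is_file():
            with path.open("rb") as fh:
                hit = stored_cookies(fh.read(head_bytes))
            if hit and hit[1]:
                findings.append((str(path), hit[0], hit[1]))
    return findings

# Constructed entries: one as the question's config would store it, one clean.
SAMPLE_LEAKY = (b"\x05" + b"\x00" * 63 + b"\nKEY: httpsshop.example/product/1\n"
                b"Content-Type: text/html\r\n"
                b"Set-Cookie: PHPSESSION=constructed-id; path=/\r\n\r\n<html>")
SAMPLE_CLEAN = (b"\x05" + b"\x00" * 63 + b"\nKEY: httpsshop.example/about\n"
                b"Content-Type: text/html\r\n\r\n<html>Set-Cookie: x=1")

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        for path, key, names in audit(sys.argv[1]):
            print(f"{path}  key={key}  stored cookies={names}")
    else:
        for sample in (SAMPLE_LEAKY, SAMPLE_CLEAN):
            print(stored_cookies(sample))
```

Run it with the directory configured in `fastcgi_cache_path` as its argument; an empty result means no cached entry has a cookie stored with it.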