• It looks like the configs generated by this plugin cause Varnish to cache 403 errors, which is not the default.

    The default status codes cached by Varnish are listed here:

    * https://book.varnish-software.com/4.0/chapters/VCL_Basics.html#the-initial-value-of-beresp-ttl

    Can you please update the line

    if (beresp.status == 404 || beresp.status >= 500) {

    to just blacklist everything except the codes listed as the Varnish defaults? Except 404, I suppose?

    if ( beresp.status != 200 && beresp.status != 203 && beresp.status != 300 && beresp.status != 301 && beresp.status != 302 && beresp.status != 304 && beresp.status != 307 && beresp.status != 410 ) {

    Or however else you think is best.

    • This topic was modified 7 years, 3 months ago by maltfield.
Viewing 2 replies - 1 through 2 (of 2 total)
  • Plugin Author Razvan Stanga

    (@razvanstanga)

    403 Forbidden or 503 Service Unavailable?

    You mean this?

    
    # Avoid caching error responses
    if (beresp.status == 404 || beresp.status >= 500) {
        set beresp.ttl   = 0s;
        set beresp.grace = 15s;
    }
    

    So you want to cache 404?

    Thread Starter maltfield

    (@maltfield)

    Sorry if I wasn’t clear.

    Currently the Varnish configs generated by this plugin *are* caching “403 Forbidden” errors. Varnish should not cache “403 Forbidden” errors. In our case, we generate 403 responses for some client behaviour using mod_evasive, mod_security, etc. These responses should *not* be cached, but they are using the Varnish configs generated by this plugin.

    I’m requesting that we add logic to ensure that the “403 Forbidden” response never gets cached by Varnish.

    The code change I listed above would make it match the default behaviour as defined by the Varnish Book, with the exception that it will *not* cache 404. By default, Varnish *does* cache 404, but your configs appear to intentionally *not* cache 404. So the code I provided would prevent caching 404 as well.

    The code change I recommended would only cache the following responses:

    1. 200: OK
    2. 203: Non-Authoritative Information
    3. 300: Multiple Choices
    4. 301: Moved Permanently
    5. 302: Moved Temporarily
    6. 304: Not modified
    7. 307: Temporary Redirect
    8. 410: Gone

    Which I believe is the intended behaviour for most users.

    • This reply was modified 7 years, 3 months ago by maltfield.
  • The topic ‘please don’t cache 403 by default’ is closed to new replies.
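
One way to check a site for the behaviour reported in this thread, as an added example that is not part of the original posts or the plugin: it flags responses whose status is outside the cacheable list given above and that show Varnish cache-hit evidence (two transaction IDs in `X-Varnish`, or `Age` above zero). The function names and the sample responses are constructed for illustration.

```python
# Status codes the thread lists as cacheable (Varnish defaults, minus 404).
DEFAULT_CACHEABLE = {200, 203, 300, 301, 302, 304, 307, 410}


def parse_response(raw):
    """Split a raw HTTP response head into (status, lower-cased header dict)."""
    lines = raw.strip().splitlines()
    status = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        if not line.strip():
            break  # end of the header block
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers


def served_from_cache(headers):
    """Hit evidence: X-Varnish carries two XIDs on a hit, or Age is above zero."""
    xids = headers.get("x-varnish", "").split()
    age = headers.get("age", "0")
    return len(xids) >= 2 or (age.isdigit() and int(age) > 0)


def cached_error(raw):
    """True when a status outside the cacheable set came back as a cache hit."""
    status, headers = parse_response(raw)
    return status not in DEFAULT_CACHEABLE and served_from_cache(headers)


# Constructed sample responses (not captured from a real site).
SAMPLES = {
    "fresh 403 from backend":
        "HTTP/1.1 403 Forbidden\r\nX-Varnish: 32770\r\nAge: 0\r\n\r\n",
    "403 replayed from cache":
        "HTTP/1.1 403 Forbidden\r\nX-Varnish: 32775 32770\r\nAge: 41\r\n\r\n",
    "200 cache hit":
        "HTTP/1.1 200 OK\r\nX-Varnish: 32781 32768\r\nAge: 12\r\n\r\n",
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        verdict = "CACHED ERROR" if cached_error(raw) else "ok"
        print(f"{label}: {verdict}")
```

A 403 that mod_security or mod_evasive issued to one client and that then appears as a hit for another client is the case the thread starter describes; an `Age` value set by a cache upstream of Varnish can also trip the second test.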