Opened 2 years ago

Closed 2 years ago

#1545 closed defect (invalid)

proxy_cache_bypass does not work when a period character is part of the name of a cookie

Reported by: ScottieIOT@…
Owned by:
Priority: minor
Milestone: 1.15.0
Component: nginx-module
Version: 1.13.x
Keywords: proxy module proxy_cache_bypass
Cc:
uname -a:
Linux ln2-n1-p1 4.4.39-gentoo #1 SMP Thu Aug 17 15:53:17 PDT 2017 x86_64 Intel(R) Xeon(R) CPU X5650 @ 2.67GHz GenuineIntel GNU/Linux
nginx -V:
nginx version: nginx/1.13.12
built with OpenSSL 1.0.2n 7 Dec 2017
TLS SNI support enabled
configure arguments: --prefix=/usr --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error_log --pid-path=/run/ --lock-path=/run/lock/nginx.lock --with-cc-opt=-I/usr/include --with-ld-opt='-L/usr/lib64 -ljemalloc' --http-log-path=/var/log/nginx/access_log --with-compat --with-file-aio --with-http_v2_module --with-pcre --with-pcre-jit --with-threads --with-http_addition_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_realip_module --with-http_stub_status_module --with-http_sub_module --with-http_realip_module --add-module=external_module/headers-more-nginx-module-0.33 --add-module=external_module/ngx_devel_kit-0.3.0 --add-module=external_module/lua-nginx-module-0.10.13 --add-module=external_module/nginx_upstream_check_module-master --add-module=external_module/echo-nginx-module-0.61 --with-http_ssl_module --add-module=external_module/njs-214afa2466a0/nginx --add-module=external_module/ngx_upstream_jdomain-de7892926b696377bf9b54228b5116372da6daee --add-module=external_module/nginx_auth_cookie_module-1.0.1 --add-module=external_module/ngx_http_waf --add-module=external_module/ngx_http_redis-0.3.8 --add-module=external_module/redis2-nginx-module-73475b8c0cca48f6fb6bc99080e1adbbca1447b8 --add-module=external_module/srcache-nginx-module-0.31 --add-module=external_module/set-misc-nginx-module-0.31 --add-module=external_module/nginx_secure_cookie_module-master --add-module=external_module/ngx_http_geoip2_module-master --without-stream_geo_module --without-stream_return_module --without-stream_split_clients_module --without-stream_upstream_hash_module --without-stream_upstream_least_conn_module --without-stream_upstream_zone_module --with-stream --with-stream_ssl_module --without-mail_imap_module --without-mail_pop3_module --without-mail_smtp_module --user=nginx --group=nginx


When using this directive on a location:

proxy_cache_bypass $cookie_Example.AUTH;

The resulting nginx logs show BYPASS for upstream_cache_status on all requests, even though the client browser is not sending the cookie "Example.AUTH".

If I change the proxy_cache_bypass parameter to contain no period characters, then the caching mechanism will work as expected without the cookie, and when the cookie is sent, the upstream_cache_status shows BYPASS as expected.

I have checked all the RFC documentation on syntax of cookie name, and all the information I can find shows that a period character should be allowed in a cookie.

I tried different workarounds to this, including encapsulating the cookie variable inside of quotes, e.g.:
proxy_cache_bypass "$cookie_Example.AUTH";

I have also tried escaping the period, e.g.:
proxy_cache_bypass $cookie_Example\.AUTH;

All of the workaround attempts failed, with upstream_cache_status showing BYPASS even though the browser/curl was not sending a cookie.

I realize that there are a lot of third party modules here, but I do not suspect that there is any conflict, and fully expect this bug to be present with only official nginx modules (proxy module specifically) being used.

Change History (1)

comment:1 by Maxim Dounin, 2 years ago

Resolution: invalid
Status: new → closed

You can't access cookies with dots in their names using the $cookie_*, as the dot character is not permitted in variable names and is interpreted as a part of the following static text. In your configuration examples you've configured nginx to bypass anything, as what's written is equivalent to ${cookie_Example}.AUTH and always evaluates to true.

If you want to check a cookie with various characters not allowed in variable names, consider testing the $http_cookie variable instead, e.g., using a map with regular expressions. Something like this should work:

map $http_cookie $bypass {
    ~Example\.AUTH=  1;
}

proxy_cache_bypass $bypass;
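
Added example (not part of the ticket and not nginx code): a simplified Python model of the behaviour described in comment:1, showing why $cookie_Example.AUTH always yields a non-empty value and how the map on $http_cookie behaves instead. The function names (expand, bypasses, map_bypass) and the sample Cookie headers are constructed for illustration; the model assumes variable names consist of letters, digits and underscores only.

```python
import re

# Model assumption: a variable name after "$" is letters, digits and
# underscore only, so a dot ends the name and starts literal text.
TOKEN = re.compile(r"\$(?:\{(\w+)\}|(\w+))", re.ASCII)

def parse_cookies(header):
    """Split a Cookie header into {lowercased name: value} (simplified)."""
    jar = {}
    for part in header.split(";"):
        name, sep, value = part.strip().partition("=")
        if sep:
            jar[name.lower()] = value
    return jar

def expand(value, cookie_header):
    """Expand $cookie_NAME / ${cookie_NAME}; all other text is copied literally."""
    jar = parse_cookies(cookie_header)
    def lookup(m):
        var = (m.group(1) or m.group(2)).lower()
        if var.startswith("cookie_"):
            return jar.get(var[len("cookie_"):], "")
        return ""  # other variables are out of scope for this model
    return TOKEN.sub(lookup, value)

def bypasses(expanded):
    """proxy_cache_bypass rule: bypass when the value is not empty and not "0"."""
    return expanded not in ("", "0")

def map_bypass(cookie_header):
    """Model of the map on $http_cookie: "1" on regex match, otherwise empty."""
    return "1" if re.search(r"Example\.AUTH=", cookie_header) else ""

if __name__ == "__main__":
    # Constructed Cookie headers: none, unrelated cookie, target cookie present.
    headers = ["", "session=abc", "session=abc; Example.AUTH=tok"]
    values = ("$cookie_Example.AUTH", r"$cookie_Example\.AUTH", "$cookie_session")
    for h in headers:
        for v in values:
            e = expand(v, h)
            print(f"{h!r:35} {v:25} -> {e!r:12} bypass={bypasses(e)}")
        print(f"{h!r:35} {'map $http_cookie':25} -> bypass={bypasses(map_bypass(h))}")
```

In the model, every directive value containing the literal tail .AUTH bypasses the cache regardless of the request's cookies, while the map-derived value bypasses only when the Cookie header contains Example.AUTH=.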