Opened 7 years ago
Closed 7 years ago
#1545 closed defect (invalid)
proxy_cache_bypass does not work when a period characer is part of the name of a cookie
| Reported by: | Owned by: | ||
|---|---|---|---|
| Priority: | minor | Milestone: | 1.15.0 |
| Component: | nginx-module | Version: | 1.13.x |
| Keywords: | proxy module proxy_cache_bypass | Cc: | |
| uname -a: |
uname -a
Linux ln2-n1-p1 4.4.39-gentoo #1 SMP Thu Aug 17 15:53:17 PDT 2017 x86_64 Intel(R) Xeon(R) CPU X5650 @ 2.67GHz GenuineIntel GNU/Linux |
||
| nginx -V: |
nginx -V
nginx version: nginx/1.13.12 built with OpenSSL 1.0.2n 7 Dec 2017 TLS SNI support enabled configure arguments: --prefix=/usr --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error_log --pid-path=/run/nginx.pid --lock-path=/run/lock/nginx.lock --with-cc-opt=-I/usr/include --with-ld-opt='-L/usr/lib64 -ljemalloc' --http-log-path=/var/log/nginx/access_log --with-compat --with-file-aio --with-http_v2_module --with-pcre --with-pcre-jit --with-threads --with-http_addition_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_realip_module --with-http_stub_status_module --with-http_sub_module --with-http_realip_module --add-module=external_module/headers-more-nginx-module-0.33 --add-module=external_module/ngx_devel_kit-0.3.0 --add-module=external_module/lua-nginx-module-0.10.13 --add-module=external_module/nginx_upstream_check_module-master --add-module=external_module/echo-nginx-module-0.61 --with-http_ssl_module --add-module=external_module/njs-214afa2466a0/nginx --add-module=external_module/ngx_upstream_jdomain-de7892926b696377bf9b54228b5116372da6daee --add-module=external_module/nginx_auth_cookie_module-1.0.1 --add-module=external_module/ngx_http_waf --add-module=external_module/ngx_http_redis-0.3.8 --add-module=external_module/redis2-nginx-module-73475b8c0cca48f6fb6bc99080e1adbbca1447b8 --add-module=external_module/srcache-nginx-module-0.31 --add-module=external_module/set-misc-nginx-module-0.31 --add-module=external_module/nginx_secure_cookie_module-master --add-module=external_module/ngx_http_geoip2_module-master --without-stream_geo_module --without-stream_return_module --without-stream_split_clients_module --without-stream_upstream_hash_module --without-stream_upstream_least_conn_module --without-stream_upstream_zone_module --with-stream --with-stream_ssl_module --without-mail_imap_module --without-mail_pop3_module --without-mail_smtp_module --user=nginx --group=nginx |
||
Description
When using this directive on a location :
proxy_cache_bypass $cookie_Example.AUTH;
The resulting nginx logs show BYPASS for upstream_cache_status on all requests, even though the client browser is not sending the cookie "Example.AUTH" .
If I change the proxy_cache_bypass parameter to contain no period characters, then the caching mechanism will work as expected without the cookie, and when the cookie is sent, the upstream_cache_status shows BYPASS as expected.
I have checked all the RFC documentation on syntax of cookie name, and all the information I can find shows that a period character should be allowed in a cookie.
I tried different workarounds to this, including encapsulating the cookie variable inside of quotes , eg :
proxy_cache_bypass "$cookie_Example.AUTH";
I have also tried escaping the period, eg :
proxy_cache_bypass $cookie_Example\.AUTH;
All of the workaround attempts failed, with upstream_cache_status showing BYPASS even though the browser/curl was not sending a a cookie.
I realize that there are a lot of third party modules here, but I do not suspect that there is any conflict, and fully expect this bug to be present with only official nginx modules (proxy module specifically) being used.
You can't access cookies with dots in their names using the
$cookie_*, as the dot this character is not permitted in variable names and is interpreted as a part of the following static text. In your configuration examples you've configured nginx to bypass anything, as what's written is equivalent to${cookie_Example}.AUTHand always evaluates to true.If you want to check a cookie with various characters not allowed in variable names, consider testing the $http_cookie variable instead, e.g., using a map with regular expressions. Something like this should work:
map $http_cookie $bypass { ~Example\.AUTH= 1; } proxy_cache_bypass $bypass;