ATS does not cache S3 requests with an Authorization header

Discussion:

Benjamin Morel

2017-12-06 15:11:34 UTC

Hi guys, I'm using ATS as a forward proxy, to provide a local cache to my
application.
When accessing a private file on Amazon S3, an Authorization header is
sent, and ATS does not cache the response.

This is clearly documented
<https://docs.trafficserver.apache.org/en/latest/admin-guide/configuration/cache-basics.en.html#client-directives>
:

By default, Traffic Server does not cache objects with the following

Authorization
Cache-Control: no-store
Cache-Control: no-cache
To configure Traffic Server to ignore this request header, refer to Configuring
Traffic Server to Ignore Client no-cache Headers
<https://docs.trafficserver.apache.org/en/latest/admin-guide/configuration/cache-basics.en.html#configuring-traffic-server-to-ignore-client-no-cache-headers>
.

I followed the only suggestion in the documentation:

CONFIG proxy.config.http.cache.ignore_client_no_cache INT 1

But this still does not make it ignore the Authorization header, as far as
I can see.
Plus, *I do not want to ignore the Cache-Control header*, just
Authorization.

Is there a configuration entry to make ATS ignore the Authorization header?

Thanks in advance,
Benjamin

Leif Hedstrom

2017-12-06 15:22:41 UTC

Permalink

Hi guys, I'm using ATS as a forward proxy, to provide a local cache to my application.
When accessing a private file on Amazon S3, an Authorization header is sent, and ATS does not cache the response.
Authorization
Cache-Control: no-store
Cache-Control: no-cache
To configure Traffic Server to ignore this request header, refer to Configuring Traffic Server to Ignore Client no-cache Headers <https://docs.trafficserver.apache.org/en/latest/admin-guide/configuration/cache-basics.en.html#configuring-traffic-server-to-ignore-client-no-cache-headers>.
CONFIG proxy.config.http.cache.ignore_client_no_cache INT 1
But this still does not make it ignore the Authorization header, as far as I can see.
Plus, I do not want to ignore the Cache-Control header, just Authorization.
Is there a configuration entry to make ATS ignore the Authorization header?

Well, with CC: no-store, no-cache, ATS is not going to write to cache (and not serve out of cache). It also doesnât know how long to cache even if you did remove those (unless you enable the lifetime heuristic options).

That much said, for the Authorization part, you likely have to do

CONFIG proxy.config.http.cache.ignore_authentication INT 1

â Leif

Benjamin Morel

2017-12-06 15:35:54 UTC

Permalink

Thanks for your reply.

Well, with CC: no-store, no-cache, ATS is not going to write to cache (and

Post by Leif Hedstrom
not serve out of cache). It also doesnât know how long to cache even if you
did remove those (unless you enable the lifetime heuristic options).

There is no Cache-Control header in the S3 response, I copy/pasted the doc
because it puts Authorization and Cache-Control in the same basket.
There is no Expires either in this response, but there is an Etag and a
Last-Modified. I would therefore expect ATS to revalidate every request
with If-None-Match / If-Modified-Since, but it doesn't.

CONFIG proxy.config.http.cache.ignore_authentication INT 1

I just tried this one, but unfortunately ATS still does not revalidate. No
If-None-Match / If-Modified-Since headers in the log, cache MISS every time.

Benjamin Morel

2017-12-08 23:29:37 UTC

Permalink

Post by Leif Hedstrom
CONFIG proxy.config.http.cache.ignore_authentication INT 1

I just tried this one, but unfortunately ATS still does not revalidate. No

Post by Leif Hedstrom
If-None-Match / If-Modified-Since headers in the log, cache MISS every time.

*Actually it does work,* but I had to use it together with:

CONFIG proxy.config.http.cache.required_headers INT 0

Probably because of the missing Cache-Control header. So thanks a lot Leif!