How does CacheFu tell Squid whether a request is coming from an authenticated user?

Hi all,

In CacheFu's Cache Configuration Tool, if you go to Rules and select a rule, say, Content, you can tell CacheFu how you want to deal with authenticated users, such as "Cache with ETag". My question is:

How does Squid know that a request is coming from an authenticated user so that it does not cache it but instead passing it to Zope (so that Zope can use ETag to decide how to serve the content, for example)?

I'm using Shibboleth for authentication (instead of the regular Plone authentication) and Squid is serving my cached content even if I'm logged in (I can see X-Cache = HIT using Live HTTP Headers). If CacheFu only works with the default Plone authentication mechanism out of the box, is there a way for me to make it work with Shibboleth too?

I'm using Plone 2.5.5, Zope 2.9.8, CacheFu 1.2 and Squid 3.0. Thanks a lot!

Regards,

Alex
-------------------------------------------------------------------------
This SF.Net email is sponsored by the Moblin Your Move Developer's challenge
Build the coolest Linux based applications with Moblin SDK & win great prizes
Grand prize is a trip for two to an Open Source event anywhere in the world
http://moblin-contest.org/redirect.php?banner_id=100&url=/
_______________________________________________
Plone-Users mailing list
Plone-Users@...
https://lists.sourceforge.net/lists/listinfo/plone-users

On Aug 15, 2008, at 7:07 PM, Alex Man wrote:



You've got it backwards.  Since we use cookie authentication, Squid  
doesn't care about the request;  it only cares about the response  
(unless the response Vary header says otherwise).  So the short answer  
is that Squid will respect the cache related headers in the response.  
If you look at the cache-with-etag headerset, you will see that, among  
other things, it sets the cache-control maxage header to zero seconds  
--- this keeps the response out of the Squid cache.



> I'm using Shibboleth for authentication (instead of the regular  
> Plone authentication) and Squid is serving my cached content even if  
> I'm logged in (I can see X-Cache = HIT using Live HTTP Headers). If  
> CacheFu only works with the default Plone authentication mechanism  
> out of the box, is there a way for me to make it work with  
> Shibboleth too?


Are you perhaps also trying to cache the unauthenticated version of  
the same content?  If the url for both versions is the same, Squid has  
no idea that they are supposed to be different unless you tell it  
otherwise and may serve the cached unauthenticated version to you  
instead.



> I'm using Plone 2.5.5, Zope 2.9.8, CacheFu 1.2 and Squid 3.0. Thanks  
> a lot!


Note that CacheFu has not yet been tested against Squid 3.0.

Ric



-------------------------------------------------------------------------
This SF.Net email is sponsored by the Moblin Your Move Developer's challenge
Build the coolest Linux based applications with Moblin SDK & win great prizes
Grand prize is a trip for two to an Open Source event anywhere in the world
http://moblin-contest.org/redirect.php?banner_id=100&url=/
_______________________________________________
Plone-Users mailing list
Plone-Users@...
https://lists.sourceforge.net/lists/listinfo/plone-users

Hi Ric,

Thanks a lot for your information!

To respond to your second comment, yes I'm also caching the unauthenticated version of the same content. Actually, I think that I know what the problem is now. On my Plone site, an anonymous user can access by site through either http or https while an authenticated user can only access the site through https. If an unauthenticated user access a page through https and later on an authenticated user access the same page, Squid will serve the unauthenticated cached version of that page to the authenticated user and that's the problem.

So, to address this problem, I think I'll have to tell Squid to only cache http but not https? Do I do it through squid.conf? Thanks a lot!

At 08:08 PM 8/15/2008, Ricardo Newbery wrote:

On Aug 15, 2008, at 7:07 PM, Alex Man wrote:

Hi all,

In CacheFu's Cache Configuration Tool, if you go to Rules and select 
a rule, say, Content, you can tell CacheFu how you want to deal with 
authenticated users, such as "Cache with ETag". My question is:

How does Squid know that a request is coming from an authenticated 
user so that it does not cache it but instead passing it to Zope (so 
that Zope can use ETag to decide how to serve the content, for 
example)?

You've got it backwards.  Since we use cookie authentication, Squid 
doesn't care about the request;  it only cares about the response 
(unless the response Vary header says otherwise).  So the short answer 
is that Squid will respect the cache related headers in the response.  
If you look at the cache-with-etag headerset, you will see that, among 
other things, it sets the cache-control maxage header to zero seconds 
--- this keeps the response out of the Squid cache.

I'm using Shibboleth for authentication (instead of the regular 
Plone authentication) and Squid is serving my cached content even if 
I'm logged in (I can see X-Cache = HIT using Live HTTP Headers). If 
CacheFu only works with the default Plone authentication mechanism 
out of the box, is there a way for me to make it work with 
Shibboleth too?

Are you perhaps also trying to cache the unauthenticated version of 
the same content?  If the url for both versions is the same, Squid has 
no idea that they are supposed to be different unless you tell it 
otherwise and may serve the cached unauthenticated version to you 
instead.

I'm using Plone 2.5.5, Zope 2.9.8, CacheFu 1.2 and Squid 3.0. Thanks 
a lot!

Note that CacheFu has not yet been tested against Squid 3.0.

Ric

Regards,

Alex
-------------------------------------------------------------------------
This SF.Net email is sponsored by the Moblin Your Move Developer's challenge
Build the coolest Linux based applications with Moblin SDK & win great prizes
Grand prize is a trip for two to an Open Source event anywhere in the world
http://moblin-contest.org/redirect.php?banner_id=100&url=/
_______________________________________________
Plone-Users mailing list
Plone-Users@...
https://lists.sourceforge.net/lists/listinfo/plone-users

Hi,

Just to answer my own question: Yes I should ask Squid not to cache https pages but one shouldn't do it with squid.conf. Doing it with squid.conf with make Squid not to cache any of the resource that has "https" in the beginning of the URI. This is not desirable if you still want to cache file/images for https connections.

Instead, one can add the following TALES expression in the Predicate field of the Content rule:

python: not request.getURL().startswith('https')

This way, CacheFu only tells Squid not to cache https resource for content and nothing else. Hope this helps!

At 02:12 PM 8/18/2008, Alex Man wrote:

Hi Ric,

Thanks a lot for your information!

To respond to your second comment, yes I'm also caching the unauthenticated version of the same content. Actually, I think that I know what the problem is now. On my Plone site, an anonymous user can access by site through either http or https while an authenticated user can only access the site through https. If an unauthenticated user access a page through https and later on an authenticated user access the same page, Squid will serve the unauthenticated cached version of that page to the authenticated user and that's the problem.

So, to address this problem, I think I'll have to tell Squid to only cache http but not https? Do I do it through squid.conf? Thanks a lot!

At 08:08 PM 8/15/2008, Ricardo Newbery wrote:

On Aug 15, 2008, at 7:07 PM, Alex Man wrote:

Hi all,

In CacheFu's Cache Configuration Tool, if you go to Rules and select 
a rule, say, Content, you can tell CacheFu how you want to deal with 
authenticated users, such as "Cache with ETag". My question is:

How does Squid know that a request is coming from an authenticated 
user so that it does not cache it but instead passing it to Zope (so 
that Zope can use ETag to decide how to serve the content, for 
example)?

You've got it backwards.  Since we use cookie authentication, Squid 
doesn't care about the request;  it only cares about the response 
(unless the response Vary header says otherwise).  So the short answer 
is that Squid will respect the cache related headers in the response.  
If you look at the cache-with-etag headerset, you will see that, among 
other things, it sets the cache-control maxage header to zero seconds 
--- this keeps the response out of the Squid cache.

I'm using Shibboleth for authentication (instead of the regular 
Plone authentication) and Squid is serving my cached content even if 
I'm logged in (I can see X-Cache = HIT using Live HTTP Headers). If 
CacheFu only works with the default Plone authentication mechanism 
out of the box, is there a way for me to make it work with 
Shibboleth too?

Are you perhaps also trying to cache the unauthenticated version of 
the same content?  If the url for both versions is the same, Squid has 
no idea that they are supposed to be different unless you tell it 
otherwise and may serve the cached unauthenticated version to you 
instead.

I'm using Plone 2.5.5, Zope 2.9.8, CacheFu 1.2 and Squid 3.0. Thanks 
a lot!

Note that CacheFu has not yet been tested against Squid 3.0.

Ric

Regards,

Alex

Regards,

Alex
-------------------------------------------------------------------------
This SF.Net email is sponsored by the Moblin Your Move Developer's challenge
Build the coolest Linux based applications with Moblin SDK & win great prizes
Grand prize is a trip for two to an Open Source event anywhere in the world
http://moblin-contest.org/redirect.php?banner_id=100&url=/
_______________________________________________
Plone-Users mailing list
Plone-Users@...
https://lists.sourceforge.net/lists/listinfo/plone-users