IBM Lotus Domino - reverse proxy - do not cache if authenticated web user (based on cookie)

Hi

My backend is IBM Lotus Domino and its HTTP task. I have application
that
has admin panel thats been used with end-user’s browser.
Currently i am using cache but that admin panel goes crazy because of
caching. So, goal is to prevent caching if user is authenticated.
IBM Lotus Domino uses Cookie named DomAuthSessId which has session id.

So on global level i have configured:


http {

proxy_cache_path  /usr/share/nginx/cache  levels=1:2 

keys_zone=one:10m
max_size=1G;
proxy_temp_path /usr/share/nginx/tmp;
proxy_cache_key “$scheme$host$request_uri”;

proxy_cache_valid 200 302 5m;
proxy_cache_valid 301 1h;
proxy_cache_valid any 1m;

 proxy_cache one;

… and so on

and on virtual server level

server {
server_name www.somedomain.fi;
default_type text/html;
root /some/directory;
location / {
proxy_pass http://some.ip.add.ress;
}

}

Would this work if i do something like this?

location / {
# if authenticated domino user, disable cache
if ($http_cookie ~* “DomAuthSessId”) {
proxy_cache_valid 200 302 304 none;
proxy_cache_valid 301 none;
}
proxy_pass http://some.ip.add.ress
}

Or any ideas how it should be done?

Terveisin/Regards,
Pekka Panula, Sofor Oy - Jatkuvat palvelut

On Tue, Mar 30, 2010 at 2:58 AM, [email protected] wrote:

Hi

My backend is IBM Lotus Domino and its HTTP task. I have application that
has admin panel thats been used with end-user’s browser.
Currently i am using cache but that admin panel goes crazy because of
caching. So, goal is to prevent caching if user is authenticated.
IBM Lotus Domino uses Cookie named DomAuthSessId which has session id.

So on global level i have configured:

What cache-control headers does the back-end domino set? You can see
this with a tool like fiddler or Firebug… that makes all the
difference in how you need to configure nginx to override its behavior
if it is undesirable.

If all of the domino stuff is under a small set of URLs, you can
simply add a location for those that does not have “proxy_cache one;”
which is far simpler than trying to override the back-end’s
cache-control headers. This means you will need to move your
“proxy_cache one;” from the http block to any inner location blocks
that need caching.

Also, this line “proxy_cache_valid any 1m;” looks like it could be
problematic if the back-end isn’t setting cache-control headers at
all. You’re basically saying “cache everything for at least a minute”
with that line, which you clearly do not want.

I do not think proxy_* directives are valid inside an “if” block. Did
you try it?


RPM

What cache-control headers does the back-end domino set? You can see
this with a tool like fiddler or Firebug… that makes all the
difference in how you need to configure nginx to override its behavior
if it is undesirable.

Unfortunately, Domino is sort of braind dead, no cache-control unless
you
make your application to give them. AFAIK.

If all of the domino stuff is under a small set of URLs, you can
simply add a location for those that does not have “proxy_cache one;”
which is far simpler than trying to override the back-end’s
cache-control headers. This means you will need to move your
“proxy_cache one;” from the http block to any inner location blocks
that need caching.

Unfortunately, there is no easy way to do that, no small set, and urls
are
pretty dynamics, well, also application based, so one application can
have
very different url set than some other application. Its pretty pain,
because there are no direct way to know which is application and which
is
admin functions, etc, because it really depends much how application is
coded.

I do not think proxy_* directives are valid inside an “if” block. Did
you try it?

Yep, you are right, you cant have them on if-block.

Basicly currently if you have IBM Lotus Domino backends, you cant use
proxy_cache, which sucks, because those applications do use lots of
upstream resources, and which by using even small caches can be reduced
much… Basicly you have to disable caching if you want your web pages
to
behave without problems.

I dont have lots of ideas how to fix, but what if it was possible to
disable nginx caching based if user has some cookie set, i mean as if
there was no proxy_cache variables set at all, so it always did fetch
data
from upstream if certain cookie is on. Is this even possible to code on
nginx? Unfortunately my C coding skills are somewhat not-exists. Because
Domino sets session cookie when user is authenticated, that way nginx
would know if user is anonymous or some authenticated user that is prob.
doing some updates, like new docs, etc. to domino application, so it
whould prob. be anyway not to cache hes content…

Terveisin/Regards,
Pekka Panula, Sofor Oy - Jatkuvat palvelut

On Wed, Mar 31, 2010 at 4:42 AM, [email protected] wrote:

Unfortunately my C coding skills are somewhat not-exists. Because Domino
sets session cookie when user is authenticated, that way nginx would know if
user is anonymous or some authenticated user that is prob. doing some
updates, like new docs, etc. to domino application, so it whould prob. be
anyway not to cache hes content…

Actually, this isn’t really an nginx problem; other proxy caches like
Squid, Varnish, and Microsoft ISA would have similar problems with
Domino. If there is truly no cachabiity information at all being set
by the application, there is nothing sensible a cache can do (except
not cache, which is what the HTTP specification requires and should
also be the default for most proxy caches).

Probably the best you can do is make a second RegEx-based location for
“known-cachable” items that includes nginx cache directives with
default times. Are images even served with GIF/JPEG/PNG extensions in
the URI by Domino?

As far as caching being turned on or off based on the cookie, the
workarounds I mentioned before (adding it into the proxy_cache_key, or
redirecting to a different internal location via “if”) might be made
to work in an ugly fashion.


RPM