Specification out of date?

[Ricardo Newbery]

On Mar 20, 2008, at 4:34 AM, Dag-Erling Smørgrav wrote:

> Ricardo Newbery <ric at digitalmarbles.com> writes:
>> I'm actually more interested in trying to reproduce the semantics of
>> the 'public' token.  But I'm having trouble figuring out how to
>> implement this one in vcl.  In the default vcl, authenticated  
>> requests
>> are passed through before any cache check or backend fetch is
>> attempted.  If I rearrange this a bit so that the authenticate test
>> comes later, I think I run into a vcl limitation.
>>
>> For example, the following seems like it should work:
>>
>> 1) Remove from vcl_recv the following...
>>
>>             if (req.http.Authenticate || req.http.Cookie) {
>>                 pass;
>>             }
>>
>> 2) Add to vcl_hit the following (after the !obj.cacheable test)...
>>
>>             if (obj.http.Cache-Control ~ "public" ) {
>>                 deliver;
>>             }
>>             if (req.http.Authenticate) {
>>                 fetch;
>>             }
>
> Uh, no.  Why do you want to "fetch" here?  Why do you even want to do
> anything in vcl_hit?  The correct place to check Cache-Control is in
> vcl_fetch, *before* the object enters the cache.


Of course #3 in the list does indeed check Cache-Control in  
vcl_fetch.  But I don't believe this is enough.

If an authenticated request comes in and I have a valid cached copy,  
Varnish should not return the cached copy *unless* the copy contains a  
'public' token.  It's not enough that Varnish previously tested for  
the public token before insertion as the previous request may have  
been a regular non-authenticated request which should be cached  
regardless.  So I need to test for the public token before both  
insertion and delivery from cache.

Ric