Handling of cache-control

Michael Fischer michael at dynamine.net
Tue Jan 19 19:26:22 CET 2010

On Mon, Jan 18, 2010 at 4:37 PM, Poul-Henning Kamp <phk at phk.freebsd.dk>wrote:

> In message <DE028C9E-4618-4EBC-8477-6E308753CBCE at dynamine.net>, "Michael
> S. Fis
> cher" writes:
> >On Jan 18, 2010, at 5:20 AM, Tollef Fog Heen wrote:
> >> My suggestion is to also look at Cache-control: no-cache, possibly also
> >> private and no-store and obey those.
> >
> >Why wasn't it doing it all along?
> Because we wanted to give the backend a chance to tell Varnish one
> thing with respect to caching, and the client another.
> I'm not saying we hit the right decision, and welcome any consistent,
> easily explainable policy you guys can agree on.

Well, the problem is that application engineers who understand what that
header does have a reasonable expectation that the caches will obey them,
and so I think Vanish should honor them as Squid does.  Otherwise surprising
results will occur when the caching platform is changed.

Cache-Control: private certainly meets the goal you stated, at least insofar
as making Varnish behave differently than the client -- it states that the
client can cache, but Varnish (as an intermediate cache) cannot.

I assume, however, that some engineers want a way to do the opposite - to
inform Varnish that it can cache, but inform the client that it cannot.
 Ordinarily I'd think this is not a very good idea, since you almost always
want to keep the cached copy as close to the user as possible.  But I guess
there are some circumstances where an engineer would want to preload a cache
with prerendered data that is expensive to generate, and, also
asynchronously force updates by flushing stale objects with a PURGE or
equivalent.  In that case the cache TTL would be very high, but not
necessarily meaningful.

I'm not sure it makes sense to extend the Cache-Control: header here,
because there could be secondary intermediate caches downstream that are not
under the engineer's control; so we need a way to inform only authorized
intermediate caches that they should cache the response with the specified

One way I've seen to accomplish this goal is to inject a custom header in
the response, but we need to ensure it is either encrypted (so that
non-authorized caches can't see it -- but this could be costly in terms of
CPU) or removed by the last authorized intermediate cache as the response is
passed back downstream.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://www.varnish-cache.org/lists/pipermail/varnish-misc/attachments/20100119/5da9020a/attachment-0001.html>

More information about the varnish-misc mailing list