varnish caching with jsessionid being set

Dridi Boukelmoune dridi at varni.sh
Fri Mar 24 10:18:19 CET 2017


On Wed, Mar 22, 2017 at 4:28 PM, Guillaume Quintard
<guillaume at varnish-software.com> wrote:
>
> Sure, you can override them:
>
> sub vcl_backend_response {
>     set beresp.ttl = 5m;
> }

Hello Jim,

This kind of "yes you can" should always come with a mandatory
"but you shouldn't" :)

C allows you to easily shoot yourself in the foot, C++ too but it will
blow off your whole leg. Those are well known facts.

It is the same for VCL: it allows you to shoot yourself in the foot,
blow off your leg, and leak sensitive information. That is true
with any caching solution that allows you to overrule the origin
server. And that applies to any origin server that doesn't do
proper caching.

If your backend isn't good at conveying caching intent, fix the
backend. Otherwise how can you know when you (and I quote)
"ignore the caching headers" that you aren't caching something
private?

Know what thou art doing and proceed with care.

Dridi
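
An added example, not part of the original message or of either poster's configuration: the risk described above, shown as a `vcl_backend_response` that applies the 5m override only to responses that carry no sign of being per-user. The backend address and the static-asset URL pattern are assumptions chosen for illustration.

```vcl
vcl 4.0;

# Assumed backend address, for illustration only.
backend default {
    .host = "127.0.0.1";
    .port = "8080";
}

sub vcl_backend_response {
    # A response that sets a cookie (JSESSIONID included) is tied to one
    # client. Caching it would hand that session to every later visitor.
    if (beresp.http.Set-Cookie) {
        set beresp.uncacheable = true;
        set beresp.ttl = 120s;
        return (deliver);
    }

    # Servlet containers can also carry the session id in the URL
    # (";jsessionid=..."), so treat such requests as per-user too.
    if (bereq.url ~ "(?i);jsessionid=") {
        set beresp.uncacheable = true;
        set beresp.ttl = 120s;
        return (deliver);
    }

    # Where the origin does state its intent, do not overrule it.
    if (beresp.http.Cache-Control ~ "(?i)(private|no-store|no-cache)") {
        set beresp.uncacheable = true;
        set beresp.ttl = 120s;
        return (deliver);
    }

    # Only now apply the override, and only to a narrow set of URLs that
    # are assumed to be static assets rather than to every response.
    if (bereq.url ~ "(?i)\.(css|js|png|jpg|gif|ico)(\?.*)?$") {
        set beresp.ttl = 5m;
    }
}
```

These checks only catch responses that look private from their headers or URL; a backend that returns per-user content with no cookie and no caching headers would still be cached by the last rule if the URL matched.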


