You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
(maybe other, but at least 204 codes should be immune to the attack).
While (1) only creates errors for some clients, (2) can really be source of cache-poisoning attacks. So we might want more careful mode for keep-alive/pipelineing:
Do not pipeline HEAD requests
No not pipeline If-Modifed-Since and If-None-Match requests, 304 response codes.
The alternative is to disable keep-alive by default as nginx does. Another thing is we need some test suite to determine whether service behind swindon does proxying correctly. And the test suite is hard to do because the service might have some complex routing (i.e. serving static files under certain urls, serving streaming updates under certain urls), or be non-validating proxy itself (i.e. depend on the services behind for correctness).
There are some servers that don't obey non-body receiving responses, including:
(maybe other, but at least 204 codes should be immune to the attack).
While (1) only creates errors for some clients, (2) can really be source of cache-poisoning attacks. So we might want more careful mode for keep-alive/pipelineing:
If-Modifed-SinceandIf-None-Matchrequests, 304 response codes.The alternative is to disable keep-alive by default as nginx does. Another thing is we need some test suite to determine whether service behind swindon does proxying correctly. And the test suite is hard to do because the service might have some complex routing (i.e. serving static files under certain urls, serving streaming updates under certain urls), or be non-validating proxy itself (i.e. depend on the services behind for correctness).
Inspired by #47.
The text was updated successfully, but these errors were encountered: