nginx: extend HTML no-cache filter to /api/ (not just /api/dictionary/)
ci-deploy / build-deploy-test (push) Failing after 1m11s
Run 546 surfaced the second half of the cache-poisoning bug. /api/health (which goes through the /api/ location, not /api/dictionary/) showed `x-cache-status: STALE` text/html — meaning nginx had cached the WAF HTML block page as a 200 entry, then served it via proxy_cache_use_stale when the upstream returned 403 on a fresh fetch. The browser saw text/html for an endpoint that should be JSON, console-gate flagged the fail, and 5+ specs broke despite /api/dictionary/* being healthy. Fix is the same one-liner already applied to /api/dictionary/: require $no_cache_html (set in flights-api-cache.conf based on upstream's Content-Type) so HTML responses are never stored. Future WAF spasms return 403 directly to the client instead of dispensing months-old poisoned HTML.
@@ -88,6 +88,11 @@ server {
proxy_cache_lock on;
proxy_cache_use_stale error timeout updating http_403 http_500 http_502 http_503 http_504;
proxy_cache_bypass $http_cache_control;
# Same rationale as /api/dictionary/ — refuse to cache the WAF
# block page (text/html). Prevents `proxy_cache_use_stale` from
# later serving that HTML as a stale 200 when the WAF returns 403
# on a fresh fetch.
proxy_no_cache $no_cache_html;
add_header X-Cache-Status $upstream_cache_status always;
}
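Review bot: `proxy_no_cache $no_cache_html;` only stops nginx from storing new text/html responses; it does not evict the HTML 200 entries that are already in the cache for /api/ paths, and with `proxy_cache_use_stale ... http_403 ...` still in this block those existing entries will keep being served on the next WAF 403 until they expire. Purge the cache for this location as part of the deploy so the fix takes effect immediately, and confirm that flights-api-cache.conf (where `$no_cache_html` is set from the upstream Content-Type) is included before this `server {}` so the variable is defined here. Also consider whether `http_403` belongs in `proxy_cache_use_stale` at all: even with HTML never cached, a 403 from the WAF would still be masked by a stale JSON 200, which is the same class of surprise the commit message is trying to remove.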