From f56bb97e684e4210dc560c04e4cf7a4c493dafba Mon Sep 17 00:00:00 2001
From: gnezim
Date: Tue, 28 Apr 2026 13:13:31 +0300
Subject: [PATCH] nginx: extend HTML no-cache filter to /api/ (not just /api/dictionary/)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Run 546 surfaced the second half of the cache-poisoning bug. /api/health (which goes through the /api/ location, not /api/dictionary/) showed `x-cache-status: STALE` text/html — meaning nginx had cached the WAF HTML block page as a 200 entry, then served it via proxy_cache_use_stale when the upstream returned 403 on a fresh fetch. The browser saw text/html for an endpoint that should be JSON, console-gate flagged the fail, and 5+ specs broke despite /api/dictionary/* being healthy. Fix is the same one-liner already applied to /api/dictionary/: require $no_cache_html (set in flights-api-cache.conf based on upstream's Content-Type) so HTML responses are never stored. Future WAF spasms return 403 directly to the client instead of dispensing months-old poisoned HTML.
---
 deployment/nginx/ui-dashboard.gnerim.ru.conf | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/deployment/nginx/ui-dashboard.gnerim.ru.conf b/deployment/nginx/ui-dashboard.gnerim.ru.conf
index accd0d44..cdc3b3f9 100644
--- a/deployment/nginx/ui-dashboard.gnerim.ru.conf
+++ b/deployment/nginx/ui-dashboard.gnerim.ru.conf
@@ -88,6 +88,11 @@ server {
 proxy_cache_lock on;
 proxy_cache_use_stale error timeout updating http_403 http_500 http_502 http_503 http_504;
 proxy_cache_bypass $http_cache_control;
+ # Same rationale as /api/dictionary/ — refuse to cache the WAF
+ # block page (text/html). Prevents `proxy_cache_use_stale` from
+ # later serving that HTML as a stale 200 when the WAF returns 403
+ # on a fresh fetch.
+ proxy_no_cache $no_cache_html;
 add_header X-Cache-Status $upstream_cache_status always;
 }
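Review bot: The added `proxy_no_cache $no_cache_html;` only stops new HTML responses from being stored; any poisoned 200 entry already sitting in the cache zone for this location is untouched and, with `proxy_cache_use_stale ... http_403` still in the context lines above, will keep being served as STALE until it expires. The commit message itself describes "months-old poisoned HTML", so the rollout needs an explicit cache purge for this zone (or a proxy_cache_key change) to be effective immediately, and that should be stated in the commit or done alongside it. The comment block also relies on `$no_cache_html` being defined in another file (flights-api-cache.conf per the description) that must be included in the same http context, otherwise nginx -t fails on an unknown variable; a one-line pointer such as `# $no_cache_html is set by the map in flights-api-cache.conf` would make that dependency visible to the next editor of this file. Note that the directive filters on upstream Content-Type, so it excludes every text/html response on /api/, not only the WAF page — the comment could say so to avoid surprising anyone who later adds an HTML-producing endpoint here. The enclosing location block opens outside the hunk; only its closing brace is visible.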