2009-11-09 55 views
25

Caching proxy for authenticated REST requests: consider the following situation

  • I have a REST-style URL /articles that returns a list of articles
  • Users authenticate on every request by sending their credentials in the Authorization HTTP header
  • The list of articles may differ from user to user, depending on each user's permissions

Is it possible to use a caching proxy such as Squid in this situation? The proxy only sees the URL /articles, so it might return the list of articles that was valid only for the first user who populated the cache. Other users requesting /articles could then see articles they are not allowed to access, which is of course not what I want.

Should I roll my own cache, or can some caching proxy software be configured to key its cache on the Authorization HTTP header?

Answers

29

One possibility to try is the Vary: Authorization response header, which tells downstream caches to be careful when caching by varying the cached document according to the Authorization header of the request.

If you use response compression, you may already be using this header. Clients typically request resources with the header Accept-Encoding: gzip, deflate; if the server is configured to support compression, the response may be served with the headers Content-Encoding: gzip and Vary: Accept-Encoding.

+1

Yes, the Vary header should do the trick. Thanks. – Peter 2009-11-18 12:25:31

+1

Awesome! Shameless request, then? – yfeldblum 2009-11-18 13:44:40

+0

Is this even a problem if you use HTTPS? (If you are using basic authentication or the Authorization header, you should be using that.) – wal 2012-08-02 04:01:57

9

From the HTTP/1.1 RFC, section 14.8 (http://tools.ietf.org/html/rfc2616#section-14.8):

    When a shared cache (see section 13.7) receives a request
    containing an Authorization field, it MUST NOT return the
    corresponding response as a reply to any other request, unless one
    of the following specific exceptions holds:

    1. If the response includes the "s-maxage" cache-control
    directive, the cache MAY use that response in replying to a
    subsequent request. But (if the specified maximum age has
    passed) a proxy cache MUST first revalidate it with the origin
    server, using the request-headers from the new request to allow
    the origin server to authenticate the new request. (This is the
    defined behavior for s-maxage.) If the response includes
    "s-maxage=0", the proxy MUST always revalidate it before re-using
    it.

    2. If the response includes the "must-revalidate" cache-control
    directive, the cache MAY use that response in replying to a
    subsequent request. But if the response is stale, all caches
    MUST first revalidate it with the origin server, using the
    request-headers from the new request to allow the origin server
    to authenticate the new request.

    3. If the response includes the "public" cache-control directive,
    it MAY be returned in reply to any subsequent request.

+1

I think the asker is using the 'public' flag in the 'cache-control' header. Your post does not answer the question, but it is helpful. – dizel3d 2015-12-29 09:56:07
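The two answers describe rules a shared cache applies to the same response: the first answer's Vary: Authorization splits the cache entry per credential, and the second answer's RFC 2616 section 14.8 forbids reusing a response to an authenticated request at all unless s-maxage, must-revalidate or public is present. The toy model below is an added illustration (not code from the original question, the answers, or Squid) that replays the question's scenario under both rules; the user names, tokens, and article bodies are constructed, and freshness and revalidation are deliberately left out so that only the "which requests may share an entry" decision is shown.

```python
from dataclasses import dataclass


@dataclass
class Request:
    url: str
    headers: dict          # header names lowercased


@dataclass
class Response:
    body: str
    headers: dict          # header names lowercased


# Cache-Control directives that let a shared cache reuse a response to an
# authenticated request (RFC 2616 section 14.8, quoted in the answer above).
SHARED_AUTH_EXCEPTIONS = frozenset({"s-maxage", "must-revalidate", "public"})


def cache_control_directives(resp):
    """Directive names from Cache-Control: 'public, s-maxage=60' -> {'public', 's-maxage'}."""
    cc = resp.headers.get("cache-control", "")
    return {part.strip().split("=", 1)[0].lower() for part in cc.split(",") if part.strip()}


def vary_fields(resp):
    """Request header names listed in the Vary header, lowercased."""
    vary = resp.headers.get("vary", "")
    return tuple(h.strip().lower() for h in vary.split(",") if h.strip())


class SharedCache:
    """A shared (proxy) cache keyed on URL plus the request headers named in Vary."""

    def __init__(self):
        # url -> list of ((header, value), ...) selecting the entry, and the response
        self.entries = {}

    def store(self, req, resp):
        """Store resp for req if shared-cache rules allow it; return True if stored."""
        # RFC 2616 14.8: a response to a request carrying Authorization may be
        # served to other requests only when one of the listed directives is present.
        if "authorization" in req.headers and not (
            cache_control_directives(resp) & SHARED_AUTH_EXCEPTIONS
        ):
            return False
        vary = vary_fields(resp)
        if "*" in vary:           # Vary: * never matches another request
            return False
        # The entry is selected by the values of the Vary'd request headers.
        selecting = tuple((h, req.headers.get(h)) for h in vary)
        self.entries.setdefault(req.url, []).append((selecting, resp))
        return True

    def lookup(self, req):
        """Return a stored response whose selecting headers match req, else None."""
        for selecting, resp in self.entries.get(req.url, []):
            if all(req.headers.get(h) == value for h, value in selecting):
                return resp
        return None


def simulate(response_headers):
    """Replay the question's scenario for one set of origin response headers.

    Alice (constructed user) fetches /articles and the origin's answer is offered
    to the cache; then Alice and Bob each ask for /articles again. Returns whether
    the entry was stored and what each user would receive from the cache
    (None = cache miss, i.e. the request goes to the origin).
    """
    cache = SharedCache()
    alice = Request("/articles", {"authorization": "Basic alice-token"})
    bob = Request("/articles", {"authorization": "Basic bob-token"})
    stored = cache.store(alice, Response("articles visible to alice", response_headers))

    def body(resp):
        return None if resp is None else resp.body

    return {"stored": stored, "alice_again": body(cache.lookup(alice)), "bob": body(cache.lookup(bob))}


if __name__ == "__main__":
    # 'public' alone: Bob is served Alice's list, the leak the question worries about.
    print("public only:       ", simulate({"cache-control": "public"}))
    # 'public' plus Vary: Authorization: shared, but keyed per credential.
    print("public + vary:     ", simulate({"cache-control": "public", "vary": "Authorization"}))
    # No qualifying directive: a compliant shared cache stores nothing at all.
    print("no directive:      ", simulate({}))
```

Run as a script it prints the three outcomes; the middle case is the combination dizel3d's comment points at: Vary: Authorization only does its job once the response is also marked cacheable by a shared cache, and with public alone the cache would hand Alice's list to Bob.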