Getting no 304 response in Chrome/Safari but via curl - ruby-on-rails

I've got a strange issue and I'm running out of ideas. In my Rails (4.2) app I'm using the fresh_when method to invalidate client caches for my blog pages:
def show
  @post = Post.find(params[:id])
  # Sets ETag/Last-Modified from the record and answers 304 when the client's validators match
  fresh_when @post
end
With curl everything works out fine, sending the matching Etag gives me a 304 response:
celmare$ curl -i -H 'If-None-Match: "3b4dd96aac692c03ce623db459c9cef2"' https://grosse.io/blog
Response:
HTTP/1.1 304 Not Modified
Connection: keep-alive
Status: 304 Not Modified
Last-Modified: Sun, 04 Oct 2015 10:41:08 GMT
Cache-Control: max-age=0, private, must-revalidate
Strict-Transport-Security: max-age=31536000
X-XSS-Protection: 1; mode=block
X-Request-Id: 68a0ecd2-3fac-4004-ac1e-fd6d14780f61
ETag: "3b4dd96aac692c03ce623db459c9cef2"
X-Frame-Options: SAMEORIGIN
X-Runtime: 0.006207
X-Content-Type-Options: nosniff
Date: Thu, 29 Oct 2015 13:17:02 GMT
X-Powered-By: Phusion Passenger 5.0.15
Server: nginx/1.8.0 + Phusion Passenger 5.0.15
When I open the page in the browser (e.g. Chrome Version 47.0.2526.35 beta (64-bit)) I always get 200 although the Etag still matches:
Request headers:
Accept:text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Encoding:gzip, deflate, sdch
Accept-Language:de-DE,de;q=0.8,en-US;q=0.6,en;q=0.4
Connection:keep-alive
Cookie:_gat=1; _syscfg_net_v2_session=eGFlYk83Z0kwUE9IYmtUVHg1Z1ppbHF2eFBrUitiTDBsRG1Kbml2bW8vQVZ6YW4xM0ZuRTNOS0w2VmVLM1ZaN0czZno3N0Y2MWpiUWNjQUV0YkVlaXhCZUJyZlJWWEVIZVpPclFaaHZxdFNncjNBVVg3MFR2SE0yWDRUaklsSlRMbmw4OVQrQmlDRHBIbmRSMS9VVml3PT0tLTYvUGdURTRaRjNXSU9WOTdOY1F3OEE9PQ%3D%3D--3bafbda7d522c61cd9fd04898c2c6a4bac06131b; _ga=GA1.2.235147781.1445350582
Host:grosse.io
If-Modified-Since:Sun, 04 Oct 2015 10:41:08 GMT
If-None-Match:W/"3b4dd96aac692c03ce623db459c9cef2"
Referer:https://grosse.io/blog
Upgrade-Insecure-Requests:1
User-Agent:Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2526.35 Safari/537.36
Response headers:
Cache-Control:max-age=0, private, must-revalidate
Connection:keep-alive
Content-Encoding:gzip
Content-Type:text/html; charset=utf-8
Date:Thu, 29 Oct 2015 13:16:48 GMT
ETag:W/"3b4dd96aac692c03ce623db459c9cef2"
Last-Modified:Sun, 04 Oct 2015 10:41:08 GMT
Server:nginx/1.8.0 + Phusion Passenger 5.0.15
Set-Cookie:_syscfg_net_v2_session=MUtjWlQyY1ZFZnF2TzlvTDJkdnpmMDhqVmhoVld5YkJDdHl5NUtIdXJTY1VZQ1AzV1NVMjF1alFDSE9NKzliOGhzcmc4S3FLajRmNGFZUjltQzdPNDg4SW51aUxGU2xDd0FxVi82UFZneE5YU1FnTjJVSFhpL3RCQkNYdjlFVTlyZVRRU0ZPdG83UFNVbjVyckJmZ0R3PT0tLXh4Zzg0cjhBSTZKbVpkayttanpwUFE9PQ%3D%3D--dc404af2428a17085bea4b40a3f4f0fc6ef01e50; path=/; secure; HttpOnly
Status:200 OK
Strict-Transport-Security:max-age=31536000
Transfer-Encoding:chunked
X-Content-Type-Options:nosniff
X-Frame-Options:SAMEORIGIN
X-Powered-By:Phusion Passenger 5.0.15
X-Request-Id:0633095f-b95d-4339-8e62-8b15683c2d8c
X-Runtime:0.034172
X-XSS-Protection:1; mode=block
And on top of that: in my local environment it's working with the same browser. I can hardly imagine that it is an NGINX thing because everything is configured with defaults. Could it be something with HTTPS?
Any ideas? Thanks in advance.

OK, I found the cause. It's a problem with NGINX's gzip compression in combination with weak "W/" ETags. I will try upgrading NGINX or using a patch.
Adding "etag on;" after "gzip on;" in nginx.conf fixed the problem on 1.7.4 and newer.

Related

How to verify HSTS is working as expected in Rails application?

Most of the documentation talks about adding config.force_ssl = true, which provides HSTS for a Rails application. Well, how can I make sure it's working as expected? How can I test that the HSTS header is added for every request? Any help is much appreciated.
Use curl -I https://your_website.domain or browser developer tools to view response headers. You're interested in the Strict-Transport-Security header:
curl -I https://www.ssllabs.com/
HTTP/2 200
date: Fri, 23 Apr 2021 15:25:17 GMT
server: Apache
x-content-type-options: nosniff
x-xss-protection: 1; mode=block
strict-transport-security: max-age=31536000 <-- this one
cache-control: no-cache, no-store, max-age=0, must-revalidate
pragma: no-cache
expires: 0
x-frame-options: DENY
content-type: text/html;charset=ISO-8859-1
content-language: en-US
content-length: 6587
set-cookie: ...
content-security-policy: ...

rails 4 http caching returning 200 instead of 304, even with the same ETag and last_modified

I'm quite new to caching so I've been trying some different ways of caching my website. I've settled on HTTP caching now, because it's the most appropriate with sporadic updates and lots of users perusing the same pages over and over.
I'm struggling to get it working however. The site shows different content based on whether you're logged in or not, so I have to invalidate cache based on current_user as well as the latest update on the collection of models.
If I look in Chrome inspect, the ETag and the modified_since are the same, but the server returns a 200 instead of a 304. My code works in the development environment, so I'm lost as to how to troubleshoot it. Also, a different page that only invalidates based on the collection of models (similarly on latest update) does work as expected.
Code from the controller:
def index
  # ... some code
  # HTTP caching:
  last_mod = @scraps.order("updated_at").last.updated_at
  user = current_user ? current_user.id : 0
  # ETag keyed on the user so logged-in and anonymous views never share a validator
  fresh_when etag: user.to_s, last_modified: last_mod, public: false
end
Output from Chrome inspect:
Response Headers:
HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding
Status: 200 OK
Last-Modified: Sun, 23 Jul 2017 20:40:53 GMT
Cache-Control: max-age=0, private, must-revalidate
ETag: W/"6e92592bdb6c3cf610020e2b076e64b4"
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff
X-Runtime: 3.187090
X-Request-Id: c698c0c6-8a0d-44ba-8ca9-3f162b766478
Date: Mon, 24 Jul 2017 14:49:38 GMT
Set-Cookie: ... [edited out]; path=/; HttpOnly
X-Powered-By: Phusion Passenger 5.0.30
Server: nginx/1.10.1 + Phusion Passenger 5.0.30
Content-Encoding: gzip
Request Headers:
GET /scraps?page=3&price_max=100&price_min=0&producer=silk+scraps HTTP/1.1
Host: www.picture-scraps.com
Connection: keep-alive
Accept: text/html, application/xhtml+xml, application/xml
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/59.0.3071.115 Safari/537.36
X-XHR-Referer: https://www.picture-scraps.com/scraps?page=4&price_max=100&price_min=0&producer=silk+scraps
Referer: https://www.picture-scraps.com/scraps?page=4&price_max=100&price_min=0&producer=silk+scraps
Accept-Encoding: gzip, deflate, br
Accept-Language: nl-NL,nl;q=0.8,en-US;q=0.6,en;q=0.4,af;q=0.2
Cookie: ... [edited out]
If-None-Match: W/"6e92592bdb6c3cf610020e2b076e64b4"
If-Modified-Since: Sun, 23 Jul 2017 20:40:53 GMT
I can imagine some additional information is needed, so please request and I'll add to the question.
Figured it out today. This post provides the answer. I saw the server used weak etags while in the dev environment strong etags were used. The latter is as expected as weak etags were only introduced from rails 5 forward.
If you use Nginx with rails 4 you might experience the same problem. Installing rails_weak_etags gem solved it for me.
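Added example (my own Ruby, not code from either question's application): it models the round trip behind both 200-instead-of-304 reports above, the first question's and this one's. A strong ETag of the kind Rails 4's fresh_when emits is rewritten to W/"..." by nginx's gzip filter, and Rails 4's literal comparison then never matches, whereas the RFC 7232 weak comparison does. The cache key is constructed and the Rails comparison is modelled, not copied.

```ruby
require 'digest/md5'

# Strong ETag in the form Rails 4's fresh_when emits: the MD5 of the record's
# cache key, wrapped in double quotes (modelled on Rails, not copied from it).
def strong_etag(cache_key)
  %("#{Digest::MD5.hexdigest(cache_key)}")
end

# nginx with gzip on rewrites a strong validator to a weak one, because the
# compressed body is no longer byte-identical to the original representation.
def weaken(etag)
  etag.start_with?('W/') ? etag : "W/#{etag}"
end

# Rails 4 style check: If-None-Match tokens are compared literally against
# the ETag the controller computed, so W/"x" never equals "x".
def fresh_strict?(if_none_match, etag)
  if_none_match.split(',').map(&:strip).include?(etag)
end

# RFC 7232 weak comparison, which is what a conditional GET needs here:
# drop the W/ prefix on both sides before comparing the opaque tags.
def opaque_tag(etag)
  etag.strip.sub(/\AW\//, '')
end

def fresh_weak?(if_none_match, etag)
  if_none_match.split(',').map { |t| opaque_tag(t) }.include?(opaque_tag(etag))
end

# One round trip: the client stores whatever ETag nginx delivered and sends it
# back in If-None-Match. Browsers advertise gzip, so they store the weak tag;
# the curl call in the first question did not, so it got the strong tag and a 304.
def revalidate(cache_key, accept_gzip:, weak_compare: false)
  etag = strong_etag(cache_key)
  stored = accept_gzip ? weaken(etag) : etag
  fresh = weak_compare ? fresh_weak?(stored, etag) : fresh_strict?(stored, etag)
  fresh ? 304 : 200
end

if __FILE__ == $PROGRAM_NAME
  key = 'posts/1-20151004104108' # constructed cache key
  puts revalidate(key, accept_gzip: false)                    # curl:    304
  puts revalidate(key, accept_gzip: true)                     # browser: 200
  puts revalidate(key, accept_gzip: true, weak_compare: true) # fixed:   304
end
```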

Nginx X-Frame-Options

I use nginx 1.8.0 under CentOS 6.7, which serves a Ruby on Rails 4.2.3 application.
The problem:
I need to enable iframe options for all domains, so I tried this:
X-Frame-Options: *
Then when I check the headers I see it twice, once with SAMEORIGIN and once with *. Here is the response:
HTTP/1.1 200 OK
Server: nginx/1.8.0
Date: Sun, 01 Nov 2015 15:48:32 GMT
Content-Type: text/html; charset=utf-8
Connection: keep-alive
Status: 200 OK
Strict-Transport-Security: max-age=31536000
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff
ETag: W/"d14b3de05fb18ebe4a94774c8f209e7f"
Cache-Control: max-age=0, private, must-revalidate
Set-Cookie: guess_locale=en; path=/; secure
Set-Cookie: _admin_numgames_com_session=Y3N0QjR2NXY0VFlZMlVnMHJLZC9WbUVraldZYjhpeHo0UG41akpaZE1rb0tQWS9YeGpkcklTRmViUU5aVmJpUElCcWpMaFJWQmpIWHRSazI4TE9QdTgvQ2VVRGYrSW9VcjA4eWVCMVlsUHJRejR1WmNoQWZoL2hGeVA1ZHp5YWxPdFZ4S25ydEtTamVnbFlZMEhJRDdXalQ2MU93T24vWnR6b28wM0NvYS82Nm1XMGV2Njh4djIzR1RNb2w3WTVHUDM3cVl3NnVrQnJ1WTMyU3I4dVBjY3RORWRQSlk2VmhNVnRVelZRbHRVWT0tLU9DYVBIZUxoUXlLN2VmZ01VNEhab3c9PQ%3D%3D--fa2a9d6817b5464b82a2babd784ed098f2526eeb; path=/; secure; HttpOnly
X-Request-Id: 4762503a-a9a8-41ce-b1a7-26269b7e9184
X-Runtime: 0.963198
X-Frame-Options: *
I declare this option only once, so why do I see it twice? And how do I remove this option so that anyone will be able to embed my domain in an iframe?
OK, so I found the solution. Rails was the problem; it sent the header. I just needed to add this to the production.rb file:
config.action_dispatch.default_headers = {
  'X-Frame-Options' => 'ALLOWALL'
}
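Added example (my own Ruby, not from any post above) serving both the HSTS verification question and this X-Frame-Options one: it parses a pasted header dump and reports a missing or short-lived HSTS policy, duplicated X-Frame-Options and values browsers do not recognise (ALLOWALL and * are not in the X-Frame-Options grammar, so browsers ignore the header, which is why the ALLOWALL answer appears to work). The sample dump is constructed from this question's response, and the one-year max-age threshold is my choice.

```ruby
# Parse a raw header dump (status line first) into name => [values]; repeats
# are kept because that is exactly what the X-Frame-Options question shows.
def parse_headers(raw)
  raw.each_line.each_with_object(Hash.new { |h, k| h[k] = [] }) do |line, acc|
    name, value = line.split(':', 2)
    next unless value # skips the HTTP/1.1 status line
    acc[name.strip.downcase] << value.strip
  end
end

ONE_YEAR = 31_536_000 # the max-age the HSTS answer above shows
def check_hsts(headers)
  values = headers['strict-transport-security']
  return ['Strict-Transport-Security missing'] if values.empty?
  return ['Strict-Transport-Security sent more than once'] if values.size > 1
  directives = values.first.split(';').map { |d| d.strip.downcase }
  age = directives.find { |d| d.start_with?('max-age=') }
  return ['HSTS has no max-age directive'] unless age
  seconds = age.split('=', 2).last.to_i
  findings = []
  findings << "HSTS max-age #{seconds} is below one year" if seconds < ONE_YEAR
  findings << 'HSTS lacks includeSubDomains' unless directives.include?('includesubdomains')
  findings
end

# The only X-Frame-Options values browsers act on; * or ALLOWALL are ignored.
XFO_VALID = /\A(DENY|SAMEORIGIN|ALLOW-FROM \S+)\z/i
def check_xfo(headers)
  values = headers['x-frame-options']
  return ['X-Frame-Options missing'] if values.empty?
  findings = []
  findings << "X-Frame-Options conflict: #{values.join(' vs ')} (Chrome falls back to DENY)" if values.uniq.size > 1
  values.reject { |v| v.match?(XFO_VALID) }.each { |v| findings << "non-standard X-Frame-Options #{v.inspect}" }
  findings
end

def audit(raw)
  headers = parse_headers(raw)
  check_hsts(headers) + check_xfo(headers)
end

# Constructed from the response in the X-Frame-Options question above.
SAMPLE = <<~HDR
  HTTP/1.1 200 OK
  Strict-Transport-Security: max-age=31536000
  X-Frame-Options: SAMEORIGIN
  X-Frame-Options: *
HDR

puts audit(SAMPLE) if __FILE__ == $PROGRAM_NAME
```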

What is clients1.google.com/ocsp?

A website is making a POST request to clients1.google.com/ocsp.
It's making 2 requests on the same page, and both requests are identical.
What is it for, and why does it make the same 2 requests?
Request Header:-
(Request-Line) POST /ocsp HTTP/1.1
Host clients1.google.com
User-Agent Mozilla/5.0 (Windows NT 6.2; WOW64; rv:23.0) Gecko/20100101 Firefox/23.0
Accept text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language en-US,en;q=0.5
Accept-Encoding gzip, deflate
Content-Length 107
Content-Type application/ocsp-request
Connection keep-alive
Response Header :
(Status-Line) HTTP/1.1 200 OK
Content-Type application/ocsp-response
Date Sat, 21 Sep 2013 14:08:40 GMT
Expires Wed, 25 Sep 2013 14:08:40 GMT
Cache-Control public, max-age=345600
Server ocsp_responder
Content-Length 463
X-XSS-Protection 1; mode=block
X-Frame-Options SAMEORIGIN
Alternate-Protocol 80:quic
It's probably checking certificate status of various certs in the browser.

Twitter API Get mentions

I'm having loads of issues with the Twitter API and GET. Hopefully someone can point out my mistake or help me in the correct direction. I got the POST correct for posting statuses, but I want to get the user's mentions, and I'm receiving "Could not authenticate with OAuth" the whole time.
Below are all my strings and headers as I set / get it. Please help. :)
- Generate Base URL -
base=GET&http%3A%2F%2Fapi.twitter.com%2F1%2Fstatuses%2Fmentions.xml&oauth_consumer_key%3D0RaXE4T4CuMFJHI1jViEQ%26oauth_nonce%3DDGTQVDPXRAYASJJFJLJF%26oauth_signature_method%3DHMAC-SHA1%26oauth_timestamp%3D1309954505%26oauth_token%3D298006718-8yTikfcuvQ3Xq1ZGuykhkxK2wY0ZAOxcI0jesRxd%26oauth_version%3D1.0
----------------------------------
- Build Signature -
SignKey=ey75K0x7bgyI4BwwG5mn7vLVNQiyphJo9MMT8t6bj0&Syk7tpizLGSo2xvJ9Q8Y1G318eKO8QXvPGWoOpdXWw
Signature=Q844NOw7T0oq8tNQkdR/6ez6Z8s=
----------------------------------
- Request twit Start -
postvars=
url=http://api.twitter.com/1/statuses/mentions.xml
----------------------------------
- Socket Before Header Send -
GET /1/statuses/mentions.xml HTTP/1.0
Accept: */*
Referer: http://eden.fm
User-Agent: Mozilla/4.0 (compatible; ICS)
Host: api.twitter.com
Authorization: OAuth oauth_nonce="DGTQVDPXRAYASJJFJLJF", oauth_callback="oob", oauth_token="298006718-8yTikfcuvQ3Xq1ZGuykhkxK2wY0ZAOxcI0jesRxd", oauth_signature_method="HMAC-SHA1", oauth_timestamp="1309954505", oauth_consumer_key="0RaXE4T4CuMFJHI1jViEQ", oauth_signature="Q844NOw7T0oq8tNQkdR%2F6ez6Z8s%3D", oauth_version="1.0"
----------------------------------
- Socket Header End -
HTTP/1.1 401 Unauthorized
Date: Wed, 06 Jul 2011 12:16:11 GMT
Server: hi
Status: 401 Unauthorized
WWW-Authenticate: OAuth realm="http://api.twitter.com"
X-Runtime: 0.00899
Content-Type: application/xml; charset=utf-8
Content-Length: 152
Cache-Control: no-cache, max-age=1800
Set-Cookie: k=41.133.180.120.1309954571265496; path=/; expires=Wed, 13-Jul-11 12:16:11 GMT; domain=.twitter.com
Set-Cookie: guest_id=v1%3A130995457172572573; domain=.twitter.com; path=/; expires=Sat, 06 Jul 2013 00:16:11 GMT
Set-Cookie: original_referer=ojItV1ByhTzWh74Jc1NQEw%3D%3D; path=/
Set-Cookie: _twitter_sess=BAh7CDoPY3JlYXRlZF9hdGwrCNR9YP8wAToHaWQiJTQzZGVmMTE3YTI5ZjEz%250AOGYzZWEwYjlmNTRlM2I3MzA2IgpmbGFzaElDOidBY3Rpb25Db250cm9sbGVy%250AOjpGbGFzaDo6Rmxhc2hIYXNoewAGOgpAdXNlZHsA--dd24ddb28d1207c2ebf479e57b6f9edb82553bbe; domain=.twitter.com; path=/; HttpOnly
Expires: Wed, 06 Jul 2011 12:46:11 GMT
Vary: Accept-Encoding
Connection: close
----------------------------------
- Request Done Socket DocEnd -
result=
status code=401
headers=HTTP/1.1 401 Unauthorized
Date: Wed, 06 Jul 2011 12:16:11 GMT
Server: hi
Status: 401 Unauthorized
WWW-Authenticate: OAuth realm="http://api.twitter.com"
X-Runtime: 0.00899
Content-Type: application/xml; charset=utf-8
Content-Length: 152
Cache-Control: no-cache, max-age=1800
Set-Cookie: k=41.133.180.120.1309954571265496; path=/; expires=Wed, 13-Jul-11 12:16:11 GMT; domain=.twitter.com
Set-Cookie: guest_id=v1%3A130995457172572573; domain=.twitter.com; path=/; expires=Sat, 06 Jul 2013 00:16:11 GMT
Set-Cookie: original_referer=ojItV1ByhTzWh74Jc1NQEw%3D%3D; path=/
Set-Cookie: _twitter_sess=BAh7CDoPY3JlYXRlZF9hdGwrCNR9YP8wAToHaWQiJTQzZGVmMTE3YTI5ZjEz%250AOGYzZWEwYjlmNTRlM2I3MzA2IgpmbGFzaElDOidBY3Rpb25Db250cm9sbGVy%250AOjpGbGFzaDo6Rmxhc2hIYXNoewAGOgpAdXNlZHsA--dd24ddb28d1207c2ebf479e57b6f9edb82553bbe; domain=.twitter.com; path=/; HttpOnly
Expires: Wed, 06 Jul 2011 12:46:11 GMT
Vary: Accept-Encoding
Connection: close
----------------------------------
result=<?xml version="1.0" encoding="UTF-8"?>
<hash>
<error>Could not authenticate with OAuth.</error>
<request>/1/statuses/mentions.xml</request>
</hash>
Why not take a look at my open source TTwitter library? Even though this version of the project is now deprecated (I've rolled TTwitter into a larger project to develop more social networking components) it'll still point you in the right direction :)
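Added example (my own Ruby, not the poster's code and not TTwitter): it builds the OAuth 1.0 HMAC-SHA1 signature the way the log above does, checks the helpers against the known-answer vector from OAuth Core 1.0 Appendix A, and then shows that a parameter present in the Authorization header but missing from the signature base string (the log carries oauth_callback="oob" in the header only) yields a signature the server cannot reproduce. Consumer and token secrets are placeholders; the nonce and timestamp are copied from the log.

```ruby
require 'openssl'

UNRESERVED = (('A'..'Z').to_a + ('a'..'z').to_a + ('0'..'9').to_a + %w[- . _ ~]).map(&:ord)

# RFC 3986 percent-encoding as OAuth 1.0 requires (uppercase hex, '~' untouched).
def pct(value)
  value.to_s.bytes.map { |b| UNRESERVED.include?(b) ? b.chr : format('%%%02X', b) }.join
end

# Signature base string: METHOD & encoded URL & encoded sorted parameters.
# Every oauth_* parameter that will appear in the Authorization header, plus
# all query/body parameters, must be in here; oauth_signature itself never is.
def base_string(method, url, params)
  normalized = params.map { |k, v| [pct(k), pct(v)] }.sort.map { |k, v| "#{k}=#{v}" }.join('&')
  [method.upcase, pct(url), pct(normalized)].join('&')
end

def sign(method, url, params, consumer_secret, token_secret)
  key = "#{pct(consumer_secret)}&#{pct(token_secret)}"
  [OpenSSL::HMAC.digest('sha1', key, base_string(method, url, params))].pack('m0')
end

# Known-answer test from OAuth Core 1.0 Appendix A, so the helpers can be trusted.
SPEC_PARAMS = {
  'oauth_consumer_key' => 'dpf43f3p2l4k3l03', 'oauth_token' => 'nnch734d00sl2jdk',
  'oauth_signature_method' => 'HMAC-SHA1', 'oauth_timestamp' => '1191242096',
  'oauth_nonce' => 'kllo9940pd9333jh', 'oauth_version' => '1.0',
  'file' => 'vacation.jpg', 'size' => 'original'
}.freeze
def spec_signature
  sign('GET', 'http://photos.example.net/photos', SPEC_PARAMS, 'kd94hf93k423kf44', 'pfkkdhi9sl3r4s00')
end

# The mismatch the log shows: oauth_callback="oob" is in the header but absent
# from the base string. The server signs over every header parameter, so the
# two sides compute different signatures. Secrets here are placeholders.
MENTIONS_URL = 'http://api.twitter.com/1/statuses/mentions.xml'
CLIENT_PARAMS = {
  'oauth_consumer_key' => 'CONSUMER_KEY_PLACEHOLDER', 'oauth_token' => 'TOKEN_PLACEHOLDER',
  'oauth_signature_method' => 'HMAC-SHA1', 'oauth_timestamp' => '1309954505',
  'oauth_nonce' => 'DGTQVDPXRAYASJJFJLJF', 'oauth_version' => '1.0'
}.freeze
def callback_mismatch?
  client = sign('GET', MENTIONS_URL, CLIENT_PARAMS, 'cs_placeholder', 'ts_placeholder')
  server = sign('GET', MENTIONS_URL, CLIENT_PARAMS.merge('oauth_callback' => 'oob'), 'cs_placeholder', 'ts_placeholder')
  client != server
end
```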
