When Authorization header is present in the request, its' always a Cache Miss

Question

When Authorization header present in the inbound request, it's always a Cache Miss. My requirement is, I need ATS to treat the Authorization header like any other header (It should not cause cache miss and it should get forwarded to upstream service). How can I achieve this.

This may sound non-secure, but, I have a specific usecase for this. This cache is for internal use and it's access is controlled by other means.

I tried this

As per the official documentation

By default, Traffic Server does not cache objects with the following request headers:

Authorization

Cache-Control: no-store

Cache-Control: no-cache

To configure Traffic Server to ignore this request header,

Edit proxy.config.http.cache.ignore_client_no_cache in records.config.

CONFIG proxy.config.http.cache.ignore_client_no_cache INT 1 Run the command traffic_ctl config reload to apply the configuration changes.

but, no luck

Answer 1

Actually this https://docs.trafficserver.apache.org/en/latest/admin-guide/configuration/cache-basics.en.html#configuring-traffic-server-to-ignore-www-authenticate-headers did the trick for me.

The following instructions was applicable for Authorization header as well, besides WWW-Authenticate Header. They need to update the documentation.

Configuring Traffic Server to Ignore WWW-Authenticate Headers

By default, Traffic Server does not cache objects that contain WWW-Authenticate response headers. The WWW-Authenticate header contains authentication parameters the client uses when preparing the authentication challenge response to an origin server.

When you configure Traffic Server to ignore origin server WWW-Authenticate headers, all objects with WWW-Authenticate headers are stored in the cache for future requests. However, the default behavior of not caching objects with WWW-Authenticate headers is appropriate in most cases. Only configure Traffic Server to ignore server WWW-Authenticate headers if you are knowledgeable about HTTP 1.1.

To configure Traffic Server to ignore server WWW-Authenticate headers:

Edit proxy.config.http.cache.ignore_authentication in records.config.

CONFIG proxy.config.http.cache.ignore_authentication INT 1

Run the command traffic_ctl config reload to apply the configuration changes.

Answer 2

If your origin returns a cache-control header with the 'public' directive (for instance, "Cache-Control: max-age=60,public") or including the s-maxage directive (for instance, "Cache-Control: s-maxage=60"), ATS should start caching the object. The relevant http RFC: https://www.rfc-editor.org/rfc/rfc2616#section-14.8

When a shared cache (see section 13.7) receives a request

  containing an Authorization field, it MUST NOT return the
  corresponding response as a reply to any other request, unless one
  of the following specific exceptions holds:
  1. If the response includes the "s-maxage" cache-control
     directive, the cache MAY use that response

... 3. If the response includes the "public" cache-control directive, it MAY be returned in reply to any subsequent request.

Similarly, you could also use the header_rewrite plugin to remove the Authorization header from the request, or to add public/s-maxage.