Ignore Set-Cookie from token and introspection endpoint to fix caching

https://stackoverflow.com/a/9232739/2217862: > Make sure your backend does not return Set-Cookie header. If Nginx sees > it, it disables caching. > > proxy_ignore_header will ensure that the caching takes place. > proxy_hide_header will ensure the Cookie payload is not included in the > cached payload. This is important to avoid leaking cookies via the > NGINX cache.
jirutka · Mar 7, 2024 · 277b63c · 277b63c
1 parent ae531d7
commit 277b63c
Showing 1 changed file with 9 additions and 2 deletions.
diff --git a/conf/server.conf b/conf/server.conf
@@ -68,8 +68,10 @@ location = /-/internal/request-token {
   # If the last request passed to the server has not completed for the specified time,
   # one more request may be passed.
   proxy_cache_lock_age 2s;
-  # Ignore caching headers (OIDC Provider sends no-cache).
-  proxy_ignore_headers Cache-Control Expires;
+  # Ignore caching headers (OIDC Provider sends no-cache) and Set-Cookie.
+  # If the OIDC server returns Set-Cookie, the response will not be cached,
+  # so we must ignore it.
+  proxy_ignore_headers Cache-Control Expires Set-Cookie;
 }
 
 location = /-/internal/introspect-token {
@@ -93,4 +95,9 @@ location = /-/internal/introspect-token {
   proxy_cache_lock_age 2s;
   # Use stale responses if we cannot reach the server.
   proxy_cache_use_stale error timeout http_500 http_502 http_503 http_504;
+  # If the OIDC server returns Set-Cookie, the response will not be cached,
+  # so we must ignore it.
+  proxy_ignore_headers Set-Cookie;
+  # Don't include Set-Cookie in the cached payload.
+  proxy_hide_header Set-Cookie;
 }