Hi list I have a Apache web site serving REST-resources from a Tomcat server via proxypass. I have set up the cache_disk_module so that resources are cached server side. My httpd.conf looks like this:
<IfModule cache_disk_module> CacheDefaultExpire 300 CacheIgnoreNoLastMod On CacheIgnoreQueryString Off CacheIgnoreCacheControl On CacheIgnoreHeaders Set-Cookie CacheQuickHandler Off CacheRoot "C:/Program Files (x86)/Apache Software Foundation/Apache24/cache" CacheEnable disk / CacheDirLevels 1 CacheDirLength 2 </IfModule> I have been experimenting with the Cache-Control response-header using either: 1) Cache-Control: public 2) Cache-Control: public, no-cache If I use public only my basic http authentication page is cached including username and password, so when just one client has authenticated, all clients are able to access the page without authenticating. If I use "public, no-cache” the protected page is never cached. The cache-log says "cache miss: attempting entity save” every time. The second solution as I read it is supposed to be the official way to do things: "If you’d like such pages to be cacheable, but still authenticated for every user, combine the Cache-Control: public and no-cache headers. This tells the cache that it must submit the new client’s authentication information to the origin server before releasing the representation from the cache.” (https://www.mnot.net/cache_docs/) On the other hand I found an old post on list stating: "An in any case, as you've noticed, it isn't supported at the moment." (http://osdir.com/ml/httpd-apache/2006-12/msg00493.html) So my question is: Is this feature still not supported in Apache httpd/mod_cache_disk? Are there other ways to accomplish caching of basic authentication protected ressources without caching username and password? With regards, Rune
