Add cache buster feature for media files #15155

@Gargron Gargron commented Nov 14, 2020

Nginx can be configured to bypass proxy cache when a special header is in the request. If the response is cacheable, it will replace
the cache for that request. Proxy caching of media files is desirable when using object storage as a way of minimizing bandwidth
costs, but has the drawback of leaving deleted media files for a configured amount of cache time. A cache buster can make those
media files immediately unavailable. This especially makes sense when suspending and unsuspending an account.

Configuration (trivial):

CACHE_BUSTER_ENABLED=true
CACHE_BUSTER_SECRET_HEADER=secret-header
CACHE_BUSTER_SECRET=true

In nginx (trivial):

location @s3 {
  # ...
  proxy_cache_bypass $http_secret_header;
  # ...
}

Of course, letting anyone bypass your cache is an abuse vector for increasing your object storage bandwidth bill, so in reality you would want to actually secure it. You see, $http_secret_header is not a special variable -- all HTTP headers can be accessed using this variable structure. So it's just accessing the raw value of an HTTP header "secret-header". Furthermore, the proxy_cache_bypass directive works by treating an empty string or 0 value as false and everything else as true. So what we can do is define a map from a better-named header (like Cache-Bypass, though it can be anything you want) to our own variable, and make it return 0 for every value except a generated secret value.

map $http_cache_bypass $authorized_cache_bypass {
  default 0;
  YOUR_SECRET_HERE 1;
}

# ...

server {
  # ...
  location @s3 {
    # ...
    proxy_cache_bypass $authorized_cache_bypass;
    # ...
  }
}

Then in Mastodon's configuration, it would simply be:

CACHE_BUSTER_ENABLED=true
CACHE_BUSTER_SECRET_HEADER=Cache-Bypass
CACHE_BUSTER_SECRET=YOUR_SECRET_HERE
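
The three nginx rules described above ($http_* header variables, the map lookup, and proxy_cache_bypass truthiness) are modelled below in Ruby as an added example; it is not code from this pull request, from Mastodon or from nginx. All function names and the sample secret are constructed for illustration, and the model also reflects that nginx map matches plain-string keys ignoring case, so the secret's entropy should not depend on letter case.

```ruby
# Added example: a model of how nginx evaluates the configuration above.
# It is not nginx and not Mastodon code; all names here are hypothetical.

# nginx exposes a request header as $http_<name>: lower-cased, dashes -> underscores.
def http_variable(header_name)
  "http_" + header_name.downcase.tr("-", "_")
end

# Resolve $http_* variables from request headers (header names are case-insensitive).
# A header that is absent yields an empty string, as in nginx.
def request_variables(headers)
  headers.each_with_object(Hash.new("")) do |(name, value), vars|
    vars[http_variable(name)] = value
  end
end

# map $source $target { default ...; KEY VALUE; }
# Plain-string keys in an nginx map are matched ignoring case.
def nginx_map(source_value, entries, default)
  entries.each { |key, value| return value if key.casecmp?(source_value) }
  default
end

# proxy_cache_bypass: an empty string or "0" means "serve from cache";
# any other value bypasses the cache and refreshes the stored entry.
def bypass?(value)
  !(value.empty? || value == "0")
end

# Trivial setup: proxy_cache_bypass $http_secret_header;
def trivial_bypass?(headers)
  bypass?(request_variables(headers)["http_secret_header"])
end

# Secured setup: map $http_cache_bypass $authorized_cache_bypass { default 0; SECRET 1; }
def secured_bypass?(headers, secret)
  vars = request_variables(headers)
  bypass?(nginx_map(vars["http_cache_bypass"], { secret => "1" }, "0"))
end

SECRET = "constructed-sample-secret" # constructed value; use a long random one in practice

if __FILE__ == $PROGRAM_NAME
  [{}, { "Secret-Header" => "anything" }, { "Cache-Bypass" => "guess" },
   { "Cache-Bypass" => SECRET }].each do |h|
    puts format("%-45s trivial=%-5s secured=%s", h.inspect, trivial_bypass?(h), secured_bypass?(h, SECRET))
  end
end
```

With the map in place, a request carrying `Cache-Bypass: 1` or any other guessed value still resolves to `0` and is served from cache; only the configured secret yields a bypass.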

@Gargron Gargron merged commit df16531 into master Nov 19, 2020
@Gargron Gargron deleted the feature-cache-buster branch November 27, 2020 17:30