Return private cache headers when IP allowlist is triggered

Created on 20 May 2025, 19 days ago

Problem/Motivation

The IP address allowlist feature currently has a warning message on it:

Warning: IP allowlists interfere with reverse proxy caching! Do not use allowlist if reverse proxy caching is in use!

We've definitely run into this problem before, with a CDN cache storing the responses when first accessed from the allowed IP address and then serving them to users who don't match the IP address. However, it seems like this problem should be fixable if we return the correct headers in a response when the IP allowlist is triggered, to indicate to caching proxies that the response should not be cached.

Proposed resolution

When a response is allowed due to the IP allowlist, send cache headers back marking the response as uncacheable. This could be done either with a page cache response policy service that marks the response as uncacheable, or potentially by setting the headers directly in ShieldSubscriber (based on what FinishResponseSubscriber does) so that the internal page cache can still be used. ShieldMiddleware runs before the page cache so it should still be fine to serve from the page cache.
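As an added illustration of the subscriber variant (example code, not the Shield module's own or part of this issue), a response subscriber that sets the headers the way core does for uncacheable responses. It assumes a hypothetical request attribute, `shield_ip_allowed`, written by whatever code performs the allowlist match; that attribute name is not Shield's API.

```php
<?php

namespace Drupal\shield\EventSubscriber;

use Symfony\Component\EventDispatcher\EventSubscriberInterface;
use Symfony\Component\HttpFoundation\Response;
use Symfony\Component\HttpKernel\Event\ResponseEvent;
use Symfony\Component\HttpKernel\KernelEvents;

/**
 * Stops shared caches from storing responses granted by the IP allowlist.
 *
 * Assumption (hypothetical, not Shield's real API): the code that performs
 * the allowlist match records its decision on the request as the attribute
 * 'shield_ip_allowed' => TRUE. Register this class in shield.services.yml
 * with the 'event_subscriber' tag, like any other Drupal subscriber.
 */
class ShieldAllowlistCacheSubscriber implements EventSubscriberInterface {

  public const ALLOWED_ATTRIBUTE = 'shield_ip_allowed';

  public static function getSubscribedEvents(): array {
    // Negative priority: run after core's FinishResponseSubscriber (priority 0),
    // so the directives set here are the ones that actually leave the site.
    return [KernelEvents::RESPONSE => ['onRespond', -20]];
  }

  public function onRespond(ResponseEvent $event): void {
    if ($event->getRequest()->attributes->get(self::ALLOWED_ATTRIBUTE) !== TRUE) {
      return;
    }
    self::markUncacheableByProxies($event->getResponse());
  }

  /**
   * Sets headers so a CDN or reverse proxy never stores or reuses the response.
   *
   * 'private' forbids shared caches, 'no-store' forbids keeping a copy at all,
   * and the validators are dropped so nothing can be revalidated into a hit.
   */
  public static function markUncacheableByProxies(Response $response): void {
    $response->headers->set('Cache-Control', 'private, no-store, no-cache, must-revalidate');
    // An Expires date in the past covers HTTP/1.0 caches that ignore Cache-Control.
    $response->setExpires(new \DateTimeImmutable('Sun, 19 Nov 1978 05:00:00 GMT'));
    $response->setEtag(NULL);
    $response->setLastModified(NULL);
  }

}
```

Because this runs inside the kernel, an internal page cache entry replays whatever headers it was stored with; if an entry could have been created by a request that passed Shield another way, applying the same headers in the middleware on the way out covers cache hits as well.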

User interface changes

Remove the warning message or perhaps just update it to suggest the feature should be tested with any caching proxy setup to ensure it works correctly.

Feature request
Status

Active

Version

1.0

Component

Code

Created by

🇦🇺Australia richard.thomas
