Merge pull request hestiacp#2037 from hestiacp/fix-caching

jaapmarcus · web-flow · commit b13682986a5c · 2021-08-04T09:24:43.000+02:00
Fix caching template when nginx is used as reverse proxy
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -10,7 +10,8 @@ All notable changes to this project will be documented in this file.
 
 ### Bugfixes
 
-- Fix UI issues after upgrade jQuery + jQuery UI to last version (#2021 and #2032)
+- Fixed UI issues after upgrade jQuery + jQuery UI to last version (#2021 and #2032)
+- Fixed security issues in caching templates of Nginx when used as Reverse Proxy
 
 ## [1.4.9] - Service release 
 
diff --git a/install/deb/templates/web/nginx/caching.sh b/install/deb/templates/web/nginx/caching.sh
@@ -6,8 +6,8 @@ ip=$3
 home=$4
 docroot=$5
 
-str="proxy_cache_path /var/cache/nginx/$domain levels=2" 
-str="$str keys_zone=$domain:10m inactive=60m max_size=512m;" 
+str="proxy_cache_path /var/cache/nginx/$domain levels=1:2" 
+str="$str keys_zone=$domain:10m max_size=256m inactive=30m;" 
 conf='/etc/nginx/conf.d/01_caching_pool.conf'
 if [ -e "$conf" ]; then
     if [ -z "$(grep "=${domain}:" $conf)" ]; then
diff --git a/install/deb/templates/web/nginx/caching.stpl b/install/deb/templates/web/nginx/caching.stpl
@@ -18,11 +18,22 @@ server {
         proxy_pass      https://%ip%:%web_ssl_port%;
 
         proxy_cache %domain%;
-        proxy_cache_valid 15m;
-        proxy_cache_valid 404 1m;
+        proxy_cache_valid 200 5m;
+        proxy_cache_valid 301 302 10m;
+        proxy_cache_valid 404 10m;
+        proxy_cache_bypass $no_cache $cookie_session $http_x_update;
         proxy_no_cache $no_cache;
-        proxy_cache_bypass $no_cache;
-        proxy_cache_bypass $cookie_session $http_x_update;
+
+        set $no_cache 0;
+            if ($request_uri ~* "/wp-admin/|wp-.*.php|xmlrpc.php|/store.*|/cart.*|/my-account.*|/checkout.*|/user/|/admin/|/administrator/|/manager/|index.php") {
+                set $no_cache 1;
+            }
+            if ($http_cookie ~* "comment_author|wordpress_[a-f0-9]+|wp-postpass|wordpress_no_cache|wordpress_logged_in|woocommerce_items_in_cart|woocommerce_cart_hash|PHPSESSID") {
+                set $no_cache 1;
+            }
+            if ($http_cookie ~ SESS) {
+                set $no_cache 1;
+            }
 
         location ~* ^.+\.(%proxy_extensions%)$ {
             proxy_cache    off;
diff --git a/install/deb/templates/web/nginx/caching.tpl b/install/deb/templates/web/nginx/caching.tpl
@@ -13,11 +13,22 @@ server {
         proxy_pass      http://%ip%:%web_port%;
 
         proxy_cache %domain%;
-        proxy_cache_valid 15m;
-        proxy_cache_valid 404 1m;
+        proxy_cache_valid 200 5m;
+        proxy_cache_valid 301 302 10m;
+        proxy_cache_valid 404 10m;
+        proxy_cache_bypass $no_cache $cookie_session $http_x_update;
         proxy_no_cache $no_cache;
-        proxy_cache_bypass $no_cache;
-        proxy_cache_bypass $cookie_session $http_x_update;
+
+        set $no_cache 0;
+            if ($request_uri ~* "/wp-admin/|wp-.*.php|xmlrpc.php|/store.*|/cart.*|/my-account.*|/checkout.*|/user/|/admin/|/administrator/|/manager/|index.php") {
+                set $no_cache 1;
+            }
+            if ($http_cookie ~* "comment_author|wordpress_[a-f0-9]+|wp-postpass|wordpress_no_cache|wordpress_logged_in|woocommerce_items_in_cart|woocommerce_cart_hash|PHPSESSID") {
+                set $no_cache 1;
+            }
+            if ($http_cookie ~ SESS) {
+                set $no_cache 1;
+            }
 
         location ~* ^.+\.(%proxy_extensions%)$ {
             proxy_cache    off;
