Add all headers to cache key by default #46

Closed
ofhouse opened this issue Jan 31, 2021 · 1 comment · Fixed by #82

Comments


ofhouse commented Jan 31, 2021

Currently, no headers are part of the cache key.
This is generally better for caching but when people use Authorization headers this could cause a security risk.

So the ideal behaviour would be caching based on all headers that can be configured through input variables.

https://github.com/dealmore/terraform-aws-next-js/blob/30cc0bff5c330ed59fa071d3f9ba35a7cf72eb82/modules/proxy/main.tf#L119

Blocked by hashicorp/terraform-provider-aws#14373.

@ofhouse ofhouse added the feature/terraform Missing feature from Terraform label Jan 31, 2021
@ofhouse ofhouse self-assigned this Jan 31, 2021
@ofhouse ofhouse added feature/AWS Missing feature from AWS upstream/terraform Waits for implementation in Terraform labels Feb 1, 2021

ofhouse commented Feb 1, 2021

To resolve the issue the default_cache_behavior needs to add headers to forwarded_values:

 forwarded_values {
      query_string = true
+     headers      = var.cloudfront_cache_headers

      cookies {
        forward = "all"
      }
    }
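
Review bot: the added headers = var.cloudfront_cache_headers line takes its value from a variable whose declaration and default are not shown here. Since the concern in this issue is requests with Authorization headers being cached without the header in the key, the default should include Authorization (or all headers) rather than an empty list, and the variable's description should state that each listed header is forwarded to the origin and becomes part of the cache key.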

Unfortunately, the headers property cannot be set on S3 origin resources.

A possible solution would be to set the API Gateway origin as default origin, but then we lose the ability to use origin access identity: https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/lambda-event-structure.html

  • You can’t use an OAI when you change the request from a custom origin to an Amazon S3 origin.

So we have to wait until we can use the origin request policies to add headers to the S3 origin, which should be possible.

@ofhouse ofhouse added the blocked Blocked by other issues label Feb 1, 2021
@ofhouse ofhouse removed the blocked Blocked by other issues label Feb 12, 2021
@ofhouse ofhouse added this to the v0.8.0 milestone Feb 13, 2021
@ofhouse ofhouse mentioned this issue Mar 17, 2021
1 task
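
The risk described in the first comment, modelled as an added example (not code from this project and not CloudFront's real key algorithm): a simplified edge cache whose key is built from path, query string, cookies and a configurable header list standing in for var.cloudfront_cache_headers. The names cache_key, EdgeCache, origin and demo, and the sample requests and tokens, are constructed for illustration.

```python
from urllib.parse import urlsplit


def get_header(headers, name):
    """Case-insensitive header lookup (HTTP header names are case-insensitive)."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return ""


def cache_key(url, headers, cache_headers):
    """Key = path + query string + cookies + the configured headers.

    Query string and cookies are always included, mirroring
    query_string = true and cookies { forward = "all" } in the snippet above.
    cache_headers stands in for var.cloudfront_cache_headers (assumed list of names).
    """
    parts = urlsplit(url)
    names = sorted({h.lower() for h in cache_headers})
    selected = tuple((h, get_header(headers, h)) for h in names)
    return (parts.path, parts.query, get_header(headers, "Cookie"), selected)


class EdgeCache:
    def __init__(self, origin_fn, cache_headers):
        self.origin_fn = origin_fn
        self.cache_headers = list(cache_headers)
        self.store = {}
        self.origin_hits = 0

    def fetch(self, url, headers):
        key = cache_key(url, headers, self.cache_headers)
        if key not in self.store:  # miss: ask the origin and remember the response
            self.origin_hits += 1
            self.store[key] = self.origin_fn(url, headers)
        return self.store[key]


def origin(url, headers):
    # Constructed origin: the response body depends on the caller's token.
    return "profile for " + (get_header(headers, "Authorization") or "anonymous")


def demo(cache_headers):
    """Two callers with different tokens request the same URL through one cache."""
    cache = EdgeCache(origin, cache_headers)
    first = cache.fetch("/api/me?v=1", {"Authorization": "Bearer token-A"})
    second = cache.fetch("/api/me?v=1", {"authorization": "Bearer token-B"})
    return first, second, cache.origin_hits
```

With an empty header list the second caller receives the first caller's cached response; with Authorization in the list each token gets its own cache entry.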