Configuring Cache-Control/Pragma headers in Hippo?


Brian Snijders

Feb 7, 2017, 5:05:35 AM
to hippo-c...@googlegroups.com
Hi all,

I'm currently in a setup with Hippo10 and Varnish in front. Varnish is out there for performance boosting and offloading deployment downtime to serve as a static cache.

So, that said, we need to move to Hippo caching one day, but we can't do that yet. However, Hippo10 by default serves a Cache-Control and Pragma HTTP header valued as "no-cache". Especially the Pragma no-cache causes a massive request hit on the Varnish server, as no-cache instructs the browser to always retrieve a fresh copy at the serving end (Varnish in this case).

I want to temporarily influence the headers, such that Varnish starts functioning again. Probably this blocks usage of Hippo cache for now, but that's okay as a temporary fix. Having this fix in place allows us to move over to a controlled scenario of testing Varnish+Hippo caching together.

My question is, which component and/or valve in the pipeline is responsible for writing these headers? I've tried to locate it myself and haven't found anything. And, since I want to fix in a uniform spot in a generic way, I need to know where to adjust this.

Thanks,
Brian

--

Brian Snijders
Consultant online

t:  +31102020544
m:  +31645540083
w:  www.incentro.com

rotterdam office | van nelle ontwerpfabriek
van nelleweg 2429  |  3044 bc  |  rotterdam


Ard Schrijvers

Feb 8, 2017, 4:27:42 AM
to hippo-c...@googlegroups.com
Hey Brian,


On Tue, Feb 7, 2017 at 11:05 AM, Brian Snijders
<brian.s...@incentro.com> wrote:
>
> Hi all,
>
> I'm currently in a setup with Hippo10 and Varnish in front. Varnish is out there for performance boosting and offloading deployment downtime to serve as a static cache.
>
> So, that said, we need to move to Hippo caching one day, but we can't do that yet. However, Hippo10 by default serves a Cache-Control and Pragma HTTP header valued as "no-cache". Especially the Pragma no-cache causes a massive request hit on the Varnish server, as no-cache instructs the browser to always retrieve a fresh copy at the serving end (Varnish in this case).
>
> I want to temporarily influence the headers, such that Varnish starts functioning again. Probably this blocks usage of Hippo cache for now, but that's okay as a temporary fix. Having this fix in place allows us to move over to a controlled scenario of testing Varnish+Hippo caching together.
>
> My question is, which component and/or valve in the pipeline is responsible for writing these headers? I've tried to locate it myself and haven't found anything. And, since I want to fix in a uniform spot in a generic way, I need to know where to adjust this.

Are you talking about REST responses? Namely, in the past,
incorrectly, these got the Pragma no-cache and Cache-Control headers
set. I removed that in 11.0, see [1]. For normal pages (HTML
rendering) we have never set Pragma no-cache.

So, you might be on an older version (10.x) and are talking about REST
responses, right? If not, I assume something on your end sets the
Pragma no-cache. You can take a look at the changes at [1] to see how I
changed it. For version 10.x you can fix the behavior by overriding
the noCacheResponseHeadersValve.

HTH,

Regards Ard

[1] https://issues.onehippo.com/browse/HSTTWO-3622

> --
> Hippo Community Group: The place for all discussions and announcements about Hippo CMS (and HST, repository etc. etc.)
>
> To post to this group, send email to hippo-c...@googlegroups.com
> RSS: https://groups.google.com/group/hippo-community/feed/rss_v2_0_msgs.xml?num=50
> ---
> You received this message because you are subscribed to the Google Groups "Hippo Community" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to hippo-communi...@googlegroups.com.
> Visit this group at https://groups.google.com/group/hippo-community.
> For more options, visit https://groups.google.com/d/optout.




--
Hippo Netherlands, Oosteinde 11, 1017 WT Amsterdam, Netherlands
Hippo USA, Inc. 71 Summer Street, 2nd Floor Boston, MA 02110, United
states of America.

US +1 877 414 4776 (toll free)
Europe +31(0)20 522 4466
www.onehippo.com

Brian Snijders

Feb 8, 2017, 5:56:20 AM
to hippo-c...@googlegroups.com
Hi Ard,

Nope, just plain HTML, so the DefaultPipeline. Thanks for getting back, I'll check with your findings and internal infrastuff here. Good to know that Pragma has never been part of Hippo.

Thanks,
Brian


Ard Schrijvers

Feb 8, 2017, 6:35:48 AM
to hippo-c...@googlegroups.com
On Wed, Feb 8, 2017 at 11:56 AM, Brian Snijders
<brian.s...@incentro.com> wrote:
>
> Hi Ard,
>
> Nope, just plain HTML, so the DefaultPipeline. Thanks for getting back, I'll check with your findings and internal infrastuff here. Good to know that Pragma has never been part of Hippo.

That is correct

HTH,

Regards Ard
Brian Snijders

Feb 14, 2017, 8:40:49 AM
to hippo-c...@googlegroups.com
Hi Ard,

Found it :).. it happens to be Spring Security. In newer versions the cache-control headers are set by Spring Sec to prevent man-in-the-middle attacks and retrieval of cached authenticated pages from a local browser. From the Spring Security reference documentation:

20.1.1 Cache Control

In the past Spring Security required you to provide your own cache control for your web application. This seemed reasonable at the time, but browser caches have evolved to include caches for secure connections as well. This means that a user may view an authenticated page, log out, and then a malicious user can use the browser history to view the cached page. To help mitigate this Spring Security has added cache control support which will insert the following headers into your response.

Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: 0

Simply adding the <headers> element with no child elements will automatically add Cache Control and quite a few other protections. However, if you only want cache control, you can enable this feature using Spring Security’s XML namespace with the <cache-control> element and the headers@defaults-disabled attribute.


Since this also might impact usage of Spring Security with Hippo caching in H10 and up, I'm hereby notifying you of my findings.

Kind regards,
Brian



Minos Chatzidakis

Feb 15, 2017, 5:10:38 AM
to Hippo Community
Thanks for the heads-up Brian! Very nice to know this

Amsterdam - Oosteinde 11, 1017 WT Amsterdam +31 20 522 44 66 
Boston - 71 Summer Street, 2nd Floor, MA 02110 
+1 877 414 47 76 
London - 2 Eastbourne Terrace London W2 6LG +44 20 35 14 99 60 
Oldenburg - Blumenstraße 1 26121 Oldenburg +49 441 36138 290

Brian Snijders

Feb 17, 2017, 4:48:26 AM
to hippo-c...@googlegroups.com
All right guys, I've got a solution in place which actually works :). The steps needed to get proper caching are like this:

Step 1: Override default Spring Security cache controls
In your Spring Security applicationContext, you'll find <http>-pattern matchers. Override the headerwriter for cachecontrol in the <http>-pattern you want to configure, disabling the default cache-control and injecting a new cache control header writer:
    <security:headers>
        <security:cache-control disabled="true"/>
        <security:header ref="cacheControlHeadersWriter"/>
    </security:headers>

Step 2: Write your custom implementation for cache control headers
Create a Spring bean (referenced in Step 1) which implements HeaderWriter. By default Spring writes a Pragma/Expires header. Below I chose just to write a Cache-Control header, merely because Pragma in fact is deprecated, but is still being used sometimes to instruct browsers to fetch fresh copies.
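    import javax.servlet.http.HttpServletRequest;
    import javax.servlet.http.HttpServletResponse;
    import org.springframework.core.Ordered;
    import org.springframework.core.annotation.Order;
    import org.springframework.http.HttpHeaders;
    import org.springframework.security.web.header.HeaderWriter;
    import org.springframework.stereotype.Component;

    // Registered under the default bean name "cacheControlHeadersWriter", as referenced in Step 1
    @Component
    @Order(Ordered.HIGHEST_PRECEDENCE)
    public class CacheControlHeadersWriter implements HeaderWriter {

        @Override
        public void writeHeaders(final HttpServletRequest request, final HttpServletResponse response) {
            response.addHeader(HttpHeaders.CACHE_CONTROL, "no-cache, no-store, no-transform, max-age=0, must-revalidate");
        }
    }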

Great, now you've got your application caching covered, but still you want to allow pages in Hippo to be cached by downstream cache servers and browsers.
So, we need to plug in a custom cache control valve, which respects the hst:cacheable property on sitemap items.


Step 3: Inject a custom cache control valve in the DefaultSitePipeline
In your hst-assembly overrides, add a new XML file to attach a cache control valve to the DefaultSitePipeline. Don't forget to change your implementation package.

    <beans xmlns="http://www.springframework.org/schema/beans"
           xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
           xsi:schemaLocation="http://www.springframework.org/schema/beans
                               http://www.springframework.org/schema/beans/spring-beans-3.0.xsd">

      <bean id="cacheControlValve" class="my.custom.CacheControlValve">
        <property name="valveName" value="cacheControlValve" />
        <property name="afterValves" value="aggregationValve"/>
        <property name="beforeValves" value="cleanupValve"/>
      </bean>

      <bean class="org.springframework.beans.factory.config.MethodInvokingFactoryBean">
        <property name="targetObject">
          <bean class="org.springframework.beans.factory.config.MethodInvokingFactoryBean">
            <property name="targetObject" ref="org.hippoecm.hst.core.container.Pipelines" />
            <property name="targetMethod" value="getPipeline"/>
            <property name="arguments">
              <value>DefaultSitePipeline</value>
            </property>
          </bean>
        </property>
        <property name="targetMethod" value="addProcessingValve"/>
        <property name="arguments">
          <ref bean="cacheControlValve" />
        </property>
      </bean>
    </beans>

Step 4: Implement your custom cache control valve

We like sitemap items which are marked as cacheable (hst:cacheable = true) to be cached nicely by downstream servers and browsers. An example implementation:
    import javax.servlet.http.HttpServletResponse;
    import org.hippoecm.hst.configuration.sitemap.HstSiteMapItem;
    import org.hippoecm.hst.container.valves.AbstractOrderableValve;
    import org.hippoecm.hst.core.container.ContainerException;
    import org.hippoecm.hst.core.container.ValveContext;
    import org.hippoecm.hst.core.request.HstRequestContext;
    import org.hippoecm.hst.core.request.ResolvedSiteMapItem;
    import org.slf4j.Logger;
    import org.slf4j.LoggerFactory;
    import org.springframework.http.HttpHeaders;

    public class CacheControlValve extends AbstractOrderableValve {
        private static final Logger log = LoggerFactory.getLogger(CacheControlValve.class);

        @Override
        public void invoke(ValveContext context) throws ContainerException {
            try {
                // Determine if this request should be cached
                HstRequestContext requestContext = context.getRequestContext();
                ResolvedSiteMapItem resolvedSiteMapItem = requestContext.getResolvedSiteMapItem();

                if (resolvedSiteMapItem != null) {
                    HstSiteMapItem siteMapItem = resolvedSiteMapItem.getHstSiteMapItem();

                    if (siteMapItem.isCacheable() && !requestContext.isCmsRequest()) {
                        // Request is configured as cacheable and is not a CMS request, rewrite Spring Security native cache-control to perform caching
                        log.debug("Hippo request for resolved sitemapitem '{}' is configured as cacheable. Writing Cache-Control headers", resolvedSiteMapItem.getPathInfo());

                        HttpServletResponse response = context.getServletResponse();
                        if (response.containsHeader(HttpHeaders.CACHE_CONTROL)) {
                            response.setHeader(HttpHeaders.CACHE_CONTROL, "no-transform, max-age=300, must-revalidate");
                        } else {
                            response.addHeader(HttpHeaders.CACHE_CONTROL, "no-transform, max-age=300, must-revalidate");
                        }
                    }
                }
            } finally {
                // Always continue the pipeline, whether or not the header was rewritten
                context.invokeNext();
            }
        }
    }


HTH,
Brian
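
Added example, not part of the original post and not Hippo or Spring Security code: the Spring Security documentation quoted earlier in the thread sets no-store so that authenticated pages are not served from a cache, so a valve that relaxes Cache-Control in front of a shared cache such as Varnish can first check that nothing ties the response to a particular user. The class and method names are hypothetical, and the sketch assumes the servlet request seen by the valve reflects the Spring Security authentication state; the two header values are the ones from Steps 2 and 4.

```java
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/** Hypothetical helper: decides which Cache-Control value a response may carry. */
public final class SharedCachePolicy {

    // Header values copied from Step 2 (restrictive) and Step 4 (cacheable) of the post.
    static final String NO_STORE = "no-cache, no-store, no-transform, max-age=0, must-revalidate";
    static final String CACHEABLE = "no-transform, max-age=300, must-revalidate";

    private SharedCachePolicy() { }

    /** True only when nothing in the exchange ties the response to one user. */
    static boolean isAnonymousAndSafe(HttpServletRequest request, HttpServletResponse response) {
        String method = request.getMethod();
        if (!"GET".equals(method) && !"HEAD".equals(method)) {
            return false;   // only safe methods produce reusable responses
        }
        if (request.getUserPrincipal() != null || request.getRemoteUser() != null) {
            return false;   // an authenticated user is attached to the request
        }
        if (request.getHeader("Authorization") != null) {
            return false;   // credentials were sent with the request
        }
        if (request.getSession(false) != null) {
            return false;   // an existing session means the page may be personalised
        }
        if (response.containsHeader("Set-Cookie")) {
            return false;   // never mark a response that sets a cookie as cacheable
        }
        return true;
    }

    /**
     * @param siteMapItemCacheable value of HstSiteMapItem.isCacheable() (hst:cacheable)
     * @param cmsRequest           value of HstRequestContext.isCmsRequest()
     */
    static String cacheControlFor(HttpServletRequest request, HttpServletResponse response,
                                  boolean siteMapItemCacheable, boolean cmsRequest) {
        boolean cacheable = siteMapItemCacheable && !cmsRequest
                && isAnonymousAndSafe(request, response);
        return cacheable ? CACHEABLE : NO_STORE;
    }

    /** Writes the chosen value; setHeader replaces any Cache-Control already present. */
    static void apply(HttpServletRequest request, HttpServletResponse response,
                      boolean siteMapItemCacheable, boolean cmsRequest) {
        response.setHeader("Cache-Control",
                cacheControlFor(request, response, siteMapItemCacheable, cmsRequest));
    }
}
```

In a valve like the one in Step 4, `apply` would be called with the request and response taken from the `ValveContext`, so that a cacheable sitemap item still gets the restrictive header when the visitor is logged in or holds a session.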

