Forum Discussion

Jeff_80625's avatar
Jeff_80625
Icon for Nimbostratus rankNimbostratus
May 18, 2007

http header no-cache

I need to create a rule that will send the cache-control directive "no-cache" to the browser so that firefox will not put an SSL page in the bfcache. I can find some help on creating the rule with version 9.x, but does anyone know how to do it with version 4.x?
application delivery
dev
devops
iRules
v4

6 Replies

Sort By
  • hooleylist's avatar
    hooleylist
    Icon for Cirrostratus rankCirrostratus
    May 21, 2007
    I could be wrong, but I don't believe there is an option to insert HTTP headers in responses in 4.x. Are you able to upgrade the unit to 9.x?

     

     

    Aaron
  • Jeff_80625's avatar
    Jeff_80625
    Icon for Nimbostratus rankNimbostratus
    May 21, 2007
    Our test environment is 4.x, production is 9.x. Not going to be getting test upgraded for a bit, needed to find a way in test to make it work if possible.

     

     

    How would you do it in 9.x?
  • hooleylist's avatar
    hooleylist
    Icon for Cirrostratus rankCirrostratus
    May 21, 2007
    Could you set up a test virtual server on your 9.x production units to test this.

    To insert a header in the response in 9.x, you could use:

    
when HTTP_RESPONSE {
   HTTP::header insert my_header_name my_header_value
}

    Can you configure the web app to insert the headers?

    Else, if you have to test on 4.x and it's very limited manual testing, you could use an HTTP interception proxy (like BURP or Paros). An interception proxy runs on the client and allows you to manipulate the request and or response headers and data after the browser sends the request and before the browser gets the response. You would need to change each response individually though. I wouldn't recommend it for anything more than a handful of tests.

    http://www.portswigger.net/proxy/download.html

    http://www.parosproxy.org/download.shtml

    Aaron
  • Jeff_80625's avatar
    Jeff_80625
    Icon for Nimbostratus rankNimbostratus
    May 21, 2007
    The application is running on an application server (WebLogic) that is behind a web server (Sun One), both of which are attempting to set the header.

     

     

    The problem we are having is that even though pages are protected by SSL the "cache-control: no-cache" HTTP header is not being set so firefox and IE7 are caching the pages. We absolutely do not want caching to happen for these pages.

     

     

    In my development environment - where there is not F5 LB - even though the application is trying to set the header I had to change the web server config so that the header was being set. I assumed that since the browser is talking to the F5, even though both the web and app servers are attempting to set the header, only the F5 can actually do so.
  • hooleylist's avatar
    hooleylist
    Icon for Cirrostratus rankCirrostratus
    May 22, 2007
    BIG-IP shouldn't modify cache headers unless you have that configured in the HTTP profile. Are you seeing headers set by the web or app server not being received by the client as they were set? If so, do you have RAM cache enabled on the HTTP profile?

     

     

    Aaron
  • Jeff_80625's avatar
    Jeff_80625
    Icon for Nimbostratus rankNimbostratus
    May 23, 2007
    The problem actually ended up being that the headers being set by the application were not set correctly so that all browsers would be instructed not to cache an SSL protected page. Firefox needs the no-cache directive, Opera needs the must-revalidate directive. The headers were also only being set through meta tags on the page, the application is java and has the ability to use the HttpServletResponse.setHeader() method. Once I got all of that in place the problem was resolved and now none of the popular browsers are caching my SSL pages.