Hi there. Our origin server's config includes "gzip_vary on", which tells proxy caches to vary on Accept-Encoding of the received response. When an nginx cache later caches the response, it takes into account the Vary Accept-Encoding header:
"If the header includes the “Vary” field with the special value “*”, such a response will not be cached (1.7.7). If the header includes the “Vary” field with another value, such a response will be cached taking into account the corresponding request header fields (1.7.7). "
(taken from http://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_cache_valid )
Now the question is: a client can send any Accept-Encoding, really. Any bogus string like "foo" there would make nginx fetch normal un-encoded content from the upstream as if Accept-Encoding: none was specified, and cache it on disk under a different key which would include "foo" as per Nginx rules. Which is NFG. Is there any way to restrict the allowed Accept-Encoding to gzip, br (Brotli) and none at all?
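One way to bound the number of cached variants described in the post above, shown as an added example that is not part of the original post: collapse Accept-Encoding to br, gzip or empty with `map`, ignore the upstream `Vary`, and key the cache on the collapsed value. The names `$norm_ae`, `edge_cache` and `origin_backend`, the cache path and the upstream address are assumptions.

```nginx
# Added example; all names, paths and addresses are hypothetical.
# These directives belong in the http {} context.
proxy_cache_path /var/cache/nginx/edge levels=1:2 keys_zone=edge_cache:10m;

# Collapse whatever the client sent into exactly one of: "br", "gzip", "".
# Regexes in a map are tested in order of appearance, so br wins when the
# client offers both. Limitation: q-values are not parsed, so "gzip;q=0"
# is still treated as an offer of gzip.
map $http_accept_encoding $norm_ae {
    default                        "";
    "~*(^|[, ])br *(,|;|$)"        "br";
    "~*(^|[, ])gzip *(,|;|$)"      "gzip";
}

upstream origin_backend {
    server 127.0.0.1:8080;
}

server {
    listen 80;

    location / {
        proxy_pass  http://origin_backend;
        proxy_cache edge_cache;

        # The origin only ever sees one of the three normalized values,
        # so a bogus value such as "foo" is forwarded as an empty header.
        proxy_set_header Accept-Encoding $norm_ae;

        # Disable nginx's own Vary-based variants so the key below is the
        # only thing that separates encodings.
        proxy_ignore_headers Vary;

        # At most three cached objects per URL: br, gzip, identity.
        proxy_cache_key "$scheme$proxy_host$request_uri|$norm_ae";
    }
}
```

`proxy_ignore_headers Vary` ignores every field named in `Vary`, so if the origin also varies on something other than Accept-Encoding, that input has to be added to `proxy_cache_key` as well.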