feat(proxy-cache): add consumer_isolation and cache_set_cookie options#13350
Merged
shreemaan-abhishek merged 2 commits intoMay 14, 2026
Merged
Conversation
- Add `consumer_isolation` (default: true). When an authenticated identity is present (`ctx.consumer_name` or `ctx.var.remote_user`), prepend it to the effective cache key so each consumer gets its own cache namespace. Skipped when the user-supplied `cache_key` already references an identity-bearing variable (`$consumer_name`, `$consumer_group_id`, `$remote_user`, or `$http_authorization`). - Add `cache_set_cookie` (default: false). The in-memory and on-disk strategies refuse to cache responses that include a `Set-Cookie` header unless explicitly opted in. - Always honor upstream `Cache-Control: private` / `no-store` / `no-cache` in the in-memory strategy, regardless of the existing `cache_control` flag, which continues to govern request-side semantics and TTL derivation from `max-age` / `s-maxage`.
dosubot
Bot
added
size:L
- Drop the Set-Cookie check in disk_handler. NGINX's native proxy_cache already refuses to cache responses that include a Set-Cookie header, so the Lua-level check was redundant. - Document that `cache_set_cookie` only applies to the in-memory strategy (the on-disk strategy is governed by NGINX defaults and does not consult this flag). - Rename TEST 37 to reflect that it covers Set-Cookie refusal on an authenticated route. The previous title also claimed per-consumer isolation, but the assertions could not distinguish that from Set-Cookie refusal. - Add TEST 40 that exercises `consumer_isolation` directly: a cacheable upstream endpoint (no Set-Cookie, no Cache-Control: private) is fronted by an auth-protected route; two requests from the same consumer produce MISS then HIT, and a request from a second consumer produces MISS again, proving that the cache key is partitioned by identity. - Add nil/error checks to TEST 38 and TEST 39 so that a request failure surfaces a clear message instead of a nil dereference.
membphis
approved these changes
May 12, 2026
nic-6443
reviewed
May 12, 2026
nic-6443
reviewed
May 12, 2026
nic-6443
approved these changes
May 13, 2026
AlinsRan
approved these changes
May 13, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
4 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Description
This PR adds two new options to the
proxy-cacheplugin and tightens how the in-memory cache strategy treats upstreamCache-Controlresponse directives.New options
consumer_isolation(boolean, default:true). When the request resolves to an APISIX consumer (ctx.consumer_name) or carries a remote user (ctx.var.remote_user), the identity is prepended to the effective cache key so each consumer gets its own cache namespace. The augmentation is skipped when the user-suppliedcache_keyalready references an identity-bearing variable ($consumer_name,$consumer_group_id,$remote_user, or$http_authorization). Set tofalsefor routes where consumers should share cached responses.cache_set_cookie(boolean, default:false). The in-memory and on-disk strategies refuse to cache responses that include aSet-Cookieheader unless explicitly opted in.Set-Cookieis per-recipient and not generally safe for a shared cache to store.Behavior change
The in-memory strategy now always honors upstream
Cache-Control: private,no-store, andno-cachedirectives, regardless of the existingcache_controlflag. Thecache_controlflag continues to govern request-side semantics (clientCache-Controlrequest directives such asmax-age/min-fresh/only-if-cached) and TTL derivation frommax-age/s-maxage. This matches the behavior of NGINX's nativeproxy_cache(used by the on-disk strategy) and brings the two strategies into closer agreement.Backward compatibility
The new defaults change behavior in three ways for users who have proxy-cache enabled today:
proxy-cachewith an authentication plugin will start partitioning the cache by consumer. Existing cache entries become unreachable; new entries accumulate per consumer. Setconsumer_isolation: falseto opt out.Set-Cookie. Setcache_set_cookie: trueto opt back in.Cache-Controlincludesprivate,no-store, orno-cache, irrespective of the route-levelcache_controlflag.Each is independent; users can mix and match opt-outs.
Which issue(s) this PR fixes:
N/A
Checklist