Azure CDN should respect origin cache-control

Balazs Orban 11

So we have a Next.js (https://nextjs.org/) and in front of it sits an Azure CDN service.

In the past, I have shot myself in the foot by assuming that the Azure CDN service will follow the cache-control instructions from the origin server, and not cache anything unless it is told to. I accidentally cached my credentials at the CDN, meaning anyone logging in used my credentials on our site. More info on this here: https://github.com/vercel/next.js/discussions/14136, but in short, the main problem was that the origin (Next.js) server sent a request through the CDN WITHOUT a cache-control header, but Azure CDN decided to cache it anyway.

This is a past problem that I resolved by creating a rule in the rules engine, that tells the CDN to bypass caching for any request under a certain path. (/api https://nextjs.org/docs/api-routes/introduction).

In my opinion, this is flawed default behavior of the CDN service, and there should be a configurable option to tell the CDN service "if cache-control headers are present in the origin response, use them. if not, just forward the response".

The CDN should be configurable to not make assumptions on what should and should not be cached but strictly follow cache-control header instruction by the origin server. As far as I can tell, it is currently not possible to act upon a response from the origin server in the rules engine, you can only respond to incoming requests from the user.

Am I missing something?

3 answers

SaiKishor-MSFT 17,176 Reputation points

2021-03-23T20:12:52.523+00:00

@Balazs Orban Thank you for reaching out to Microsoft Q&A. We apologize for the delay in response to your issue.

I understand that you are looking for CDN to be able to honor the cache control header instruction by the origin server. This should be possible with all Azure CDN products except for Verizon DSA and Akamai DSA, please refer to this document for more details.

"Similar to how caching is implemented in a web browser, you can control how caching is performed in a CDN by sending cache-directive headers. Cache-directive headers are HTTP headers, which are typically added by the origin server. Although most of these headers were originally designed to address caching in client browsers, they are now also used by all intermediate caches, such as CDNs." As given here in this document.

Please let us know if you have any further questions and we will be glad to assist you further. Thank you!

Remember:

Please accept an answer if correct. Original posters help the community find answers faster by identifying the correct answer. Here is how.

Want a reminder to come back and check responses? Here is how to subscribe to a notification.
Please sign in to rate this answer.
Balazs Orban 11 Reputation points

2021-03-23T20:34:47.387+00:00

Thank you for answering! So far it's the best answer I have gotten, but still needs a bit more help. Next.js sets the s-maxage cache control header, as (according to my understanding) it is the one type meant for shared/public caches (like a CDN) as opposed to the documentation you linked to, where I am supposed to use maxage, which is meant for private (eg. users' browsers) caches. It feels like Azure should be supporting s-maxage here. https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Cache-Control#expiration

Also you mention that honoring the origin server cache control should be available for most of the tiers. We have "Microsoft" but unfortunately assets without cache control headers from the origin are still getting cached! Any configuration I am unaware of?

Balazs Orban 11 Reputation points

2021-03-23T20:43:23.983+00:00

Please refer to this discussion for more information https://github.com/vercel/next.js/discussions/14136#discussioncomment-25630.

Putting an alternative CDN in front of the origin worked as expected, but wish to use Azure if possible!

Balazs Orban 11 Reputation points

2021-03-24T14:31:25.333+00:00

I attach a picture of the options I get when adding a condition in Rules Engine.

I also attach a picture that is showing what pricing tier our CDN profile is set to.

Still, I have no clue how I should configure the CDN to honor the origin server. Which again, I am pretty sure should be the default behavior!

SaiKishor-MSFT 17,176 Reputation points

2021-03-24T16:12:53.393+00:00

@Balazs Orban If the Origin does not have Cache-Control or Expires HTTP headers set, then the default behavior is to cache it for 2 days as given here in the document.

To bypass this issue configuration needs to be done on the backend to serve requests with cache-derivative headers, as seen in the information on this link:
https://learn.microsoft.com/en-us/azure/cdn/cdn-how-caching-works#cache-directive-headers

OR

override with rules engine:
By setting it to bypass, it will be set to zero
https://learn.microsoft.com/en-us/azure/cdn/cdn-caching-rules#cache-expiration-duration

Does this answer your question? Please let me know if you have any further questions/concerns. Thank you!

Balazs Orban 11 Reputation points

2021-03-24T20:52:15.107+00:00

Thanks!
So if I understand it right, I need to use the "Set If Missing" option, and set all the values to 0, but I get this error:

A CacheExpirationAction where the CacheBehavior is Override or SetIfMissing must have the field CacheDuration filled.

I also see the Bypass option but setting it makes me feel that now ALL my requests are just simply bypassing the CDN without being cached (not honoring the origin). I think this because the response from the CDN takes a significant amount of time (500-2000ms) and the HTTP response code is 200, probably instead of 304, or and I don't see the "X-Cache: TCP_HIT" (From https://learn.microsoft.com/bs-latn-ba/azure/cdn/cdn-msft-http-debug-headers). The X-Cache header is just missing.
Are there any UI where I can analyze the effectiveness of the CDN (how many HITS are there compared to all requests. with stale-while-revalidate, I would expect something near 100%)

Balazs Orban 11 Reputation points

2021-03-24T20:55:55.68+00:00

Still don't get if "s-maxage" is supported or not? The docs only mentions max-age, but according to MDN (and my common sense), public caches like CDNs should be looking at s-maxage instead of max-age. max-age is for private caches, like browsers. (Browsers also won't care about s-maxage)

SaiKishor-MSFT 17,176 Reputation points

2021-03-29T21:12:59.613+00:00

@Balazs Orban

Azure CDN will give preference to s-maxage over maxage provided both are non-zero values. Having maxage=0 or s-maxage=0 will make the resource uncacheable.

Balazs Orban 11 Reputation points

2021-03-30T10:23:14.787+00:00

Thanks. The docs should be updated then to reflect this. I created the following GH issue: https://github.com/MicrosoftDocs/azure-docs/issues/72984

I am still struggling though. Using the bypass cache option (not clear if it will only bypass for responses without a cache header, or it will override for ALL responses from origin), the time to get a response is 6-8x SLOWER than getting it directly from origin. No X-Cache header present, so I don't know why the response is so much slower.

Using the set-if-missing global rule with 1 second (should be possible to set to 0 seconds, but it errors, see in prev. reply) is similarly slower, but at least yields an X-cache: TCP_MISS header so I know it is because the origin had to be visited. Although since stale-while-revalidate is used, the response should come from the CDN anyway and should not affect the response time.

SaiKishor-MSFT 17,176 Reputation points

2021-03-30T14:50:54.83+00:00

I am still looking into this. Please allow me sometime to get back to you. Thank you!

Balazs Orban 11 Reputation points

2021-03-31T09:09:59.053+00:00

Ideally, I would like to set the following cache directive header when it is missing/not set by the origin server: public, max-age=0, must-revalidate

Currently, it only sets public, max-age=1, since I cannot set 0 in the UI. (It throws an error)

I also found out that the CDN from which my content is served - according to its IP - is located in Redmond, Washington, while I am sitting in Norway. I was expecting the CDN to serve content from the nearest POP server, at least something from Europe in my case? https://learn.microsoft.com/en-us/azure/cdn/cdn-pop-locations

Our origin server is located in Northern-Europe, so it would explain the problematic CDN results compared to direct requests to the origin server.

Balazs Orban 11 Reputation points

2021-04-02T09:40:01.58+00:00

@SaiKishor-MSFT Some of your messages seem to have disappeared from this thread, but I could still see them in my e-mails. Here is a screenshot of the issue, when trying to set 0 seconds:

Also, I have an active support ticket for this issue, where I am blocked as well. The person I am assigned to had to check with a technical supervisor if s-maxage was even supported, and I just got a mildly confusing answer, where I think they try to say that s-maxage is not supported at the moment? So getting mixed signals here. I am sent a link where I can give general feedback...

SaiKishor-MSFT 17,176 Reputation points

2021-04-02T16:32:09.363+00:00

@Balazs Orban Yes I was able to replicate it. I am working internally regarding this issue with my team and will update you soon with any new findings.
Sign in to comment
SaiKishor-MSFT 17,176 Reputation points

2021-04-05T17:27:43.423+00:00

@Balazs Orban Thank you for your patience while we were investigating this issue further.

So to summarize, you want Azure CDN to not cache traffic whenever the cache directive headers are missing in the response. However, upon further investigation, this is not possible with Azure CDN i.e., you cannot set up rules engine rules based on response headers. Absence of Cache-control header leads to CDN caching the traffic.

The only solution possible through Azure CDN is to know which specific url paths can end up in this situation and set up rules accordingly in the rules engine.

Regarding s-maxage, this is still true:

Azure CDN will give preference to s-maxage over maxage provided both are non-zero values. Having maxage=0 or s-maxage=0 will make the resource uncacheable.

And we are working via the Github thread that you created to include this in our documentation as well. Hope this dissolves your doubts.

If you still have further questions, please feel free to let us know and we will gladly discuss further. Thank you so much for your patience.

Remember:

Please accept an answer if correct. Original posters help the community find answers faster by identifying the correct answer. Here is how.

Want a reminder to come back and check responses? Here is how to subscribe to a notification.
Please sign in to rate this answer.
Balazs Orban 11 Reputation points

2021-04-05T17:53:11.207+00:00

Thank you for investigating. Unfortunately I cannot mark anything here as an answer because apparently there is none for my problem. Where can I create a feature request for this issue? Because it is definitely something a modern CDN should consider in my opinion. I don't see the proper reasoning behind default caching without no instructions. As mentioned earlier this was a big foot gun where I ended up exposing sensitive information to the world by caching something was never meant to be cached (therefore I never instructed the CDN to do so, but it did it anyway)

SaiKishor-MSFT 17,176 Reputation points

2021-04-05T18:12:50.42+00:00

@Balazs Orban I understand the issues you are running into with the current setup, however, the solutions are only as suggested at the moment. Here is the page for Feedback- https://feedback.azure.com/forums/34192--general-feedback
Sign in to comment
Balazs Orban 11 Reputation points

2021-04-06T18:20:45.29+00:00

@SaiKishor-MSFT I do have a follow-up question though! I was wondering what the support state of stale-while-revalidate cache directive was? From my results, it really looks like it is ignored/unsupported as well, and my research can confirm that: https://www.ctrl.blog/entry/cdn-rfc5861-support.html

Here is the spec: https://tools.ietf.org/html/rfc5861#section-3

The part I am missing is the async nature of revalidating a resource in the CDN cache, meaning if the s-maxage value indicates expired content, STILL serve a stale version to the user, and re-fetch the resource from the origin WITHOUT blocking the user response.

I tried to use it in the above-mentioned app, and it looks like when there is a TCP_MISS, the client will WAIT for the origin to respond to the CDN even when this directive is present, instead of receiving a stale version of the content and the CDN updating the content in the background, without blocking for the user.

Is this possible/supported/planned?
Please sign in to rate this answer.
SaiKishor-MSFT 17,176 Reputation points

2021-04-08T18:39:42.99+00:00

@Balazs Orban Currently we do not support stale and re validate feature and there are no plans to support it yet. Please let me know if you have any further questions. Thank you!

Balazs Orban 11 Reputation points

2021-04-09T12:05:56.2+00:00

Sorry to hear that Azure CDN lags behind on this and has no plan to change. It is unfortunately a dealbreaker for us. Thank you for your time, but I now have to look for better alternatives than Azure CDN.

SaiKishor-MSFT 17,176 Reputation points

2021-04-12T17:14:25.873+00:00

@Balazs Orban I understand that your requirements does not meet the Azure CDN available features yet. Please feel free to add on to the feature requests in the Azure Feature Request Page so we our team can consider this in the future. Thank you!

Balazs Orban 11 Reputation points

2021-04-12T17:58:14.3+00:00

Just a last question. Since there are several plans under Azure CDN, is it possible that some of the other plans (so not Microsoft's) would meet our requirements?

So no caching when no cache-control header, support of s-maxage, support of stale-while-revalidate, and prioritizing physically close POP servers over US servers?

SaiKishor-MSFT 17,176 Reputation points

2021-04-14T20:09:28.463+00:00

@Balazs Orban Just to clarify regarding s-maxage-

Azure CDN Standard/Premium from Verizon and Azure CDN Standard from Microsoft honors caching behaviors for Cache-Control directives in RFC 7234 - Hypertext Transfer Protocol (HTTP/1.1): Caching (ietf.org) i.e., Azure CDN will give preference to s-maxage over maxage provided both are non-zero values. Having maxage=0 or s-maxage=0 will make the resource uncacheable.

Azure CDN Standard from Akamai supports only the following Cache-Control directives; all others are ignored:
max-age: A cache can store the content for the number of seconds specified. For example, Cache-Control: max-age=5. This directive specifies the maximum amount of time the content is considered to be fresh.
no-cache: Cache the content, but validate the content every time before delivering it from the cache. Equivalent to Cache-Control: max-age=0.
no-store: Never cache the content. Remove content if it has been previously stored.

SaiKishor-MSFT 17,176 Reputation points

2021-04-15T17:30:07.537+00:00

@Balazs Orban Verizon Premium has the features- stale-while-revalidate & modify response header features as seen from this document here.

Balazs Orban 11 Reputation points

2021-04-16T08:45:22.193+00:00

I presented the different issues/obstacles to my team, and we decided to proceed with exploring alternatives to Azure CDN. Thank you for following up anyway.

Franz Ombler 16 Reputation points

2022-03-13T05:27:03.187+00:00

Thank you for asking this question, Balazs. You might like to upvote this feature request:
https://feedback.azure.com/d365community/idea/1b9e3901-9fa1-ec11-a81c-6045bd7d1bee
Sign in to comment