Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Caching layer can lead to mixed up responses between API backends with same frontend host and backend path #322

Closed
GUI opened this issue Mar 8, 2016 · 2 comments
Closed

Caching layer can lead to mixed up responses between API backends with same frontend host and backend path #322

GUI opened this issue Mar 8, 2016 · 2 comments
Assignees
@GUI
Labels
bug

Comments

@GUI
Copy link
Member

GUI commented Mar 8, 2016

Thanks to @shawnbot and @ultrasaurus for brining this to our attention on College Scorecard. After debugging with them, we unfortunately uncovered a rather nasty bug in how our caching layer interacts with certain API setups. Here's what's happening:

Let's say you have 2 API backends with the following setup:

  • Staging API Backend:
    • Frontend Host: api.data.gov
    • Frontend URL Prefix: /staging/
    • Backend Host: my-staging-server.example.com
    • Backend URL Prefix: /
  • Production API Backend:
    • Frontend Host: api.data.gov
    • Frontend URL Prefix: /production/
    • Backend Host: my-prod-server.example.com
    • Backend URL Prefix: /

If your APIs responded with cache control headers instructing api.data.gov to cache responses, then it's possible identical requests to staging and production would get mixed up (eg, https://api.data.gov/staging/foo and https://api.data.gov/production/foo).

The problem is that at the step when we perform the caching we've rewritten the URL with the backend URL prefix (so /staging/foo is rewritten to /foo). However we are not taking into account the backend host at this phase, which is what causes collisions (since /production/foo will also be rewritten to the exact same /foo). So basically this could cause unexpected caching collisions for any API backends allowing caching that use the exact same URL structure as other API backends.

This was definitely an unfortunate and glaring oversight on our part. I believe this bug has been around for as long as we've been offering caching, so I'm just baffled we hadn't run into it before. Not all API setups would be affected by this (it hinges upon multiple backends with the same URL structure), but it's definitely possible people have been encountering this without realizing it (for example, staging and production results might have been mixed up which might not be noticeable if the API and data is the same, but might prove much more problematic in other situations).
@GUI GUI added the bug label Mar 8, 2016
@GUI GUI self-assigned this Mar 8, 2016
GUI added a commit to NREL/api-umbrella that referenced this issue Mar 8, 2016
@GUI
Fix cache collisions for separate API backends with same URL paths.
b02b647 
See 18F/api.data.gov#322 for more detailed
description.
@GUI
Copy link
Member Author

GUI commented Mar 8, 2016

Solved by NREL/api-umbrella@b02b647 and deployed to production.

In addition to ensuring hosts are treated separately, this update also ensures all API backends are kept completely separate in the cache even if the backend host is the same (I don't think we had any instances of this, but this could technically happen if the backend hostname was the same, but being served from different HTTP ports).

@GUI GUI closed this as completed Mar 8, 2016
@shawnbot
Copy link

shawnbot commented Mar 8, 2016

🎉 thank you, Nick! 👏

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@GUI GUI

Labels
bug
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@GUI @shawnbot