I'd like to draw your attention to MDL-48023. There, we're discussing improving performance by letting a reverse proxy do its own job, given a clear use case.
Indeed, there are some hard-coded settings that satisfy the security-over-performance statement and affect performance; specifically, they prevent shared proxies from caching:
- some theme-related files, including those from 3rd-party themes served via \theme_config::setting_file_serve();
- user profile images.
A proposal has already been provided by hard-coding, again, the possibility to expose the items above to shared proxies (including reverse proxies).
We would like to have your feedback about:
- your experience with shared proxies, especially when Moodle runs behind a reverse proxy;
- your concerns about disclosing profile images to shared proxies as per the current related Moodle configuration settings, i.e. only if both forcelogin and forceloginforprofileimage are not checked.
Besides, we'd like to hear thoughts from people coding both plugins and themes, since there could be room to improve the current way of serving files by exposing an option to decide when to use the private directive in Cache-Control, giving the developer full control (including ownership!) to manage this cache response directive, which will by default be secure and conservative, as it is now.
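
The header choice discussed in the post above, as an added example that is not part of the original post and is not Moodle code: it models "public only if both forcelogin and forceloginforprofileimage are unchecked" and checks whether a given Cache-Control value lets a shared proxy store a response. Function names, the `max_age` default and the sample paths are assumptions made for illustration.

```python
# Added example (not Moodle code): function names and max_age are assumptions.

def parse_cache_control(value):
    """Parse a Cache-Control value into {directive: argument or None}.
    Simplification: quoted arguments containing commas are not handled."""
    directives = {}
    for part in value.split(","):
        name, _, arg = part.strip().partition("=")
        if name:
            directives[name.strip().lower()] = arg.strip().strip('"') or None
    return directives

def shared_cache_storage_allowed(cache_control):
    """False when the header forbids a shared cache from storing the response.
    Other RFC 9111 conditions (method, status, Authorization) are not modelled."""
    directives = parse_cache_control(cache_control)
    return "no-store" not in directives and "private" not in directives

def profile_image_cache_control(forcelogin, forceloginforprofileimage, max_age=86400):
    """Policy from the post: expose to shared proxies only if both are unchecked."""
    scope = "private" if (forcelogin or forceloginforprofileimage) else "public"
    return f"{scope}, max-age={max_age}"

def audit(responses):
    """Return URLs marked sensitive whose header still lets a shared cache store them."""
    return [url for url, sensitive, cc in responses
            if sensitive and shared_cache_storage_allowed(cc)]

# Constructed sample: (hypothetical path, must stay out of shared caches?, header).
SAMPLE = [
    ("/img/user/5", True, "private, max-age=86400"),
    ("/img/user/9", True, "public, max-age=86400"),
    ("/theme/logo", False, "max-age=604800"),
    ("/profile/5", True, "no-store, no-cache"),
    ("/img/user/12", True, ""),  # no header: heuristic caching is possible
]

if __name__ == "__main__":
    for fl in (False, True):
        for flp in (False, True):
            cc = profile_image_cache_control(fl, flp)
            print(fl, flp, cc, shared_cache_storage_allowed(cc))
    print("sensitive but storable by a shared proxy:", audit(SAMPLE))
```
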