Which Xenforo urls have unique content for every logged-out user? For example, any pages with server-generated honeypots or URLs that are unique to specific users such as password-reset links. I'm working on setting up FastCGI caching for Nginx (similar to Varnish) and I already don't cache anything if the user is logged in, if it's anything other than a `GET`, or if it includes any query strings/arguments. I've searched around a good bit for both FastCGI cache and Varnish, and there's a number of folks with questions, but no one has managed to put together a cannonical list of which URLs are okay to cache for guests and which aren't. So I suspect if we can put this together, a good number of folks will find it handy. I don't care if the page content changes on every new post--it's fine if my guests don't see the latest posts for a minute or two--it's only when the content changes for every single visitor that I don't want it cached. Here's my blacklist so far in Regex form: Code: # For sure don't cache search.* # Search queries have unique value appended that changes every time find-new/.* # URL changes every query lost-password.* # lost password requests append random string, won't have cookie set yet # Pages with honeypots that change every pageload: login/login/? register/? # Shouldn't be accessible to logged-out users, but uber-important not to cache, so including just to be safe: admin\.php.* conversations/.* account/.* logout.* However, I'm unsure whether the following should be blacklisted or not: Code: # Does Nginx ever access these url subfolders, or only PHP? Do logged-out users ever need to access? internal_data library data # Does the normal login page have honeypots? login/? Any other urls that have honeypots or otherwise shouldn't be cached for logged-out users? Alternatively, I've considered using a whitelist. Do I open any security holes if I whitelist the following URLs for logged-out users? Code: Whitelist: homepage /forums/.* /threads/.* /members/.* /posts/.* /media/.* /resources/.* However, it's really tricky to set/check a bunch of nested if statements in Nginx, so if possible I'm much prefer to use a blacklist.