We Keep Coding

Excluding a specific URL from HTTP Basic Auth - mod_rewrite causing problems

We have "HTTP Basic Auth" on a certain subdomain of ours, but would like to allow everything to access a specific URL on that subdomain without authenticating (for a 3rd party hitting our webhook URL).
So I tried to use SetEnvIf Request_URI ^/webhook/ allow to allow with Allow from env=allow (full file below) but it seems that because we've got some mod_rewrite rules to rewrite all these URLs to a PHP entry point, the Request_URI is never actually /webhook once it gets to this point (guessing but didn't know how to 100% confirm this.
It's still asking for a basic auth user/pass regardless of the URL.
Note that the .htaccess file is the same on all our domains / subdomains, whereas the VirtualHost can be configured just for this subdomain.
Full VirtualHost config with the "HTTP Basic Auth" config section:
<VirtualHost *:80>
RewriteEngine on
RewriteCond %{HTTP:X-Forwarded-Proto} !https
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [R=permanent,L]
DocumentRoot /var/www/sub.ourdomain.co.uk/blah/www
ServerAdmin x#ourdomain.co.uk
ServerName sub.ourdomain.co.uk
ServerAlias www.sub.ourdomain.co.uk
ErrorDocument 400 /error.php
ErrorDocument 401 /error.php
ErrorDocument 403 /403.html
ErrorDocument 404 /error.php
ErrorDocument 405 /error.php
ErrorDocument 408 /error.php
ErrorDocument 410 /error.php
ErrorDocument 411 /error.php
ErrorDocument 412 /error.php
ErrorDocument 413 /error.php
ErrorDocument 414 /error.php
ErrorDocument 415 /error.php
ErrorDocument 500 /error.php
ErrorDocument 501 /error.php
ErrorDocument 502 /error.php
ErrorDocument 503 /error.php
ErrorDocument 506 /error.php
ErrorLog /var/log/httpd/sub.ourdomain.co.uk.apache.log
CustomLog /var/log/httpd/sub.ourdomain.co.uk.access.log combined
<Directory "/var/www/sub.ourdomain.co.uk/blah/www">
SetEnvIf Request_URI ^/webhook/ allow
AuthType Basic
AuthName "Restricted Content"
AuthUserFile /etc/httpd/passwords/sub.ourdomain.co.uk
# Setup a deny/allow
Order Deny,Allow
# Deny from everyone
Deny from all
# except if either of these are satisfied
Satisfy any
# 1. a valid authenticated user
Require valid-user
# or 2. the "allow" var is set
Allow from env=allow
</Directory>
</VirtualHost>
.htaccess mod_rewrite rules:
RewriteCond %{REQUEST_METHOD} !(^GET|^POST|^HEAD)
RewriteRule .* - [R=405,L]
RewriteCond %{REQUEST_FILENAME} !-d
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_URI} !(/img|/js|/css|/fonts)
RewriteRule ^(.*)$ /boot.php
RewriteCond %{REQUEST_URI} ^/$
RewriteRule ^(.*)$ /boot.php
Edit 1 - based on the comments I also tried: SetEnv allow true and SetEnv allow 1 to remove the doubt of whether it's the URL and it still asks for the basic auth password, so it may not be related to the URL afterall.
Edit 2 - Adding the entire .htaccess to make sure I'm not missing something else:
php_value max_input_vars 4000
RewriteEngine on
# Disallow other HTTP verbs such as PUT and DELETE
RewriteCond %{REQUEST_METHOD} !(^GET|^POST|^HEAD)
RewriteRule .* - [R=405,L]
RewriteCond %{REQUEST_FILENAME} !-d
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_URI} !(/img|/js|/css|/fonts|/twig|/pdf|/vendors|/server-status)
RewriteRule ^(.*)$ /boot.php
RewriteCond %{REQUEST_URI} ^/$
RewriteRule ^(.*)$ /boot.php
AddType font/ttf .ttf
AddType font/eot .eot
AddType font/otf .otf
AddType font/woff .woff
<IfModule mod_deflate.c>
AddOutputFilterByType DEFLATE text/css text/javascript application/x-javascript application/javascript text/x-component text/html text/richtext image/svg+xml text/plain text/xsd text/xsl text/xml image/x-icon application/json font/woff font/otf font/eot font/ttf
</IfModule>
<ifModule mod_expires.c>
ExpiresActive On
ExpiresDefault "access plus 1 seconds"
ExpiresByType text/html "access plus 1 seconds"
ExpiresByType image/gif "access plus 2592000 seconds"
ExpiresByType image/jpeg "access plus 2592000 seconds"
ExpiresByType image/png "access plus 2592000 seconds"
ExpiresByType text/css "access plus 604800 seconds"
ExpiresByType font/ttf "access plus 604800 seconds"
ExpiresByType font/eot "access plus 604800 seconds"
ExpiresByType font/otf "access plus 604800 seconds"
ExpiresByType font/woff "access plus 604800 seconds"
ExpiresByType text/javascript "access plus 604800 seconds"
ExpiresByType application/x-javascript "access plus 604800 seconds"
</ifModule>
<ifModule mod_headers.c>
<filesMatch "\\.(ico|pdf|flv|jpg|jpeg|png|gif|swf)$">
Header set Cache-Control "max-age=2592000, public, proxy-revalidate"
</filesMatch>
<filesMatch "\\.(js|css|ttf|eot|otf|woff)$">
Header set Cache-Control "max-age=604800, public, proxy-revalidate"
</filesMatch>
<filesMatch "\\.(xml|txt)$">
Header set Cache-Control "max-age=216000, public, must-revalidate"
</filesMatch>
</ifModule>
Edit 3 - Sorry, should have mentioned that we're stuck on Apache 2.2 for now.

Using Apache 2.4+ you can use <If> expression to disable auth or use allow from all directive for a URI using THE_REQUEST variable. THE_REQUEST represents original request sent to Apache and it doesn't get updated in the context of a single request:
AuthType Basic
AuthName "Restricted Content"
AuthUserFile /etc/httpd/passwords/sub.ourdomain.co.uk
Require valid-user
Satisfy any
Order deny,allow
Deny from all
<If "%{THE_REQUEST} =~ /webhook/">
Satisfy any
Allow from all
</If>
# your current mod_rewrite rules can appear below this line:
DirectoryIndex boot.php
RewriteEngine on
# Disallow other HTTP verbs such as PUT and DELETE
RewriteCond %{REQUEST_METHOD} !^(GET|POST|HEAD)
RewriteRule ^ - [R=405,L]
RewriteCond %{REQUEST_FILENAME} !-d
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_URI} !(/img|/js|/css|/fonts|/twig|/pdf|/vendors|/server-status)
RewriteRule ^ boot.php [L]
Update: Here is a workaround solution that works on Apache 2.2 using <FilesMatch> directive:
DirectoryIndex boot.php
RewriteEngine on
# Disallow other HTTP verbs such as PUT and DELETE
RewriteCond %{REQUEST_METHOD} !^(GET|POST|HEAD)
RewriteRule ^ - [R=405,L]
RewriteCond %{REQUEST_FILENAME} !-d
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_URI} !(/img|/js|/css|/fonts|/twig|/pdf|/vendors|/server-status)
RewriteRule ^ boot.php [L]
SetEnvIfNoCase Request_URI ^/webhook/ allow
<FilesMatch "^(?!boot\.php$).*$">
AuthType Basic
AuthName "Restricted Content"
AuthUserFile /etc/httpd/passwords/sub.ourdomain.co.uk
Require valid-user
Order Deny,Allow
Deny from all
Allow from env=allow
Satisfy any
</FilesMatch>

How to optimize Apache for Drupal 8?

I have an LAMP server for my Drupal 8 site.
I do not know what I can optimize to improve the performance of my site.
This is a dynamic site.
Should I use the htaccess files or disable them and put everything in vhost ?
Is the file below correct ?
What can I add ?
.htaccess :
#
# Apache/PHP/Drupal settings:
#
# Protect files and directories from prying eyes.
<FilesMatch "\.(engine|inc|install|make|module|profile|po|sh|.*sql|theme|twig|tpl(\.php)?|xtmpl|yml)(~|\.sw[op]|\.bak|\.orig|\.save)?$|^(\.(?!well-known).*|Entries.*|Repository|Root|Tag|Template|composer\.(json|lock))$|^#.*#$|\.php(~|\.sw[op]|\.bak|\.orig|\.save)$">
<IfModule mod_authz_core.c>
Require all denied
</IfModule>
<IfModule !mod_authz_core.c>
Order allow,deny
</IfModule>
</FilesMatch>
# Don't show directory listings for URLs which map to a directory.
Options -Indexes
# Set the default handler.
DirectoryIndex index.php index.html index.htm
# Add correct encoding for SVGZ.
AddType image/svg+xml svg svgz
AddEncoding gzip svgz
# Most of the following PHP settings cannot be changed at runtime. See
# sites/default/default.settings.php and
# Drupal\Core\DrupalKernel::bootEnvironment() for settings that can be
# changed at runtime.
# PHP 5, Apache 1 and 2.
<IfModule mod_php5.c>
php_value assert.active 0
php_flag session.auto_start off
php_value mbstring.http_input pass
php_value mbstring.http_output pass
php_flag mbstring.encoding_translation off
# PHP 5.6 has deprecated $HTTP_RAW_POST_DATA and produces warnings if this is
# not set.
php_value always_populate_raw_post_data -1
</IfModule>
# Requires mod_expires to be enabled.
<IfModule mod_expires.c>
# Enable expirations.
ExpiresActive on
ExpiresDefault "access plus 30 seconds"
ExpiresByType text/html "access plus 15 days"
ExpiresByType image/gif "access plus 1 months"
ExpiresByType image/jpg "access plus 1 months"
ExpiresByType image/jpeg "access plus 1 months"
ExpiresByType image/png "access plus 1 months"
ExpiresByType text/js "access plus 1 months"
ExpiresByType text/javascript "access plus 1 months"
<FilesMatch \.php$>
# Do not allow PHP scripts to be cached unless they explicitly send cache
# headers themselves. Otherwise all scripts would have to overwrite the
# headers set by mod_expires if they want another caching behavior. This may
# fail if an error occurs early in the bootstrap process, and it may cause
# problems if a non-Drupal PHP file is installed in a subdirectory.
ExpiresActive Off
</FilesMatch>
</IfModule>
# Set a fallback resource if mod_rewrite is not enabled. This allows Drupal to
# work without clean URLs. This requires Apache version >= 2.2.16. If Drupal is
# not accessed by the top level URL (i.e.: http://example.com/drupal/ instead of
# http://example.com/), the path to index.php will need to be adjusted.
<IfModule !mod_rewrite.c>
FallbackResource /index.php
</IfModule>
# Various rewrite rules.
<IfModule mod_rewrite.c>
RewriteEngine on
# Set "protossl" to "s" if we were accessed via https://. This is used later
# if you enable "www." stripping or enforcement, in order to ensure that
# you don't bounce between http and https.
RewriteRule ^ - [E=protossl]
RewriteCond %{HTTPS} on
RewriteRule ^ - [E=protossl:s]
# Make sure Authorization HTTP header is available to PHP
# even when running as CGI or FastCGI.
RewriteRule ^ - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]
# Block access to "hidden" directories whose names begin with a period. This
# includes directories used by version control systems such as Subversion or
# Git to store control files. Files whose names begin with a period, as well
# as the control files used by CVS, are protected by the FilesMatch directive
# above.
#
# NOTE: This only works when mod_rewrite is loaded. Without mod_rewrite, it is
# not possible to block access to entire directories from .htaccess because
# <DirectoryMatch> is not allowed here.
#
# If you do not have mod_rewrite installed, you should remove these
# directories from your webroot or otherwise protect them from being
# downloaded.
RewriteRule "/\.|^\.(?!well-known/)" - [F]
# If your site can be accessed both with and without the 'www.' prefix, you
# can use one of the following settings to redirect users to your preferred
# URL, either WITH or WITHOUT the 'www.' prefix. Choose ONLY one option:
#
# To redirect all users to access the site WITH the 'www.' prefix,
# (http://example.com/foo will be redirected to http://www.example.com/foo)
# uncomment the following:
RewriteCond %{HTTP_HOST} .
RewriteCond %{HTTP_HOST} !^www\. [NC]
RewriteRule ^ http%{ENV:protossl}://www.%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
# To redirect all users to access the site WITHOUT the 'www.' prefix,
# (http://www.example.com/foo will be redirected to http://example.com/foo)
# uncomment the following:
# RewriteCond %{HTTP_HOST} ^www\.(.+)$ [NC]
# RewriteRule ^ http%{ENV:protossl}://%1%{REQUEST_URI} [L,R=301]
# Modify the RewriteBase if you are using Drupal in a subdirectory or in a
# VirtualDocumentRoot and the rewrite rules are not working properly.
# For example if your site is at http://example.com/drupal uncomment and
# modify the following line:
# RewriteBase /drupal
#
# If your site is running in a VirtualDocumentRoot at http://example.com/,
# uncomment the following line:
# RewriteBase /
# Redirect common PHP files to their new locations.
RewriteCond %{REQUEST_URI} ^(.*)?/(install.php) [OR]
RewriteCond %{REQUEST_URI} ^(.*)?/(rebuild.php)
RewriteCond %{REQUEST_URI} !core
RewriteRule ^ %1/core/%2 [L,QSA,R=301]
# Rewrite install.php during installation to see if mod_rewrite is working
RewriteRule ^core/install.php core/install.php?rewrite=ok [QSA,L]
# Pass all requests not referring directly to files in the filesystem to
# index.php.
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteCond %{REQUEST_URI} !=/favicon.ico
RewriteRule ^ index.php [L]
# For security reasons, deny access to other PHP files on public sites.
# Note: The following URI conditions are not anchored at the start (^),
# because Drupal may be located in a subdirectory. To further improve
# security, you can replace '!/' with '!^/'.
# Allow access to PHP files in /core (like authorize.php or install.php):
RewriteCond %{REQUEST_URI} !/core/[^/]*\.php$
# Allow access shariff-backend-php.
RewriteCond %{REQUEST_URI} !/shariff-backend-php/
# Allow access to test-specific PHP files:
RewriteCond %{REQUEST_URI} !/core/modules/system/tests/https?.php
# Allow access to Statistics module's custom front controller.
# Copy and adapt this rule to directly execute PHP files in contributed or
# custom modules or to run another PHP application in the same directory.
RewriteCond %{REQUEST_URI} !/core/modules/statistics/statistics.php$
# Deny access to any other PHP files that do not match the rules above.
# Specifically, disallow autoload.php from being served directly.
RewriteRule "^(.+/.*|autoload)\.php($|/)" - [F]
# Rules to correctly serve gzip compressed CSS and JS files.
# Requires both mod_rewrite and mod_headers to be enabled.
<IfModule mod_headers.c>
# Serve gzip compressed CSS files if they exist and the client accepts gzip.
RewriteCond %{HTTP:Accept-encoding} gzip
RewriteCond %{REQUEST_FILENAME}\.gz -s
RewriteRule ^(.*)\.css $1\.css\.gz [QSA]
# Serve gzip compressed JS files if they exist and the client accepts gzip.
RewriteCond %{HTTP:Accept-encoding} gzip
RewriteCond %{REQUEST_FILENAME}\.gz -s
RewriteRule ^(.*)\.js $1\.js\.gz [QSA]
# Serve correct content types, and prevent mod_deflate double gzip.
RewriteRule \.css\.gz$ - [T=text/css,E=no-gzip:1]
RewriteRule \.js\.gz$ - [T=text/javascript,E=no-gzip:1]
<FilesMatch "(\.js\.gz|\.css\.gz)$">
# Serve correct encoding type.
Header set Content-Encoding gzip
# Force proxies to cache gzipped & non-gzipped css/js files separately.
Header append Vary Accept-Encoding
</FilesMatch>
</IfModule>
</IfModule>
# Various header fixes.
<IfModule mod_headers.c>
# Disable content sniffing, since it's an attack vector.
Header always set X-Content-Type-Options nosniff
# Disable Proxy header, since it's an attack vector.
RequestHeader unset Proxy
</IfModule>
<IfModule mod_gzip.c>
mod_gzip_on Yes
mod_gzip_dechunk Yes
mod_gzip_item_include file .(html?|txt|css|js|php|pl)$
mod_gzip_item_include handler ^cgi-script$
mod_gzip_item_include mime ^text/.*
mod_gzip_item_include mime ^application/x-javascript.*
mod_gzip_item_exclude mime ^image/.*
mod_gzip_item_exclude rspheader ^Content-Encoding:.*gzip.*
</IfModule>
<IfModule mod_deflate.c>
AddOutputFilterByType DEFLATE application/javascript
AddOutputFilterByType DEFLATE application/rss+xml
AddOutputFilterByType DEFLATE application/vnd.ms-fontobject
AddOutputFilterByType DEFLATE application/x-font
AddOutputFilterByType DEFLATE application/x-font-opentype
AddOutputFilterByType DEFLATE application/x-font-otf
AddOutputFilterByType DEFLATE application/x-font-truetype
AddOutputFilterByType DEFLATE application/x-font-ttf
AddOutputFilterByType DEFLATE application/x-javascript
AddOutputFilterByType DEFLATE application/xhtml+xml
AddOutputFilterByType DEFLATE application/xml
AddOutputFilterByType DEFLATE font/opentype
AddOutputFilterByType DEFLATE font/otf
AddOutputFilterByType DEFLATE font/ttf
AddOutputFilterByType DEFLATE image/svg+xml
AddOutputFilterByType DEFLATE image/x-icon
AddOutputFilterByType DEFLATE text/css
AddOutputFilterByType DEFLATE text/html
AddOutputFilterByType DEFLATE text/javascript
AddOutputFilterByType DEFLATE text/plain
AddOutputFilterByType DEFLATE text/xml
</IfModule>
/etc/apache2/sites-available/www-domaine-com-le-ssl.conf :
<IfModule mod_ssl.c>
<VirtualHost *:443>
ServerAdmin contact#domaine.com
ServerName domaine.com
ServerAlias www.domaine.com
Protocols h2 http/1.1
DocumentRoot /var/www/www-domaine-com/web/
<Directory /var/www/www-domaine-com/web>
Options FollowSymLinks MultiViews
AllowOverride All
Require all granted
</Directory>
<FilesMatch \.php$>
SetHandler "proxy:unix:/var/run/php/php7.2-fpm.sock|fcgi://localhost/"
</FilesMatch>
<Proxy "fcgi://localhost/" enablereuse=on flushpackets=on max=10>
</Proxy>
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
Include /etc/letsencrypt/options-ssl-apache.conf
SSLCertificateFile /etc/letsencrypt/live/domaine.com/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/domaine.com/privkey.pem
Header always set Strict-Transport-Security "max-age=15768000; includeSubDomains; preload"
Header always set X-Content-Type-Options "nosniff"
Header always set X-XSS-Protection "1; mode=block"
Header always set X-Frame-Options "SAMEORIGIN"
Header always set X-Download-Options "noopen"
Header always set X-Permitted-Cross-Domain-Policies "none"
Header always set Content-Security-Policy "default-src https: data: wss: 'unsafe-inline' 'unsafe-eval'; base-uri 'self';"
Header edit Set-Cookie ^(.*)$ $1;HttpOnly;Secure
</VirtualHost>
</IfModule>

Using dynamic configuration files (".htaccess") will definitely slow down your server. That is documented and actually easy to understand:
The static configuration is read exactly once at startup time. When dynamic configuration files are enabled, then the server has to check each physical folder from the root up to the requested object (if mapped to the file system) whether there are such configuration files (which can occur on every level of the file system). And if some are found then each has to be read and interpreted for every single request. All that is additional load.
These files are only supported for two typical situations:
when you have no access to the actual host configuration of the server (read: really cheap hosting providers)
for applications that insist on writing their own rewriting rules (which is an obvious security nightmare once you start thinking about it)
If none of the two situations apply to you, then the clear recommendation is to not use dynamic configuration files but use the static configuration instead. And possibly even to disable those files completely.
Take care however for the details. You cannot simply move the directives in all cases, sometimes you need to adapt them:
there are directives you cannot use in all locations (consult the http server documentation for details on that, it is of excellent quality and comes with great examples and details)
you may have to adjust a few details, for examples the matching pattern in RewriteRules which is applied to absolute paths in the static configuration but to relative paths in dynamic configuration files. Again this is clearly documented.

Very slow https redirect - Adds 10 seconds to load time

I am experience wait times of up to 12 seconds due to the ssl redirect. I've tried may things and can't seem to figure out why. It seems to be the worst when using 'www.thesoapopera.com.'
Almost twelve seconds with www.thesoapopera.com:
https://tools.pingdom.com/#!/BBsdZ/www.thesoapopera.com
1.13 Seconds with the full https://www.thesoapopera.com:
https://tools.pingdom.com/#!/cPx3LD/https://www.thesoapopera.com
Almost back to back tests and the website takes 10 seconds longer to load! Here is my htaccess file:
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{HTTPS} !=on
RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
# BEGIN WpFastestCache
# Start WPFC Exclude
# End WPFC Exclude
# Start_WPFC_Exclude_Admin_Cookie
RewriteCond %{HTTP:Cookie}
!wordpress_logged_in_[^\=]+\=aacc|aaWoocommerce|acd4494|KenzieTrezise|Luna
RewriteCond %{HTTP:Cookie} !wordpress_logged_in_[^\=]+\=Sean|Stacey|Steppe
# End_WPFC_Exclude_Admin_Cookie
RewriteCond %{HTTP_HOST} ^www.thesoapopera.com
RewriteCond %{HTTP_USER_AGENT} !(facebookexternalhit|WhatsApp|Mediatoolkitbot)
RewriteCond %{HTTP_USER_AGENT} !
(WP\sFastest\sCache\sPreload(\siPhone\sMobile)?\s*Bot)
RewriteCond %{REQUEST_METHOD} !POST
RewriteCond %{REQUEST_URI} !(\/){2}$
RewriteCond %{REQUEST_URI} \/$
RewriteCond %{QUERY_STRING} !.+
RewriteCond %{HTTP:Cookie} !wordpress_logged_in
RewriteCond %{HTTP:Cookie} !comment_author_
RewriteCond %{HTTP:Cookie} !wp_woocommerce_session
RewriteCond %{HTTP:Cookie} !safirmobilswitcher=mobil
RewriteCond %{HTTP:Profile} !^[a-z0-9\"]+ [NC]
RewriteCond %{DOCUMENT_ROOT}/wp-content/cache/all/$1/index.html -f [or]
RewriteCond /home/spscannell/public_html/wp-content/cache/all/$1/index.html -f
RewriteRule ^(.*) "/wp-content/cache/all/$1/index.html" [L]
</IfModule>
<FilesMatch "index\.(html|htm)$">
AddDefaultCharset UTF-8
<ifModule mod_headers.c>
FileETag None
Header unset ETag
Header set Cache-Control "max-age=0, no-cache, no-store, must-revalidate"
Header set Pragma "no-cache"
Header set Expires "Mon, 29 Oct 1923 20:30:00 GMT"
</ifModule>
</FilesMatch>
# END WpFastestCache
# BEGIN GzipWpFastestCache
<IfModule mod_deflate.c>
AddType x-font/woff .woff
AddType x-font/ttf .ttf
AddOutputFilterByType DEFLATE image/svg+xml
AddOutputFilterByType DEFLATE text/plain
AddOutputFilterByType DEFLATE text/html
AddOutputFilterByType DEFLATE text/xml
AddOutputFilterByType DEFLATE text/css
AddOutputFilterByType DEFLATE text/javascript
AddOutputFilterByType DEFLATE application/xml
AddOutputFilterByType DEFLATE application/xhtml+xml
AddOutputFilterByType DEFLATE application/rss+xml
AddOutputFilterByType DEFLATE application/javascript
AddOutputFilterByType DEFLATE application/x-javascript
AddOutputFilterByType DEFLATE application/x-font-ttf
AddOutputFilterByType DEFLATE application/vnd.ms-fontobject
AddOutputFilterByType DEFLATE font/opentype font/ttf font/eot font/otf
</IfModule>
# END GzipWpFastestCache
# BEGIN WEBPWpFastestCache
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{HTTP_ACCEPT} image/webp
RewriteCond %{REQUEST_URI} \.(jpe?g|png)
RewriteCond %{DOCUMENT_ROOT}/$1.webp -f [or]
RewriteCond /home/spscannell/public_html/$1.webp -f
RewriteRule ^(.*) "/$1.webp" [L]
</IfModule>
<IfModule mod_headers.c>
Header append Vary Accept env=REDIRECT_accept
</IfModule>
AddType image/webp .webp
# END WEBPWpFastestCache
# BEGIN LBCWpFastestCache
<FilesMatch "\.(ico|pdf|flv|jpg|jpeg|png|gif|webp|js|css|swf|x-html|css|xml|js|woff|woff2|ttf|svg|eot)(\.gz)?$">
<IfModule mod_expires.c>
AddType application/font-woff2 .woff2
ExpiresActive On
ExpiresDefault A0
ExpiresByType image/webp A2592000
ExpiresByType image/gif A2592000
ExpiresByType image/png A2592000
ExpiresByType image/jpg A2592000
ExpiresByType image/jpeg A2592000
ExpiresByType image/ico A2592000
ExpiresByType image/svg+xml A2592000
ExpiresByType text/css A2592000
ExpiresByType text/javascript A2592000
ExpiresByType application/javascript A2592000
ExpiresByType application/x-javascript A2592000
ExpiresByType application/font-woff2 A2592000
</IfModule>
<IfModule mod_headers.c>
Header set Expires "max-age=2592000, public"
Header unset ETag
Header set Connection keep-alive
FileETag None
</IfModule>
</FilesMatch>
# END LBCWpFastestCache
# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
# END WordPress
# BEGIN EWWWIO
# END EWWWIO
# BEGIN cPanel-generated php ini directives, do not edit
# Manual editing of this file may result in unexpected behavior.
# To make changes to this file, use the cPanel MultiPHP INI Editor (Home >> Software >> MultiPHP INI Editor)
# For more information, read our documentation (https://go.cpanel.net/EA4ModifyINI)
<IfModule php7_module>
php_flag display_errors Off
php_value max_execution_time 90
php_value max_input_time 60
php_value max_input_vars 1000
php_value memory_limit 512M
php_value post_max_size 8M
php_value session.gc_maxlifetime 1440
php_value session.save_path "/var/cpanel/php/sessions/ea-php70"
php_value upload_max_filesize 64M
php_flag zlib.output_compression Off
</IfModule>
# END cPanel-generated php ini directives, do not edit

In case of direct access to the https:// site no cookie is send yet and the response is comparably small: only 20KByte. In case of access to http:// this site provides a cookie which then gets sent on the redirect to the https:// site which results in a much larger response of 121 KByte.
My guess is that the application logic does a lot of database lookups if a session cookie is send which results both in a longer time needed to create the response and also in a different and larger content. Also, you can see that the https:// version results in only 50 total requests while the http:// version results in 77 requests, i.e. more requests are done (probably because of different content served) which additionally impacts the performance.

Try grouping all your rewrites in one single IfModule section, of course keeping the SSL redirection first as it is now, but the correct syntax :
RewriteCond %{HTTPS} !on
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

Prevent apache from changing content type when rewriting

I have a static web page and want to improve the loading performance by providing gzip-versions of all available files. The page is running on an apache server mod_gzip and I can't change any configuration except the .htaccess file.
Thus I create gzip files during the build process and want to rewrite the incoming requests to the .gz files.
<IfModule mod_rewrite.c>
RewriteEngine on
RewriteBase /
ReWriteCond %{HTTP:accept-encoding} gzip
ReWriteCond %{REQUEST_FILENAME} !.+\.gz$
RewriteCond %{REQUEST_FILENAME}.gz -f
RewriteRule (.+) $1.gz [L]
</IfModule>
The rewriting works perfectly, but unfotunately the server also changes the Content-Type of the response to application/x-gzip which makes the browser downloading the file and not rendering it. Is there a way to prevent the apache server from changing the content type and to render the page instead of downloading the gz?

This requires you to have 2 versions of the file in the following format. For instance:
index.html
index.html.gz
styles.css
styles.css.gz
scripts.js
scripts.js.gz
This htaccess will rewrite the request to send the gz version to the browser but also maintain the type of the original file. You have to force the type of the file you want to send. Otherwise it will use the application/x-gzip and the browser will download the file.
<IfModule mod_deflate.c>
AddOutputFilterByType DEFLATE text/html text/plain text/css application/json application/javascript application/vnd.ms-fontobject application/font-ttf application/font-woff application/font-otf image/svg+xml
</IfModule>
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{HTTP:Accept-Encoding} gzip
RewriteCond %{REQUEST_FILENAME}.gz -f
RewriteRule (.*\.(html|css|js|eot|ttf|woff|otf|svg))$ $1.gz [L]
</IfModule>
AddEncoding x-gzip .gz
<FilesMatch .*\.html.gz>
ForceType text/html
</FilesMatch>
<FilesMatch .*\.css.gz>
ForceType text/css
</FilesMatch>
<FilesMatch .*\.js.gz>
ForceType application/javascript
</FilesMatch>
<FilesMatch .*\.eot.gz>
ForceType application/vnd.ms-fontobject
</FilesMatch>
<FilesMatch .*\.ttf.gz>
ForceType application/font-ttf
</FilesMatch>
<FilesMatch .*\.woff.gz>
ForceType application/font-woff
</FilesMatch>
<FilesMatch .*\.otf.gz>
ForceType application/font-otf
</FilesMatch>
<FilesMatch .*\.svg.gz>
ForceType image/svg+xml
</FilesMatch>

RewriteRules not matching on cPanel (Apache) server

I'm using the below .htaccess file with Magento but a URL won't match and I can't see what I'm doing wrong.
The URL that I'm inputting is http://domain.com/product/66_fit_foam_roller_15_x_90cm/ and I'm trying to get that to redirect to http://domain.com/66-fit-foam-roller-blue-15-x-90cm.html
It shouldn't matter whether the incoming url has www or not. I tested the rules on http://htaccess.madewithlove.be/ and it outputs the expected URL but on the live site it doesn't work (No redirect)
Snipped for readability
####################################################################
################## Creare's Magento .htaccess File #################
####################################################################
##### Block unwanted Bots that clog the server #####
RewriteCond %{HTTP_USER_AGENT} MJ12bot
RewriteRule .* - [F]
RewriteCond %{HTTP_USER_AGENT} 80legs [NC]
RewriteRule ^ - [F]
##### Add support for SVG Graphics and CSS3 Pie #####
AddType image/svg+xml svg svgz
AddEncoding gzip svgz
AddType text/x-component .htc
DirectoryIndex index.php
##### Domain-specific PHP Settings #####
<IfModule mod_php5.c>
php_value memory_limit 512M
php_value max_execution_time 18000
php_flag magic_quotes_gpc off
php_flag session.auto_start off
php_flag suhosin.session.cryptua off
php_flag zend.ze1_compatibility_mode Off
</IfModule>
##### Necessary redirects and rewrites for search engines #####
<IfModule mod_rewrite.c>
</IfModule>
##### mod_deflate compresses your output to lower the file size being sent to the client #####
<IfModule mod_deflate.c>
AddOutputFilterByType DEFLATE text/html text/plain text/xml text/css text/javascript
BrowserMatch ^Mozilla/4 gzip-only-text/html
BrowserMatch ^Mozilla/4\.0[678] no-gzip
BrowserMatch \bMSIE !no-gzip !gzip-only-text/html
SetEnvIfNoCase Request_URI \.(?:gif|jpe?g|png)$ no-gzip dont-vary
Header append Vary User-Agent env=!dont-vary
php_flag zlib.output_compression on
</IfModule>
<Files *.php>
SetOutputFilter DEFLATE
</Files>
<IfModule mod_ssl.c>
SSLOptions StdEnvVars
</IfModule>
##### Header Directives #####
<ifModule mod_headers.c>
Header unset ETag
Header unset Last-Modified
</ifModule>
##### disable POST processing to not break multiple image upload #####
<IfModule mod_security.c>
SecFilterEngine Off
SecFilterScanPOST Off
</IfModule>
##### Enable apache served files compression #####
<IfModule mod_deflate.c>
AddOutputFilterByType DEFLATE text/plain
AddOutputFilterByType DEFLATE text/html
AddOutputFilterByType DEFLATE text/xml
AddOutputFilterByType DEFLATE text/css
AddOutputFilterByType DEFLATE application/xml
AddOutputFilterByType DEFLATE application/xhtml+xml
AddOutputFilterByType DEFLATE application/rss+xml
AddOutputFilterByType DEFLATE application/javascript
AddOutputFilterByType DEFLATE application/x-javascript
BrowserMatch ^Mozilla/4 gzip-only-text/html
BrowserMatch ^Mozilla/4\.0[678] no-gzip
BrowserMatch \bMSIE !no-gzip !gzip-only-text/html
SetEnvIfNoCase Request_URI \.(?:gif|jpe?g|png)$ no-gzip dont-vary
Header append Vary User-Agent env=!dont-vary
</IfModule>
##### Mod gzip and caching for improved site speed #####
<ifModule mod_gzip.c>
mod_gzip_on Yes
mod_gzip_dechunk Yes
mod_gzip_item_include file \.(html?|txt|css|js|php|pl)$
mod_gzip_item_include handler ^cgi-script$
mod_gzip_item_include mime ^text/.*
mod_gzip_item_include mime ^application/x-javascript.*
mod_gzip_item_exclude mime ^image/.*
mod_gzip_item_exclude rspheader ^Content-Encoding:.*gzip.*
</ifModule>
##### Default expires headers for all file types #####
##### Not recommended for development environment #####
<ifModule mod_expires.c>
ExpiresActive On
ExpiresDefault "access plus 1 seconds"
ExpiresByType text/html "access plus 1 seconds"
ExpiresByType image/gif "access plus 2592000 seconds"
ExpiresByType image/jpeg "access plus 2592000 seconds"
ExpiresByType image/png "access plus 2592000 seconds"
ExpiresByType text/css "access plus 604800 seconds"
ExpiresByType text/javascript "access plus 216000 seconds"
ExpiresByType application/x-javascript "access plus 216000 seconds"
</ifModule>
##### Mime Type Caching #####
<IfModule mod_mime.c>
##### AUDIO #####
AddType audio/mp4 m4a f4a f4b
AddType audio/ogg oga ogg
##### JAVASCRIPT #####
# Normalize to standard type (it's sniffed in IE anyways):
# http://tools.ietf.org/html/rfc4329#section-7.2
AddType application/javascript js jsonp
AddType application/json json
##### VIDEO #####
AddType video/mp4 mp4 m4v f4v f4p
AddType video/ogg ogv
AddType video/webm webm
AddType video/x-flv flv
##### WEB FONTS #####
AddType application/font-woff woff
AddType application/vnd.ms-fontobject eot
##### Browsers usually ignore the font MIME types #####
##### and sniff the content, however, Chrome shows #####
##### a warning if other MIME types are used for #####
##### the following fonts. #####
AddType application/x-font-ttf ttc ttf
AddType font/opentype otf
##### OTHER #####
AddType application/octet-stream safariextz
AddType application/x-chrome-extension crx
AddType application/x-opera-extension oex
AddType application/x-shockwave-flash swf
AddType application/x-web-app-manifest+json webapp
AddType application/x-xpinstall xpi
AddType application/xml atom rdf rss xml
AddType image/webp webp
AddType image/x-icon ico
AddType text/cache-manifest appcache manifest
AddType text/vtt vtt
AddType text/x-component htc
AddType text/x-vcard vcf
</IfModule>
<IfModule mod_mime.c>
AddCharset utf-8 .atom .css .js .json .rss .vtt .webapp .xml
</IfModule>
##### Disable ETags http://developer.yahoo.com/performance/rules.html#etags #####
FileETag None
##### Prevent character encoding issues from server overrides #####
AddDefaultCharset Off
#AddDefaultCharset UTF-8
##### Force IE8 compatibility when using IE8+ #####
##### May cause issues within Windows Mobile Browsers #####
BrowserMatch MSIE best-standards-support
Header set X-UA-Compatible IE=8 env=best-standards-support
##### By default allow all access #####
Order allow,deny
Allow from all
<IfModule mod_rewrite.c>
# remove trailing slash
RewriteRule ^(.*)/$ /$1
RewriteRule ^product/66_fit_foam_roller_15_x_90cm$ /66-fit-foam-roller-blue-15-x-90cm.html [R=301]
##### Redirect away from /index.php and /home
##### Warning: This index.php rewrite will prevent Magento
##### Connect from working. Simply comment out the
##### following two lines of code when using Connect.
##### Please note - http://www. if not using www simply use http://
RewriteCond %{THE_REQUEST} ^.*/index.php
RewriteRule ^(.*)index.php$ http://domain.com/$1 [R=301,L]
##### Please note - http://www. if not using www simply use http://
redirect 301 /home http://domain.com
Options +FollowSymLinks
RewriteEngine on
RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]
RewriteCond %{REQUEST_URI} !^/(media|skin|js)/
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteCond %{REQUEST_FILENAME} !-l
RewriteRule .* index.php [L]
</IfModule>

You're htaccess rule maybe conflicts with Magento's own built in URL Rewrite Management system. I highly recommend using that URL Rewrite Management if possible.
Maybe you first have to remove old, unwanted redirects from Catalog > URL Rewrite Management and search for the matching path.
Next, you can "Add URL Rewrite" and choose "For Product" (or custom) and fill in the form.