Why Do My HTTP Headers only apply to sub-documents? - apache

I have created an .htaccess file for my multi-site WordPress website, which contains the standard rewrite rules followed by a mod_headers section with conditional FilesMatch directives.
The HTTP headers all apply correctly to sub-documents of any WordPress page (e.g. png, jpg, js, css, etc.), but never apply to the root document. Another pure-HTML site on the same host does receive the headers correctly.
For example:
https://www.somedomain.com/site.css
returns:
HTTP/2 200 OK
content-type: text/css
date: Mon, 30 Mar 2020 09:36:10 GMT
server: Apache
x-content-type-options: nosniff
last-modified: Sun, 29 Mar 2020 12:55:43 GMT
etag: "14546d-5a1fdda3e88c5-gzip"
accept-ranges: bytes
cache-control: must-revalidate, public, max-age=31536000
expires: Sat, 20 Mar 2021 09:36:10 GMT
vary: Accept-Encoding,User-Agent
content-encoding: gzip
but https://www.somedomain.com/ only returns:
HTTP/1.1 200 Connection established
content-type: text/html; charset=UTF-8
date: Mon, 30 Mar 2020 09:36:09 GMT
server: Apache
x-powered-by: PHP/7.3.16
cache-control: no-cache
content-encoding: gzip
The .htaccess code is below:
#BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
#add a trailing slash to /wp-admin
RewriteRule ^wp-admin$ wp-admin/ [R=301,L]
RewriteCond %{REQUEST_FILENAME} -f [OR]
RewriteCond %{REQUEST_FILENAME} -d
RewriteRule ^ - [L]
RewriteRule ^(wp-(content|admin|includes).*) web/$1 [L]
RewriteRule ^(.*\.php)$ web/$1 [L]
RewriteRule . index.php [L]
</IfModule>
#END WordPress
#BEGIN Headers
<IfModule mod_headers.c>
#Remove server headers
Header always unset X-Redirect-By
Header always unset X-Powered-By
Header always unset Location
#Set server headers
Header always set X-Content-Type-Options nosniff
Header append Vary "Accept-Encoding, User-Agent"
#Set Cache-Control
<FilesMatch "\.(ico|jpe?g|png|gif|svg|webp|swf|css|mp4)$">
Header set Cache-Control "must-revalidate, public, max-age=31536000"
</FilesMatch>
<FilesMatch "\.(js)$">
Header set Cache-Control "private"
</FilesMatch>
<FilesMatch "\.(php|x?html?|pdf|xlsx?|docx?|pptx?|zipx?)$">
Header set Cache-Control "private, must-revalidate"
</FilesMatch>
#PHP/HTML specific headers
<FilesMatch "\.(php|x?html?)$">
Header always set X-Frame-Options "SAMEORIGIN"
Header always set X-DNS-Prefetch-Control "on"
Header always set Connection "keep-alive"
Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
Header always set Referrer-Policy "strict-origin-when-cross-origin"
Header always set X-Clacks-Overhead "GNU Terry Pratchett"
</FilesMatch>
</IfModule>
#END Headers
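A quick way to make the symptom in the question measurable is to parse the two header dumps and check each response against the headers the .htaccess is supposed to set. The following is an added example, not part of the original question: it treats the two dumps above as constructed input, classifies each response as a document or a sub-resource by its Content-Type, and reports which expected headers are missing and which headers the `Header always unset` lines should have removed are still present. The expected header sets, the document/sub-resource split and the function names are this example's own choices.

```python
"""Audit which defensive headers two responses carry.

Added example; it is not part of the original question. It parses header
dumps like the two shown above (copied here as constructed input) and
reports, per response, which expected headers are missing and which
headers the .htaccess tries to unset are still present. The expected
header sets, the document/sub-resource split and the function names are
this example's own choices.
"""
from __future__ import annotations

# What the .htaccess above sets: X-Content-Type-Options everywhere, the
# rest only inside the .php/.html FilesMatch block.
EXPECTED = {
    "document": (
        "x-content-type-options",
        "x-frame-options",
        "strict-transport-security",
        "referrer-policy",
    ),
    "subresource": ("x-content-type-options",),
}

# Headers the .htaccess removes with "Header always unset".
UNWANTED = ("x-powered-by", "x-redirect-by")


def parse_headers(raw: str) -> dict[str, str]:
    """Parse a curl/devtools style dump into a lower-cased name -> value map.

    Lines without a colon (the status line) are skipped; a repeated header
    keeps its last value, which is enough for a presence/absence audit.
    """
    headers: dict[str, str] = {}
    for line in raw.splitlines():
        line = line.strip()
        if ":" not in line:
            continue
        name, _, value = line.partition(":")
        if " " in name.strip():
            continue  # not "name: value", e.g. a status line with a colon in its text
        headers[name.strip().lower()] = value.strip()
    return headers


def classify(headers: dict[str, str]) -> str:
    """HTML responses are documents; everything else is a sub-resource."""
    return "document" if headers.get("content-type", "").startswith("text/html") else "subresource"


def audit(headers: dict[str, str]) -> dict:
    """Report missing expected headers and unwanted headers still present."""
    kind = classify(headers)
    return {
        "kind": kind,
        "missing": [h for h in EXPECTED[kind] if h not in headers],
        "unwanted": [h for h in UNWANTED if h in headers],
    }


# Constructed input: the two dumps from the question.
CSS_RESPONSE = """\
HTTP/2 200 OK
content-type: text/css
date: Mon, 30 Mar 2020 09:36:10 GMT
server: Apache
x-content-type-options: nosniff
last-modified: Sun, 29 Mar 2020 12:55:43 GMT
etag: "14546d-5a1fdda3e88c5-gzip"
accept-ranges: bytes
cache-control: must-revalidate, public, max-age=31536000
expires: Sat, 20 Mar 2021 09:36:10 GMT
vary: Accept-Encoding,User-Agent
content-encoding: gzip
"""

ROOT_RESPONSE = """\
HTTP/1.1 200 Connection established
content-type: text/html; charset=UTF-8
date: Mon, 30 Mar 2020 09:36:09 GMT
server: Apache
x-powered-by: PHP/7.3.16
cache-control: no-cache
content-encoding: gzip
"""


def compare(responses: dict[str, str]) -> dict[str, dict]:
    """Audit several named responses at once."""
    return {name: audit(parse_headers(raw)) for name, raw in responses.items()}


if __name__ == "__main__":
    for name, result in compare({"site.css": CSS_RESPONSE, "/": ROOT_RESPONSE}).items():
        print(f"{name:10} {result['kind']:12} missing={result['missing']} unwanted={result['unwanted']}")
```

Run against the two dumps, the CSS response comes back clean while the root document is missing every expected header and still carries `x-powered-by`, which narrows the problem to "the mod_headers block is not being applied to the HTML response at all" rather than to one FilesMatch pattern.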

Related

500 Internal Server Error when setting Content-Security-Policy header in .htaccess

I have a domain hosted on a shared server with the following .htaccess headers:
RewriteEngine On
RewriteCond %{SERVER_PORT} !=443
RewriteRule ^(.*)$ https://example.com/$1 [R=301,L]
Header set Strict-Transport-Security: "max-age=31536000 ; includeSubDomains ;" env=HTTPS
Header set X-Frame-Options: SAMEORIGIN
Header set X-Content-Type-Options: nosniff
Header set X-XSS-Protection "1; mode=block"
Header set Referrer-Policy: strict-origin-when-cross-origin
Header set Content-Security-Policy-Report-Only: default-src: https:
The first group of headers seems to work perfectly, but when I include the last line I get a 500 Internal Server Error and the site doesn't load. I don't have access to the server logs, and the host support agents aren't trained in this field at all.
Is there something I'm doing wrong here? Any help would be really appreciated!
Just worked this out: I should have had 'default-src: https:' in quotes, as in:
Header set Content-Security-Policy-Report-Only: "default-src: https:"
Hope this helps someone!
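Without server logs, the cheapest check is to lint the `Header` line before it reaches .htaccess. The following is an added example, not part of the answer above: it mimics Apache's whitespace-and-quotes argument splitting with `shlex`, so an unquoted value like `default-src: https:` shows up as one value plus a leftover token that mod_headers would try to read as a condition (`early`, `env=...` or `expr=...`) and reject, which in .htaccess surfaces as a 500. It also strips the trailing colon mod_headers tolerates on the header name, then parses the CSP value itself: a CSP directive name is followed by whitespace, so `default-src:` (with a colon) is not a directive a browser will honour even once Apache accepts the line. The function names are this example's own, and `shlex` is only an approximation of Apache's config tokenizer.

```python
"""Lint a mod_headers `Header` line before it goes into .htaccess.

Added example, not part of the original answer. Apache splits directive
arguments on unquoted whitespace, so an unquoted value such as
`default-src: https:` reaches mod_headers as two arguments; the second is
expected to be a condition (`early`, `env=...` or `expr=...`) and the
directive is rejected otherwise, which a .htaccess turns into a 500.
The example mimics that splitting with shlex (an approximation of the
real tokenizer), strips the trailing colon mod_headers tolerates on the
header name, and then parses the CSP value: a directive name must be
followed by whitespace, so `default-src:` is not valid CSP.
Function names are this example's own.
"""
from __future__ import annotations

import re
import shlex

CSP_DIRECTIVE_NAME = re.compile(r"^[A-Za-z0-9-]+$")
CONDITION_PREFIXES = ("env=", "expr=")


def _is_condition(token: str) -> bool:
    return token == "early" or token.startswith(CONDITION_PREFIXES)


def split_header_directive(line: str) -> dict:
    """Tokenize `Header [always|onsuccess] action name [value] [condition]`.

    `valid` is False when tokens are left over that are not a condition,
    which is exactly how an unquoted multi-word value shows up.
    """
    tokens = shlex.split(line)  # honours "..." quoting like Apache's parser
    if not tokens or tokens[0].lower() != "header":
        raise ValueError("not a Header directive")
    tokens = tokens[1:]
    if tokens and tokens[0].lower() in ("always", "onsuccess"):
        tokens = tokens[1:]
    if len(tokens) < 2:
        raise ValueError("Header needs at least an action and a header name")
    action, name, rest = tokens[0].lower(), tokens[1].rstrip(":"), tokens[2:]
    value = rest[0] if rest else None
    extra = rest[2:] if action in ("edit", "edit*") else rest[1:]  # edit takes a replacement too
    valid = len(extra) <= 1 and all(_is_condition(t) for t in extra)
    return {"action": action, "name": name, "value": value, "extra": extra, "valid": valid}


def parse_csp(policy: str) -> dict[str, list[str]]:
    """Split a policy into directive name -> source list (';' separates directives)."""
    directives: dict[str, list[str]] = {}
    for chunk in policy.split(";"):
        parts = chunk.split()
        if parts:
            directives[parts[0].lower()] = parts[1:]
    return directives


def csp_problems(policy: str) -> list[str]:
    """Return human-readable problems; an empty list means the policy parses cleanly."""
    problems = []
    for name in parse_csp(policy):
        if not CSP_DIRECTIVE_NAME.match(name):
            problems.append(f"directive name {name!r} is malformed; browsers will ignore it")
    return problems


def lint(line: str) -> list[str]:
    """Combine both checks for a Content-Security-Policy[-Report-Only] line."""
    parsed = split_header_directive(line)
    problems = []
    if not parsed["valid"]:
        problems.append(f"unexpected trailing arguments {parsed['extra']}: is the value quoted?")
    if parsed["name"].lower().startswith("content-security-policy") and parsed["value"]:
        problems += csp_problems(parsed["value"])
    return problems


if __name__ == "__main__":
    for candidate in (
        "Header set Content-Security-Policy-Report-Only: default-src: https:",
        'Header set Content-Security-Policy-Report-Only: "default-src: https:"',
        'Header set Content-Security-Policy-Report-Only: "default-src https:"',
    ):
        print(candidate, "->", lint(candidate) or "ok")
```

The three candidates in the `__main__` block walk through the thread: the unquoted line is rejected for its stray argument, the quoted line is accepted by Apache but its policy text is still malformed, and only the third form (no colon after `default-src`) passes both checks.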

How to remove gzip encoding from nonexistent images in httpd-deflate.conf?

What I have at the moment:
In httpd-deflate.conf, in the Location section:
SetEnvIfNoCase Request_URI \
\\.(?:gif|jpe?g|jpg|png|rar|zip|exe|flv|swf|mov|wma|mp3|mp4|avi|mp?g)$ no-gzip dont-vary
In .htaccess:
Options +FollowSymlinks
RewriteBase /
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteCond %{REQUEST_URI} !^/index\.php$ [NC]
RewriteRule ^(.+)$ /index.php?_route_=$1 [L,QSA]
With these settings, images that actually exist on the server are processed as needed: without gzip encoding and without a "Content-Encoding: gzip" header in the server response.
But nonexistent images are processed by the index.php file.
http://example.com/nonexistent-path/non-existent-image.jpg
The response body:
Cache-Control: max-age=84148768
Connection: keep-alive
Content-Encoding: gzip
Content-Length: 49860
Content-Type: image/jpeg (I set it manually in PHP after image generation, before output)
Date: Mon, 01 May 2017 22:04:48 GMT
Expires: Tue, 31 Dec 2019 20:44:16 GMT
Last-Modified: Thu, 17 Nov 2016 14:51:10 GMT
Server: nginx
Strict-Transport-Security: max-age=2592000
Vary: Accept-Encoding
X-XSS-Protection: 1; mode=block
x-content-type-options nosniff
As you can see, this nonexistent image was processed as a document, not as a .jpg image.
On the server I have Apache and an nginx proxy, as I understand it. What should I put in httpd-deflate.conf, or in any other place, to remove gzip encoding for nonexistent images and to remove "Content-Encoding: gzip" from the server response?
Thank you.
Use
apache_setenv( 'no-gzip', '1' );
in your PHP script before output.

Apache settings to send gzipped CSS/JS files to browser

I use precompressed gzipped CSS and JS files, so that the server doesn't do this on the fly.
So in the same folder I have file.css (gzipped version) and file.nogzip.css (non-gzipped version). Then, depending on whether the browser accepts gzipped files or not, I send the proper version.
So I have the following in .htaccess:
RewriteEngine On
RewriteRule ^(.*)\.[0-9]+\.css$ $1.css [L]
#redirect Konqueror and "old browsers"
RewriteCond %{REQUEST_FILENAME} !\.nogzip\.css$
RewriteCond %{HTTP:Accept-encoding} !gzip [OR]
RewriteCond %{HTTP_USER_AGENT} Konqueror
RewriteRule ^(.*)\.css$ $1.nogzip.css [L]
<IfModule mod_headers.c>
Header set Vary User-Agent
#set Content-Encoding for all css files
<FilesMatch .*\.css$>
Header set Content-Encoding: gzip
Header set Cache-control: private
</FilesMatch>
#drop Content-Encoding in case we send not gzipped file
<FilesMatch .*\.nogzip\.css$>
Header unset Content-Encoding
</FilesMatch>
</IfModule>
<IfModule mod_expires.c>
ExpiresActive On
ExpiresDefault A36000000
</IfModule>
I have used this approach many times before, on both Windows and Linux servers. It always worked fine.
However, recently, while developing another site, I faced an issue with the browser not recognizing the gzipped file as gzipped.
On localhost it is working; here are the response headers:
Accept-Ranges:bytes
Cache-control:private
Connection:Keep-Alive
Content-Encoding:gzip
Content-Length:39115
Content-Type:text/css
Date:Wed, 17 Jun 2015 11:27:28 GMT
ETag:"98cb-517998d9e690c"
Keep-Alive:timeout=5, max=100
Last-Modified:Wed, 03 Jun 2015 09:19:16 GMT
Server:Apache/2.4.12 (Win64) OpenSSL/1.0.1m PHP/5.6.9
Vary:User-Agent
X-Distributed-by:AHC
Here are the headers received from the production server (not working: the CSS file is displayed as zipped in the browser):
Accept-Ranges:bytes
Cache-control:private
Connection:Keep-Alive
Content-Encoding:gzip
Content-Length:39099
Content-Type:text/css
Date:Wed, 17 Jun 2015 11:30:08 GMT
ETag:"98cb-517998d8fcd00-gzip"
Keep-Alive:timeout=5, max=99
Last-Modified:Wed, 03 Jun 2015 09:19:16 GMT
Server:Apache/2.4.10 (Debian)
Vary:User-Agent
The only difference is "X-Distributed-by:AHC", but this can hardly be the reason for the problem.
Any ideas what else to check?
In case 2, the ETag strongly implies that mod_deflate compressed it on the fly:
ETag:"98cb-517998d8fcd00-gzip"
Maybe it would be best to set no-gzip for e.g. the Konqueror case?
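The failure mode here is a body that has been gzipped twice: the browser strips one layer because of `Content-Encoding: gzip` and then renders the still-compressed bytes as garbage. The following is an added example, not the answer's own code: it counts the gzip layers in a response body and cross-checks the `-gzip` ETag suffix the answer points at. The bodies are constructed in the example (a small CSS string compressed once, then compressed again to simulate what mod_deflate does to a precompressed file); the ETag values are the two from the question, and the function names are this example's own.

```python
"""Detect double compression of a precompressed asset.

Added example, not part of the original answer. A file that is already
gzip data on disk, served with Content-Encoding: gzip and then compressed
again by mod_deflate, decodes to gzip bytes in the browser; the "-gzip"
suffix mod_deflate appends to the ETag is the hint the answer points at.
This example counts gzip layers in a body and cross-checks the ETag.
Sample bodies are constructed here; ETags are the two from the question.
Names are this example's own.
"""
from __future__ import annotations

import gzip
import zlib

GZIP_MAGIC = b"\x1f\x8b"


def gzip_layers(body: bytes, limit: int = 8) -> int:
    """Return how many times `body` is gzip-wrapped (0 if it is not gzip at all)."""
    layers = 0
    while body[:2] == GZIP_MAGIC and layers < limit:
        try:
            body = gzip.decompress(body)
        except (OSError, EOFError, zlib.error):
            break  # truncated or corrupt stream: stop counting at what decoded cleanly
        layers += 1
    return layers


def diagnose(headers: dict[str, str], body: bytes) -> str:
    """Classify a response (lower-cased header names) for the double-gzip failure mode."""
    encoding = headers.get("content-encoding", "").lower()
    etag = headers.get("etag", "")
    layers = gzip_layers(body)
    if encoding == "gzip" and layers > 1:
        hint = " (ETag carries mod_deflate's -gzip suffix)" if etag.rstrip('"').endswith("-gzip") else ""
        return f"double-compressed: {layers} gzip layers{hint}"
    if encoding == "gzip" and layers == 1:
        return "ok: one gzip layer"
    if encoding == "gzip":
        return "mislabelled: Content-Encoding gzip but body is not gzip"
    if layers >= 1:
        return "unlabelled: gzip body without Content-Encoding"
    return "ok: identity"


# Constructed sample data standing in for file.css and for what mod_deflate makes of it.
CSS = b"body{margin:0;padding:0}\n" * 50
PRECOMPRESSED = gzip.compress(CSS)        # the file that sits on disk as file.css
DOUBLE = gzip.compress(PRECOMPRESSED)     # the same file after mod_deflate compressed it again

# Header subsets from the question's two captures.
LOCALHOST = {"content-encoding": "gzip", "etag": '"98cb-517998d9e690c"'}
PRODUCTION = {"content-encoding": "gzip", "etag": '"98cb-517998d8fcd00-gzip"'}

if __name__ == "__main__":
    print("localhost :", diagnose(LOCALHOST, PRECOMPRESSED))
    print("production:", diagnose(PRODUCTION, DOUBLE))
```

The ETag check is only a hint (a different server build may not add the suffix), so the layer count is the authoritative signal; once a file reports two layers, the fix the answer suggests, keeping mod_deflate away from the precompressed files via `no-gzip`, is the thing to apply.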

Is it possible to set headers conditionally?

I would like .htaccess to perform the following code ONLY if HTTP_REFERER is from Google (.com, .ru, .co.uk, .co.in, etc.). Is this possible?
<FilesMatch "\.(jpg|jpeg|png|gif)$">
FileETag None
<ifModule mod_headers.c>
Header unset ETag
Header set Cache-Control "max-age=0, no-cache, no-store, must-revalidate"
Header set Pragma "no-cache"
Header set Expires "Wed, 11 Jan 1984 05:00:00 GMT"
</ifModule>
</FilesMatch>
Well, I figured out you can set headers a different way using mod_rewrite, which makes it much easier:
RewriteCond %{HTTP_USER_AGENT} !(googlebot|bingbot|Baiduspider) [NC]
RewriteCond %{HTTP_REFERER} google [NC]
RewriteRule ^.*$ - [ENV=LONGCACHE:true]
Header set Cache-Control "max-age=0, no-cache, no-store, must-revalidate" env=LONGCACHE
Header set Pragma "no-cache" env=LONGCACHE
Header set Expires "Wed, 11 Jan 1984 05:00:00 GMT" env=LONGCACHE
Note that you can put the condition in the Header command itself, in ap_expr format (does not require mod_rewrite):
Header set Pragma "no-cache" "expr=%{HTTP_USER_AGENT}!~/(googlebot|bingbot|Baiduspider)/i && %{HTTP_REFERER}=~/google/i"
(not very useful in your particular case since you need to add 3 headers)

Apache .htaccess : serve precompressed #font-face fonts

I need Apache to serve precompressed fonts (not using deflate).
My .htaccess in the /path_to/fonts/ folder looks like:
RewriteEngine On
RewriteBase /path_to/fonts/
RewriteCond %{HTTP:Accept-Encoding} .*gzip.*
RewriteRule (.*)\.ttf $1.ttf.gz
AddEncoding x-gzip gz
RemoveType application/x-gzip .gz
Response Headers:
Accept-Ranges bytes
Connection Keep-Alive
Content-Encoding gzip
Content-Length 31709
Content-Type text/plain
Date Tue, 06 Mar 2012 18:14:51 GMT
Etag "7200000008e241-7bdd-4ba954a7395a8"
Keep-Alive timeout=5, max=99
Last-Modified Tue, 06 Mar 2012 16:11:08 GMT
Server Apache/2.2.11 (Win32) PHP/5.2.9
Vary Accept-Encoding
The Content-Length says 31709, which would be the compressed size, but I'm not able to download it.
Could you give a hint?
Here is my solution. It mostly has a bit more polish.
It won't set the type and encoding unless the client supports gzip. It also declares the modules that are used, so nothing happens if not all modules are available.
Folder structure:
fonts/
Shanti-Regular.ttf.gz
Federo-Regular.ttf.gz
Shanti-Regular.ttf
Federo-Regular.ttf
.htaccess
Then .htaccess contains:
# Rewrite URLs to add gzipped version of font when it exists.
<IfModule mod_rewrite.c>
<IfModule mod_mime.c>
RewriteEngine on
#Serve gzip compressed TTF files if they exist and the client accepts gzip.
RewriteCond %{HTTP:Accept-encoding} gzip
RewriteCond %{REQUEST_FILENAME}\.gz -s
RewriteRule ^(.*)\.ttf $1\.ttf\.gz [QSA]
# update the response header of compressed file
# makes browser think mod_gzip did it.
<FilesMatch "\.ttf\.gz$">
AddEncoding gzip .gz
ForceType "application/x-font-ttf"
</FilesMatch>
</IfModule>
</IfModule>
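The three conditions in that rewrite block (client says gzip, a `.gz` sibling exists, and it is non-empty, which is what `-s` tests) are easy to get subtly wrong, so here is the same decision written out as an added example in Python; it is not the answer's own code. It goes one step beyond the `RewriteCond %{HTTP:Accept-encoding} gzip` regex by parsing Accept-Encoding with its q-values, so `gzip;q=0` counts as gzip refused, and it adds `Vary: Accept-Encoding`, which a negotiated response needs so caches keep the two variants apart. The font file names follow the answer's listing; the files themselves are created in a temporary directory with constructed contents, and the helper names are this example's own.

```python
"""Serve the precompressed variant only when the client can use it.

Added example; it is not the answer's own code. It mirrors the rewrite
block above (Accept-Encoding mentions gzip, Name.ttf.gz exists and is
non-empty, then serve it with Content-Encoding: gzip) and refines it by
parsing q-values, so "gzip;q=0" is treated as refused, and by emitting
Vary: Accept-Encoding. File names follow the answer's listing; file
contents and helper names are constructed here.
"""
from __future__ import annotations

import gzip
import os
import tempfile


def accepts_gzip(accept_encoding: str) -> bool:
    """True if gzip (or x-gzip) is listed with a q-value above zero.

    A bare "*" is ignored, matching the RewriteCond, which only looks for the word gzip.
    """
    q_for_gzip = None
    for item in accept_encoding.split(","):
        parts = [p.strip() for p in item.strip().split(";")]
        if parts[0].lower() not in ("gzip", "x-gzip"):
            continue
        q = 1.0  # absent q-value means fully acceptable
        for param in parts[1:]:
            if param.lower().startswith("q="):
                try:
                    q = float(param[2:])
                except ValueError:
                    q = 0.0  # unparsable weight: treat as refused
        q_for_gzip = q
    return q_for_gzip is not None and q_for_gzip > 0


def select_variant(directory: str, filename: str, accept_encoding: str) -> tuple[str, dict[str, str]]:
    """Return (path to serve, response headers) mirroring the rewrite conditions."""
    plain = os.path.join(directory, filename)
    gz = plain + ".gz"
    headers = {"Content-Type": "application/x-font-ttf", "Vary": "Accept-Encoding"}
    if (
        filename.endswith(".ttf")
        and accepts_gzip(accept_encoding)
        and os.path.isfile(gz)
        and os.path.getsize(gz) > 0  # the -s test: exists and is non-empty
    ):
        headers["Content-Encoding"] = "gzip"
        return gz, headers
    return plain, headers


def demo() -> dict[str, str]:
    """Build the answer's folder layout in a temp dir and exercise the edge cases."""
    fake_ttf = b"\x00\x01\x00\x00" + b"\x00" * 60  # constructed stand-in for TTF bytes
    with tempfile.TemporaryDirectory() as d:
        with open(os.path.join(d, "Shanti-Regular.ttf"), "wb") as f:
            f.write(fake_ttf)
        with open(os.path.join(d, "Shanti-Regular.ttf.gz"), "wb") as f:
            f.write(gzip.compress(fake_ttf))
        with open(os.path.join(d, "Federo-Regular.ttf"), "wb") as f:
            f.write(fake_ttf)
        open(os.path.join(d, "Federo-Regular.ttf.gz"), "wb").close()  # empty file: -s fails
        cases = {
            "gzip accepted": ("Shanti-Regular.ttf", "gzip, deflate, br"),
            "gzip refused via q=0": ("Shanti-Regular.ttf", "gzip;q=0, identity"),
            "gzip not offered": ("Shanti-Regular.ttf", "identity"),
            "empty .gz sibling": ("Federo-Regular.ttf", "gzip"),
        }
        return {label: os.path.basename(select_variant(d, name, ae)[0]) for label, (name, ae) in cases.items()}


if __name__ == "__main__":
    for label, served in demo().items():
        print(f"{label:22} -> {served}")
```

The empty `.gz` case is why the answer uses `-s` rather than `-f`: a zero-byte sibling left behind by an interrupted build would otherwise be served as the font, and the browser would get an empty gzip stream with a font content type.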