Apache Http - Getting Duplicate Cache-Control in my Response Headers - apache

I am setting Cache-Control in httpd.conf, where I also have the Mellon SSO configuration. I am getting two Cache-Control headers in the response. So I commented out MellonEnable "info" and restarted Apache. Now my Cache-Control is reflected, and it is only mine. But this is not an exact solution to turn off or override the Cache-Control header, so I found out that there is an option in the Mellon configuration that controls whether the Cache-Control header is sent back in responses.
So I set MellonSendCacheControlHeader Off in the conf file, but Apache is throwing an issue like "Invalid command 'MellonSendCacheControlHeader', perhaps misspelled or defined by a module not included in the server configuration".
Can someone help?

Forgot to update the answer.
Actually, the latest Mellon version, 0.13.0, has the fix. It includes a fix to "Allow disabling the Cache-Control HTTP response header". So the duplicate Cache-Control will be avoided if we set MellonSendCacheControlHeader Off in the conf file.
Uninstall the older version of Mellon, install version 0.13.0, and update the conf file with MellonSendCacheControlHeader Off. Restart the Apache server once all changes are done. It will work.
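
To confirm the duplicate is gone after the change, the response head can be checked for repeated Cache-Control field lines and for directives that contradict each other once the lines are combined. This is an added example, not part of the original answer or of Mellon; the function name and both sample responses are constructed for illustration.

```python
from collections import defaultdict


def cache_control_report(raw_head: str) -> dict:
    """Summarise the Cache-Control field lines in a raw HTTP response head."""
    values = []
    for line in raw_head.splitlines()[1:]:  # skip the status line
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "cache-control":
            values.append(value.strip())

    # Recipients treat repeated field lines as one comma-separated list,
    # so the directives from every line apply together.
    # Simplification: quoted arguments that contain commas are not handled.
    seen = defaultdict(set)
    for value in values:
        for token in value.split(","):
            key, _, arg = token.strip().partition("=")
            if key:
                seen[key.lower()].add(arg.strip('"'))

    # A directive that appears with two different arguments is a conflict.
    conflicts = sorted(k for k, args in seen.items() if len(args) > 1)
    if "public" in seen and "private" in seen:
        conflicts.append("public/private")
    return {
        "field_lines": len(values),
        "duplicate": len(values) > 1,
        "directives": sorted(seen),
        "conflicts": conflicts,
    }


# Constructed sample: one header added by a module, one by the site's own config.
DUPLICATED = (
    "HTTP/1.1 200 OK\r\n"
    "Cache-Control: private, max-age=0, must-revalidate\r\n"
    "Cache-Control: public, max-age=3600\r\n"
    "Content-Type: text/html\r\n\r\n"
)
# Constructed sample: only the site's own policy is sent.
SINGLE = "HTTP/1.1 200 OK\r\nCache-Control: public, max-age=3600\r\n\r\n"

if __name__ == "__main__":
    for label, head in (("duplicated", DUPLICATED), ("single", SINGLE)):
        print(label, cache_control_report(head))
```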

Related

Unable to Unset Upgrade Header in Apache 2.4

I have an issue where my Apache server is returning an Upgrade H2 header response sporadically. This causes the following issue with Safari and HTTP2:
http2 error: Invalid HTTP header field was received: frame type: 1, stream: 1, name: [upgrade], value: [h2]
HTTP/2 stream 0 was not closed cleanly: PROTOCOL_ERROR (err 1)
I have seen similar issues on stackoverflow but none of the proposed solutions have worked for me. I have tried setting "Header unset Upgrade" in the httpd.conf file as well as the ssl.conf and virtualhost specific configuration files. I also tried to unset the header in a location directive in those files.
I have removed the h2c protocol from the mod_http2.c configuration in httpd.conf based on other people having this problem but it did not work by itself or in conjunction with the other changes above.
Protocols h2 http/1.1
I have no idea why the Header unset Upgrade statement is not working. We are using Apache as a reverse proxy with a tomcat application backend. We also have an AWS ALB in front of Apache. Does anyone know why this would not be working or another way to remove the response header "Upgrade"?

apache2 DirectoryIndex change does not bypass cached index

I am trying to make sure that visitors to my website see the latest version. To this end I have written a script to rename appropriate files and requests so that they append a fresh version number at build time. This includes the index file, let's call it index-v123.html.
I have uploaded this built source and pointed my apache2 server to the new index file by including
DirectoryIndex index-v123.html
in my apache2.conf. I have restarted it, and when viewing the website in chrome incognito mode or on hard refresh I can see that all the new files are loaded and the website works as expected.
My issue is that in my normal browser, when I visit the URL, I still load up a cached version of index.html. Clearly changing the DirectoryIndex didn't convince the client to go to the new index file like I'd hoped...
So can I do anything to make this happen?
(Also may be relevant: I am running a progressive web app using Polymer 2.0, with a service-worker.js that is built automatically by polymer build.)
This turned out to be a service worker issue: service-worker.js was being cached on the client side, and hence was providing outdated content as if the client was in offline mode. Could only be updated by deregistering the worker. The solution was to implement max-age=0 on the service worker at the apache2 server side:
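# Match either file by regex; a plain <Files> section would treat "|" as a literal character
<FilesMatch "^(index\.html|service-worker\.js)$">
# Do not generate or send an ETag for these files
FileETag None
Header unset ETag
# Force revalidation on every request so an updated worker is picked up
Header set Cache-Control "max-age=0, no-cache, no-store, must-revalidate"
Header set Pragma "no-cache"
Header set Expires "Wed, 11 Jan 1984 05:00:00 GMT"
</FilesMatch>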
Was surprised this wasn't better highlighted in the polymer build/production docs somewhere. For reference, in the google primer on service workers it says:
The caching headers on the service worker script are respected (up to
24 hours) when fetching updates. We're going to make this opt-in
behaviour, as it catches people out. You probably want a max-age of 0
on your service worker script.

APACHE 2.4.16 Installation on AIX 5.3.0.0

Earlier I was using Apache 2.2.31. But due to some security issue, I need to remove the ETag header from the HTTP headers.
For this purpose I need mod_headers.so, which is not available in 2.2.31. Is there any way to remove the ETag header without upgrading to Apache 2.4.16 on AIX 5.3.0.0?
Thank you
You can remove the inode from ETag headers with the "FileETag" directive. It's available in 2.2 (so is mod_headers):
https://httpd.apache.org/docs/2.2/mod/core.html#fileetag
FileETag MTime Size
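
A quick way to check that the directive took effect is to count the hex fields in the ETag the server returns: three fields means all of INode, MTime and Size are in use, while FileETag MTime Size yields two. This is an added example, not part of the original answer; the function names and sample ETag values are constructed, and the field count is a heuristic that assumes Apache's hyphen-separated hex ETag layout.

```python
import re

_HEX_FIELD = re.compile(r"^[0-9a-f]+$", re.IGNORECASE)


def etag_components(header_value: str):
    """Return the number of hex fields in an Apache-style ETag, or None if it is not one."""
    value = header_value.strip()
    if value.startswith("W/"):  # weak validator prefix
        value = value[2:]
    if not (len(value) >= 2 and value[0] == '"' and value[-1] == '"'):
        return None
    fields = value[1:-1].split("-")
    # mod_deflate may append a "-gzip" suffix on compressed responses.
    if fields and fields[-1].lower() == "gzip":
        fields.pop()
    if not fields or not all(_HEX_FIELD.match(f) for f in fields):
        return None
    return len(fields)


def likely_exposes_inode(header_value: str):
    """True for three fields (INode, MTime and Size all present), None if unknown.

    Two fields is what "FileETag MTime Size" produces, but other two-keyword
    settings that keep INode also give two fields, so confirm against the config.
    """
    count = etag_components(header_value)
    return None if count is None else count == 3


# Constructed sample values, not taken from a real server.
SAMPLES = [
    '"2c3a1-1f4-4f8a2b1c3d4e5"',    # three fields: inode included
    '"1f4-4f8a2b1c3d4e5"',          # two fields: consistent with MTime Size
    'W/"1f4-4f8a2b1c3d4e5-gzip"',   # weak, compressed response
    '"v1.2-build"',                 # application-generated, not this layout
]

if __name__ == "__main__":
    for etag in SAMPLES:
        print(etag, etag_components(etag), likely_exposes_inode(etag))
```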

Apache server type in response header

I don't want the server type to be shown in the response headers.
I've tried to add this to httpd.conf, as I saw in many answers:
ServerSignature Off
ServerTokens Prod
But I still see "Server: Apache" in the response:
Can I remove the "Apache" from the response?
Update
Also tried this:
LoadModule headers_module modules/mod_headers.so
Header unset Server
Header unset X-Powered-By
But I got the same response.
You cannot remove the header Server: Apache unless you modify the source code and recompile Apache. And if you do, it still may not be so difficult to find out which server software you are running.
Make a search for "webserver fingerprinting", you will find about HTTP header response ordering, answers to malformed requests and other ways to discover which server you are running. Spend your time securing your application instead of trying to achieve this obfuscation.
From Apache doc:
Setting ServerTokens to less than minimal is not recommended because
it makes it more difficult to debug interoperational problems. Also
note that disabling the Server: header does nothing at all to make
your server more secure.

cakephp setting custom header does not work, htaccess, apache

I am experiencing some odd behaviour.
I have debian 7(on the vmware if it matters) with apache 2.2.22. For my cakephp application I want to set custom header, so I put this in app/webroot/.htaccess file (without removing what already exists of course)
<IfModule mod_headers.c>
Header append X-FRAME-OPTIONS: DENY
</IfModule>
but when I request the page, the Firebug net panel does not show the X-FRAME-OPTIONS header. The headers mod is enabled: a2enmod headers outputs "Module headers already enabled". Apache is restarted (even the OS is rebooted). I tested this CakePHP application (a 100% copy) on my VPS (again Debian 7), and it shows that header just fine. So at first it made me believe there is something wrong with my local Debian, but then I tested this: I created a single file index.php in the www/some_test folder and put echo "ok" in it. I also created .htaccess with the same content
<IfModule mod_headers.c>
Header append X-FRAME-OPTIONS: DENY
</IfModule>
And the funny part is, I could see that X-FRAME-OPTIONS header in Firebug. So, the bottom line: with the CakePHP application, custom headers are fine on server1 and do not show on server2, while for the simple index.php 'app' on server2 headers are fine again. Can someone help with what the problem can be? I need to set custom headers.
Thanks
I am not sure what the problem was, but removing and reinstalling PHP solved it
apt-get remove php5*
apt-get install php5
https://superuser.com/questions/673837/php5-ini-file-is-blank/674408#674408