I set up a cert for an IP address with nginx, and enabled http strict transport security:
add_header Strict-Transport-Security "max-age=31536000; includeSubdomains;";
The directive is in the header
HTTP/1.1 200 OK
Server: nginx
Date: Wed, 17 Sep 2014 22:46:54 GMT
Content-Type: text/html; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding
Access-Control-Allow-Origin: *
X-Frame-Options: SAMEORIGIN
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
Strict-Transport-Security: max-age=31536000; includeSubdomains;
X-UA-Compatible: IE=Edge,chrome=1
... but it's not respected by the browsers (instead they do for FQDN).
If I understand you correctly, you direct you browser to IP address (https://xx.xx.xx.xx/) instead of domain name and expect it to obey HSTS rule?
But RFC 6797 Appendix A explicitly exclude IP addresses:
HSTS Hosts are identified only via domain names -- explicit IP address identification of all forms is excluded.
Related
In my images folder, I have an .htaccess file with the following:
<IfModule mod_headers.c>
# Browsers may cache images for 24 hours, including disk cache for SSL
Header set Cache-Control "max-age=2628000, public, must-revalidate"
</IfModule>
When I curl an image in that folder, I get the following (Notice Cache-Control missing "public" and "must-revalidate"):
HTTP/1.1 200 OK
Server: nginx/1.11.8
Date: Fri, 14 Dec 2018 17:57:00 GMT
Content-Type: image/jpeg
Content-Length: 46563
Last-Modified: Fri, 29 Sep 2017 03:16:20 GMT
Connection: keep-alive
ETag: "59cdbb04-b5e3"
Expires: Fri, 21 Dec 2018 17:57:00 GMT
Cache-Control: max-age=604800
Strict-Transport-Security: max-age=31536000
Accept-Ranges: bytes
It does not matter what I put in the .htaccess file, I always get the above response.
If I create a new image in that folder, I also get the same above response.
If I change the extension on an image in that folder (.bak) I get the expected response (Cache-Control is correct):
HTTP/1.1 200 OK
Server: nginx/1.11.8
Date: Fri, 14 Dec 2018 17:59:35 GMT
Content-Type: image/gif
Content-Length: 19164
Connection: keep-alive
Last-Modified: Fri, 14 Dec 2018 16:07:12 GMT
ETag: "183ca-4adc-57cfd9fbbac00"
Accept-Ranges: bytes
Cache-Control: max-age=2628000, public, must-revalidate
Strict-Transport-Security: max-age=31536000
Any ideas what is going on here? I looked at all parent .htaccess files and apache config, I can not find anything!
Please help!!!
For anyone else experiencing this issue, the Apache .htaccess directive was being overridden by the following Nginx config:
location ~* ^(.+?)(?:\.\d+)?\.(jpe?g|gif|png|svg|ico|bmp|js|css|ttf|eot|woff2?)$ {
root /var/www;
try_files $1.$2 #apache;
expires 7d;
}
Replacing "expires 7d;" with the following did the trick:
add_header Cache-Control "max-age=2628000, public, must-revalidate";
Background
Specs:
OctoPrint 1.3.4 (master branch)
Apache/2.4.10 (Debian) using mod_proxy
I'm trying to run a reverse proxy on my Apache server to OctoPrint as is specified in the developer's Reverse proxy configuration examples.
This is my Apache proxy configuration inside my vhost:
<Location "/3d">
AuthType Basic
AuthName "-----------"
AuthBasicProvider file
AuthUserFile "------------------"
Require user -------------
ProxyPass "http://192.168.------:5000"
ProxyPassReverse "http://192.168.------:5000"
RequestHeader set X-SCRIPT-NAME /3d/
RequestHeader set X-SCHEME https
</Location>
However, on successfully loading the OctoPrint interface through the proxy, I am unable to login, getting the error:
POST https://-----------/3d/api/login 400 (Bad Request) in the network tab on Chrome.
Here's the request headers of both the proxy:
POST /3d/api/login HTTP/1.1
Host: -------------
Connection: keep-alive
Content-Length: 16
Authorization: Basic -----------------
Origin: ----------------
User-Agent: --------------
Content-Type: application/json; charset=UTF-8
Accept: application/json, text/javascript, */*; q=0.01
Cache-Control: no-cache
X-Requested-With: XMLHttpRequest
X-Api-Key: -------------------
Referer: https://----------/3d
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.8
Cookie: session_P443=----------------; PHPSESSID=-------------; JSESSIONID=dummy
And directly from the local IP (not through the proxy):
POST /api/login HTTP/1.1
Host: 192.168.0.-------:5000
Connection: keep-alive
Content-Length: 16
Origin: http://192.168.0.------:5000
User-Agent: -------------
Content-Type: application/json; charset=UTF-8
Accept: application/json, text/javascript, */*; q=0.01
Cache-Control: no-cache
X-Requested-With: XMLHttpRequest
X-Api-Key: --------------
Referer: http://192.168.0.------:5000/
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.8
Cookie: session_P5000=-------------------------------
Question
What is causing this POST https://-----------/3d/api/login 400 (Bad Request) error and how do I fix?
Thanks ahead!
Nevermind, Mod_Security was blocking the POST request for containing JSON.
Look at the logs dummy.
I am trying to achieve a redirection by keeping the existing url in the address bar. I am somehow achieve it, but no matter in which page I redirect I receive error 404. I have mod_proxy and proxy_http enabled. Here is my htaccess code:
#Options +FollowSymLinks -MultiViews
RewriteEngine On
RewriteBase /
RewriteRule ^(.*) http://demo.example.com/$1 [P]
Any ideas? My server is vps with plesk and I have access to any conf file if needed
Welcome to Ubuntu 14.04.4 LTS (GNU/Linux 3.13.0-042stab120.5 x86_64)
* Documentation: https://help.ubuntu.com/
Last login: Fri Nov 11 19:59:21 2016 from adsl-152.176.58.250.tellas.gr
root#lvps92-51-132-79:~# curl -vv http://gazzetta.edentalbook.com
* Rebuilt URL to: http://gazzetta.edentalbook.com/
* Hostname was NOT found in DNS cache
* Trying 92.51.132.79...
* Connected to gazzetta.edentalbook.com (92.51.132.79) port 80 (#0)
> GET / HTTP/1.1
> User-Agent: curl/7.35.0
> Host: gazzetta.edentalbook.com
> Accept: */*
>
< HTTP/1.1 404 Not Found
< Date: Sun, 13 Nov 2016 20:59:19 GMT
* Server Apache is not blacklisted
< Server: Apache
< Access-Control-Max-Age: 1000
< Access-Control-Allow-Headers: X-Requested-With, Content-Type, Origin, Authorization, Accept, Client-Security-Token, Accept-Encoding
< Access-Control-Allow-Credentials: true
< Access-Control-Allow-Methods: POST, GET, OPTIONS, DELETE, PUT
< Expires: Thu, 19 Nov 1981 08:52:00 GMT
< Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
< Pragma: no-cache
< Access-Control-Allow-Origin: http://demo.edentalbook.com
< X-Powered-By: PleskLin
< MS-Author-Via: DAV
< Vary: Accept-Encoding
< Content-Type: text/html; charset=UTF-8
< Set-Cookie: PHPSESSID=62hctjah1g95c33lprkk2q9m50; expires=Sun, 20-Nov-2016 20:59:19 GMT; path=/; HttpOnly
< X-Powered-By: PleskLin
< Transfer-Encoding: chunked
<
It looks like HTTP header "Host" in request is transmitted but don't match on server.
You can reset this header by:
Header set Host "demo.edentalbook.com"
Or add domain alias gazzetta.edentalbook.com to domain demo.edentalbook.com where it hosted.
I'm trying to use mod_expires and mod_headers to enable browser caching for my site. I have this in my VirtualHost:
<FilesMatch ".(gif|jpg|jpeg|png|ico|swf|js|css|pdf)$">
ExpiresActive On
ExpiresDefault "access plus 1 week"
Header set Cache-Control "public"
Header unset Last-Modified
</FilesMatch>
The Expires and Cache-Control headers are set correctly in my responses:
HTTP/1.1 200 OK
Date: Tue, 28 Jun 2016 16:09:26 GMT
Server: Apache/2.4.7 (Ubuntu)
ETag: "8f44-526a1625962b5-gzip"
Accept-Ranges: bytes
Vary: Accept-Encoding
Content-Encoding: gzip
Cache-Control: public
Expires: Tue, 05 Jul 2016 16:09:26 GMT
Content-Length: 8504
Keep-Alive: timeout=5, max=99
Connection: Keep-Alive
Content-Type: application/javascript
Unfortunately, my browser (Chrome) is still requesting all these static files every time I load my page. I see these requests in my access.log and browser console. What am I doing wrong?
EDIT:
I do have caching enabled in the developer toolbar:
Check if client-side caching is disabled. Google Chrome may disable client-side caching when the DevTools window is open (F12).
I'm trying to download a static file from another domain. In my .htaccess file, which is in the root directory:
Header set Access-Control-Allow-Origin "*"
Header set Access-Control-Allow-Headers "Accept, If-Modified-Since, Origin"
Header set Access-Control-Allow-Methods "GET, OPTIONS"
And here's the request-response cycle where a browser downloads the resource twice:
GET /file HTTP/1.1
Host: www.example.com
Accept: application/json
Origin: http://www.mydomain.com
HTTP/1.1 200 OK
Date: Sat, 07 Sep 2013 21:01:35 GMT
Server: Apache
Last-Modified: Sat, 07 Sep 2013 20:14:45 GMT
Content-Length: 2
Access-Control-Allow-Origin: *
Access-Control-Allow-Headers: Accept, If-Modified-Since, Origin
Access-Control-Allow-Methods: GET, OPTIONS
Content-Type: application/json
[]
GET /file HTTP/1.1
Host: www.example.com
Cache-Control: max-age=0
Accept: application/json
Origin: http://www.mydomain.com
If-Modified-Since: Sat, 07 Sep 2013 20:14:45 GMT
HTTP/1.1 304 Not Modified
Date: Sat, 07 Sep 2013 21:01:40 GMT
Server: Apache
The second time you can see that since the file hasn't been modified, the server responds with a 304 Not Modified. Why are the CORS headers not being set for the second response?
It's an apache bug, see below
https://issues.apache.org/bugzilla/show_bug.cgi?id=51223
You can recompile Apache with the patch if you're feeling brave....