I would like .htaccess to perform the following code ONLY if http_referer is from google (.com/ .ru/ .co.uk /.co.in/ etc.). Is this possible?
<filesMatch ".(jpg|jpeg|png|gif)$">
FileETag None
<ifModule mod_headers.c>
Header unset ETag
Header set Cache-Control "max-age=0, no-cache, no-store, must-revalidate"
Header set Pragma "no-cache"
Header set Expires "Wed, 11 Jan 1984 05:00:00 GMT"
</ifModule>
</FilesMatch>
Well I figured out you can set headers a different way using mod_rewrite making it much easier:
RewriteCond %{HTTP_USER_AGENT} !(googlebot|bingbot|Baiduspider) [NC]
RewriteCond %{HTTP_REFERER} google [NC]
RewriteRule ^.*$ - [ENV=LONGCACHE:true]
Header set Cache-Control "max-age=0, no-cache, no-store, must-revalidate" env=LONGCACHE
Header set Pragma "no-cache" env=LONGCACHE
Header set Expires "Wed, 11 Jan 1984 05:00:00 GMT" env=LONGCACHE
Note that you can put the condition in the Header command itself, in ap_expr format (does not require mod_rewrite):
Header set Pragma "no-cache" "expr=%{HTTP_USER_AGENT}=~/(googlebot|bingbot|Baiduspider)/i && %{HTTP_REFERER}=~/google/i"
(not very useful in your particular case since you need to add 3 headers)
Related
I recently did a site health test and found none of my security headers are being sent.
Here is the .htaccess:
RewriteEngine On
RewriteCond %{SERVER_PORT} 80
RewriteRule ^(.*)$ https://enigmapr0ject.live/$1 [R,L]
# Security Headers
<IfModule mod_headers.c>
Header set X-XSS-Protection "1; mode=block"
Header set X-Frame-Options "SAMEORIGIN"
Header set X-Content-Type-Options "nosniff"
Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains"
# Header set Content-Security-Policy ...
Header set Referrer-Policy "same-origin"
Header set Feature-Policy "geolocation 'self'; vibrate 'none'"
</IfModule>
What am I doing wrong?
Ubuntu 20.04 VPS with latest version of LAMP via APT.
Edit: Changed the code, and the redirect from HTTP to HTTPS works perfectly, but the headers are not present on any requests.
Turns out the AllowOverride was set to None in /etc/apache2/apache2.conf...
I have created an htaccess file for my multi-site Wordpress website, which contains the standard rewrite rules followed by a mod_headers section, with conditional FilesMatch directives.
The http headers all apply correctly to subdocuments of any Wordpress page (e.g. png, jpg, js, css etc), but never apply to the root document. Another pure html site on the same host does receive the headers correctly.
For example:
https://www.somedomain.com/site.css
returns:
HTTP/2 200 OK
content-type: text/css
date: Mon, 30 Mar 2020 09:36:10 GMT
server: Apache
x-content-type-options: nosniff
last-modified: Sun, 29 Mar 2020 12:55:43 GMT
etag: "14546d-5a1fdda3e88c5-gzip"
accept-ranges: bytes
cache-control: must-revalidate, public, max-age=31536000
expires: Sat, 20 Mar 2021 09:36:10 GMT
vary: Accept-Encoding,User-Agent
content-encoding: gzip
but https://www.somedomain.com/ only returns:
HTTP/1.1 200 Connection established
content-type: text/html; charset=UTF-8
date: Mon, 30 Mar 2020 09:36:09 GMT
server: Apache
x-powered-by: PHP/7.3.16
cache-control: no-cache
content-encoding: gzip
The htaccess code is below:
#BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
#add a trailing slash to /wp-admin
RewriteRule ^wp-admin$ wp-admin/ [R=301,L]
RewriteCond %{REQUEST_FILENAME} -f [OR]
RewriteCond %{REQUEST_FILENAME} -d
RewriteRule ^ - [L]
RewriteRule ^(wp-(content|admin|includes).*) web/$1 [L]
RewriteRule ^(.*\.php)$ web/$1 [L]
RewriteRule . index.php [L]
</IfModule>
#END WordPress
#BEGIN Headers
<IfModule mod_headers.c>
#Remove server headers
Header always unset X-Redirect-By
Header always unset X-Powered-By
Header always unset Location
#Set server headers
Header always set X-Content-Type-Options nosniff
Header append Vary "Accept-Encoding, User-Agent"
#Set Cache-Control
<FilesMatch "\.(ico|jpe?g|png|gif|svg|webp|swf|css|mp4)$">
Header set Cache-Control "must-revalidate, public, max-age=31536000"
</FilesMatch>
<FilesMatch "\.(js)$">
Header set Cache-Control "private"
</FilesMatch>
<FilesMatch "\.(php|x?html?|pdf|xlsx?|docx?|pptx?|zipx?)$">
Header set Cache-Control "private, must-revalidate"
</FilesMatch>
#PHP/HTML specific headers
<FilesMatch "\.(php|x?html?)$">
Header always set X-Frame-Options "SAMEORIGIN"
Header always set X-DNS-Prefetch-Control "on"
Header always set Connection "keep-alive"
Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
Header always set Referrer-Policy "strict-origin-when-cross-origin"
Header always set X-Clacks-Overhead "GNU Terry Pratchett"
</FilesMatch>
</IfModule>
#END Headers
I have a domain hosted on a shared server with the following .htaccess headers:
RewriteEngine On
RewriteCond %{SERVER_PORT} !=443
RewriteRule ^(.*)$ https://example.com/$1 [R=301,L]
Header set Strict-Transport-Security: "max-age=31536000 ; includeSubDomains ;" env=HTTPS
Header set X-Frame-Options: SAMEORIGIN
Header set X-Content-Type-Options: nosniff
Header set X-XSS-Protection "1; mode=block"
Header set Referrer-Policy: strict-origin-when-cross-origin
Header set Content-Security-Policy-Report-Only: default-src: https:
The first group of headers seem to work perfectly but when I include the last line I get a 500 internal server error and the site doesn't load. I don't have access to the server logs and the host support agents aren't trained in this field at all.
Is there something I'm doing wrong here? Any help would be really appreciated!
Just worked this out, should have had 'default-src: https:' in quotes, as in:
Header set Content-Security-Policy-Report-Only: "default-src: https:"
Hope this helps someone!
I use precomposed gzipped CSS and JS files, so that server doesn't do this on the fly.
So in the same folder I have file.css (gzipped version), file.nozip.css (nogzipped version). Then depending whether browser accepts gzipped files or not, send proper version.
So I have the following in .htaccess:
RewriteEngine On
RewriteRule ^(.*)\.[0-9]+\.css$ $1.css [L]
#redirect Konqueror and "old browsers"
RewriteCond %{REQUEST_FILENAME} !\.nogzip\.css$
RewriteCond %{HTTP:Accept-encoding} !gzip [OR]
RewriteCond %{HTTP_USER_AGENT} Konqueror
RewriteRule ^(.*)\.css$ $1.nogzip.css [L]
<IfModule mod_headers.c>
Header set Vary User-Agent
#set Content-Encoding for all css files
<FilesMatch .*\.css$>
Header set Content-Encoding: gzip
Header set Cache-control: private
</FilesMatch>
#drop Content-Encoding in case we send not gzipped file
<FilesMatch .*\.nogzip\.css$>
Header unset Content-Encoding
</FilesMatch>
</IfModule>
<IfModule mod_expires.c>
ExpiresActive On
ExpiresDefault A36000000
</IfModule>
This approach I used many times before both as on Windows as well on Linux servers. Worked fine always.
However, recently while developing another site I face issue with the browser not recognizing the gzipped file as gzipped.
On localhost is working, here is the response header:
Accept-Ranges:bytes
Cache-control:private
Connection:Keep-Alive
Content-Encoding:gzip
Content-Length:39115
Content-Type:text/css
Date:Wed, 17 Jun 2015 11:27:28 GMT
ETag:"98cb-517998d9e690c"
Keep-Alive:timeout=5, max=100
Last-Modified:Wed, 03 Jun 2015 09:19:16 GMT
Server:Apache/2.4.12 (Win64) OpenSSL/1.0.1m PHP/5.6.9
Vary:User-Agent
X-Distributed-by:AHC
Here is the header received from the production server (not working - css file displayed as zipped in the browser):
Accept-Ranges:bytes
Cache-control:private
Connection:Keep-Alive
Content-Encoding:gzip
Content-Length:39099
Content-Type:text/css
Date:Wed, 17 Jun 2015 11:30:08 GMT
ETag:"98cb-517998d8fcd00-gzip"
Keep-Alive:timeout=5, max=99
Last-Modified:Wed, 03 Jun 2015 09:19:16 GMT
Server:Apache/2.4.10 (Debian)
Vary:User-Agent
The only difference is "X-Distributed-by:AHC", but this hardly be the reason for problem.
Any ideas what else to check?
In case 2, it strongly implies mod_deflate compressed it on the fly due to the etag:
ETag:"98cb-517998d8fcd00-gzip"
Maybe it would be best to set no-gzip for e.g. the konqueror case?
I made my own cache-control rule in httpd.conf. ANd need to apply different rules on each different sub directories.
I made no-cache for .do extension for default(httpd.conf).
# use .htaccess files for overriding,
AccessFileName .htaccess
...
<ifModule mod_headers.c>
<LocationMatch "\.(do)$">
Header append Cache-Control "max-age=0, no-cache, no-store, must-revalidate"
</LocationMatch>
</ifModule>
And need to cache for some directories(.htaccess).
example URL : XXX.com/en/product.do
So I made a .htaccess on <webRoot>/en.
<ifModule mod_headers.c>
<LocationMatch "\.(do)$">
Header set Cache-Control "max-age=216000, public, must-revalidate"
</LocationMatch>
</ifModule>
Am I going wrong? Is there other way to rule different on different directories?
Nothing like <locationMatch> can be used in .htaccess; it will generate a runtime error.
Also, usually *.do is proxied, in which case no filesystem directory would ever be read for .htaccess.
I suggest putting the second stanza first, and adding ^/en/ to the front.