.htaccess template - apache

I made an .htaccess template; is there anything else that should be added or changed?
# DEFAULTS
ServerSignature Off
AddDefaultCharset UTF-8
DefaultLanguage en-US
SetEnv Europe/Belgrade
SetEnv SERVER_ADMIN chrisp#dejan.com.au
# Rewrites
RewriteEngine On
RewriteBase /
# Redirect to WWW
RewriteCond %{HTTP_HOST} ^serpentineseo.com
RewriteRule (.*) http://www.serpentineseo.com/$1 [R=301,L]
# Cache media files
<filesMatch "\.(gif|jpg|jpeg|png|ico|swf|js)$">
Header set Cache-Control "max-age=2592000, public"
</filesMatch>
<FilesMatch "\.(js|css|pdf|swf)$">
Header set Cache-Control "max-age=604800"
</FilesMatch>
<FilesMatch "\.(html|htm|txt)$">
Header set Cache-Control "max-age=600"
</FilesMatch>
# DONT CACHE
<FilesMatch "\.(pl|php|cgi|spl|scgi|fcgi)$">
Header unset Cache-Control
</FilesMatch>
# Deny access to .htaccess
<Files .htaccess>
order allow,deny
deny from all
</Files>

Turn Off ETags [1]
FileETag None
ServerTokens Prod, ServerSignature Off [2]
ServerTokens prod
ServerSignature Off
[1]: http://www.askapache.com/htaccess/apache-speed-etags.html Turn off ETags
[2]: http://www.petefreitag.com/item/419.cfm ServerTokens Prod, ServerSignature Off

Related

Adding HTTP Strict Transport Security to .htaccess

I would like to add an HTTP Strict Transport Security directive to my .htaccess file. I've added the lock at the end of the code here, but when I test Testing the HSTS preload process it shows the setting not set. I checked my Apache config and see the headers module enabled.
What am I missing?
<Files .htaccess>
order allow,deny
deny from all
</Files>
<FilesMatch "\.(png|gif|js|css)$">
ExpiresActive on
ExpiresDefault "access plus 1 month"
</FilesMatch>
# disable directory autoindexing
Options -Indexes
ErrorDocument 400 http://%{HTTP_HOST}
ErrorDocument 401 http://%{HTTP_HOST}
ErrorDocument 402 http://%{HTTP_HOST}
ErrorDocument 403 http://%{HTTP_HOST}
ErrorDocument 405 http://%{HTTP_HOST}
ErrorDocument 404 /incl/pages/error404.php
ErrorDocument 500 http://%{HTTP_HOST}
RewriteEngine On
RewriteBase /
RewriteCond %{SERVER_PORT} ^80$
RewriteRule ^.*$ https://%{SERVER_NAME}%{REQUEST_URI} [R=301,L]
# BEGIN GZIP
<ifmodule mod_deflate.c>
AddOutputFilterByType DEFLATE text/text text/html text/plain text/xml text/css application/x-javascript application/javascript
</ifmodule>
# END GZIP
# Use HTTP Strict Transport Security to force client to use secure connections only
<ifmodule mod_headers.c>
Header set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" env=HTTPS
</ifmodule>
I tested here and here.
For redirects you need to use the always attribute:
Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" env=HTTPS
From the mod_headers documentation:
You're adding a header to a locally generated non-success (non-2xx) response, such as a redirect, in which case only the table corresponding to always is used in the ultimate response.
For Apache 2.2 somehow Header always set x x env=HTTPS is never matched for redirects whether you specify SSLOptions +StdEnvVars or not.
My suggestion: separate your VirtualHosts so that they do not mix plaintext/ssl ports, and then on the ssl-only VirtualHosts specify simply Header always set x x without any conditions.
Checked on httpd-2.2.15-60.el6.centos.6.x86_64
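An added example, not part of the original question or answers: a small Python check that reads response heads and reports why a response would fail an HSTS preload test, covering the redirect case the answers describe. The sample responses are constructed, the function and constant names are hypothetical, and the one-year minimum for max-age is an assumption taken from the value in the page's header.

```python
import re

MIN_MAX_AGE = 31536000  # value from the page's header; assumed here as the preload minimum

# Constructed response heads (not captured from a real server).
OK_200 = """HTTP/1.1 200 OK
Content-Type: text/html
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload"""

# A locally generated redirect when only "Header set" is configured.
REDIRECT_SET = """HTTP/1.1 301 Moved Permanently
Location: https://www.example.com/"""

# The same redirect once "Header always set" is used.
REDIRECT_ALWAYS = REDIRECT_SET + """
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload"""

WEAK_200 = """HTTP/1.1 200 OK
Strict-Transport-Security: max-age=600; includeSubDomains"""


def parse_head(raw):
    """Split a raw response head into (status code, {lowercase name: value})."""
    lines = raw.strip().splitlines()
    status = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers


def hsts_problems(raw):
    """Return the reasons a response would fail an HSTS preload check."""
    status, headers = parse_head(raw)
    value = headers.get("strict-transport-security")
    if value is None:
        return [f"{status}: Strict-Transport-Security header missing"]
    directives = [d.strip().lower() for d in value.split(";") if d.strip()]
    problems = []
    ages = [re.fullmatch(r'max-age="?(\d+)"?', d) for d in directives]
    age = next((int(m.group(1)) for m in ages if m), None)
    if age is None or age < MIN_MAX_AGE:
        problems.append(f"{status}: max-age missing or below {MIN_MAX_AGE}")
    for required in ("includesubdomains", "preload"):
        if required not in directives:
            problems.append(f"{status}: {required} directive missing")
    return problems


if __name__ == "__main__":
    for sample in (OK_200, REDIRECT_SET, REDIRECT_ALWAYS, WEAK_200):
        print(hsts_problems(sample) or "ok")
```

Feeding it the head of each HTTPS response in the redirect chain shows whether the header survives on non-2xx responses, which is the case where `Header set` without `always` leaves it out.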

apache2 redirect not adding trailing /

Okay, so I am having a little difficulty with my site. I created a sub-domain and it points to the correct folder /var/www/html/pathfinder/, but it does not create the trailing slash: www.example.com
That causes an issue because then it attempts to load CSS files at www.example.comcss/file.css
I am using SSL and can't figure out what I have done wrong.
<IfModule mod_ssl.c>
<VirtualHost *:443>
DocumentRoot /var/www/html/pathfinder
ServerName www.subdomain.example.com
ServerAlias subdomain.example.com
<Directory /var/www/html/pathfinder/>
Options Indexes FollowSymLinks
AllowOverride All
</Directory>
ErrorLog ${APACHE_LOG_DIR}/error_1.log
CustomLog ${APACHE_LOG_DIR}/access_1.log combined
SSLCertificateFile /etc/letsencrypt/live/www.subdomain.example.com/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/www.subdomain.example.com/privkey.pem
Include /etc/letsencrypt/options-ssl-apache.conf
</VirtualHost>
# vim: syntax=apache ts=4 sw=4 sts=4 sr noet
</IfModule>
# HTTPS over SSL version
# Information: https://github.com/exodus4d/pathfinder/wiki/Apache
# Enable rewrite engine and route requests to framework ===========================================
RewriteEngine On
# HTTP to HTTPS ===================================================================================
RewriteCond %{HTTPS} off
RewriteCond %{HTTP_HOST} !^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}$
RewriteCond %{HTTP_HOST} !=localhost
# First rewrite to HTTPS:
# Don't put www. here. If it is already there it will be included, if not
# the subsequent rule will catch it.
RewriteRule .* https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
# Rewrite NONE www. to force www. =================================================================
RewriteCond %{HTTP_HOST} !^www\.
# skip "localhost" (dev environment)...
RewriteCond %{HTTP_HOST} !=localhost
# skip IP calls (dev environment)
RewriteCond %{HTTP_HOST} !^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}$
# rewrite everything else to "https://" and "www."
RewriteRule .* https://www.%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
# Some servers require you to specify the `RewriteBase` directive
# In such cases, it should be the path (relative to the document root)
# containing this .htaccess file:
# RewriteBase /app/
# Protect system files ============================================================================
RewriteCond %{ENV:REDIRECT_STATUS} ^$
RewriteRule ^(lib|tmp)\/|\.(ini|php)$ - [R=404]
# Rewrite "everything" to index.php (dispatcher) ==================================================
RewriteCond %{REQUEST_FILENAME} !-l
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule .* index.php [L,QSA]
RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization},L]
# PHP global Vars (can be set in php.ini as well,...) =============================================
php_value max_input_vars 5000
php_value suhosin.get.max_vars 5000
php_value suhosin.post.max_vars 5000
php_value suhosin.request.max_vars 5000
# Activate PHP error log ==========================================================================
php_flag log_errors on
# php_value error_log "/www/htdocs/www.pathfinder-w.space/logs/php_errors.log"
# Cache Header ====================================================================================
# You should not change anything in here!
# New versioned files come with a unique path (e.g. ../js/v1.0.0/..) to force client cache busting.
<ifmodule mod_expires.c>
# fonts
<Filesmatch "\.(eot|woff2|woff|ttf|ttf|svg)$">
ExpiresActive on
ExpiresDefault "access plus 1 month"
Header append Cache-Control "public"
</Filesmatch>
# images/vector graphics
<Filesmatch "\.(jpg|jpeg|png|gif|swf|ico|svg)$">
ExpiresActive on
ExpiresDefault "access plus 1 year"
Header append Cache-Control "public"
FileETag None
Header unset ETag
</Filesmatch>
# css
<Filesmatch "\.(css)$">
ExpiresActive on
ExpiresDefault "access plus 1 month"
</Filesmatch>
## js/source maps
<Filesmatch "\.(js|map)$">
ExpiresActive on
ExpiresDefault "access plus 1 year"
Header append Cache-Control "public"
FileETag None
Header unset ETag
</Filesmatch>
# html templates
<Filesmatch "\.(htm|html)$">
ExpiresActive on
ExpiresDefault "access plus 1 week"
</Filesmatch>
</ifmodule>

owncloud webpage has a redirect loop

I have Ubuntu 14.04.3 LTS server on hyper-v virtual machine.
Mysql 14.14
Apache 2.4.7
php 5.5.9
Owncloud 8.1.3.0
After an unexpected shutdown of the VM, the main page has a redirect loop. All attempts to modify htaccess were not successful (I tried deleting it, the redirect remains). The following is the configuration of htaccess:
<IfModule mod_headers.c>
<IfModule mod_fcgid.c>
<IfModule mod_setenvif.c>
SetEnvIfNoCase ^Authorization$ "(.+)" XAUTHORIZATION=$1
RequestHeader set XAuthorization %{XAUTHORIZATION}e env=XAUTHORIZATION
</IfModule>
</IfModule>
<IfModule mod_env.c>
# Add security and privacy related headers
Header set X-Content-Type-Options "nosniff"
Header set X-XSS-Protection "1; mode=block"
Header set X-Robots-Tag "none"
Header set X-Frame-Options "SAMEORIGIN"
SetEnv modHeadersAvailable true
</IfModule>
# Add cache control for CSS and JS files
<FilesMatch "\.(css|js)$">
Header set Cache-Control "max-age=7200, public"
</FilesMatch>
</IfModule>
<IfModule mod_php5.c>
php_value upload_max_filesize 10G
php_value post_max_size 10G
php_value memory_limit 512M
php_value mbstring.func_overload 0
php_value always_populate_raw_post_data -1
php_value default_charset 'UTF-8'
php_value output_buffering off
<IfModule mod_env.c>
SetEnv htaccessWorking true
</IfModule>
</IfModule>
<IfModule mod_rewrite.c>
RewriteEngine on
RewriteRule .* - [env=HTTP_AUTHORIZATION:%{HTTP:Authorization}]
RewriteRule ^\.well-known/host-meta /public.php?service=host-meta [QSA,L]
RewriteRule ^\.well-known/host-meta\.json /public.php?service=host-meta-json [QSA,L]
RewriteRule ^\.well-known/carddav /remote.php/carddav/ [R=301,L]
RewriteRule ^\.well-known/caldav /remote.php/caldav/ [R=301,L]
RewriteRule ^apps/calendar/caldav\.php remote.php/caldav/ [QSA,L]
RewriteRule ^apps/contacts/carddav\.php remote.php/carddav/ [QSA,L]
RewriteRule ^remote/(.*) remote.php [QSA,L]
RewriteRule ^(build|tests|config|lib|3rdparty|templates)/.* - [R=404,L]
RewriteRule ^(\.|autotest|occ|issue|indie|db_|console).* - [R=404,L]
</IfModule>
<IfModule mod_mime.c>
AddType image/svg+xml svg svgz
AddEncoding gzip svgz
</IfModule>
<IfModule mod_dir.c>
DirectoryIndex index.php index.html
</IfModule>
AddDefaultCharset utf-8
Options -Indexes
<IfModule pagespeed_module>
ModPagespeed Off
</IfModule>
ErrorDocument 403 /core/templates/403.php
ErrorDocument 404 /core/templates/404.php
And apache config
<VirtualHost *:80>
#ServerName ***
ServerAdmin ***
DocumentRoot /var/www/owncloud
<Directory /var/www/owncloud>
Options Indexes FollowSymLinks MultiViews
AllowOverride All
Require all granted
</Directory>
LogLevel warn
ErrorLog ${APACHE_LOG_DIR}/owncloud-error.log
CustomLog ${APACHE_LOG_DIR}/owncloud-access.log combined
</VirtualHost>
DROP TABLE oc_storagecharts2;
DROP TABLE oc_storagecharts2_uconf;
rm -rf /var/www/owncloud/apps/storagecharts2
This helped me.

Magento is not loading pages? Htaccess issue?

I have a site # 1928.voicemktg.com - the pages load excruciatingly slow, however, when I remove the RewriteRule .* index.php [L] from the htaccess file, it works fast. Either way, I can't access other pages from the homepage - anyone know what would cause this? I would like the site to properly load the links and pages.
NOTE: This issue does not only make the site slow (not just an issue about speed), but it also breaks all links within the site.
Here is what is in my .htaccess - it's the default Magento .htaccess file:
############################################
## uncomment these lines for CGI mode
## make sure to specify the correct cgi php binary file name
## it might be /cgi-bin/php-cgi
# Action php5-cgi /cgi-bin/php5-cgi
# AddHandler php5-cgi .php
############################################
## GoDaddy specific options
# Options -MultiViews
## you might also need to add this line to php.ini
## cgi.fix_pathinfo = 1
## if it still doesn't work, rename php.ini to php5.ini
############################################
## this line is specific for 1and1 hosting
#AddType x-mapp-php5 .php
#AddHandler x-mapp-php5 .php
############################################
## default index file
DirectoryIndex index.php
<IfModule mod_php5.c>
############################################
## adjust memory limit
php_value memory_limit 512M
php_value max_execution_time 18000
############################################
## disable magic quotes for php request vars
php_flag magic_quotes_gpc off
############################################
## disable automatic session start
## before autoload was initialized
php_flag session.auto_start off
############################################
## enable resulting html compression
#php_flag zlib.output_compression on
###########################################
# disable user agent verification to not break multiple image upload
php_flag suhosin.session.cryptua off
###########################################
# turn off compatibility with PHP4 when dealing with objects
php_flag zend.ze1_compatibility_mode Off
</IfModule>
<IfModule mod_security.c>
###########################################
# disable POST processing to not break multiple image upload
SecFilterEngine Off
SecFilterScanPOST Off
</IfModule>
<IfModule mod_deflate.c>
############################################
## enable apache served files compression
## http://developer.yahoo.com/performance/rules.html#gzip
# Insert filter on all content
###SetOutputFilter DEFLATE
# Insert filter on selected content types only
#AddOutputFilterByType DEFLATE text/html text/plain text/xml text/css text/javascript
# Netscape 4.x has some problems...
#BrowserMatch ^Mozilla/4 gzip-only-text/html
# Netscape 4.06-4.08 have some more problems
#BrowserMatch ^Mozilla/4\.0[678] no-gzip
# MSIE masquerades as Netscape, but it is fine
#BrowserMatch \bMSIE !no-gzip !gzip-only-text/html
# Don't compress images
#SetEnvIfNoCase Request_URI \.(?:gif|jpe?g|png)$ no-gzip dont-vary
# Make sure proxies don't deliver the wrong content
#Header append Vary User-Agent env=!dont-vary
</IfModule>
<IfModule mod_ssl.c>
############################################
## make HTTPS env vars available for CGI mode
SSLOptions StdEnvVars
</IfModule>
<IfModule mod_rewrite.c>
############################################
## enable rewrites
Options +FollowSymLinks
RewriteEngine on
############################################
## you can put here your magento root folder
## path relative to web root
#RewriteBase /magento/
############################################
## workaround for HTTP authorization
## in CGI environment
RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]
############################################
## always send 404 on missing files in these folders
RewriteCond %{REQUEST_URI} !^/(media|skin|js)/
############################################
## never rewrite for existing files, directories and links
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteCond %{REQUEST_FILENAME} !-l
############################################
## rewrite everything else to index.php
RewriteRule .* index.php [L]
</IfModule>
############################################
## Prevent character encoding issues from server overrides
## If you still have problems, use the second line instead
AddDefaultCharset Off
#AddDefaultCharset UTF-8
<IfModule mod_expires.c>
############################################
## Add default Expires header
## http://developer.yahoo.com/performance/rules.html#expires
ExpiresDefault "access plus 1 year"
</IfModule>
############################################
## By default allow all access
Order allow,deny
Allow from all
############################################
## If running in cluster environment, uncomment this
## http://developer.yahoo.com/performance/rules.html#etags
#FileETag none

mod_rewrite not working with reverse proxy in vhost

All I am trying to do is:
rewrite /static/styles/min.css to /static/styles/min.css.gz
rewrite /static/scripts/min.js to /static/scripts/min.js.gz
The trick is that those files are on a remote (public) server which I'm reverse proxying to.
I am doing this so I can workaround the same-origin issue with our javascript, and to speed up delivery in general. The .gz files already exist.
No matter what I do, I cannot request the .js file and have the .gz file returned.
I have tried this with numerous different RewriteConds to no avail.
I have also tried it with RequestHeader unset Accept-Encoding enabled, and commented out.
Google PageSpeed keeps telling me that it is not receiving the compressed versions, and when I request using curl and manually setting the "Accept-Encoding: gzip, deflate" header, I continue to receive the non-compressed versions. I cannot put the rewrites in the .htaccess file because the reverse proxy is processed before the .htaccess, and I need the rewrite to already be in effect when the reverse proxy happens. I'm at a total loss.
Here is my non-production setup (I know it needs securing):
<VirtualHost *:80>
ServerName ww.test.com
DocumentRoot "/htdocs/public"
Options +MultiViews
AddEncoding x-gzip .gz
AddEncoding gzip .gz
RewriteEngine on
RewriteCond %{HTTP:Accept-Encoding} gzip
RewriteRule ^\.js$ $1\.js\.gz [L]
RewriteCond %{HTTP:Accept-Encoding} gzip
RewriteRule ^\.css$ $1\.css\.gz [L]
<FilesMatch .*\.css\.gz>
ForceType text/css
Header append Content-Encoding gzip
</FilesMatch>
<FilesMatch .*\.js\.gz>
ForceType text/javascript
Header append Content-Encoding gzip
</FilesMatch>
ProxyRequests off
ProxyPass /static/ http://www.ourCDN.com/ourAccount/environmentName/
<Location /static/>
ProxyPassReverse /
#RequestHeader unset Accept-Encoding
</Location>
<Directory />
Options FollowSymLinks
AllowOverride All
Order deny,allow
</Directory>
</VirtualHost>
FilesMatch rules apply only to files on disk - a proxied request isn't a file on disk and therefore won't be captured by a FilesMatch rule.
You probably want
<LocationMatch "^/static/.*\.css\.gz$">
ProxyPassReverse /
....
</LocationMatch>