Browser fails to cache SWF file - apache

I am having an issue with the browser not caching a SWF file.
I have the following in my apache configuration:
ExpiresByType application/x-shockwave-flash "access plus 2 months"
I can see the headers coming back from the original request for the SWF look like this (the expires header looks like it's being set properly):
Request:
User-Agent Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.1.5) Gecko/20091102 Firefox/3.5.5
Accept HTTP Accept=text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding gzip,deflate
Cookie auth_token=
Response:
Server Apache/2.2.8 (Ubuntu) PHP/5.2.4-2ubuntu5.5 with Suhosin-Patch proxy_html/3.0.0 mod_ssl/2.2.8 OpenSSL/0.9.8g Phusion_Passenger/2.2.5
Last-Modified Sat, 14 Nov 2009 04:48:19 GMT
Etag "49384-4784d7c3c8ac0"
Accept-Ranges bytes
Content-Length 299908
Cache-Control max-age=5184000
Expires Fri, 15 Jan 2010 20:25:42 GMT
Content-Type application/x-shockwave-flash
However, on subsequent loads of the page, the browser still sends If-Range requests for the SWF as follows:
Request:
User-Agent Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.1.5) Gecko/20091102 Firefox/3.5.5
Accept HTTP Accept=text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding gzip,deflate
Cookie auth_token=
Range bytes=0-
If-Range "49384-4784d7c3c8ac0"
Response:
Server Apache/2.2.8 (Ubuntu) PHP/5.2.4-2ubuntu5.5 with Suhosin-Patch proxy_html/3.0.0 mod_ssl/2.2.8 OpenSSL/0.9.8g Phusion_Passenger/2.2.5
Last-Modified Sat, 14 Nov 2009 04:48:19 GMT
Etag "49384-4784d7c3c8ac0"
Accept-Ranges bytes
Content-Length 299908
Cache-Control max-age=5184000
Expires Fri, 15 Jan 2010 20:25:45 GMT
Content-Range bytes 0-299907/299908
Content-Type application/x-shockwave-flash
These subsequent requests appear to be sending the Etag in the If-Range header, and are getting 206 responses with the entire content. I've tried setting apache up to unset the Accept-Ranges header and Etags, but the browser will re-request the file in either cases.
Has anyone seen anything like this before and know what to do to get the SWF to cache?
Thanks!

Related

How to apply cache control header to a specific file with .htaccess

I'm trying to apply a no cache header to the style.css file in the child theme of my WordPress site, using the .htaccess file. I want to avoid having to clear my browser cache every time I make CSS styling changes to the site, in order to see the changes. Currently my cache control looks like this -
<Files ~ https://my-domain.org.au/wp-content/themes/church-suite_child_theme/style.css>
FileEtag None
<ifModule mod_headers.c>
Header Unset ETag
Header Set Cache-Control "max-age=0, no-store, no-cache, must-revalidate"
Header Set Pragma "no-cache"
Header Set Expires "Thu, 30 June 2022 00:00:00 GMT"
</ifModule>
</Files>
It doesn't appear to be working. I'm using the Network Inspector in Chrome Dev Tools to view the network requests. The following is returned when I refresh the page and inspect the request -
RESPONSE HEADERS,
cache-control: max-age=31536000
content-encoding: br
content-type: text/css
date: Fri, 12 Nov 2021 01:41:45 GMT
etag: W/"6188f369-73b"
expires: Sat, 12 Nov 2022 01:41:45 GMT
host-header: 8441280b0c35cbc1147f8ba998a563a7
last-modified: Mon, 08 Nov 2021 09:52:41 GMT
server: nginx
vary: Accept-Encoding
x-proxy-cache-info: DT:1

How do I know which access-control-allow-headers to allow for CORS?

Given these request headers:
Host: api.example.org
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.11; rv:41.0) Gecko/20100101 Firefox/41.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
DNT: 1
Origin: https://web.example.org
Access-Control-Request-Method: GET
Access-Control-Request-Headers: authorization
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache
And these response headers:
Connection: keep-alive
Content-Length: 0
Content-Type: text/plain; charset=utf-8
Date: Tue, 13 Oct 2015 10:57:34 GMT
Server: nginx/1.8.0
access-control-allow-headers: Authorization, Content-Type
access-control-allow-methods: PUT, DELETE, PATCH
access-control-allow-origin: *
This works even though only the Authorization and Content-Type headers are explicitly allowed. Why didn't I have to allow other headers that my browser sends? (like DNT for example)
Update: this MDN page contains an overview of simple headers (default CORS-safelisted request headers):
A simple header (or CORS-safelisted request header) is one of the
following HTTP headers:
Accept
Accept-Language
Content-Language
Content-Type with a MIME type of its parsed value (ignoring parameters) of either application/x-www-form-urlencoded, multipart/form-data, or text/plain.
Or one of these client hint headers:
DPR
Downlink
Save-Data
Viewport-Width
Width
Without seeing your code to generate the headers, or on which system you are serving from, i.e. nginx or apache, the best I can do is refer you to http://client.cors-api.appspot.com/client which will allow you to test your CORS requests. Also, you should look at http://enable-cors.org/server.html for your specific setup. For instance on nginx, you could have something like this
add_header 'Access-Control-Allow-Headers' 'DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type';
There is a set of normal headers, and then the set of headers that you have to explicitly call out. see http://www.html5rocks.com/en/tutorials/cors/#toc-adding-cors-support-to-the-server about setting it up on a server.
The Access-Control-Allow-Headers is attached by backend, you cannot control that header on client side.Access-Control-Allow-Headers should be returned in response object.
So to include other headers into Access-Control-Allow-Headers header in response object - you have to configure your web server or update backend application which serves requests to attach desired value of Access-Control-Allow-Headers to each request.
To allow any headers in your client requests server should add Access-Control-Allow-Origin: * header to each response.
There are a lot of articles and info of how you can setup CORS to work in the way you want. For example that one - Enabling CORS

UI not updating when using tomcat with apache & mod_jk

Well I have a weired issue, I was trying fronting tomcat with apache mod_jk using worker.
If I update my form with something like http://server.internal:8080 i.e tomcat then it works fine i.e updates are shown on screen and onrefresh the updates retain.
But if I update form with apache i.e http://server.internal/ then updates are seen in database but on refresh UI shows old values only, after refreshing 5-10 times then UI shows new values.
Also during refresh sometimes it shows old values while sometimes new values in the form.
I am using tomcat 7 + apache 2.2 + mod_jk on windows server.
I have disabled caching modules but still getting error.
Not sure where and how to debug such an issue.
Edited ---------
Request headers with apache
Cache-Control no-cache,no-store,private,pre-check=0,post-check=0,max-age=0
Connection close
Content-Encoding gzip
Content-Length 10174
Content-Type text/html;charset=utf-8
Date Thu, 11 Dec 2014 19:39:36 GMT
Expires -1
Pragma no-cache
Server Apache/2.2.25 (Win32) mod_jk/1.2.40
Vary Accept-Encoding
Request headers with tomcat
Content-Type text/html;charset=utf-8
Date Thu, 11 Dec 2014 19:43:43 GMT
Server Apache-Coyote/1.1
Transfer-Encoding chunked
Response Header with apache
Accept text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding gzip, deflate
Accept-Language en-US,en;q=0.5
Cache-Control max-age=0
Connection keep-alive
Cookie JSESSIONID=7D3ACA49B478E8B3A126B37252B62481
Host server
User-Agent Mozilla/5.0 (Windows NT 6.0; WOW64; rv:34.0) Gecko/20100101 Firefox/34.0
Response header with tomcat
Accept text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding gzip, deflate
Accept-Language en-US,en;q=0.5
Connection keep-alive
Cookie JSESSIONID=7D3ACA49B478E8B3A126B37252B62481
Host server:8080
User-Agent Mozilla/5.0 (Windows NT 6.0; WOW64; rv:34.0) Gecko/20100101 Firefox/34.0
Does not look a caching issue, tried with KeepAlive off also
I think its problem with the browser local history, delete the history in your browser and try again.mostly it will works fine.
This definitely smells like a caching issue. To be sure, explicitly purge your browser's cache (or disable it) and see if that helps. If it does, you may
want to add this in your apache's httpd.conf (replace the pattern */yourform.jsp by something that matches your form page(s)) in order to mark these pages as "uncacheable":
<Proxy */yourform.jsp>
Header unset Pragma
Header Always set Cache-Control: "no-cache,no-store,private,pre-check=0,post-check=0,max-age=0"
Header Always set Pragma: "no-cache"
Header Always set Expires "-1"
</Proxy>

Force PDF file download using htaccess

i am using Apache as backend server and nginx as frontend server. I need to make PDF files downloadable (at this moment they are opening in a browser window).
Here's a link:
link
Here's what i have tried so far in my .htaccess file:
<FilesMatch "\.(pdf)$">
ForceType application/octet-stream
Header set Content-Disposition attachment
</FilesMatch>
Didn't work, just opens the file in a browser.
AddType application/force-download pdf
Didn't work.
AddType application/octet-stream .pdf
Didn't work.
UPDATE
Tried: wget --server-response -O /dev/null http://domain.com/files/teltomat.pdf
And got response:
HTTP request sent, awaiting response...
HTTP/1.1 200 OK
Server: nginx
Date: Wed, 24 Sep 2014 17:40:54 GMT
Content-Type: application/pdf
Content-Length: 3116445
Last-Modified: Wed, 24 Sep 2014 13:28:07 GMT
Connection: keep-alive
Keep-Alive: timeout=60
ETag: "5422c6e7-2f8d9d"
Expires: Thu, 31 Dec 2037 23:55:55 GMT
Cache-Control: max-age=315360000
Accept-Ranges: bytes
Length: 3116445 (3,0M) [application/pdf]
Saving to: ‘/dev/null’
You could try the HTML5 solution of adding a "download" instead of "target":
link
As it looks like the server's end is doing the right thing (by making the disposition "attachment") but maybe the browser is deciding on its own that it can handle PDF's inline and opens a new window instead.

Apache: Get rid of Keep-Alive entry in the headers list

I'm using LAMP (Linux, Apache, MySQL, PHP) server.
Currently the server sends the response with next Headers list. I want to eliminate Keep-Alive entry for security reasons, to have Headers list without it. Is it possible to prevent sending the Keep-Alive entry in the Headers list?
Current Response Headers:
Cache-Control private, no-cache, no-store, must-revalidate, post-check=0, pre-check=0
Connection Keep-Alive
Content-Encoding gzip
Content-Type text/html; charset=UTF-8
Date Thu, 13 Mar 2014 01:43:49 GMT
Expires Thu, 13 Mar 2014 01:43:49 GMT
Keep-Alive timeout=5, max=200
Last-Modified Thu, 13 Mar 2014 01:43:49 GMT
Pragma no-cache
Server Apache
Transfer-Encoding chunked
Vary Accept-Encoding
X-DNS-Prefetch-Control off
X-Frame-Options sameorigin
Response Headers I Would Like Instead:
Cache-Control private, no-cache, no-store, must-revalidate, post-check=0, pre-check=0
Connection Keep-Alive
Content-Encoding gzip
Content-Type text/html; charset=UTF-8
Date Thu, 13 Mar 2014 01:43:49 GMT
Expires Thu, 13 Mar 2014 01:43:49 GMT
Last-Modified Thu, 13 Mar 2014 01:43:49 GMT
Pragma no-cache
Server Apache
Transfer-Encoding chunked
Vary Accept-Encoding
X-DNS-Prefetch-Control off
X-Frame-Options sameorigin
Is it possible to prevent sending the Keep-Alive entry in the Headers list?
To my knowledge, no. The whole purpose of the Keep-Alive header is to communicate the need for a persistent connection to the client. So getting rid of the headers gets rid of the main form of communication between the client & the server.
That said, you might be able to get it unset by using unset in your Apache config or .htaccess as explained here. I emphasize might since I have had header directives not behave as expected in some versions of Apache. But assuming good faith, first be sure the headers module is enabled. In Ubuntu 12.04 you would do this:
sudo a2enmod headers
And then add this to your Apache config or .htaccess:
<IfModule mod_headers.c>
Header unset Keep-Alive
</IfModule>
Now restart Apache:
sudo service apache2 restart
More details on the header directive are here.
There are a few ways to this in apache:
Server-wide using the KeepAlive directive ( KeepAlive ). However you can not have this in per-directory configuration files, so setting KeepAlive Off will turn off keep alive for the entire server.
Using SetEnv or SetEnvIf with mod_env, and set the nokeepalive environmental variable. This will turn off keepalive for the location where the environmental is set, or the rule that is matched by SetEnvIf (depending with you use). e.g.
can be in HTACCESS
SetEnv nokeepalive 1
Using mod_rewrite to again set the environmental for a specific rule, e.g.
RewriteRule some-file.html - [E=nokeepalive:1]
Using PHP (or any other server site language) and sending the header Connection: close. This will cause Apache to omit the Keep-Alive header, since the connection is no longer keepalive. e.g.
php
header('Connection: close');
Use mod_headers to set the connection header to close again, e.g.
Header set Connection "close"
I personally have not tested the last one, but it should work.
KeepAlive behavior (availability and timeouts) is directly configurable:
http://httpd.apache.org/docs/2.4/mod/core.html#keepalive
Changing this is primarily an aspect of performance rather than security, but you're free to test the implications in your own environment.