
I have a curious issue:

I have a bunch of headers that are the same for every website on a server. I think "this can be set just once in httpd.conf so as to save writing out into a pile of .htaccess every time there's a new one to add / change."

So this is what I do:

In the httpd.conf file before the virtual hosts I set:

```apache
<IfModule mod_headers.c>
  <Directory '/'>
    Header always set Feature-Policy "accelerometer 'none'; camera 'none'; geolocation 'none'; gyroscope 'none'; magnetometer 'none'; microphone 'none'; payment 'none'; usb 'none'"
    Header always set Cache-Control no-cache,must-revalidate
    Header always set X-Clacks-Overhead "GNU Terry Pratchett"
    Header always set X-XSS-Protection 1;mode=block
    Header always set X-Content-Type-Options nosniff
    Header always set X-Frame-Options SAMEORIGIN
    Header always set Content-Language en
    Header always set Referrer-Policy origin-when-cross-origin
    Header unset Last-Modified
    Header unset X-Powered-By
    Header always set Strict-Transport-Security "max-age=31536000;" "expr=%{HTTPS} == 'on'"
    Header always set Expect-CT enforce,max-age=2592000
  </Directory>
</IfModule>
```

However, after doing this and hard restarting the Apache (version 2.4.37), I find that additional or edited Header instructions in the .htaccess are not being sent.

For example; each account has its own CSP policy and this is reflected in the account public_html/.htaccess file:

example:

```apache
Header set Content-Security-Policy "upgrade-insecure-requests; default-src 'self' https:;"
```

But when the headers are read by any browser the headers received are only the ones from the httpd.conf and no additional or changed headers are showing from the .htaccess.

I can't work out why this is?

What I have tried

  • I have wrapped the headers in the .htaccess in qualifier <IfModule ...> statements.
  • I have used different browsers to force Apache to reread the .htaccess files.
  • I have read Google and can find no reference of httpd.conf messing with .htaccess reading of headers.
  • Other parts of the .htaccess files are being read OK.

Notes

  • Apache version 2.4.37
  • All of these headers work in the .htaccess prior to the above changes. It's not Header syntax as far as I can tell.

Any help gratefully received.

Martin
  • Can't reproduce it. For me headers from both places, i.e. `vhost.conf` and `.htaccess`, are seen by the client. – anubhava Nov 24 '18 at 08:10
  • Hi @anubhava -- whereabouts are you putting the headers in the vhost.conf file -- before or after the vhost definitions? – Martin Nov 24 '18 at 14:20
  • I am putting all of your first section before my vhost definitions. – anubhava Nov 24 '18 at 16:24

1 Answer


I found after much exploring that the reason this occurred was due to PHP being run via a CGI handler. Changing to suphp handler immediately resolved this issue.

Please see this question/answer and this answer.

Martin
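
A way to confirm from the client side which configuration layer is failing to deliver its headers, as an added example that is not part of the original posts: it audits a raw response head against a subset of the headers set in httpd.conf and the CSP set in .htaccess above. The two sample responses are constructed for illustration, and the function names are hypothetical.

```python
from email.parser import Parser  # response heads use RFC 822 style "Name: value" lines

# Expected headers: a subset of the page's httpd.conf block, plus its .htaccess CSP.
SERVER_WIDE = {
    "X-Content-Type-Options": "nosniff",
    "X-Frame-Options": "SAMEORIGIN",
    "Referrer-Policy": "origin-when-cross-origin",
}
PER_SITE = {
    "Content-Security-Policy": "upgrade-insecure-requests; default-src 'self' https:;",
}

def parse_headers(raw):
    """Return {lowercased name: [values]} from a raw response head (status line skipped)."""
    _, _, block = raw.strip().partition("\n")
    msg = Parser().parsestr(block, headersonly=True)
    found = {}
    for name, value in msg.items():
        found.setdefault(name.lower(), []).append(value.strip())
    return found

def audit(raw):
    """Report, per config layer, which expected headers are missing or differ."""
    found = parse_headers(raw)
    report = {}
    for layer, expected in (("httpd.conf", SERVER_WIDE), (".htaccess", PER_SITE)):
        problems = []
        for name, want in expected.items():
            got = found.get(name.lower())
            if got is None:
                problems.append(f"{name}: missing")
            elif want not in got:
                problems.append(f"{name}: got {got!r}")
        report[layer] = problems
    return report

# Constructed sample responses (not captured from a real server).
STATIC_FILE = """HTTP/1.1 200 OK
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
Referrer-Policy: origin-when-cross-origin
Content-Security-Policy: upgrade-insecure-requests; default-src 'self' https:;
"""
PHP_PAGE = """HTTP/1.1 200 OK
x-content-type-options: nosniff
X-Frame-Options: SAMEORIGIN
Referrer-Policy: origin-when-cross-origin
"""

if __name__ == "__main__":
    for label, raw in (("static file", STATIC_FILE), ("PHP page", PHP_PAGE)):
        print(label, audit(raw))
```

Running the audit against both a static file and a PHP page of the same site shows whether the missing headers depend on the handler serving the request.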