Redhat – Apache forces Cache-Control: private automatically for HTTPS requests

apache-2.2cacheredhatrhel6

I'm trying to get browsers to cache assets over HTTPS. I am using MD5 fingerprinting method to allow long-term caching and I have this part working OK.

What doesn't work is setting the Cache-Control headers in Apache.

My config for both regular and SSL vhost contains:

ExpiresActive On
ExpiresByType text/css "now plus 1 year"

HTTP request to /test.css produces headers:

Cache-Control: max-age=31536000
Content-Type: text/css
Date: Wed, 15 May 2013 10:33:01 GMT
Etag: "7e572-19-4dcbdc8c04529"
Expires: Thu, 15 May 2014 10:33:01 GMT
Last-Modified: Wed, 15 May 2013 08:46:21 GMT
Server: Apache/2.2.15 (Oracle)
Vary: Accept-Encoding,User-Agent

But HTTPS request to same file produces headers:

Cache-Control: private, must-revalidate, no-cache, no-store
Content-Type: text/css
Date: Wed, 15 May 2013 10:33:58 GMT
Etag: "7e572-19-4dcbdc8c04529"
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Last-Modified: Wed, 15 May 2013 08:46:21 GMT
Server: Apache/2.2.15 (Oracle)
Vary: Accept-Encoding,User-Agent

BTW, Adding this right after the ExpiresByType:

Header unset Expires
Header unset Cache-Control

removes these headers from HTTP, but not from HTTPS request.

Also, I have verified that any other header I set gets passed, but not cache related headers like Cache-Control or Expires – these get overwritten somewhere.

Is this normal Apache behavior or some Oracle or Red Hat patch that aims to security?

Can this be turned off somehow?

System info:

OS: Oracle Linux 6.4 (RHEL 6.4 based)
Apache: 2.2.15 (from rpm)

Best Answer

Use the Cache control: public directive to enable HTTPS caching for Firefox.

Some versions of Firefox require that the Cache control: public header to be set in order for resources sent over SSL to be cached on disk, even if the other caching headers are explicitly set. Although this header is normally used to enable caching by proxy servers (as described below), proxies cannot cache any content sent over HTTPS, so it is always safe to set this header for HTTPS resources

Source: https://developers.google.com/speed/docs/best-practices/caching#LeverageBrowserCaching

Related Solutions

Linux – Apache gzip configuration

Here's an ideal .htaccess that both compresses and sets sutiable expire headers.

# Insert filter
SetOutputFilter DEFLATE

# Netscape 4.x has some problems...
BrowserMatch ^Mozilla/4 gzip-only-text/html

# Netscape 4.06-4.08 have some more problems
BrowserMatch ^Mozilla/4\.0[678] no-gzip

# MSIE masquerades as Netscape, but it is fine
# BrowserMatch \bMSIE !no-gzip !gzip-only-text/html

# Make sure proxies don't deliver the wrong content
Header append Vary User-Agent env=!dont-vary

<IfModule mod_expires.c>
  ExpiresActive On
  ExpiresDefault "access plus 1 seconds"
  ExpiresByType image/x-icon "access plus 2592000 seconds"
  ExpiresByType image/jpeg "access plus 2592000 seconds"
  ExpiresByType image/png "access plus 2592000 seconds"
  ExpiresByType image/gif "access plus 2592000 seconds"
  ExpiresByType application/x-shockwave-flash "access plus 2592000 seconds"
  ExpiresByType text/css "access plus 604800 seconds"
  ExpiresByType text/javascript "access plus 216000 seconds"
  ExpiresByType application/x-javascript "access plus 216000 seconds"
  ExpiresByType text/html "access plus 600 seconds"
  ExpiresByType application/xhtml+xml "access plus 600 seconds"
</IfModule>

<IfModule mod_headers.c>
  <FilesMatch "\\.(ico|jpe?g|png|gif|swf)$">
    Header set Cache-Control "max-age=2592000, public"
  </FilesMatch>
  <FilesMatch "\\.(css)$">
    Header set Cache-Control "max-age=604800, public"
  </FilesMatch>
  <FilesMatch "\\.(js)$">
    Header set Cache-Control "max-age=216000, private"
  </FilesMatch>
  <FilesMatch "\\.(x?html?|php)$">
    Header set Cache-Control "max-age=600, private, must-revalidate"
  </FilesMatch>
</IfModule>

<IfModule mod_headers.c>
  Header unset ETag
</IfModule>
FileETag None

<IfModule mod_headers.c>
  Header unset Last-Modified
</IfModule>

The following article covers what it does and also talks about compression:

http://www.samaxes.com/2009/01/06/more-on-compressing-and-caching-your-site-with-htaccess/

Hope that helps.

Tomcat – Apache2 – mod_expire and mod_rewrite not working in httpd.conf – serving content from tomcat

Probably the ProxyPass / directive you have in your config routes all requests to the Tomcat backend, bypassing all your mod_rewrite directives. You can try to remove the ProxyPass directive and use RewriteRule with the [P] flag after your other rewrites:

mod_rewrite: P|proxy

For the expire headers the situation is worse — in another similar question a solution was not found.

Option +FollowSymLinks would be needed for using mod_rewrite in .htaccess files; in your case it is not required, because you can put everything in the Apache config. Moving rules from config to .htaccess is pointless and can only make things slower. However, there is an important difference between .htaccess and the Apache config — in .htaccess patterns in RewriteRule are matched against relative filesystem paths (which never start with /), while in the VirtualHost context these patterns are matched against the URL path after the hostname, which always starts with /. Therefore at least one of your rules is incorrect:

RewriteRule ^content/(js|css)/([a-z]+)-([0-9]+)\.(js|css)$ /content/$1/$2.$4

should be

RewriteRule ^/content/(js|css)/([a-z]+)-([0-9]+)\.(js|css)$ /content/$1/$2.$4

(note the additional slash in the beginning).

Best Answer

Related Solutions

Linux – Apache gzip configuration

Tomcat – Apache2 – mod_expire and mod_rewrite not working in httpd.conf – serving content from tomcat

Related Topic