i've calculated the size of the response document generated by a cgi script and sent the correct Content-Length header - it's quite doable in a script.

mod_deflate certainly knows what the size of the compressed and uncompressed content is, so that would be an easy header to send.
i haven't had a chance to test and see if mod_deflate always sends Content-Length or which length it sends.

the following (as seen in lucy24's examples) should always be paired headers:
Vary: Accept-Encoding
Content-Encoding: gzip
this is done so that proxy servers will cache both gzip-encocoded and uncompressed versions of the response and then serve the appropriate cached resource depending on recognition of subsequently sent "Accept-Encoding: gzip" HTTP Request headers.

as i mentioned in a previous post, mod_expires easily handles the Expires and Cache-Control HTTP headers for static files - it works like magic.

i always prefer to turn off any X-Powered-By headers.
why expose your technology?
"Server: Apache" is okay but i would show much more than that.

i've calculated the size of the response document generated by a cgi script and sent the correct Content-Length header - it's quite doable in a script.

Very doable -- It's just necessary to make sure it's actually the content-length that's calculated, and not the full PHP file-size or any code or any headers sent by the script, etc.

i always prefer to turn off any X-Powered-By headers.

Definitely [most of the time lol] -- I do like to have some fun and just overwrite the x-powered-by sometimes by setting is as something like X-Powered-By: Electricity once in a while :)

"Server: Apache" is okay but i would show much more than that.

Definitely x 2 -- Unfortunately many are at the mercy of their host since the Server: header is set within the Apache core and can only be changed in the cofig file.

This setting applies to the entire server, and cannot be enabled or disabled on a virtualhost-by-virtualhost basis.

http://httpd.apache.org/docs/2.4/mod/core.html#servertokens

And, just to quash any "obscurity is not security" arguments before they start:

One of the reasons why combination padlocks usually stay locked, even in a public area, is the information to open them is obscure -- I think anyone agree it would be pretty silly to think "an obscure combination won't do any good, because obscurity is not security" so they write the combo on the back, or, that every combination padlock should open with 1-1-1.

Also, the "more obscure" a password is the more secure password protection becomes, which is why "special characters", "different case characters + numbers", etc. are requirements for many passwords these days.

Obviously: More Obscurity === Better Security

Obscurity is not "the final line" of security wrt servers, but it's certainly better than just broadcasting "this is exactly what I'm using, so feel free to hack right in if you already know of a hole that exists."

Seriously illogical arguments about obscuring information not being a form of security are seriously illogical.

yours is the first I've seen send both those two via .htaccess rather than having to set them in PHP -- I think I've seen cache-control sent by one server before not expires or content length

I don't understand this part. But I misremembered something about how I set caching. The live site's htaccess says

ExpiresActive On
ExpiresDefault "access plus 1 month"
ExpiresByType text/html "access plus 7 days"

On MAMP the last line is
ExpiresByType text/html "access"

My test site says
ExpiresByType text/html "access"
ExpiresByType text/php "access"

Both of those are for the obvious reason: these sites exist only for testing, so I don't want the browser to cache things that may change tomorrow. My primary site (whether live or MAMP) doesn't say anything about expiration for php. But, again, I'd forgotten until this instant that expiration settings of this type apply to the real, physical file, not to the URL. (I used to use administrative gifs taking advantage of this detail.)


My MAMP installation is basically default settings throughout. I don't suppose it gzips anything, because why would it?

Isn't the content-length header supposed to be the actual size of the material being sent out? It shouldn't make any difference how the material was generated in the first place, just what the browser should be prepared to take in.

---

My host won't say what apache version we're on "for security reasons". But then they turn around and point to a simple routine that will tell you exactly which mods are available. That's the only reason I know we're on 2.2 rather than 2.4 or --shudder-- 1.3.

Isn't the content-length header supposed to be the actual size of the material being sent out? It shouldn't make any difference how the material was generated in the first place, just what the browser should be prepared to take in.

Apache only calculates content-length if the calculation will not holdup the output, which it would for PHP and other parsed files that may change in size for every request depending on variables present, so for "dynamic files" content-length will generally [by default] not be calculated -- IDK if there's an override for this or not, but yours being sent for the gzipped files are likely, imo, being calculated and set because of, or, by mod_deflate.

web2008, see earlier post about mod_speling.

Lucy thank you for your help. I appreciate it. Your expertise is way beyond my knowledge. I didn’t realize how complex this issue was.

If I understand correctly, all I have to do is rename physical directories to lowercase letters and add CheckSpelling Off and CheckCaseOnly On in htaccess?

Please review htacces file.
I have added (Options –MultiViews) per 1&1 instruction and added (301 Redirect old file example) just in case I need to change some file name.

.htaccess
-----------------------------------------------------------
# whenever using mod_rewrite and/or the rewrite engine, it MAY not function properly on standard shared hosting without the following line added.

Options -MultiViews


# redirect only example.com to www.example.com. Keep subdomains as it is.

RewriteEngine On
RewriteCond %{HTTP_HOST} ^example\.com [NC]
RewriteRule ^(.*) http://www.example.com/$1 [L,R=301]

# parse php in html PHP 5.4

AddHandler x-mapp-php6 .html .htm

# turning "spell checking" off. This is on by default and will therefore load http://example.com/file.html if http://example.com/file1.html does not exist

CheckSpelling Off

# enable case checking

CheckCaseOnly On

# custom error page

ErrorDocument 404 http://www.example.com/404.html

# 301 Redirect Old File

Redirect 301 www.example.com/old_file.html www.example.com/new/new-file.html
---------------------------------------------------------

Is everything correct?

Once you have one RewriteRule you should not use Redirect or RedirectMatch for any of the other rules. Convert all such directives to use RewriteRule.

The non-www/www redirect must be the last of the RewriteRules that redirect.

The RegEx pattern in the condition in the non-www/www redirect is non-optimum, replace

^example\.com [NC] 

with

!^(www\.example\.com)?$

Do not specify protocol and hostname in the 404 directive, otherwise it will return a 302 response.

RewriteRule ^(.*)

.* is greedy so you don't need the anchor - "RewriteRule (.*) http:..." is sufficient

Once you have one RewriteRule you should not use Redirect or RedirectMatch for any of the other rules. Convert all such directives to use RewriteRule.
The non-www/www redirect must be the last of the RewriteRules that redirect.
The RegEx pattern in the condition in the non-www/www redirect is non-optimum, replace ^example\.com [NC] with !^(www\.example\.com)?$
Do not specify protocol and hostname in the 404 directive, otherwise it will return a 302 response.

I would appreciate if you could write correct htaccess – as I don’t understand any of commands here.

Anyhow, I tried to follow your input. Is this htaccess correct now?


Options -MultiViews

ErrorDocument 404 http://www.example.com/404.html

AddHandler x-mapp-php6 .html .htm

CheckSpelling Off

CheckCaseOnly On

RewriteEngine On
RewriteCond %{HTTP_HOST} !^(www\.example\.com)?$
RewriteRule ^(.*) http://www.example.com/$1 [L,R=301]

Redirect 301 www.example.com/old_file.html www.example.com/new/new-file.html

ErrorDocument 404 http://www.example.com/404.html

You may have missed g1smd's note above. ErrorDocument lines, unlike redirect targets, must NOT include a protocol and hostname. In fact if you do include them, the 404 response is discarded and is replaced with a 302 redirect to the named document. This is the very last thing you want.

CheckSpelling Off
CheckCaseOnly On

This is what I would do, but it isn't what you meant. "CheckSpelling off" disables all of mod_speling, so the second line no longer does anything. What you meant to do was say "On" for both options-- except that, as noted above, this is not a desirable approach. mod_speling has to be considered the very last resort among redirect options.

Do not combine mod_alias (Redirect by that name) with mod_rewrite (RewriteRule).

# whenever using mod_rewrite and/or the rewrite engine, it MAY not function properly on standard shared hosting without the following line added.

Options -MultiViews

News to me. You do need to enable FollowSymLinks-- but that is almost certainly turned on in the config file already. (Because the alternative is for the host to be flooded with tech-support questions asking why their RewriteRules don't work.)

Following advices, I wrote .htaccess again. Is this correct now?
.htaccess
-----------------------------------------------------------
# whenever using mod_rewrite and/or the rewrite engine, it MAY not function properly on standard shared hosting without the following line added.
Options -MultiViews

RewriteEngine On

# Redirect Old File to New file permanent
RewriteRule archive/old.html company/new.html [R=301]
RewriteRule archive/old2.html company/new2.html [R=301]

# redirect only example.com to www.example.com. The non-www/www redirect must be the last of the RewriteRules that redirect.
# The "L” flag means that this is the “last” rewrite rule and to stop rewrite process.
RewriteCond %{HTTP_HOST} ^example\.com [NC]
RewriteRule ^(.*) http://www.example.com/$1 [L,R=301]

# parse php in html PHP 5.4
AddHandler x-mapp-php6 .html .htm

# turning "spell checking" off. This is on by default and will therefore load http://example.com/file.html if http://example.com/file1.html does not exist
CheckSpelling On

# enable case checking
CheckCaseOnly On

# add custom error page
ErrorDocument 404 /404.html

# Redirect Old File to New file permanent
RewriteRule archive/old.html company/new.html [R=301]
RewriteRule archive/old2.html company/new2.html [R=301]

You missed a chapter.
#1 the target of any redirect should include the full protocol plus hostname. Even the target of a rewrite should begin in /
#2 every redirect (flag in [R]) must also include the [L] flag unless you have a specific reason for omitting it. (I have never personally seen an R without an L. But obviously they exist, or else [L] would be implied in [R]. It isn't.)

# redirect only example.com to www.example.com. The non-www/www redirect must be the last of the RewriteRules that redirect.
# The "L” flag means that this is the “last” rewrite rule and to stop rewrite process.
RewriteCond %{HTTP_HOST} ^example\.com [NC]
RewriteRule ^(.*) http://www.example.com/$1 [L,R=301]

You may have misunderstood what [L] means. It doesn't mean "this is the end of all RewriteRules in the current htaccess file". It simply means "stop here if the rule has executed". That's why you need it on each separate RewriteRule.

Also: as previously noted, your domain-name-canonicalization redirect should be expressed as a negative. "If the hostname is anything other than my preferred form", so the condition is

RewriteCond %{HTTP_HOST} !^(www\.example\.com)?$

The part with the question mark is because http/1.0 doesn't send a hostname. This mainly applies to robots, but some humans do still use 1.0-- and it's generally out of their control.

# turning "spell checking" off. This is on by default and will therefore load http://example.com/file.html if http://example.com/file1.html does not exist
CheckSpelling On

# enable case checking
CheckCaseOnly On

This seems to be what you want (though I don't personally approve of it) but the comment is misleading. "CheckSpelling On" simply means enable mod_speling. To turn off the whole module, "CheckSpelling Off". Once you have said this, "CheckCaseOnly" is ignored, because it only applies within mod_speling.

What Lucy24 said, plus:

If there are additional subdomains in use, then they should be added to the negative match in the condition, if practical -- If it's not practical, then what you have is okay, even though it's not ideal.

RewriteCond %{HTTP_HOST} !^((some-sub|another-sub|www)\.example\.com)?$

---

I would write the file like this if there were multiple sub's -- If not, then I would use what Lucy24 posted for a negative match in the canonicalization condition:

Options -MultiViews
CheckSpelling Off
ErrorDocument 404 /404.html
AddHandler x-mapp-php6 .html .htm

RewriteEngine on
RewriteRule ^archive/old\.html$ http://www.example.com/company/new.html [R=301,L]
RewriteRule ^archive/old2\.html$ http://www.example.com/company/new2.html [R=301,L]

RewriteCond %{HTTP_HOST} !^((some-sub|another-sub|www)\.example\.com)?$
RewriteRule .? http://www.example.com%{REQUEST_URI} [R=301,L]

Redirect/rewrite and non-www/www that I used were from other forums over internet. Thank you for indicating errors and advice how to write correct code.

Hope that everything is fine now. By the way what for do I need ^ character in front of folder RewriteRule ^archive. Can I use like RewriteRule /archive?

.htaccess
-----------------------------------------------------------
# whenever using mod_rewrite and/or the rewrite engine
# it MAY not function properly on standard shared hosting without the following line added.
Options -MultiViews
# parse php in html PHP 5.4
AddHandler x-mapp-php6 .html .htm
# enable mod_speling
CheckSpelling On
# enable case checking
CheckCaseOnly On
# add custom error page
ErrorDocument 404 /404.html

# turns on the rewrite engine
RewriteEngine On

# Redirect Old File to New file
# 301-permanent R-redirect URL as well
# The "L” flag means stop here if the rule has executed.

RewriteRule ^archive/oldfile.html http://www.example.com/new/newfile.html [R=301,L]
or
RewriteRule /archive/oldfile.html http://www.example.com/new/newfile.html [R=301,L]

# redirect only example.com to www.example.com
# do not redirect subdomains
# The non-www/www redirect must be the last of the RewriteRules that redirect.

RewriteCond %{HTTP_HOST} !^(www\.example\.com)?$
RewriteRule ^(.*) http://www.example.com/$1 [L,R=301]

By the way what for do I need ^ character in front of folder RewriteRule ^archive. Can I use like RewriteRule /archive?

In Regular Expressions, ^ and $ are anchors meaning "the very beginning of the expression" and "the very end of the expression". (Sometimes "beginning/end of a single line", but this doesn't apply in mod_rewrite, because a request has no line breaks.) In mod_rewrite, "expression" means "the thing you're currently evaluating". In a condition it might be almnost anything; in the body of a rule, it's the "path" part of the request, generally beginning with the directory name.

Concrete example:

^rats/

means "in my /rats/ directory"

rats/

means "in /rats/ OR /paintings/rats/ OR /paintings/refrats/" and a couple of others.

Use $ when the expression has to end in the specified way, as opposed to simply containing the text somewhere along the way.

The ^ anchor has two uses. One is the same as $: use it if the specified text has to come at the very beginning. The other is to save time: if the specified text will come at the very beginning if it's anywhere at all, the opening anchor lets the RegEx engine get out of there faster. If the very first thing in the request is not
r
ra
rat
rats
rats/
then stop looking.

RewriteRule /archive

In htaccess (or in a <directory> section of the config file), this form will never match, unless there is another directory before /archive.

---

Come to think of it, how often do you have RewriteRules lying loose in a config file? At a minimum they'd be inside something like a /users/ or /sites/ directory.

RewriteRule ^archive/oldfile.html http://www.example.com/new/newfile.html [R=301,L]
or
RewriteRule /archive/oldfile.html http://www.example.com/new/newfile.html [R=301,L]

# redirect only example.com to www.example.com
# do not redirect subdomains
# The non-www/www redirect must be the last of the RewriteRules that redirect.

RewriteCond %{HTTP_HOST} !^(www\.example\.com)?$
RewriteRule ^(.*) http://www.example.com/$1 [L,R=301]

The preceding is incorrect - it will redirect archive/oldfileXhtml, archive/oldfileShtml, archive/oldfile/html, archive/oldfileQhtml, etc. and also not *only* redirect example.com with no sub-domain, but all sub-domains.

RewriteRule ^archive/oldfile\.html http://www.example.com/new/newfile.html [R=301,L]

# redirect only example.com to www.example.com
# do not redirect subdomains
# The non-www/www redirect must be the last of the RewriteRules that redirect.

RewriteCond %{HTTP_HOST} !^(www\.example\.com)?$
RewriteRule ^(.*) http://www.example.com/$1 [L,R=301]

# The preceding rule/condition redirects *anything* that's not www.example.com
# It's why I presented a different condition in a previous post.

# To redirect *only* non-www example.com, the following is correct:

RewriteCond %{HTTP_HOST} ^example\.com$
RewriteRule .? http://www.example.com%{REQUEST_URI} [L,R=301]

:: detour to first page of thread ::

web2008, do you have subdomains? I mean real ones, not "www." (technically a subdomain, but never mind that). The only mention of the word "subdomain" I can find is this bit:

# redirect only example.com to www.example.com. Keep subdomain as it is.

It isn't clear from context whether there are actual subdomains that you want to keep, or whether this is just a pasted-in comment from somewhere else.

web2008, do you have subdomains? I mean real ones, not "www."

Yes, we do have subdomains: m.example.com and blog.example.com We had problem with non-www/www redirect, as subdomains were not working correctly (www.m.example.com) so we don’t want subdomains redirection.

We tried many codes but the only one that was not messing subdomains and we still use is:

RewriteEngine On
RewriteCond %{HTTP_HOST} ^example\.com [NC]
RewriteRule ^(.*) http://www.example.com/$1 [L,R=301]

But per JD_Toims advice we will use now:

RewriteEngine On
RewriteCond %{HTTP_HOST} ^example\.com$
RewriteRule .? http://www.example.com%{REQUEST_URI} [L,R=301]

I have learned a lot thankfully to you guys. I didn’t have any idea how complex is setting htaccess and server. Thank you. Without your help I couldn’t do nothing.

Finally, correct code :-) Thank you!

Options -MultiViews
CheckSpelling On
CheckCaseOnly On
ErrorDocument 404 /404.html
AddHandler x-mapp-php6 .html .htm

RewriteEngine on

# old.htm to new.html

RewriteRule ^old\.htm$ http://www.example.com/company/new.html [R=301,L]
RewriteRule ^archive/old2\.html$ http://www.example.com/company/new2.html [R=301,L]

# To redirect *only* non-www example.com
RewriteCond %{HTTP_HOST} ^example\.com$
RewriteRule .? http://www.example.com%{REQUEST_URI} [L,R=301]

The pattern in the final condition should be something like:

!^((www|m|blog)\.example\.com)?$

so that it doesn't redirect requests for the specific listed subdomains.

I think he said somewhere along the line that there are requests for www.m.example.com, so those would have to be dealt with too.

Something like

RewriteCond %{HTTP_HOST} m\.example
RewriteCond %{HTTP_HOST} !^(m\.example\.com)?$
RewriteRule (.*) http://www.example.com/$1 [R=301,L]

and the same for blog.example.com. Once those are out of the way, you can default to the standard domain-name rule for the last one.

I wish it were possible to say

RewriteCond %{HTTP_HOST} (m|blog|sub1|sub2)\.example
RewriteCond %{HTTP_HOST} !^(%1\.example\.com)?$

but it falls apart when you reach the target :( I think you could do it if it were an access-control rule with no target at the end.

RewriteCond %{HTTP_HOST} !^((www\.)?(www|m|blog)\.example\.com)?$

Check that the response for

www.www.example.com

is acceptable to you.

Hi,
Thank you very much for helping me learn how to config htaccess. This is what I am using now.

Options -MultiViews
CheckSpelling On
CheckCaseOnly On
ErrorDocument 404 /404.html
AddHandler x-mapp-php6 .html .htm
RewriteEngine on
RewriteRule ^old\.htm$ http://www.example.com/company/new.html [R=301,L]
RewriteRule ^archive/old2\.html$ http://www.example.com/company/new2.html [R=301,L]
RewriteCond %{HTTP_HOST} ^example\.com$
RewriteRule .? http://www.example.com%{REQUEST_URI} [L,R=301]

However, with new htaccess I am getting errors when using secure connection (https) to site subdomains.

1. When I type [blog.example.com[...]
I get Chrome browser warning:

You attempted to reach blog.example.com but instead you actually reached a server identifying itself as www.example.com. This may be cause by a misconfiguration on the server.

If I proceed, I get 'Error 404-Not Found'

2. When I type [example.com...] it goes to www.example.com

3. When I type [example.com...] it goes to [example.com[...]

Under blog.example.com I have htaccess created by WordPress installation that I didn’t change.

# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
# END WordPress

Please advise.

Hi Lucy, thanks for your help. You are real expert!
I have followed your advise and removed WP rewrite rules htaccess from blog.example.com to root htacees.

RewriteEngine on
RewriteCond %{HTTP_HOST} ^example\.com$
RewriteRule .? http://www.example.com%{REQUEST_URI} [L,R=301]

# BEGIN WordPress
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
# END WordPress

RewriteCond %{HTTP_HOST} blog\.example\.com

Shouldn’t I write below since WP is under blog folder /blog/?
RewriteBase /blog/
RewriteRule ./blog /index.php [L]


However, it seems that blog is working fine, but there is still issue with https secure connection.

When typing [blog.example.com...] I'm getting Error 404 and server certificate doesn’t match URL. Certificate issued to www.example.com Is this normal behavior?

And when typing [example.com...] I'm getting www.example.com with no secure connection.

This has been a long thread. Did you at some point explain the physical configuration? I'm assuming

URL www.example.com/etcetera >> ordinary non-blog stuff here, based in whatever directory holds example.com

URL blog.example.com/etcetera >> blog stuff, based in a /blog/ directory (not necessarily with that name) physically located inside the example.com directory

If and only if this is the case, then there are two different "roots" depending on whether the hostname is www.example.com or blog.example.com. But all requests pass through the same htaccess; requests for a /blog/ subdirectory don't levitate past the outer directory and go straight to the inner one.

The target of a RewriteRule is the URLpath, beginning with the root. If it isn't an external redirect, it should begin with / slash. This makes the RewriteBase irrelevant. You're serving content from blog.example.com/index.php, not from www.example.com/blog/index.php.

The pattern of a RewriteRule is determined by the physical location of the htaccess file containing the rule. There are further complications if the RewriteRules are inside an envelope such as FilesMatch*; then they use physical paths, so ^ no longer means root.

Come to think of it, what happens if someone explicitly requests www.example.com/blog/something-here? This is one in a longish list of Things You Don't Have To Think About Until They Happen. (Like redirecting long ugly URLs with query strings: if the query-string version has never existed as a publicly visible URL, you may not even need to make a rule.)

---

Edit:
Oops, the http vs https aspect. Any given URL should exist either as a secure (https) or as a non-secure (http) address. Not both. There are further complications if the same non-page material is used by both types of URL. But the starting point is to identify which URLs are which. And don't look at me for the details of the rule. There are at least three possible conditions (HTTP_PROTOCOL, HTTP_PORT or is it REMOTE_PORT?, HTTPS on/off) and I don't know which is which ;)


* By the time I learned that you are not supposed to do this, I had got into the habit and am not prepared to give it up. I use it for image files.

This has been a long thread. Did you at some point explain the physical configuration? I'm assuming

URL www.example.com/etcetera >> ordinary non-blog stuff here, based in whatever directory holds example.com

URL blog.example.com/etcetera >> blog stuff, based in a /blog/ directory (not necessarily with that name) physically located inside the example.com directory

Thanks for checking this long post. It is probably my fault for post length because I was not precise enough. Your assumption about the physical configuration is correct. We have ordinary site with additional blog located at subdomain.
Site
www.example.com
Blog
http://blog.example.com pointing to http://example.com/blog/
I made a mistake to set a subdomain for the blog, because everything would be easier with a subfolder.

All of external blog links are in this format: http://blog.example.com/file-name/ and they are working
fine.

Come to think of it, what happens if someone explicitly requests www.example.com/blog/something-here?

When I try http://example.com/blog/category/file-name/
I get
http://www.example.com/index.php with
300 Multiple Choices: The document name you requested (/index.php) could not be found on this server. However, we found documents with names similar to the one you requested.