htaccess settings and PHP generated pages

phiw13

In short: some settings /directives specified in an htaccess file have no effect on PHP generated pages. A few that comes to mind: use of mod_deflate for gzipping pages, setting /unsetting headers to control CSP policies. Both work perfectly on .html or JS, CSS, …

The first one I can work around by setting zlib.output_compression = On in a .user.ini file. The second issue I would then have to set those headers in PHP in my templates (easily done in Textpattern, my CMS, makes that actually very easy)?

Or did I miss a setting somewhere that magically make my old tricks work at Opalstack, Apache + PHP configuration?

Thank you for any insight.

sean

phiw13 we can enable gzip compression for individual applications from our end. If you'd like that done then please email support @ opalstack.com to let us know which apps.

For your CSP headers, if you're using an Apache + PHP-CGI app then you should be able to set that in .htaccess. If you're using Nginx + PHP-FPM then you'll need to do it in PHP.

phiw13

Hi Sean,

Thank you for your comment. As noted in my OP, configuration is Apache + PHP-CGI.

Compare the results of (curl, or check the browser console):

curl -L -I https://emps.l-c-n.com
curl -L -I https://emps.l-c-n.com/about/

In the second URL, I set those HTTP headers with PHP.

the htaccess files contains the following (which works correctly for other resources: html / JS / CSS / …):

<ifModule mod_headers.c>
    Header unset P3P
    Header unset ETag
    FileETag None
    Header always set Strict-Transport-Security "max-age=16070400"
    Header always set Referrer-Policy "strict-origin-when-cross-origin"
    Header always set X-XSS-Protection "1; mode=block"
    Header always set X-Frame-Options "DENY"
    Header always set X-Content-Type-Options "nosniff"
    Header set Content-Security-Policy " default-src 'self'; font-src 'self'; img-src 'self' data: * https://*;  media-src 'self'; style-src 'self' 'unsafe-inline'; script-src 'self' https:"
    Header always set Permissions-Policy: accelerometer=(),ambient-light-sensor=(),autoplay=(),battery=(),camera=(),display-capture=(),fullscreen=(self),geolocation=(),gyroscope=(),interest-cohort=(),magnetometer=(),microphone=(),midi=(),payment=(),picture-in-picture=(),screen-wake-lock=()

I will email support next for the gzip part.

Thank you again