J'ai un sous-domaine appelé cdn.domain.com
, à partir de laquelle je sers CSS, JS et quelques images. Quand je lance le audit
de Google Chrome, il est dit que je peux améliorer la vitesse en servant ces fichiers depuis un domaine sans cookie. J'ai cherché sur Internet et a trouvé la plupart du temps ceci:comment supprimer les cookies pour domaine cookieless
<FilesMatch "\.(js|css|jpg|png|jpeg|gif|xml|json|txt|pdf|mov|avi|otf|woff|ico|swf)$">
RequestHeader unset Cookie
Header unset Cookie
Header unset Set-Cookie
</FilesMatch>
Mais quand j'ajoute à mon .htaccess dans ma racine, je ne vois aucun changement dans mes demandes, quand j'ajoute cela à la .htaccess de le cdn.domain.com
, rien ne se passe aussi bien. Quand je regarde je vois toujours dans les en-têtes de demande ceci:
Cookie:__utma=124771992.1672641002.1393489852.1393489852.1393489852.1; __utmz=124771992.1393489852.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); cve=7%2BOFANPFY6bPsm9274j8hJIz%2BPvLQRT%2FJZG9ftr2o7c%3D; cvp=dNuYumBN%2F642JaRgONUeEq1upp2y%2F%2FtDjt%2BBbV87W%2BA%3D
Le sous-domaine est un sous-dossier du domaine global. deux mondial et le sous-domaine ont ce .htaccess:
# http://www.askapache.com/htaccess/htaccess.html
## ERRORDOCUMENTS
# http://askapache.com/htaccess/apache-status-code-headers-errordocument.html
ErrorDocument 400 /include/html/errorPages/400.html
ErrorDocument 403 /include/html/errorPages/403.html
ErrorDocument 404 /include/html/errorPages/404.html
ErrorDocument 500 /include/html/errorPages/500.html
<IfModule mod_headers.c>
SetEnvIf Origin "http(s)?://(www\.)?(copperviper.com)$" AccessControlAllowOrigin=$0$1
Header set Access-Control-Allow-Origin %{AccessControlAllowOrigin}e env=AccessControlAllowOrigin
Header set Access-Control-Allow-Credentials true
</IfModule>
<FilesMatch "\.(js|css|jpg|png|jpeg|gif|xml|json|txt|pdf|mov|avi|otf|woff|ico|swf)$">
RequestHeader unset Cookie
Header unset Cookie
Header unset Set-Cookie
</FilesMatch>
order deny,allow
deny from all
allow from 62.132.244.73
# Possible values for the Options directive are "None", "All", or any combination of:
# Indexes Includes FollowSymLinks SymLinksifOwnerMatch ExecCGI MultiViews
RewriteEngine On
RewriteBase /cdn/
# REWRITE TO WWW
RewriteCond %{REQUEST_URI} !^/robots\.txt$ [NC]
RewriteCond %{HTTP_HOST} !^www\.[a-z-]+\.[a-z]{2,6} [NC]
RewriteCond %{HTTP_HOST} ([a-z-]+\.[a-z]{2,6})$ [NC]
RewriteRule ^/(.*)$ http://%1/$1 [R=301,L]
# REWRITE TO SEF URL'S
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule ^(.*)/(.*)/(.*)/(.*) index.php?a=$1&b=$2&c=$3&d=$4 [QSA,L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule ^(.*)/(.*)/(.*) index.php?a=$1&b=$2&c=$3 [QSA,L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule ^(.*)/(.*) index.php?a=$1&b=$2 [QSA,L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule ^(.*) index.php?a=$1 [QSA,L]
# COMPRESSION
SetOutputFilter DEFLATE
AddOutputFilterByType DEFLATE text/plain text/html text/x-php text/xml text/css application/xml application/xhtml+xml application/rss+xml application/javascript application/x-javascript application/x-httpd-php application/octet-stream image/svg+xml application/font-woff image/svg+xml
# REMOVE BROWSER BUGS
BrowserMatch ^Mozilla/4 gzip-only-text/html
BrowserMatch ^Mozilla/4\.0[678] no-gzip
BrowserMatch \bMSIE !no-gzip !gzip-only-text/html
Header append Vary User-Agent
# enable PHP error logging
php_flag log_errors on
php_flag display_startup_errors on
php_flag display_errors on
php_flag html_errors on
php_value docref_root 3
php_value docref_ext 3
php_value upload_max_filesize 2000M
php_value post_max_size 2000M
php_value max_execution_time 200000
php_value max_input_time 200000
# CACHED FOREVER
# MOD_REWRITE TO RENAME EVERY CHANGE
ExpiresActive On
ExpiresDefault A29030400
Header set Cache-Control "public"
Header set Expires "Thu, 15 Apr 2010 20:00:00 GMT"
Header unset Last-Modified
# PROTECT .htaccess
<Files ~ "^.*\.([Hh][Tt][Aa])">
order allow,deny
deny from all
satisfy all
</Files>
# Commonly used filename extensions to character sets.
AddDefaultCharset UTF-8
DefaultLanguage en-US
# Set the Time Zone of your Server
SetEnv TZ Etc/GMT
# ServerAdmin: This address appears on some server-generated pages, such as error documents.
SetEnv SERVER_ADMIN [email protected]
# SEND CUSTOM HEADERS
Header set P3P "policyref='http://www.askapache.com/w3c/p3p.xml'"
Header set X-Pingback "http://www.askapache.com/xmlrpc.php"
Header set Content-Language "en-US"
Header set Vary "Accept-Encoding"
# ADD VALUES FROM HTTP HEADERS
SetEnvIfNoCase ^If-Modified-Since$ "(.+)" HTTP_IF_MODIFIED_SINCE=$1
SetEnvIfNoCase ^If-None-Match$ "(.+)" HTTP_IF_NONE_MATCH=$1
SetEnvIfNoCase ^Cache-Control$ "(.+)" HTTP_CACHE_CONTROL=$1
SetEnvIfNoCase ^Connection$ "(.+)" HTTP_CONNECTION=$1
SetEnvIfNoCase ^Keep-Alive$ "(.+)" HTTP_KEEP_ALIVE=$1
SetEnvIfNoCase ^Authorization$ "(.+)" HTTP_AUTHORIZATION=$1
SetEnvIfNoCase ^Cookie$ "(.+)" HTTP_MY_COOKIE=$1
# Optionally add a line containing the server version and virtual host
# name to server-generated pages (internal error documents, FTP directory
# listings, mod_status and mod_info output etc., but not CGI generated
# documents or custom error documents).
# Set to "EMail" to also include a mailto: link to the ServerAdmin.
# Set to one of: On | Off | EMail
ServerSignature On
## LIMIT UPLOAD FILE SIZE TO PROTECT AGAINST DOS ATTACK
#bytes, 0-2147483647(2GB)
LimitRequestBody 10240000
## MOST SECURE WAY TO REQUIRE SSL
# http://www.askapache.com/htaccess/apache-ssl-in-htaccess-examples.html
#SSLOptions +StrictRequire
#SSLRequireSSL
#SSLRequire %{HTTP_HOST} eq "askapache.com"
#ErrorDocument 403 https://askapache.com
# Safe Request Methods
# Denies any request not using GET,PROPFIND,POST,OPTIONS,PUT,HEAD[403]
RewriteCond %{REQUEST_METHOD} !^(GET|HEAD|POST|PROPFIND|OPTIONS|PUT)$ [NC]
RewriteRule .* - [F,NS,L]
# Forbid Proxies^
# Denies any POST Request using a Proxy Server. Can still access site, but not comment. http://perishablepress.com/press/2008/04/20/how-to-block-proxy-servers-via-htaccess/
RewriteCond %{REQUEST_METHOD} =POST
RewriteCond %{HTTP:VIA}%{HTTP:FORWARDED}%{HTTP:USERAGENT_VIA}%{HTTP:X_FORWARDED_FOR}%{HTTP:PROXY_CONNECTION} !^$ [OR]
RewriteCond %{HTTP:XPROXY_CONNECTION}%{HTTP:HTTP_PC_REMOTE_ADDR}%{HTTP:HTTP_CLIENT_IP} !^$
RewriteRule .* - [F,NS,L]
# HTTP PROTOCOL^
# Denies any badly formed HTTP PROTOCOL in the request, 0.9, 1.0, and 1.1 only
RewriteCond %{THE_REQUEST} !^[A-Z]{3,9}\ .+\ HTTP/(0\.9|1\.0|1\.1) [NC]
RewriteRule .* - [F,NS,L]
# SPECIFY CHARACTERS^
# Denies any request for a url containing characters other than "a-zA-Z0-9.+/-?=&" - REALLY helps but may break your site depending on your links.
RewriteCond %{THE_REQUEST} !^[A-Z]{3,9}\ [a-zA-Z0-9\.\+_/\-\?\=\&]+\ HTTP/ [NC]
RewriteRule .* - [F,NS,L]
# BAD Content Length^
# Denies any POST request that doesnt have a Content-Length Header
RewriteCond %{REQUEST_METHOD} =POST
RewriteCond %{HTTP:Content-Length} ^$
RewriteRule .* - [F,NS,L]
# BAD Content Type^
# Denies any POST request with a content type other than application/x-www-form-urlencoded|multipart/form-data
RewriteCond %{REQUEST_METHOD} =POST
RewriteCond %{HTTP:Content-Type} !^(application/x-www-form-urlencoded|multipart/form-data.*(boundary.*)?)$ [NC]
RewriteRule .* - [F,NS,L]
# Missing HTTP_HOST^
# Denies requests that dont contain a HTTP HOST Header.
RewriteCond %{HTTP_HOST} ^$
RewriteRule .* - [F,NS,L]
# Bogus Graphics Exploit^
# Denies obvious exploit using bogus graphics
RewriteCond %{HTTP:Content-Disposition} \.php [NC]
RewriteCond %{HTTP:Content-Type} image/.+ [NC]
RewriteRule .* - [F,NS,L]
# No UserAgent, Not POST^
# Denies POST requests by blank user-agents. May prevent a small number of visitors from POSTING.
RewriteCond %{REQUEST_METHOD} =POST
RewriteCond %{HTTP_USER_AGENT} ^-?$
RewriteRule .* - [F,NS,L]
Qu'est-ce que je fais mal ici?
Je n'ai pas étudié votre code à fond, mais: 1) Ce que l'Audit avertit, c'est d'avoir des requêtes HTTP plus importantes - ignorer les données reçues sur le serveur ne va pas résoudre ce problème. 2) 'cdn.domain.com' ne peut empêcher' domain.com' de paramétrer les cookies. Vous devez vous assurer que votre application ne génère pas de cookies pour le domaine complet. –
Comment empêcher mon domaine de définir des cookies pour ces fichiers spécifiques? – SheperdOfFire
Comment paramétrez-vous les cookies? –