Origin Cache-Control Headers Not Passed by CF
Hi guys, for some reason Cloudflare is not passing the cache control headers I've specified in my apache configuration on ONE domain only. My other website passes its cache control values through Cloudflare just fine. I've verified through using curl -I on the origin server that the apache conf IS valid, and that it is returning the proper cache-control values. But for some reason CF still chooses to send its own despite Respect Existing Headers being selected under Browser Cache TTL. My conf file is below. Any help or insights you could provide will be helpful! Thanks!
<IfModule mod_ssl.c>
<VirtualHost *:443>
#### Virtual Host Configuration for my.website
# NOTE(review): every Header rule below is scoped to this *:443 vhost, so it is
# only applied to requests that actually land here. A local test against
# 127.0.0.1:443 shows this vhost is correct, not that the CDN reaches it: if the
# edge connects to the origin over plain HTTP on port 80 (Cloudflare's
# "Flexible" SSL/TLS mode) or a different vhost matches, none of these headers
# are sent. Confirm in the access log which vhost served the edge's request.
ServerAdmin webmaster@my.website
ServerName my.website
ServerAlias www.my.website
DocumentRoot /var/www/my.website
<Directory /var/www/my.website>
Options FollowSymLinks
# .htaccess files are ignored here, so per-directory files cannot override the
# headers set in this vhost.
AllowOverride None
Require all granted
</Directory>
#### Cache rules and security headers
# Everything down to the matching </IfModule> is skipped without an error when
# mod_headers is not loaded; the security headers would then be missing with
# nothing in the logs to say so.
<IfModule mod_headers.c>
## Security headers
<IfModule mod_rewrite.c>
RewriteEngine On
# The rule that would populate CSP_NONCE is commented out, so nothing visible in
# this vhost sets that variable (see the note on Content-Security-Policy below).
#### RewriteRule ^ - [E=CSP_NONCE:%{UNIQUE_ID}e]
</IfModule>
## CORS headers
# NOTE(review): Access-Control-Allow-Origin accepts a single origin (or "*"),
# not a space-separated list; browsers will fail the CORS check on this value.
# If more than one origin really needs to read responses, echo the request's
# Origin only when it is on an allow-list and add "Vary: Origin" so a shared
# cache does not serve one origin's answer to another. Same-origin requests
# need no CORS header at all, and the analytics beacon is presumably covered by
# connect-src in the CSP rather than by this header (confirm).
Header always set Access-Control-Allow-Origin "https://my.website https://cloudflareinsights.com"
Header always set Access-Control-Allow-Methods "GET, POST, OPTIONS"
Header always set Access-Control-Allow-Headers "Content-Type, Authorization"
# NOTE(review): script-src references %{CSP_NONCE}e, but the only visible rule
# that sets CSP_NONCE is disabled. mod_headers substitutes a fixed placeholder
# for an unset variable (typically the literal "(null)"), so the policy carries
# no usable nonce. Re-enabling the rule as written would not fix it: UNIQUE_ID
# (mod_unique_id) is designed to be unique, not unpredictable, and a nonce also
# has to appear in the page's own <script> tags and differ on every response,
# which conflicts with the "public" caching of .html files further down.
# For static pages, hashes or plain host allow-listing fit better.
Header always set Content-Security-Policy "default-src 'self'; style-src 'self' https://cdnjs.cloudflare.com https://fonts.googleapis.com; font-src 'self' https://cdnjs.cloudflare.com https://fonts.gstatic.com; img-src 'self'; script-src 'self' https://static.cloudflareinsights.com 'nonce-%{CSP_NONCE}e'; connect-src 'self' https://cloudflareinsights.com; object-src 'none';"
Header always set Referrer-Policy "strict-origin-when-cross-origin"
# One year, subdomains included: every subdomain of my.website has to be
# reachable over HTTPS for as long as browsers remember this policy.
Header always set Strict-Transport-Security "max-age=31536000; includeSubdomains"
# CSP "frame-ancestors 'self'" is the standards-track equivalent of this header;
# it is not present in the policy above.
Header always set X-Frame-Options "SAMEORIGIN"
Header always set X-Content-Type-Options "nosniff"
## Cache Control Rules - Specific Rules First
# These use "Header set" without "always", unlike the security headers above,
# so they are not added to error responses that Apache generates itself.
# Fonts: one year, immutable.
<FilesMatch "\.(ttf|otf|eot|woff|woff2)$">
Header set Cache-Control "max-age=31536000, public, immutable"
</FilesMatch>
# Images: one year.
<FilesMatch "\.(jpg|jpeg|png|gif|ico|webp|svg)$">
Header set Cache-Control "max-age=31536000, public"
</FilesMatch>
# Stylesheets and scripts: 2628000 s (about one month).
<FilesMatch "\.(css|js)$">
Header set Cache-Control "max-age=2628000, public"
</FilesMatch>
# HTML: one hour.
<FilesMatch "\.(html|htm)$">
Header set Cache-Control "max-age=3600, public"
</FilesMatch>
# Catch-all: setifempty leaves an existing Cache-Control untouched, so this only
# labels responses that nothing earlier has labelled.
# NOTE(review): "public" explicitly lets shared caches store a response, even
# one to a request that carried an Authorization header (which the CORS rules
# above permit). Any personalised or authenticated response served from this
# vhost must send "private" or "no-store" itself, or it inherits a
# seven-day public lifetime from this rule.
<FilesMatch ".*">
Header setifempty Cache-Control "max-age=604800, public"
</FilesMatch>
</IfModule>
#### SSL Configuration
#[redacted]
#### Logging
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>
</IfModule>
<IfModule mod_ssl.c>
<VirtualHost *:443>
#### Virtual Host Configuration for my.website
# NOTE(review): every Header rule below is scoped to this *:443 vhost, so it is
# only applied to requests that actually land here. A local test against
# 127.0.0.1:443 shows this vhost is correct, not that the CDN reaches it: if the
# edge connects to the origin over plain HTTP on port 80 (Cloudflare's
# "Flexible" SSL/TLS mode) or a different vhost matches, none of these headers
# are sent. Confirm in the access log which vhost served the edge's request.
ServerAdmin webmaster@my.website
ServerName my.website
ServerAlias www.my.website
DocumentRoot /var/www/my.website
<Directory /var/www/my.website>
Options FollowSymLinks
# .htaccess files are ignored here, so per-directory files cannot override the
# headers set in this vhost.
AllowOverride None
Require all granted
</Directory>
#### Cache rules and security headers
# Everything down to the matching </IfModule> is skipped without an error when
# mod_headers is not loaded; the security headers would then be missing with
# nothing in the logs to say so.
<IfModule mod_headers.c>
## Security headers
<IfModule mod_rewrite.c>
RewriteEngine On
# The rule that would populate CSP_NONCE is commented out, so nothing visible in
# this vhost sets that variable (see the note on Content-Security-Policy below).
#### RewriteRule ^ - [E=CSP_NONCE:%{UNIQUE_ID}e]
</IfModule>
## CORS headers
# NOTE(review): Access-Control-Allow-Origin accepts a single origin (or "*"),
# not a space-separated list; browsers will fail the CORS check on this value.
# If more than one origin really needs to read responses, echo the request's
# Origin only when it is on an allow-list and add "Vary: Origin" so a shared
# cache does not serve one origin's answer to another. Same-origin requests
# need no CORS header at all, and the analytics beacon is presumably covered by
# connect-src in the CSP rather than by this header (confirm).
Header always set Access-Control-Allow-Origin "https://my.website https://cloudflareinsights.com"
Header always set Access-Control-Allow-Methods "GET, POST, OPTIONS"
Header always set Access-Control-Allow-Headers "Content-Type, Authorization"
# NOTE(review): script-src references %{CSP_NONCE}e, but the only visible rule
# that sets CSP_NONCE is disabled. mod_headers substitutes a fixed placeholder
# for an unset variable (typically the literal "(null)"), so the policy carries
# no usable nonce. Re-enabling the rule as written would not fix it: UNIQUE_ID
# (mod_unique_id) is designed to be unique, not unpredictable, and a nonce also
# has to appear in the page's own <script> tags and differ on every response,
# which conflicts with the "public" caching of .html files further down.
# For static pages, hashes or plain host allow-listing fit better.
Header always set Content-Security-Policy "default-src 'self'; style-src 'self' https://cdnjs.cloudflare.com https://fonts.googleapis.com; font-src 'self' https://cdnjs.cloudflare.com https://fonts.gstatic.com; img-src 'self'; script-src 'self' https://static.cloudflareinsights.com 'nonce-%{CSP_NONCE}e'; connect-src 'self' https://cloudflareinsights.com; object-src 'none';"
Header always set Referrer-Policy "strict-origin-when-cross-origin"
# One year, subdomains included: every subdomain of my.website has to be
# reachable over HTTPS for as long as browsers remember this policy.
Header always set Strict-Transport-Security "max-age=31536000; includeSubdomains"
# CSP "frame-ancestors 'self'" is the standards-track equivalent of this header;
# it is not present in the policy above.
Header always set X-Frame-Options "SAMEORIGIN"
Header always set X-Content-Type-Options "nosniff"
## Cache Control Rules - Specific Rules First
# These use "Header set" without "always", unlike the security headers above,
# so they are not added to error responses that Apache generates itself.
# Fonts: one year, immutable.
<FilesMatch "\.(ttf|otf|eot|woff|woff2)$">
Header set Cache-Control "max-age=31536000, public, immutable"
</FilesMatch>
# Images: one year.
<FilesMatch "\.(jpg|jpeg|png|gif|ico|webp|svg)$">
Header set Cache-Control "max-age=31536000, public"
</FilesMatch>
# Stylesheets and scripts: 2628000 s (about one month).
<FilesMatch "\.(css|js)$">
Header set Cache-Control "max-age=2628000, public"
</FilesMatch>
# HTML: one hour.
<FilesMatch "\.(html|htm)$">
Header set Cache-Control "max-age=3600, public"
</FilesMatch>
# Catch-all: setifempty leaves an existing Cache-Control untouched, so this only
# labels responses that nothing earlier has labelled.
# NOTE(review): "public" explicitly lets shared caches store a response, even
# one to a request that carried an Authorization header (which the CORS rules
# above permit). Any personalised or authenticated response served from this
# vhost must send "private" or "no-store" itself, or it inherits a
# seven-day public lifetime from this rule.
<FilesMatch ".*">
Header setifempty Cache-Control "max-age=604800, public"
</FilesMatch>
</IfModule>
#### SSL Configuration
#[redacted]
#### Logging
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>
</IfModule>
curl -I output:
curl -I --resolve my.website:443:127.0.0.1 https://my.website/assets/fonts/Cinzel-Regular.ttf
[omitted lines to save space]
Cache-Control: max-age=31536000, public, immutable
Content-Type: font/ttf
curl -I --resolve my.website:443:127.0.0.1 https://my.website/assets/fonts/Cinzel-Regular.ttf
[omitted lines to save space]
Cache-Control: max-age=31536000, public, immutable
Content-Type: font/ttf