How to remove cookies from a cookieless domain

Time: 2014-05-14 09:45:22

Tags: apache .htaccess mod-rewrite cookies

I have a subdomain called cdn.domain.com from which I serve CSS, JS and some images. When I run the Google Chrome audit, it says I could improve speed by serving these files from a cookieless domain. I searched the internet and mostly found this:

<FilesMatch "\.(js|css|jpg|png|jpeg|gif|xml|json|txt|pdf|mov|avi|otf|woff|ico|swf)$">
    RequestHeader unset Cookie
    Header unset Cookie
    Header unset Set-Cookie
</FilesMatch>

But when I add this to my .htaccess in the root directory, I see no change in my requests, and when I add it to the .htaccess of cdn.domain.com, nothing happens either. When I look at the request headers I always see:

Cookie:__utma=124771992.1672641002.1393489852.1393489852.1393489852.1; __utmz=124771992.1393489852.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); cve=7%2BOFANPFY6bPsm9274j8hJIz%2BPvLQRT%2FJZG9ftr2o7c%3D; cvp=dNuYumBN%2F642JaRgONUeEq1upp2y%2F%2FtDjt%2BBbV87W%2BA%3D

The subdomain is a subfolder of the global domain. Both the global domain and the subdomain have this .htaccess:

# http://www.askapache.com/htaccess/htaccess.html
## ERRORDOCUMENTS
# http://askapache.com/htaccess/apache-status-code-headers-errordocument.html
ErrorDocument 400 /include/html/errorPages/400.html
ErrorDocument 403 /include/html/errorPages/403.html
ErrorDocument 404 /include/html/errorPages/404.html
ErrorDocument 500 /include/html/errorPages/500.html

<IfModule mod_headers.c>
    SetEnvIf Origin "http(s)?://(www\.)?(copperviper.com)$" AccessControlAllowOrigin=$0$1
    Header set Access-Control-Allow-Origin %{AccessControlAllowOrigin}e env=AccessControlAllowOrigin
    Header set Access-Control-Allow-Credentials true
</IfModule>


<FilesMatch "\.(js|css|jpg|png|jpeg|gif|xml|json|txt|pdf|mov|avi|otf|woff|ico|swf)$">
    RequestHeader unset Cookie
    Header unset Cookie
    Header unset Set-Cookie
</FilesMatch>

order deny,allow
deny from all
allow from 62.132.244.73

# Possible values for the Options directive are "None", "All", or any combination of:
#  Indexes Includes FollowSymLinks SymLinksifOwnerMatch ExecCGI MultiViews
RewriteEngine On
RewriteBase /cdn/

# REWRITE TO WWW
RewriteCond %{REQUEST_URI} !^/robots\.txt$ [NC]
RewriteCond %{HTTP_HOST} !^www\.[a-z-]+\.[a-z]{2,6} [NC]
RewriteCond %{HTTP_HOST} ([a-z-]+\.[a-z]{2,6})$   [NC]
RewriteRule ^/(.*)$ http://%1/$1 [R=301,L]

# REWRITE TO SEF URL'S
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule ^(.*)/(.*)/(.*)/(.*) index.php?a=$1&b=$2&c=$3&d=$4 [QSA,L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule ^(.*)/(.*)/(.*) index.php?a=$1&b=$2&c=$3 [QSA,L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule ^(.*)/(.*) index.php?a=$1&b=$2 [QSA,L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule ^(.*) index.php?a=$1 [QSA,L]

# COMPRESSION
SetOutputFilter DEFLATE
AddOutputFilterByType DEFLATE text/plain text/html text/x-php text/xml text/css application/xml application/xhtml+xml application/rss+xml application/javascript application/x-javascript application/x-httpd-php application/octet-stream image/svg+xml application/font-woff image/svg+xml

# REMOVE BROWSER BUGS
BrowserMatch ^Mozilla/4 gzip-only-text/html
BrowserMatch ^Mozilla/4\.0[678] no-gzip
BrowserMatch \bMSIE !no-gzip !gzip-only-text/html
Header append Vary User-Agent

# enable PHP error logging
php_flag log_errors on
php_flag display_startup_errors on
php_flag display_errors on
php_flag html_errors on
php_value docref_root 3
php_value docref_ext 3

php_value upload_max_filesize 2000M
php_value post_max_size 2000M
php_value max_execution_time 200000
php_value max_input_time 200000

# CACHED FOREVER
# MOD_REWRITE TO RENAME EVERY CHANGE
ExpiresActive On
ExpiresDefault A29030400
Header set Cache-Control "public"
Header set Expires "Thu, 15 Apr 2010 20:00:00 GMT"
Header unset Last-Modified

# PROTECT .htaccess
<Files ~ "^.*\.([Hh][Tt][Aa])">
order allow,deny
deny from all
satisfy all
</Files>

# Commonly used filename extensions to character sets.
AddDefaultCharset UTF-8
DefaultLanguage en-US

# Set the Time Zone of your Server
SetEnv TZ  Etc/GMT

# ServerAdmin:  This address appears on some server-generated pages, such as error documents.
SetEnv SERVER_ADMIN bug@copper-viper.com

# SEND CUSTOM HEADERS
Header set P3P "policyref='http://www.askapache.com/w3c/p3p.xml'"
Header set X-Pingback "http://www.askapache.com/xmlrpc.php"
Header set Content-Language "en-US"
Header set Vary "Accept-Encoding"

# ADD VALUES FROM HTTP HEADERS
SetEnvIfNoCase ^If-Modified-Since$ "(.+)" HTTP_IF_MODIFIED_SINCE=$1
SetEnvIfNoCase ^If-None-Match$ "(.+)" HTTP_IF_NONE_MATCH=$1
SetEnvIfNoCase ^Cache-Control$ "(.+)" HTTP_CACHE_CONTROL=$1
SetEnvIfNoCase ^Connection$ "(.+)" HTTP_CONNECTION=$1
SetEnvIfNoCase ^Keep-Alive$ "(.+)" HTTP_KEEP_ALIVE=$1
SetEnvIfNoCase ^Authorization$ "(.+)" HTTP_AUTHORIZATION=$1
SetEnvIfNoCase ^Cookie$ "(.+)" HTTP_MY_COOKIE=$1

# Optionally add a line containing the server version and virtual host
# name to server-generated pages (internal error documents, FTP directory
# listings, mod_status and mod_info output etc., but not CGI generated
# documents or custom error documents).
# Set to "EMail" to also include a mailto: link to the ServerAdmin.
# Set to one of:  On | Off | EMail
ServerSignature On

## LIMIT UPLOAD FILE SIZE TO PROTECT AGAINST DOS ATTACK
#bytes, 0-2147483647(2GB)
LimitRequestBody 10240000

## MOST SECURE WAY TO REQUIRE SSL
# http://www.askapache.com/htaccess/apache-ssl-in-htaccess-examples.html
#SSLOptions +StrictRequire
#SSLRequireSSL
#SSLRequire %{HTTP_HOST} eq "askapache.com"
#ErrorDocument 403 https://askapache.com

# Safe Request Methods
# Denies any request not using GET,PROPFIND,POST,OPTIONS,PUT,HEAD[403]
RewriteCond %{REQUEST_METHOD} !^(GET|HEAD|POST|PROPFIND|OPTIONS|PUT)$ [NC]
RewriteRule .* - [F,NS,L]

# Forbid Proxies ^
# Denies any POST Request using a Proxy Server. Can still access site, but not comment. http://perishablepress.com/press/2008/04/20/how-to-block-proxy-servers-via-htaccess/
RewriteCond %{REQUEST_METHOD} =POST
RewriteCond %{HTTP:VIA}%{HTTP:FORWARDED}%{HTTP:USERAGENT_VIA}%{HTTP:X_FORWARDED_FOR}%{HTTP:PROXY_CONNECTION} !^$ [OR]
RewriteCond %{HTTP:XPROXY_CONNECTION}%{HTTP:HTTP_PC_REMOTE_ADDR}%{HTTP:HTTP_CLIENT_IP} !^$
RewriteRule .* - [F,NS,L]

# HTTP PROTOCOL ^
# Denies any badly formed HTTP PROTOCOL in the request, 0.9, 1.0, and 1.1 only
RewriteCond %{THE_REQUEST} !^[A-Z]{3,9}\ .+\ HTTP/(0\.9|1\.0|1\.1) [NC]
RewriteRule .* - [F,NS,L]

# SPECIFY CHARACTERS ^
# Denies any request for a url containing characters other than "a-zA-Z0-9.+/-?=&" - REALLY helps but may break your site depending on your links.
RewriteCond %{THE_REQUEST} !^[A-Z]{3,9}\ [a-zA-Z0-9\.\+_/\-\?\=\&]+\ HTTP/ [NC]
RewriteRule .* - [F,NS,L]

# BAD Content Length ^
# Denies any POST request that doesnt have a Content-Length Header
RewriteCond %{REQUEST_METHOD} =POST
RewriteCond %{HTTP:Content-Length} ^$
RewriteRule .* - [F,NS,L]

# BAD Content Type ^
# Denies any POST request with a content type other than application/x-www-form-urlencoded|multipart/form-data
RewriteCond %{REQUEST_METHOD} =POST
RewriteCond %{HTTP:Content-Type} !^(application/x-www-form-urlencoded|multipart/form-data.*(boundary.*)?)$ [NC]
RewriteRule .* - [F,NS,L]

# Missing HTTP_HOST ^
# Denies requests that dont contain a HTTP HOST Header.
RewriteCond %{HTTP_HOST} ^$
RewriteRule .* - [F,NS,L]

# Bogus Graphics Exploit ^
# Denies obvious exploit using bogus graphics
RewriteCond %{HTTP:Content-Disposition} \.php [NC]
RewriteCond %{HTTP:Content-Type} image/.+ [NC]
RewriteRule .* - [F,NS,L]

# No UserAgent, Not POST ^
# Denies POST requests by blank user-agents. May prevent a small number of visitors from POSTING.
RewriteCond %{REQUEST_METHOD} =POST
RewriteCond %{HTTP_USER_AGENT} ^-?$
RewriteRule .* - [F,NS,L]

What am I doing wrong here?

1 answer:

Answer 0 (score: 1)

Here is the explanation of the $domain parameter from the manual page for setcookie():

Setting the domain to 'www.example.com' will make the cookie available in the www subdomain and higher subdomains. Cookies available to a lower domain, such as 'example.com' will be available to higher subdomains, such as 'www.example.com'. Older browsers still implementing the deprecated » RFC 2109 may require a leading . to match all subdomains.

This means that in modern browsers (which I think means practically everywhere), any cookie set for domain.com will be sent back by the browser to cdn.domain.com. That is how the cookie specification works, and I don't think there is a clean solution.

Ideally, your cookieless domain should use a completely different top-level domain; or your site should be hosted on a subdomain such as www.domain.com so that you can fine-tune the cookies. I guess neither is a reasonable option at this point, so you may have to live with it.
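The matching rule the answer relies on, worked through in code as an added illustration (not part of the question or the answer): a small model of how a browser decides which stored cookies to attach to a request, following the domain-match rule of RFC 6265 section 5.1.3. It goes one step beyond the answer's text in that it also distinguishes host-only cookies (a Set-Cookie with no Domain attribute), which the RFC returns only to the exact host that set them; cookies carrying a Domain attribute go to that domain and all of its subdomains, which is why a cookie scoped to domain.com reaches cdn.domain.com. All hosts, cookie names and values below are constructed placeholders modelled on the question's layout.

```python
"""Cookie domain matching as modern browsers implement it (RFC 6265, section 5.1.3),
applied to the domain.com / cdn.domain.com layout from the question.
Added illustration; the hosts and Set-Cookie headers below are constructed."""

import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Cookie:
    name: str
    domain: str      # Domain attribute without its leading dot, or the setting host
    host_only: bool  # True when Set-Cookie carried no Domain attribute


def _is_ip_address(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def domain_matches(request_host: str, cookie_domain: str) -> bool:
    """RFC 6265 'domain-match': the strings are equal, or the cookie domain is a
    suffix of the host preceded by '.', and the host is not an IP address."""
    host = request_host.lower().rstrip(".")
    domain = cookie_domain.lower().strip(".")
    if host == domain:
        return True
    return host.endswith("." + domain) and not _is_ip_address(host)


def parse_set_cookie(header: str, setting_host: str) -> Optional[Cookie]:
    """Minimal Set-Cookie parser: only the Domain attribute is interpreted.
    Returns None when the browser would reject the cookie because the setting
    host does not domain-match the requested Domain attribute."""
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    domain: Optional[str] = None
    for attr in parts[1:]:
        key, _, value = attr.partition("=")
        if key.strip().lower() == "domain" and value.strip():
            domain = value.strip().lower().lstrip(".")
    if domain is None:
        # No Domain attribute: host-only cookie, returned to exactly this host
        return Cookie(name, setting_host.lower(), host_only=True)
    if not domain_matches(setting_host, domain):
        return None
    return Cookie(name, domain, host_only=False)


def build_jar(responses: List[Tuple[str, str]]) -> List[Cookie]:
    """responses: (host that sent the response, Set-Cookie header value)."""
    jar = []
    for host, header in responses:
        cookie = parse_set_cookie(header, host)
        if cookie is not None:
            jar.append(cookie)
    return jar


def cookies_sent_to(request_host: str, jar: List[Cookie]) -> List[str]:
    """Names of the cookies a browser attaches to a request for request_host
    (Path, Secure and expiry attributes are ignored in this illustration)."""
    host = request_host.lower()
    sent = []
    for cookie in jar:
        if cookie.host_only:
            if host == cookie.domain:
                sent.append(cookie.name)
        elif domain_matches(host, cookie.domain):
            sent.append(cookie.name)
    return sent


# Constructed responses modelled on the question: the site lives on domain.com,
# static files on cdn.domain.com. Values are placeholders, not the page's cookies.
RESPONSES = [
    ("domain.com", "__utma=placeholder; Domain=.domain.com; Path=/"),       # analytics cookie, explicit Domain
    ("domain.com", "cvp=placeholder; Domain=domain.com; Path=/; HttpOnly"),
    ("domain.com", "cve=placeholder; Path=/; HttpOnly"),                     # no Domain attribute: host-only
    ("www.domain.com", "session=placeholder; Domain=www.domain.com; Path=/"),
    ("static.example.net", "trk=placeholder; Domain=example.net; Path=/"),
    ("domain.com", "stray=placeholder; Domain=unrelated.example"),           # rejected by the browser
]


def main() -> None:
    jar = build_jar(RESPONSES)
    for host in ("domain.com", "www.domain.com", "cdn.domain.com", "static.example.net"):
        print(f"{host:22} <- {cookies_sent_to(host, jar)}")


if __name__ == "__main__":
    main()
```

Running it shows cdn.domain.com receiving every cookie scoped to domain.com and nothing else, while www.domain.com and static.example.net each get their own set. Two practical consequences follow from the model: the decision is made by the browser before the request leaves it, so a server-side `RequestHeader unset Cookie` in .htaccess only strips the header as Apache processes the request and cannot change what the browser's audit sees it sending; and a static host that shares no registrable domain with the site (the answer's "completely different domain" option) is the only layout in which no site cookie can match.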