Apache: "Header always set"和 "Header set"之间的区别？

Question

问题

1. Apache 中始终设置 header 和 header 设置 有什么区别？
2. 也就是说，always 关键字在设置 header 的情况下会发生什么变化？
3. 我应该始终使用 always 设置 header 吗？
4. 有什么理由不这样做吗？

背景

我见过...

Header always set X-Frame-Options DENY

...以及...

Header always set Access-Control-Allow-Headers "*"

...我有时听说 always 关键字的存在可以确保 header 设置正确，或者最好在中包含 always 关键字一般的。然而，对于为什么会出现这种情况，我从未找到明确、明确的答案。

我已经检查了 Apache docs for mod_headers ，其中仅简要提及始终:

When your action is a function of an existing header, you may need to specify a condition of always, depending on which internal table the original header was set in. The table that corresponds to always is used for locally generated error responses as well as successful responses. Note also that repeating this directive with both conditions makes sense in some scenarios because always is not a superset of onsuccess with respect to existing headers:

• You're adding a header to a locally generated non-success (non-2xx) response, such as a redirect, in which case only the table corresponding to always is used in the ultimate response.
• You're modifying or removing a header generated by a CGI script, in which case the CGI scripts are in the table corresponding to always and not in the default table.
• You're modifying or removing a header generated by some piece of the server but that header is not being found by the default onsuccess condition.

据我所知，这意味着 始终设置 header 确保即使在非 200 个页面上也能设置 header 。然而，我使用 Header set 设置的 HTTP header 似乎始终适用于我的 404 页面等。我在这里误解了什么吗？

FWIW，我发现了像 What is the difference between "always" and "onsuccess" in Apache's Header config? 这样的帖子，但唯一的答案并没有真正为我解释清楚。

非常感谢，
迦勒

Answer 1

What is the difference between Header always set and Header set in Apache?

正如手册中引用的内容所说，如果没有“始终”，您的添加只会在成功响应时才会出现。

但这还包括通过 mod_proxy 以及其他类似的处理程序(大致类似于代理)“成功”转发错误。您发现与手册不符的 404 错误是什么产生的？本地文件上的 404 肯定会像引用的位所描述的那样表现。

That is, what does the always keyword change about the circumstances under which the header is set?

Apache 的 API 保留与每个请求相关的两个列表: headers 和 err_headers。如果服务器在处理请求时遇到错误，则不会使用前者。

Should I always set my headers using always?

这取决于它们的重要性。假设您正在设置与您期望为某些资源提供的内容相关的 Cache-Control header 。现在假设您实际上正在提供类似 400 或 502 之类的内容。您可能不希望对其进行缓存!

Is there any reason not to?

见上文。

-/-

手册中还有一些内容您没有引用，它解释了错误代码的代理或 CGI，但没有解释 Apache 为其生成错误响应的代码:

The optional condition argument determines which internal table of responses headers this directive will operate against. Despite the name, the default value of onsuccess does not limit an action to responses with a 2xx status code.

Headers set under this condition are still used when, for example, a request is successfully proxied or generated by CGI, even when they have generated a failing status code.